authorfengweihao <[email protected]>2023-11-23 11:17:11 +0800
committerfengweihao <[email protected]>2023-11-23 11:17:11 +0800
commitfe9e8286f9d36a699e8a078da0ce1c13663566a6 (patch)
treec06433ed3546d9d2a28fbe77b606ee5e2ccdc0a1
parent5684fac24452c5665c39a8cdc197eca70f14a131 (diff)
TSG-17778 优化App ID、FQDN Category ID和Tunnel ID的处理逻辑,多次扫描支持非配置
-rw-r--r--common/include/verify_policy.h16
-rw-r--r--platform/src/verify_matcher.cpp274
-rw-r--r--platform/src/verify_policy.cpp41
-rw-r--r--resource/table_info.conf17
-rw-r--r--resource/table_info_simple.conf17
5 files changed, 281 insertions, 84 deletions
diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h
index acd3059..e264958 100644
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -105,6 +105,13 @@ struct verify_policy
struct verify_policy_thread *work_threads[VERIFY_ARRAY_MAX];
};
+struct fqdn_category_id
+{
+ int fqdn_cat_num;
+ long long int group_id[8];
+ unsigned int fqdn_cat_id[8];
+};
+
struct request_query_obj
{
int table_id;
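Review bot: The bound 8 on `group_id[8]` and `fqdn_cat_id[8]` is a bare literal that get_fqdn_category_id in verify_matcher.cpp repeats as `i < 8` and `j< 8 ? j : 8`, so the struct and the matcher's guards can drift apart silently. Define it once next to the struct, e.g. `enum { FQDN_CAT_ID_MAX = 8 };`, and size both arrays and the matcher's loops with it. A one-line comment on `fqdn_cat_num` saying it is the number of valid entries in the two parallel arrays would also help, since nothing else documents that relationship.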
@@ -124,11 +131,8 @@ struct request_query_obj
int nth_scan_num;
cJSON* attributes;
- int category_user_num;
- unsigned int category_id_user[8];
-
- int category_built_num;
- unsigned int category_id_built[8];
+ struct fqdn_category_id fqdn_user;
+ struct fqdn_category_id fqdn_builtin;
};
struct verify_policy_query
@@ -146,6 +150,8 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer
void http_get_scan_status(struct request_query_obj *query_obj, int type, cJSON *attributes, cJSON *data_obj, void *pme);
int maat_table_init(struct verify_policy * verify, const char* profile_path);
int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, size_t hit_cnt, cJSON *data_obj, void *pme);
+void http_res_hdr_num(void *pem);
+void http_req_hdr_num(void *pem);
void verify_policy_tunnle_add(void * pme);
int policy_verify_regex_expression(const char *expression);
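Review bot: The new prototypes spell the context parameter `pem` while the neighbouring `verify_policy_tunnle_add(void * pme)` uses `pme`, and the definitions in verify_matcher.cpp repeat the misspelling. Rename to `void http_res_hdr_num(void *pme);` and `void http_req_hdr_num(void *pme);` in both places. A short comment above them stating that each call increments the matching `req_hdr_num`/`res_hdr_num` counter in `policy_scan_ctx`, once per attribute, would tell a reader why they exist, as the names read like accessors rather than incrementers.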
diff --git a/platform/src/verify_matcher.cpp b/platform/src/verify_matcher.cpp
index 3f5035b..1d013f4 100644
--- a/platform/src/verify_matcher.cpp
+++ b/platform/src/verify_matcher.cpp
@@ -63,6 +63,7 @@ enum verify_profile_table
POLICY_TUNNEL_CATALOG,
POLICY_TUNNEL_ENDPOINT,
POLICY_TUNNEL_LABEL,
+ POLICY_APP_DI_DICT,
POLICY_PROFILE_TABLE_MAX,
};
@@ -100,13 +101,14 @@ struct ip_data_ctx
int Nth_scan[2];
};
-struct fqdn_category_t
+struct fqdn_category_ctx
{
int ref_cnt;
- unsigned int category_id;
+ unsigned int fqdn_cat_id;
int match_method;
char fqdn[VERIFY_ARRAY_MAX];
+ long long int group_id;
pthread_mutex_t lock;
};
@@ -119,6 +121,7 @@ struct tunnel_data_ctx
char *composition;
char *description;
+ long long int group_id;
pthread_mutex_t lock;
};
@@ -131,6 +134,15 @@ struct rule_data_ctx
pthread_mutex_t lock;
};
+struct app_id_dict
+{
+ int ref_cnt;
+ int app_id;
+ long long int group_id;
+
+ pthread_mutex_t lock;
+};
+
struct policy_scan_ctx
{
enum policy_action action;
@@ -145,6 +157,8 @@ struct policy_scan_ctx
int n_read;
struct maat_hit_path hit_path[HIT_PATH_SIZE];
+ int req_hdr_num;
+ int res_hdr_num;
int tunnel_endpoint_x;
int bool_id_array_idx;
unsigned long long bool_id_array[256];
@@ -182,6 +196,18 @@ void verify_policy_tunnle_add(void * pme)
ctx->tunnel_endpoint_x++;
}
+void http_req_hdr_num(void *pem)
+{
+ struct policy_scan_ctx * ctx = (struct policy_scan_ctx *)pem;
+ ctx->req_hdr_num++;
+}
+
+void http_res_hdr_num(void *pem)
+{
+ struct policy_scan_ctx * ctx = (struct policy_scan_ctx *)pem;
+ ctx->res_hdr_num++;
+}
+
void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, int compile_table_id)
{
struct policy_scan_ctx * ctx = ALLOC(struct policy_scan_ctx, 1);
@@ -448,12 +474,25 @@ void tunnel_catalog_table_new_cb(const char *table_name, int table_id, const cha
return;
}
+ int group_id=0; char *group_id_str=NULL;
+ size_t offset=0, len=0;
+
+ ret = maat_helper_read_column(table_line, 8, &offset, &len);
+ if(ret >= 0)
+ {
+ group_id_str=ALLOC(char, len+1);
+ memcpy(group_id_str, table_line+offset, len);
+ group_id=atoll(group_id_str);
+ FREE(&group_id_str);
+ }
+
struct tunnel_data_ctx *tunnel=ALLOC(struct tunnel_data_ctx, 1);
memset(tunnel, 0, sizeof(struct tunnel_data_ctx));
tunnel->id=tunnel_id;
tunnel->name=strdup(tunnel_name);
tunnel->type=strdup(tunnel_type);
tunnel->composition=strdup(composition);
+ tunnel->group_id=group_id;
tunnel->ref_cnt=1;
pthread_mutex_init(&(tunnel->lock), NULL);
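Review bot: `int group_id=0;` is narrower than the `long long int group_id` field it is copied into on the `tunnel->group_id=group_id;` line, so the `atoll` result is truncated to 32 bits before it reaches the struct; declare it as `long long int group_id=0;`. The copy buffer is `ALLOC(char, len+1)` followed by a `memcpy` of `len` bytes, which leaves the terminator unwritten unless ALLOC zero-fills — the `memset` right after `ALLOC(struct tunnel_data_ctx, 1)` suggests it may not, in which case `atoll` reads past the buffer; add `group_id_str[len]='\0';` after the memcpy. The same buffer pattern appears for `app_id_str` and `group_id_str` in app_dict_table_new_cb later in this file. `atoll` also reports nothing for a non-numeric column, so a malformed line silently yields group 0; `strtoll` with an end-pointer check would make that visible in the log. tunnel_catalog_table_new_cb begins before this hunk.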
@@ -539,25 +578,11 @@ int maat_tunnel_table_init(int profile_idx,int vsys_id,
const char *table_name = table_name_map[profile_idx];
table_id=g_policy_rt->profile_table_id[profile_idx]=maat_get_table_id(g_policy_rt->feather[vsys_id], table_name);
- if(table_id < 0)
- {
- goto finish;
- }
-
- if(profile_idx==POLICY_TUNNEL_CATALOG)
- {
- table_id=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id],table_name, new_func[profile_idx], free_func, dup_func,
- 0,NULL);
- }
- if(profile_idx==POLICY_TUNNEL_ENDPOINT)
+ if(table_id > 0)
{
- table_id=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id], table_name, new_func[profile_idx], free_func, dup_func,
- 0, NULL);
-
+ table_id=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id], table_name, new_func[profile_idx], free_func, dup_func, 0, NULL);
+ return table_id;
}
- return table_id;
-
-finish:
mesa_runtime_log(RLOG_LV_FATAL, "Register table %s failed.", table_name);
return -1;
}
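Review bot: The rewritten guard `if(table_id > 0)` rejects a table id of 0, which the removed `if(table_id < 0) goto finish;` accepted and which maat_fqdn_cat_table_init and the new maat_app_dict_table_init still accept with `>= 0`; unless id 0 is known to be invalid for tunnel tables, this should read `if(table_id >= 0)`. The collapsed branch also now registers the schema for every profile_idx passed in, where the old code did so only for POLICY_TUNNEL_CATALOG and POLICY_TUNNEL_ENDPOINT; if this function is reached with POLICY_TUNNEL_LABEL, `new_func[profile_idx]` must have a valid entry for it, which is not visible here. The function begins before this hunk.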
@@ -621,11 +646,99 @@ int maat_fqdn_cat_table_init(int profile_idx, int vsys_id,
table_id=g_policy_rt->profile_table_id[profile_idx]=maat_get_table_id(g_policy_rt->feather[vsys_id], table_name);
if(table_id >= 0)
{
+ ret=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id], table_name, new_func, free_func, dup_func, 0, NULL);
+ return ret;
+ }
+ mesa_runtime_log(RLOG_LV_FATAL, "Register fqdn cat table %s failed.", table_name);
+ return -1;
+}
+
+void app_dict_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
+{
+ int ret=0;
+ size_t offset=0, len=0;
+ char *app_id_str=NULL, *group_id_str=NULL;
+ struct app_id_dict *app_dict=ALLOC(struct app_id_dict, 1);
+
+ ret = maat_helper_read_column(table_line, 1, &offset, &len);
+ if(ret >= 0)
+ {
+ app_id_str=ALLOC(char, len+1);
+ memcpy(app_id_str, table_line+offset, len);
+ app_dict->app_id=atoi(app_id_str);
+ FREE(&app_id_str);
+ }
+
+ ret = maat_helper_read_column(table_line, 18, &offset, &len);
+ if(ret >= 0)
+ {
+ group_id_str=ALLOC(char, len+1);
+ memcpy(group_id_str, table_line+offset, len);
+ app_dict->group_id=atoll(group_id_str);
+ FREE(&group_id_str);
+ }
+
+ app_dict->ref_cnt=1;
+ pthread_mutex_init(&(app_dict->lock), NULL);
+ *ad=app_dict;
+ return;
+}
+
+void app_dict_table_free_cb(int table_id, void **ad, long argl, void* argp)
+{
+ if(*ad==NULL)
+ {
+ return;
+ }
+
+ struct app_id_dict *app_dict=(struct app_id_dict *)(*ad);
+ pthread_mutex_lock(&(app_dict->lock));
+ app_dict->ref_cnt--;
+ if(app_dict->ref_cnt>0)
+ {
+ pthread_mutex_unlock(&(app_dict->lock));
+ return;
+ }
+ pthread_mutex_unlock(&(app_dict->lock));
+ pthread_mutex_destroy(&(app_dict->lock));
+
+ FREE(&app_dict);
+ *ad=NULL;
+ return;
+}
+
+void app_id_dict_free(struct app_id_dict *app_dict)
+{
+ app_dict_table_free_cb(0, (void **)&app_dict, 0, NULL);
+}
+
+void app_dict_table_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
+{
+ struct app_id_dict *app_dict=(struct app_id_dict *)(*from);
+ pthread_mutex_lock(&(app_dict->lock));
+ app_dict->ref_cnt++;
+ pthread_mutex_unlock(&(app_dict->lock));
+ *to=app_dict;
+
+ return;
+}
+
+int maat_app_dict_table_init(int profile_idx, int vsys_id,
+ maat_ex_new_func_t* new_func,
+ maat_ex_free_func_t* free_func,
+ maat_ex_dup_func_t* dup_func)
+{
+ int table_id=0, ret=0;
+
+ const char *table_name = "APP_ID_DICT";
+ table_id=g_policy_rt->profile_table_id[profile_idx]=maat_get_table_id(g_policy_rt->feather[vsys_id], table_name);
+ if(table_id >= 0)
+ {
ret=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id], table_name, new_func, free_func, dup_func,
0, NULL);
return ret;
}
- mesa_runtime_log(RLOG_LV_FATAL, "Register fqdn cat table %s failed.", table_name);
+ mesa_runtime_log(RLOG_LV_FATAL, "Register app dict table %s failed.", table_name);
return -1;
}
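Review bot: In app_dict_table_new_cb the struct from `ALLOC(struct app_id_dict, 1)` is never cleared, so when either `maat_helper_read_column` call fails `app_id` or `group_id` is left uninitialized (the tunnel callback memsets after ALLOC, which suggests ALLOC does not zero-fill); add `memset(app_dict, 0, sizeof(*app_dict));` after the allocation, or better, treat a failed column read as a parse error and log it the way fqdn_cat_new_data does instead of storing a half-filled entry. `app_id` is parsed with `atoi` into an `int`, while policy_verify_scan_app_id builds its lookup key from a `long long`; a comment on the struct saying which of the two is authoritative would prevent a later narrowing bug. The `app_id_str`/`group_id_str` buffers have the same missing-terminator issue as tunnel_catalog_table_new_cb. maat_fqdn_cat_table_init at the top of this hunk begins before it.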
@@ -656,7 +769,7 @@ int maat_ip_table_init(int profile_idx,int vsys_id,
void fqdn_cat_dup_data(int table_id, void **to, void **from, long argl, void* argp)
{
- struct fqdn_category_t *fqdn_cat=(struct fqdn_category_t *)(*from);
+ struct fqdn_category_ctx *fqdn_cat=(struct fqdn_category_ctx *)(*from);
pthread_mutex_lock(&(fqdn_cat->lock));
fqdn_cat->ref_cnt++;
pthread_mutex_unlock(&(fqdn_cat->lock));
@@ -668,11 +781,12 @@ void fqdn_cat_dup_data(int table_id, void **to, void **from, long argl, void* ar
void fqdn_cat_new_data(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0,id=0,is_valid=0;
+ long long int op_time=0;
- struct fqdn_category_t *fqdn_cat = ALLOC(struct fqdn_category_t, 1);
+ struct fqdn_category_ctx *fqdn_cat = ALLOC(struct fqdn_category_ctx, 1);
- ret=sscanf(table_line, "%d\t%u\t%s\t\t%d\t%d",&id, &fqdn_cat->category_id, fqdn_cat->fqdn, &fqdn_cat->match_method, &is_valid);
- if(ret!=5)
+ ret=sscanf(table_line, "%d\t%u\t%s\t%d\t%d\t%llu\t%llu",&id, &fqdn_cat->fqdn_cat_id, fqdn_cat->fqdn, &fqdn_cat->match_method, &is_valid, &op_time, &fqdn_cat->group_id);
+ if(ret!=7)
{
FREE(&fqdn_cat);
mesa_runtime_log(RLOG_LV_FATAL, "Parse fqdn category failed, ret: %d table_id: %d table_line: %s", ret, table_id, table_line);
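Review bot: The new format string reads `%llu` into `op_time` and `fqdn_cat->group_id`, both declared `long long int` (signed); the conversion should be `%lld`, since a signedness mismatch in sscanf is undefined behaviour under the standard even if it works on this toolchain. The `%s` conversion for `fqdn_cat->fqdn` is still unbounded, so a table line with a field longer than VERIFY_ARRAY_MAX overflows the struct; give it a width one less than the array size (a stringified macro or a generated format string). The remainder of fqdn_cat_new_data is outside this hunk.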
@@ -692,7 +806,7 @@ void fqdn_cat_free_data(int table_id, void **ad, long argl, void* argp)
return;
}
- struct fqdn_category_t *fqdn_cat=(struct fqdn_category_t *)(*ad);
+ struct fqdn_category_ctx *fqdn_cat=(struct fqdn_category_ctx *)(*ad);
pthread_mutex_lock(&(fqdn_cat->lock));
fqdn_cat->ref_cnt--;
if(fqdn_cat->ref_cnt>0)
@@ -708,7 +822,7 @@ void fqdn_cat_free_data(int table_id, void **ad, long argl, void* argp)
return;
}
-void fqdn_cat_table_free(struct fqdn_category_t *fqdn_cat)
+void fqdn_cat_table_free(struct fqdn_category_ctx *fqdn_cat)
{
fqdn_cat_free_data(0, (void **)&fqdn_cat, 0, NULL);
}
@@ -921,18 +1035,18 @@ void http_get_fqdn_cat_id(struct request_query_obj *query_obj, cJSON *attributeO
cJSON_AddItemToObject(attributeObj, "sniCategory", sniCategory);
cJSON *fqdnObj=NULL;
- for(i=0; i<query_obj->category_user_num; i++)
+ for(i=0; i<query_obj->fqdn_user.fqdn_cat_num; i++)
{
fqdnObj=cJSON_CreateObject();
cJSON_AddItemToArray(sniCategory, fqdnObj);
- cJSON_AddNumberToObject(fqdnObj, "categoryId", query_obj->category_id_user[i]);
+ cJSON_AddNumberToObject(fqdnObj, "categoryId", query_obj->fqdn_user.fqdn_cat_id[i]);
}
- for(i=0; i<query_obj->category_built_num; i++)
+ for(i=0; i<query_obj->fqdn_builtin.fqdn_cat_num; i++)
{
fqdnObj=cJSON_CreateObject();
cJSON_AddItemToArray(sniCategory, fqdnObj);
- cJSON_AddNumberToObject(fqdnObj, "categoryId", query_obj->category_id_built[i]);
+ cJSON_AddNumberToObject(fqdnObj, "categoryId", query_obj->fqdn_builtin.fqdn_cat_id[i]);
}
}
@@ -1399,7 +1513,7 @@ int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int
size_t n_hit_result=0;
int n_read=0, hit_path_cnt=0;
int i=0,ret=0, hit_cnt_fqdn=0;
- struct fqdn_category_t *fqdn_cat_user[8]={0},*fqdn_cat_built[8]={0};
+ struct fqdn_category_ctx *fqdn_cat_user[8]={0},*fqdn_cat_built[8]={0};
if(!g_policy_rt->load_fqdn_cat)
{
@@ -1411,40 +1525,41 @@ int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int
{
if(i < 8)
{
- if(http_hit_policy_match((int *)query_obj->category_id_user, j, (int)fqdn_cat_user[i]->category_id))
+ if(http_hit_policy_match((int *)(query_obj->fqdn_user.fqdn_cat_id), j, (int)fqdn_cat_user[i]->fqdn_cat_id))
{
continue;
}
- query_obj->category_id_user[j] = fqdn_cat_user[i]->category_id;
+ query_obj->fqdn_user.fqdn_cat_id[i] = fqdn_cat_user[i]->fqdn_cat_id;
+ query_obj->fqdn_user.group_id[i] = fqdn_cat_user[i]->group_id;
j++;
}
fqdn_cat_table_free(fqdn_cat_user[i]);
}
- query_obj->category_user_num = j< 8 ? j : 8;
+ query_obj->fqdn_user.fqdn_cat_num = j< 8 ? j : 8;
ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[POLICY_FQDN_CAT_BUILT_IN], fqdn, (void **)fqdn_cat_built, 8);
for(i=0; i <ret; i++)
{
if(i < 8)
{
- if(http_hit_policy_match((int *)query_obj->category_id_built, k, (int)fqdn_cat_built[i]->category_id))
+ if(http_hit_policy_match((int *)(query_obj->fqdn_builtin.fqdn_cat_id), k, (int)fqdn_cat_built[i]->fqdn_cat_id))
{
continue;
}
- query_obj->category_id_built[k] = fqdn_cat_built[i]->category_id;
+ query_obj->fqdn_builtin.fqdn_cat_id[i] = fqdn_cat_built[i]->fqdn_cat_id;
+ query_obj->fqdn_builtin.group_id[i] = fqdn_cat_built[i]->group_id;
k++;
}
fqdn_cat_table_free(fqdn_cat_built[i]);
}
- query_obj->category_built_num = k < 8 ? k : 8;
+ query_obj->fqdn_builtin.fqdn_cat_num = k < 8 ? k : 8;
- if(query_obj->category_user_num > 0)
+ if(query_obj->fqdn_user.fqdn_cat_num > 0)
{
- for(i=0; i<query_obj->category_user_num; i++)
+ for(i=0; i<query_obj->fqdn_user.fqdn_cat_num; i++)
{
- ret=maat_scan_integer(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id],
- query_obj->category_id_user[i], result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn,
- &n_hit_result, ctx->scan_mid);
+ ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &query_obj->fqdn_user.group_id[i], 1,
+ result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid);
if(ret>0)
{
hit_cnt_fqdn+=n_hit_result;
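Review bot: The stores changed from index `j` to `i` — `query_obj->fqdn_user.fqdn_cat_id[i] = ...` and `group_id[i] = ...` — while `j` is still what `http_hit_policy_match` scans and what becomes `fqdn_cat_num`; once a duplicate is skipped via `continue`, `i` and `j` diverge, the entry lands beyond the counted range and slot `j` keeps whatever was there before. Restore `j` as the write index: `query_obj->fqdn_user.fqdn_cat_id[j] = fqdn_cat_user[i]->fqdn_cat_id;` / `query_obj->fqdn_user.group_id[j] = fqdn_cat_user[i]->group_id;`, and likewise `[k]` for the two `fqdn_builtin` stores. Separately, `fqdn_cat_table_free(fqdn_cat_user[i])` runs for every `i < ret` while only the store is guarded by `i < 8`, so a `ret` larger than 8 would index past the 8-element array; either clamp the loop to 8 or confirm the plugin helper never returns more than its limit. get_fqdn_category_id begins before this hunk and continues after it.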
@@ -1457,15 +1572,22 @@ int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int
hit_path_cnt++;
}
}
+
+ ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id],
+ result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn,
+ &n_hit_result, ctx->scan_mid);
+ if (ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt_fqdn += n_hit_result;
+ }
goto finish;
}
- if (query_obj->category_built_num > 0)
+ if (query_obj->fqdn_builtin.fqdn_cat_num > 0)
{
- for(i=0; i<query_obj->category_built_num; i++)
+ for(i=0; i<query_obj->fqdn_builtin.fqdn_cat_num; i++)
{
- ret=maat_scan_integer(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id],
- query_obj->category_id_built[i], result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn,
- &n_hit_result, ctx->scan_mid);
+ ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &query_obj->fqdn_builtin.group_id[i], 1,
+ result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &n_hit_result, ctx->scan_mid);
if(ret>0)
{
hit_cnt_fqdn+=n_hit_result;
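Review bot: The `maat_scan_not_logic` block added after the user loop is repeated verbatim after the builtin loop in the next hunk, and a third near-copy sits in policy_verify_scan_http_hdr; a small static helper taking the table id, the result slice and the counter to advance would keep the three in step. The new call tests `ret == MAAT_SCAN_HIT` while the `maat_scan_group` call just above tests `ret>0`; if the two return conventions genuinely differ, a comment saying so would spare the next reader the question. The function continues past this hunk.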
@@ -1478,6 +1600,13 @@ int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int
hit_path_cnt++;
}
}
+ ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id],
+ result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn,
+ &n_hit_result, ctx->scan_mid);
+ if (ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt_fqdn += n_hit_result;
+ }
}
finish:
query_obj->nth_scan_num = hit_path_cnt;
@@ -1507,9 +1636,8 @@ int policy_verify_scan_tunnel_id(long long *result, struct ip_addr *sip, int hit
ret=maat_bool_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[POLICY_TUNNEL_CATALOG], ctx->bool_id_array, ctx->bool_id_array_idx, (void**)(&tunnel_catalog), TUNNEL_CATALOG_MAX);
for(i=0; i<ret && i<TUNNEL_CATALOG_MAX; i++)
{
- scan_ret=maat_scan_integer(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_TUNNEL],
- tunnel_catalog[i]->id, result+hit_cnt+hit_cnt_tunnel, MAX_SCAN_RESULT-hit_cnt-hit_cnt_tunnel,
- &n_hit_result, ctx->scan_mid);
+ scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_TUNNEL], &tunnel_catalog[i]->group_id, 1,
+ result+hit_cnt+hit_cnt_tunnel, MAX_SCAN_RESULT-hit_cnt-hit_cnt_tunnel, &n_hit_result, ctx->scan_mid);
if(scan_ret>= MAAT_SCAN_HALF_HIT)
{
hit_cnt_tunnel+=n_hit_result;
@@ -1545,18 +1673,25 @@ static int policy_verify_scan_app_id(struct request_query_obj *request, struct p
{
int n_read=0;
int scan_ret=0, hit_cnt_app_id=0;
+ struct app_id_dict *app_dict=NULL;
size_t n_hit_result=0;
+ long long app_id = request->numeric;
int table_id = request->table_id;
- int scan_val = request->numeric;
- scan_ret=maat_scan_integer(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id],
- scan_val, ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
- &n_hit_result, ctx->scan_mid);
+ app_dict = (struct app_id_dict*)maat_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[POLICY_APP_DI_DICT], (const char *)&app_id, sizeof(long long));
+ if(app_dict==NULL)
+ {
+ return 0;
+ }
+
+ scan_ret = maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &app_dict->group_id, 1,
+ ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &n_hit_result, ctx->scan_mid);
if(scan_ret == MAAT_SCAN_HIT)
{
hit_cnt_app_id+=n_hit_result;
}
+ app_id_dict_free(app_dict);
n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
request->nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid);
ctx->n_read=n_read;
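Review bot: The early `return 0;` when `app_dict==NULL` skips the `maat_state_get_hit_paths`, `request->nth_scan[0]` and `ctx->n_read` updates that follow, so an app id absent from APP_ID_DICT leaves those fields holding the previous scan's values where the old code always refreshed them. If callers read `nth_scan` after every scan, set them before returning (`request->nth_scan[0] = 0; ctx->n_read = 0;`) or fall through to the bookkeeping. Given the commit adds non-configured (not-logic) scanning for fqdn and header objects, check whether the unknown-app case should run `maat_scan_not_logic` rather than return. The function continues past this hunk.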
@@ -1585,7 +1720,7 @@ static int policy_verify_scan_flag(struct request_query_obj *request, struct pol
return hit_cnt_flag;
}
-static int policy_verify_scan_http_hdr(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt)
+static int policy_verify_scan_http_hdr(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, int hdr_num)
{
int n_read=0;
int scan_ret=0, hit_cnt_hdr=0;
@@ -1608,6 +1743,17 @@ static int policy_verify_scan_http_hdr(struct request_query_obj *request, struct
{
hit_cnt_hdr += n_hit_result;
}
+
+ if(hdr_num == 0)
+ {
+ scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt_hdr += n_hit_result;
+ }
+ }
+
n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE);
request->nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid);
ctx->n_read=n_read;
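Review bot: `hdr_num == 0` is only reached if the counter was primed for this query: the caller in policy_verify_scan decrements `ctx->req_hdr_num` / `ctx->res_hdr_num` before each call, so if http_req_hdr_num was not invoked for the attribute, or the ctx is reused across queries without the counters being reset (not visible here), the value goes negative and the not-logic scan never runs. Testing `hdr_num <= 0` would make the final-scan check robust to both cases, and a comment on the new fields in policy_scan_ctx such as `/* req_hdr/res_hdr attributes still to be scanned in this query */` would document the contract. The function begins before this hunk.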
@@ -1747,8 +1893,16 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer
}
goto decide;
case TSG_OBJ_HTTP_REQ_HDR:
+ ctx->req_hdr_num--;
+ scan_ret = policy_verify_scan_http_hdr(request, ctx, vsys_id, hit_cnt, ctx->req_hdr_num);
+ if(scan_ret > 0)
+ {
+ hit_cnt+=scan_ret;
+ }
+ goto decide;
case TSG_OBJ_HTTP_RES_HDR:
- scan_ret = policy_verify_scan_http_hdr(request, ctx, vsys_id, hit_cnt);
+ ctx->res_hdr_num--;
+ scan_ret = policy_verify_scan_http_hdr(request, ctx, vsys_id, hit_cnt, ctx->res_hdr_num);
if(scan_ret > 0)
{
hit_cnt+=scan_ret;
@@ -1946,7 +2100,7 @@ static void common_table_name_int(const char *table_name[__TSG_OBJ_MAX])
return;
}
-int maat_plugin_table_int(int vsys_id, int compile_type_id)
+int maat_complie_plugin_table_init(int vsys_id, int compile_type_id)
{
int table_id=0;
const char *table_name=NULL;
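Review bot: The new name `maat_complie_plugin_table_init` misspells "compile"; rename it to `maat_compile_plugin_table_init` here and at the call site in maat_table_init. The function body continues past this hunk.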
@@ -2017,9 +2171,9 @@ int maat_table_init(struct verify_policy * verify, const char* profile_path)
mesa_runtime_log(RLOG_LV_DEBUG, "Register maat %p, table name %s, table id %d", g_policy_rt->feather[vsys_id], table_name[i], g_policy_rt->scan_table_id[i]);
}
- for(int compile_type_id = 0; compile_type_id < PXY_TABLE_DEFENCE; compile_type_id++)
+ for(int i = 0; i < PXY_TABLE_DEFENCE; i++)
{
- ret = maat_plugin_table_int(vsys_id, compile_type_id);
+ ret = maat_complie_plugin_table_init(vsys_id, i);
if(ret<0)
{
goto error_out;
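Review bot: Renaming the loop variable from `compile_type_id` to `i` loses the only hint of what the index means, and an `i` already appears in the preceding loop in this function, so if that one is declared at function scope this now shadows it. Keeping `compile_type_id` (or a comment `/* index into the compile-type table list */`) reads better. maat_table_init continues past this hunk.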
@@ -2049,8 +2203,8 @@ int maat_table_init(struct verify_policy * verify, const char* profile_path)
{
goto error_out;
}
-
}
+ ret = maat_app_dict_table_init(POLICY_APP_DI_DICT, vsys_id, app_dict_table_new_cb, app_dict_table_free_cb, app_dict_table_dup_cb);
}
ret = 0;
error_out:
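Review bot: The result of `maat_app_dict_table_init` is stored in `ret` but never checked before `ret = 0;` on the next line overwrites it, so a failed APP_ID_DICT registration is logged as FATAL by the callee and then ignored, and policy_verify_scan_app_id later queries a table id of -1. The tunnel loop immediately above handles the same case with `if(ret<0) { goto error_out; }`; add those three lines after this call. maat_table_init begins before this hunk.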
diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp
index 20eceb3..f175c59 100644
--- a/platform/src/verify_policy.cpp
+++ b/platform/src/verify_policy.cpp
@@ -376,6 +376,33 @@ static int get_query_result_regex(cJSON *verifylist_array_item, cJSON *data_obj)
return 1;
}
+static void get_count_form_attributeName(void *ctx, cJSON *subchild)
+{
+ cJSON *item = NULL;
+
+ item = cJSON_GetObjectItem(subchild, "attributeName");
+ if(item && item->type==cJSON_String)
+ {
+ if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
+ {
+ verify_policy_tunnle_add(ctx);
+ }
+ if(0 == strcasecmp(item->valuestring, "tunnel_endpointb"))
+ {
+ verify_policy_tunnle_add(ctx);
+ }
+ if(0 == strcasecmp(item->valuestring, "req_hdr"))
+ {
+ http_req_hdr_num(ctx);
+ }
+ if(0 == strcasecmp(item->valuestring, "res_hdr"))
+ {
+ http_res_hdr_num(ctx);
+ }
+ }
+ return;
+}
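Review bot: `get_count_form_attributeName` misspells "from", and since the four `strcasecmp` tests are mutually exclusive they read more naturally as an `else if` chain. The name also says "count" while the function increments counters on `ctx`, so a one-line comment such as `/* tally tunnel_endpoint and req/res_hdr attributes into the scan ctx before scanning */` would make the intent clear. The functions it calls dereference `ctx` without a NULL check, consistent with the existing `verify_policy_tunnle_add`, so that is fine as long as callers always pass a valid ctx.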
+
int get_query_result_policy(cJSON *subitem, cJSON *data_obj, int thread_id)
{
int i = 0;
@@ -415,19 +442,7 @@ int get_query_result_policy(cJSON *subitem, cJSON *data_obj, int thread_id)
for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
{
- item = cJSON_GetObjectItem(subchild, "attributeName");
- if(item && item->type==cJSON_String)
- {
- if(0 == strcasecmp(item->valuestring, "tunnel_endpointa"))
- {
- verify_policy_tunnle_add(ctx);
- }
-
- if(0 == strcasecmp(item->valuestring, "tunnel_endpointb"))
- {
- verify_policy_tunnle_add(ctx);
- }
- }
+ get_count_form_attributeName(ctx, subchild);
}
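Review bot: With the inline block replaced by the helper call, the `item` local in get_query_result_policy may no longer be read unless a later loop outside this hunk still uses it; if it is now unused, drop its declaration to avoid an unused-variable warning. The function begins before this hunk and continues after it.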
for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
diff --git a/resource/table_info.conf b/resource/table_info.conf
index 94d336e..5c01e6d 100644
--- a/resource/table_info.conf
+++ b/resource/table_info.conf
@@ -400,7 +400,7 @@
{
"table_id":30,
"table_name":"TSG_OBJ_FQDN_CAT",
- "table_type":"intval",
+ "table_type":"interval",
"valid_column":5,
"custom": {
"item_id":1,
@@ -426,7 +426,7 @@
{
"table_id":32,
"table_name":"TSG_OBJ_APP_ID",
- "table_type":"intval",
+ "table_type":"interval",
"valid_column":5,
"custom": {
"item_id":1,
@@ -825,7 +825,7 @@
{
"table_id":83,
"table_name":"TSG_OBJ_TUNNEL_ID",
- "table_type":"intval",
+ "table_type":"interval",
"valid_column":5,
"custom": {
"item_id":1,
@@ -929,5 +929,16 @@
"table_name":"TSG_FILED_GTP_IMEI",
"table_type":"virtual",
"physical_table": "TSG_OBJ_IMEI"
+ },
+ {
+ "table_id": 95,
+ "table_name": "APP_ID_DICT",
+ "table_type": "plugin",
+ "valid_column": 18,
+ "custom": {
+ "key": 1,
+ "key_type": "integer",
+ "key_len": 8
+ }
}
] \ No newline at end of file
diff --git a/resource/table_info_simple.conf b/resource/table_info_simple.conf
index 087097f..81f1de8 100644
--- a/resource/table_info_simple.conf
+++ b/resource/table_info_simple.conf
@@ -400,7 +400,7 @@
{
"table_id":30,
"table_name":"TSG_OBJ_FQDN_CAT",
- "table_type":"intval",
+ "table_type":"interval",
"valid_column":5,
"custom": {
"item_id":1,
@@ -426,7 +426,7 @@
{
"table_id":32,
"table_name":"TSG_OBJ_APP_ID",
- "table_type":"intval",
+ "table_type":"interval",
"valid_column":5,
"custom": {
"item_id":1,
@@ -751,7 +751,7 @@
{
"table_id":77,
"table_name":"TSG_OBJ_TUNNEL_ID",
- "table_type":"intval",
+ "table_type":"interval",
"valid_column":5,
"custom": {
"item_id":1,
@@ -855,5 +855,16 @@
"table_name":"TSG_FILED_GTP_IMEI",
"table_type":"virtual",
"physical_table": "TSG_OBJ_IMEI"
+ },
+ {
+ "table_id": 89,
+ "table_name": "APP_ID_DICT",
+ "table_type": "plugin",
+ "valid_column": 18,
+ "custom": {
+ "key": 1,
+ "key_type": "integer",
+ "key_len": 8
+ }
}
] \ No newline at end of file