| author | fengweihao <[email protected]> | 2024-03-01 15:36:17 +0800 |
|---|---|---|
| committer | fengweihao <[email protected]> | 2024-03-01 15:36:17 +0800 |
| commit | 620d367a504571e7c4c16edeea4f75f7269772e0 (patch) | |
| tree | 3534d6383bf9714fdc48f1781b300f6a92b36ff4 | |
| parent | e834b5ad007fefc318657083ee7d0662766b7d21 (diff) | |
TSG-19601 PolicyVerify支持ASN Object TSG-19596 Object Match返回Protocol命中路径v4.0.11-20240301
| -rw-r--r-- | common/include/verify_policy.h | 2 | ||||
| -rw-r--r-- | platform/src/verify_matcher.cpp | 244 | ||||
| -rw-r--r-- | platform/src/verify_policy.cpp | 14 | ||||
| -rw-r--r-- | resource/table_info.conf | 28 |
4 files changed, 195 insertions, 93 deletions
diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h index fc22718..51da7d4 100644 --- a/common/include/verify_policy.h +++ b/common/include/verify_policy.h @@ -86,6 +86,8 @@ enum tsg_obj_table TSG_OBJ_SSL_ESNI, TSG_OBJ_SSL_NO_SNI, TSG_OBJ_TUNNEL_LEVEL, + TSG_OBJ_INTERNAL_ASN, + TSG_OBJ_EXTERNAL_ASN, __TSG_OBJ_MAX }; diff --git a/platform/src/verify_matcher.cpp b/platform/src/verify_matcher.cpp index dc96fa1..70be885 100644 --- a/platform/src/verify_matcher.cpp +++ b/platform/src/verify_matcher.cpp @@ -70,7 +70,7 @@ enum verify_profile_table struct ip_data_table { int profile_id; - + int group_id; int ref_cnt; char *asn; @@ -90,6 +90,17 @@ struct http_field_name enum http_std_field field_id; }; +enum nth_scan_type +{ + NTH_SCAN_IP_SRC_LOCATION = 0, + NTH_SCAN_IP_DST_LOCATION, + NTH_SCAN_IP_DST_ASN, + NTH_SCAN_IP_SRC_ASN, + NTH_SCAN_IP_INTERNAL_ASN, + NTH_SCAN_IP_EXTERNAL_ASN, + NTH_SCAN_MAX +}; + /** Nth_scan: Since there is no virtual table name in the request due to IP location and IP protocol, * the current hit path scan count needs to be recorded to correspond to the virtual table name */ struct ip_data_ctx @@ -100,7 +111,7 @@ struct ip_data_ctx char *organization_server; char *location_client; char *location_server; - int Nth_scan[3]; + int Nth_scan[NTH_SCAN_MAX]; }; struct fqdn_category_ctx 
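Review bot: The entries of `Nth_scan[NTH_SCAN_MAX]` in `struct ip_data_ctx` are later matched by plain equality against a scan count, so a slot whose scan never ran keeps whatever `ip_data_ctx` was initialised with, and a real scan count equal to that initial value would be misattributed; the initialisation is outside this hunk, so treat this as an inference to confirm. Growing the array from `Nth_scan[3]` to six slots (NTH_SCAN_IP_INTERNAL_ASN and NTH_SCAN_IP_EXTERNAL_ASN are mutually exclusive with the SRC/DST ASN pair) makes the unset case the common one rather than the exception. Document the contract on the field, e.g. `int Nth_scan[NTH_SCAN_MAX]; /* scan count recorded per lookup kind; a slot whose scan did not run must hold a value no scan count can take */`, and if that value is 0 today, state whether maat_state_get_scan_count can ever return 0. The struct ip_data_ctx header and the rest of its body lie outside the hunk.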
@@ -302,13 +313,13 @@ static char* verify_unescape(char* s) void ip_asn_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp) { - int addr_type; + int addr_type, group_id=0; int ret=0,profile_id=0,is_valid=0; char start_ip[40], end_ip[40],asn[40]={0}; char organization[VERIFY_ARRAY_MAX]; - ret=sscanf(table_line, "%d\t%d\t%s\t%s\t%s\t%s\t%d", &profile_id, &addr_type, start_ip, end_ip, asn, organization, &is_valid); - if(ret!=7) + ret=sscanf(table_line, "%d\t%d\t%d\t%s\t%s\t%s\t%s\t%d", &profile_id, &group_id, &addr_type, start_ip, end_ip, asn, organization, &is_valid); + if(ret!=8) { mesa_runtime_log(RLOG_LV_FATAL, "Policy table parse ip ASN failed, ret:%d, %s", ret, table_line); return; @@ -320,6 +331,7 @@ void ip_asn_table_new_cb(const char *table_name, int table_id, const char* key, ip_asn->profile_id=profile_id; ip_asn->asn=strdup(asn); ip_asn->organization=strdup(organization); + ip_asn->group_id=group_id; ip_asn->ref_cnt=1; pthread_mutex_init(&(ip_asn->lock), NULL); @@ -530,8 +542,8 @@ void tunnel_label_table_new_cb(const char *table_name, int table_id, const char* } -const char *table_name_map[] = {"TSG_IP_ASN_USER_DEFINED", - "TSG_IP_ASN_BUILT_IN", +const char *table_name_map[] = {"TSG_OBJ_IP_ASN_USER_DEFINED", + "TSG_OBJ_IP_ASN_BUILT_IN", "TSG_IP_LOCATION_USER_DEFINED", "TSG_IP_LOCATION_BUILT_IN", "TSG_FQDN_CATEGORY_USER_DEFINED", @@ -724,7 +736,7 @@ int maat_ip_table_init(int profile_idx,int vsys_id, if(table_id >= 0) { table_id=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id], table_name, new_func[profile_idx], free_func, dup_func, - 0, NULL); + 0, NULL); return 0; } mesa_runtime_log(RLOG_LV_FATAL, "Register table %s failed.", table_name); 
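Review bot: The rewritten sscanf() in ip_asn_table_new_cb still reads start_ip, end_ip and asn with an unbounded `%s` into 40-byte stack buffers (and organization into VERIFY_ARRAY_MAX), so a single over-long field in a policy table line overruns the stack before the `ret!=8` check can reject the line. Since the format is being changed for the new group_id column anyway, bound the conversions: `ret=sscanf(table_line, "%d\t%d\t%d\t%39s\t%39s\t%39s\t%s\t%d", &profile_id, &group_id, &addr_type, start_ip, end_ip, asn, organization, &is_valid);` and give organization a width derived from VERIFY_ARRAY_MAX-1 (via a stringifying macro), which is declared outside this hunk. Note also that `%s` stops at whitespace, so an organization name containing a space already shifts the remaining conversions and makes the line fail the count check; that is pre-existing, but a comment on the format line saying the field is single-token would save the next person a debugging session. ip_asn_table_new_cb continues past the hunk.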
@@ -1035,10 +1047,9 @@ void http_get_location_status(cJSON *attributes, cJSON *attributeObj, struct ip_ if(item && item->type==cJSON_String) { attri_name = item->valuestring; - if(strcasecmp(attri_name, "source") == 0) + if((strcasecmp(attri_name, "source") == 0) || (strcasecmp(attri_name, "internal") == 0)) { cJSON_AddStringToObject(attributeObj, "ipGeoLocation",ip_ctx->location_client); - ipAsn=cJSON_CreateArray(); cJSON_AddItemToObject(attributeObj, "ipAsn", ipAsn); cJSON *ipAsnObj=NULL; @@ -1046,14 +1057,13 @@ void http_get_location_status(cJSON *attributes, cJSON *attributeObj, struct ip_ { ipAsnObj=cJSON_CreateObject(); cJSON_AddItemToArray(ipAsn, ipAsnObj); - cJSON_AddStringToObject(ipAsnObj, "asNumber", ip_ctx->asn_client); + cJSON_AddStringToObject(ipAsnObj, "asn", ip_ctx->asn_client); cJSON_AddStringToObject(ipAsnObj, "organization", ip_ctx->organization_client); } } - if(strcasecmp(attri_name, "destination") == 0) + if((strcasecmp(attri_name, "destination") == 0) || (strcasecmp(attri_name, "external") == 0)) { cJSON_AddStringToObject(attributeObj, "ipGeoLocation",ip_ctx->location_server); - ipAsn=cJSON_CreateArray(); cJSON_AddItemToObject(attributeObj, "ipAsn", ipAsn); cJSON *ipAsnObj=NULL; @@ -1061,7 +1071,7 @@ void http_get_location_status(cJSON *attributes, cJSON *attributeObj, struct ip_ { ipAsnObj=cJSON_CreateObject(); cJSON_AddItemToArray(ipAsn, ipAsnObj); - cJSON_AddStringToObject(ipAsnObj, "asNumber", ip_ctx->asn_server); + cJSON_AddStringToObject(ipAsnObj, "asn", ip_ctx->asn_server); cJSON_AddStringToObject(ipAsnObj, "organization", ip_ctx->organization_server); } } 
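Review bot: With `ipAsn=cJSON_CreateArray();` removed from both branches of http_get_location_status, the array must now be created once before this if-chain (outside the hunk) and is only attached to attributeObj when attri_name matches one of the four names; if none matches it is never freed unless code after the chain handles it, which is worth confirming. `cJSON_AddStringToObject(attributeObj, "ipGeoLocation", ip_ctx->location_client)` is also reached whenever the name matches even when no location was resolved, and whether cJSON tolerates a NULL string depends on its version, so a guard such as `if(ip_ctx->location_client)` around that call would make the intent explicit. The two `if` blocks are independent rather than `else if`, which is fine since the name sets are disjoint, but a comment above the first, `/* "internal"/"external" are aliases of "source"/"destination" for ASN object requests */`, would record why the extra names were accepted. The function begins before this hunk.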
@@ -1096,6 +1106,18 @@ int hit_path_is_duplicate(struct maat_hit_path *src, struct maat_hit_path dest, return 0; } +int hit_rule_match_is_duplicate(struct maat_hit_path *src, struct maat_hit_path dest, int result_cnt) +{ + for(int i = 0; i < result_cnt; i++) + { + if(src[i].vtable_id == dest.vtable_id && src[i].top_group_id == dest.top_group_id) + { + return 1; + } + } + return 0; +} + void http_get_scan_status(struct request_query_obj *query_obj, int compile_table_id, cJSON *attributes, cJSON *data_obj, void *pme) { int i=0, j=0, result_cnt=0; @@ -1103,15 +1125,6 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table cJSON *attributeObj=NULL,*hitPaths=NULL; cJSON *item = NULL; - if(query_obj->table_id == TSG_OBJ_IP_PROTOCOL) - { - if(query_obj->attributes) - { - cJSON_Delete(query_obj->attributes); - } - return; - } - struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme; attributeObj=query_obj->attributes; @@ -1122,10 +1135,7 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table { if(0 == strcasecmp(item->valuestring, "tunnel_endpointa")) { - if(query_obj->attributes) - { - cJSON_Delete(query_obj->attributes); - } + cJSON_Delete(attributeObj); return; } } @@ -1133,7 +1143,6 @@ void http_get_scan_status(struct request_query_obj *query_obj, int compile_table if(compile_table_id == TSG_TABLE_SECURITY && query_obj->table_id == TSG_OBJ_TUNNEL) { - attributeObj=query_obj->attributes; cJSON_DeleteItemFromObject(attributeObj, "attributeName"); cJSON_AddStringToObject(attributeObj, "attributeName", "tunnel_endpoint_object"); cJSON_DeleteItemFromObject(attributeObj, "attributeValue"); 
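Review bot: hit_rule_match_is_duplicate is only used inside this file (its single caller is in the http_hit_policy_list hunk) yet has external linkage, and it copies the whole `struct maat_hit_path` for `dest` on every call, mirroring the by-value signature of the neighbouring hit_path_is_duplicate. Declare it `static int hit_rule_match_is_duplicate(const struct maat_hit_path *src, const struct maat_hit_path *dest, int result_cnt)` with the comparison reading `dest->vtable_id` and `dest->top_group_id`, and add a header comment: `/* true if one of the first result_cnt entries of src already has dest's vtable_id and top_group_id */`. Because the two helpers differ only in which fields they compare, a shared comparator parameter would also stop them drifting apart.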
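Review bot: In the `tunnel_endpointa` early return, `cJSON_Delete(attributeObj);` frees `query_obj->attributes` but leaves the pointer in the request object, so any later reader of `query_obj->attributes` (not visible here) would touch freed memory; the old guard-then-delete had the same gap, and dropping the NULL guard itself is fine because cJSON_Delete accepts NULL. Clear the field with the delete: `cJSON_Delete(attributeObj); query_obj->attributes = NULL; return;`. Removing the TSG_OBJ_IP_PROTOCOL early return means protocol queries now flow through the rest of http_get_scan_status, presumably intended now that the protocol hit path is recorded through merge_nth_scan; a one-line comment at the top of the function stating that would spare the next reader the archaeology. The body of http_get_scan_status continues past the hunk.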
@@ -1188,26 +1197,54 @@ int policy_verify_regex_expression(const char *expression) return maat_helper_verify_regex_expression(expression); } -int get_attributes_table_name(struct request_query_obj *request, int num, int Nth_scan, struct ip_data_ctx *ip_ctx, int tunnel_endpoint_x, cJSON *topObject) +static int get_ip_location_asn_table_name(struct ip_data_ctx *ip_ctx, int Nth_scan, cJSON *topObject) { - int i=0, j=0; - cJSON *attributeObj=NULL, *subchild=NULL; - /*ip location**/ - if(ip_ctx->Nth_scan[0] == Nth_scan) + int xret = 0; + if(ip_ctx->Nth_scan[NTH_SCAN_IP_SRC_LOCATION] == Nth_scan) { - cJSON_AddStringToObject(topObject, "tableName", "ATTR_SOURCE_IP"); - return 0; + cJSON_AddStringToObject(topObject, "tableName", "ATTR_SOURCE_LOCATION"); + goto finish; } - if(ip_ctx->Nth_scan[1] == Nth_scan) + if(ip_ctx->Nth_scan[NTH_SCAN_IP_DST_LOCATION] == Nth_scan) { - cJSON_AddStringToObject(topObject, "tableName", "ATTR_DESTINATION_IP"); - return 0; + cJSON_AddStringToObject(topObject, "tableName", "ATTR_DESTINATION_LOCATION"); + goto finish; + } + if(ip_ctx->Nth_scan[NTH_SCAN_IP_SRC_ASN] == Nth_scan) + { + cJSON_AddStringToObject(topObject, "tableName", "ATTR_SOURCE_ASN"); + goto finish; + } + if(ip_ctx->Nth_scan[NTH_SCAN_IP_DST_ASN] == Nth_scan) + { + cJSON_AddStringToObject(topObject, "tableName", "ATTR_DESTINATION_ASN"); + goto finish; + } + if(ip_ctx->Nth_scan[NTH_SCAN_IP_INTERNAL_ASN] == Nth_scan) + { + cJSON_AddStringToObject(topObject, "tableName", "ATTR_INTERNAL_ASN"); + goto finish; + } + if(ip_ctx->Nth_scan[NTH_SCAN_IP_EXTERNAL_ASN] == Nth_scan) + { + cJSON_AddStringToObject(topObject, "tableName", "ATTR_EXTERNAL_ASN"); + goto finish; } - /**ip protocol*/ - if(ip_ctx->Nth_scan[2] == Nth_scan) + return xret; +finish: + xret = 1; + return xret; +} + +int get_attributes_table_name(struct request_query_obj *request, int num, int Nth_scan, struct ip_data_ctx *ip_ctx, int tunnel_endpoint_x, cJSON *topObject) +{ + int i=0, j=0; + cJSON *attributeObj=NULL, 
*subchild=NULL; + + /*ip location**/ + if(get_ip_location_asn_table_name(ip_ctx, Nth_scan, topObject)) { - cJSON_AddStringToObject(topObject, "tableName", "ATTR_IP_PROTOCOL"); return 0; } @@ -1235,7 +1272,6 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz bool succeeded = false; size_t rules=0, i=0,j=0; int result_config[MAX_SCAN_RESULT] = {0}; - int result_object_id[512] = {0}; int vsys_id = verify_policy->vsys_id; int compile_table_id = verify_policy->compile_table_id; @@ -1283,7 +1319,7 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz } cJSON_AddItemToArray(hit_obj, policy_obj); result_config[i] = ctx->hit_rules[i].config_id; - memset(result_object_id, 0, sizeof(result_object_id)); + struct maat_hit_path result_hit_path[MAX_SCAN_RESULT]={0}; int result_cnt=0; topObjectList=cJSON_CreateArray(); cJSON_AddItemToObject(policy_obj, "topObjectList", topObjectList); @@ -1291,15 +1327,25 @@ int http_hit_policy_list(struct verify_policy_query *verify_policy, int num, siz { if(ctx->hit_path[j].compile_id > 0 && ctx->hit_path[j].compile_id == ctx->hit_rules[i].config_id) { + if(hit_rule_match_is_duplicate(result_hit_path, ctx->hit_path[j], result_cnt)) + { + continue; + } + else + { + memcpy(&result_hit_path[result_cnt], &ctx->hit_path[j], sizeof(struct maat_hit_path)); + result_cnt++; + } + #if 0 if(http_hit_policy_match(result_object_id, j, ctx->hit_path[j].top_group_id)) { continue; } + #endif topObject=cJSON_CreateObject(); cJSON_AddNumberToObject(topObject, "objectId", ctx->hit_path[j].top_group_id); cJSON_AddNumberToObject(topObject, "notFlag", ctx->hit_path[j].NOT_flag); cJSON_AddNumberToObject(topObject, "nthClause", ctx->hit_path[j].clause_index); - result_object_id[j] = ctx->hit_path[j].top_group_id; get_attributes_table_name(verify_policy->request_object, num, ctx->hit_path[j].Nth_scan, &ctx->ip_ctx, ctx->tunnel_endpoint_x, topObject); cJSON_AddItemToArray(topObjectList, topObject); } 
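Review bot: In get_ip_location_asn_table_name the `goto finish` / `xret` ladder is a roundabout spelling of `return 1;`, and the six near-identical `if` blocks are the `enum nth_scan_type` order written out by hand, so every future scan kind needs another copy. A lookup table indexed by the enum keeps the mapping in one place; the loop must keep the ladder's first-match behaviour, and the relative order of NTH_SCAN_IP_SRC_ASN and NTH_SCAN_IP_DST_ASN changes, which only matters if two slots can hold the same scan count (the initial value of a never-scanned slot is set outside this hunk, so confirm before switching). The function lies entirely within the hunk; get_attributes_table_name below it continues past the hunk.
```cpp
/* Virtual table name per scan kind; order follows enum nth_scan_type. */
static const char *const nth_scan_table_name[NTH_SCAN_MAX] = {
    "ATTR_SOURCE_LOCATION",      /* NTH_SCAN_IP_SRC_LOCATION */
    "ATTR_DESTINATION_LOCATION", /* NTH_SCAN_IP_DST_LOCATION */
    "ATTR_DESTINATION_ASN",      /* NTH_SCAN_IP_DST_ASN */
    "ATTR_SOURCE_ASN",           /* NTH_SCAN_IP_SRC_ASN */
    "ATTR_INTERNAL_ASN",         /* NTH_SCAN_IP_INTERNAL_ASN */
    "ATTR_EXTERNAL_ASN",         /* NTH_SCAN_IP_EXTERNAL_ASN */
};

/* Returns 1 and sets "tableName" on topObject when Nth_scan is the count recorded
 * for one of the IP location/ASN scans, 0 otherwise. First match wins. */
static int get_ip_location_asn_table_name(struct ip_data_ctx *ip_ctx, int Nth_scan, cJSON *topObject)
{
    for(int kind = 0; kind < NTH_SCAN_MAX; kind++)
    {
        if(ip_ctx->Nth_scan[kind] == Nth_scan)
        {
            cJSON_AddStringToObject(topObject, "tableName", nth_scan_table_name[kind]);
            return 1;
        }
    }
    return 0;
}
```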
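Review bot: `result_hit_path[result_cnt]` is written with `result_cnt++` and no bound, while `j` walks `ctx->hit_path`, whose capacity (HIT_PATH_SIZE, per the ip_asn_scan hunk) is not visibly tied to MAX_SCAN_RESULT; if more than MAX_SCAN_RESULT distinct hit paths share one config_id the memcpy runs off the end of the stack array. Guard the copy, e.g. `if(result_cnt >= MAX_SCAN_RESULT) break;` (or log and stop) before the memcpy, and delete the `#if 0` block around http_hit_policy_match rather than keeping dead code next to its replacement. A short comment on the `struct maat_hit_path result_hit_path[MAX_SCAN_RESULT]={0};` line, `/* hit paths already emitted for this rule; dedup is by (vtable_id, top_group_id) */`, would also explain why result_object_id was dropped. The loop bounds and the enclosing http_hit_policy_list body start and end outside the hunk.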
@@ -1396,7 +1442,7 @@ int ip_location_scan(struct policy_scan_ctx *ctx, int vsys_id, struct ip_addr *s if(scan_ret >= MAAT_SCAN_OK) { ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); - ctx->ip_ctx.Nth_scan[1] = maat_state_get_scan_count(ctx->scan_mid); + ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_DST_LOCATION] = maat_state_get_scan_count(ctx->scan_mid); } } if(ip_location_client!=NULL) @@ -1438,7 +1484,7 @@ int ip_location_scan(struct policy_scan_ctx *ctx, int vsys_id, struct ip_addr *s if(scan_ret >= MAAT_SCAN_OK) { ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); - ctx->ip_ctx.Nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); + ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_SRC_LOCATION] = maat_state_get_scan_count(ctx->scan_mid); } } @@ -1449,17 +1495,19 @@ int ip_location_scan(struct policy_scan_ctx *ctx, int vsys_id, struct ip_addr *s return hit_cnt_ip; } -int ip_asn_scan(struct policy_scan_ctx * ctx, int vsys_id, struct ip_addr* sip, struct ip_addr* dip, int hit_cnt) +int ip_asn_scan(struct policy_scan_ctx * ctx, int vsys_id, int table_id, struct ip_addr* sip, struct ip_addr* dip, int hit_cnt) { size_t n_hit_result=0; - int scan_ret=0, hit_cnt_ip=0; + int scan_ret=0, hit_cnt_ip=0, Nth_scan_cnt=0; + struct maat_hit_path hit_path[HIT_PATH_SIZE]; struct ip_data_table* ip_asn_client=NULL, *ip_asn_server=NULL; if(!g_policy_rt->load_ip_location) { return 0; } - + + memset(hit_path, 0, sizeof(struct maat_hit_path)*HIT_PATH_SIZE); maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_USER_DEFINED], sip, (void **)&ip_asn_client, 1); maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_USER_DEFINED], dip, (void **)&ip_asn_server, 1); 
@@ -1472,46 +1520,91 @@ int ip_asn_scan(struct policy_scan_ctx * ctx, int vsys_id, struct ip_addr* sip, maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id], g_policy_rt->profile_table_id[PROFILE_ASN_BUILT_IN], dip,(void **)&ip_asn_server, 1); } + struct maat_hit_group hit_group; if(ip_asn_server!=NULL) { ctx->ip_ctx.asn_server=strdup(ip_asn_server->asn); ctx->ip_ctx.organization_server=strdup(ip_asn_server->organization); - scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_DST_ASN], - ip_asn_server->asn, strlen(ip_asn_server->asn), - ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, - &n_hit_result, ctx->scan_mid); + memset(&hit_group, 0, sizeof(hit_group)); + hit_group.group_id=ip_asn_server->group_id; + if(table_id == TSG_OBJ_DESTINATION_ADDR) + { + table_id = TSG_OBJ_IP_DST_ASN; + } + else + { + table_id = (table_id==TSG_OBJ_INTERNAL_ADDR)?TSG_OBJ_INTERNAL_ASN:TSG_OBJ_EXTERNAL_ADDR; + } + scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, + ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid); if(scan_ret == MAAT_SCAN_HIT) { hit_cnt_ip+=n_hit_result; } - scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_DST_ASN], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, + scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt_ip+=n_hit_result; } + if(scan_ret >= MAAT_SCAN_OK) + { + ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); + if(table_id == TSG_OBJ_IP_DST_ASN) + { + ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_DST_ASN] = maat_state_get_scan_count(ctx->scan_mid); + } + else + { + Nth_scan_cnt = (table_id == 
TSG_OBJ_INTERNAL_ASN) ? NTH_SCAN_IP_INTERNAL_ASN : NTH_SCAN_IP_EXTERNAL_ASN; + ctx->ip_ctx.Nth_scan[Nth_scan_cnt] = maat_state_get_scan_count(ctx->scan_mid); + } + } } if(ip_asn_client!=NULL) { ctx->ip_ctx.asn_client=strdup(ip_asn_client->asn); ctx->ip_ctx.organization_client=strdup(ip_asn_client->organization); - scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_SRC_ASN], - ip_asn_client->asn, strlen(ip_asn_client->asn), - ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, - &n_hit_result, ctx->scan_mid); + memset(&hit_group, 0, sizeof(hit_group)); + hit_group.group_id=ip_asn_client->group_id; + + if(table_id == TSG_OBJ_SOURCE_ADDR) + { + table_id = TSG_OBJ_IP_SRC_ASN; + } + else + { + table_id = (table_id==TSG_OBJ_INTERNAL_ADDR)?TSG_OBJ_INTERNAL_ASN:TSG_OBJ_EXTERNAL_ADDR; + } + scan_ret=maat_scan_group(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], &hit_group, 1, + ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid); if(scan_ret == MAAT_SCAN_HIT) { hit_cnt_ip+=n_hit_result; } - scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[TSG_OBJ_IP_SRC_ASN], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, + scan_ret = maat_scan_not_logic(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], ctx->result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid); if (scan_ret == MAAT_SCAN_HIT) { hit_cnt_ip+=n_hit_result; } + if(scan_ret >= MAAT_SCAN_OK) + { + ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, HIT_PATH_SIZE); + + if(table_id == TSG_OBJ_IP_SRC_ASN) + { + ctx->ip_ctx.Nth_scan[NTH_SCAN_IP_SRC_ASN] = maat_state_get_scan_count(ctx->scan_mid); + } + else + { + Nth_scan_cnt = (table_id == TSG_OBJ_INTERNAL_ASN) ? 
NTH_SCAN_IP_INTERNAL_ASN : NTH_SCAN_IP_EXTERNAL_ASN; + ctx->ip_ctx.Nth_scan[Nth_scan_cnt] = maat_state_get_scan_count(ctx->scan_mid); + } + } } if(ip_asn_server) ip_table_free(ip_asn_server); @@ -1537,7 +1630,6 @@ static int group_scan(struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, str { hit_cnt_group+=n_hit_result; } - return hit_cnt_group; } @@ -1845,7 +1937,7 @@ static int get_group_id_by_protocol(int protocol) return group_id; } -static int protocol_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt, int virtual_method) +static int protocol_scan(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int hit_cnt) { int n_read=0; int scan_ret=0, hit_cnt_protocol=0; @@ -1861,16 +1953,8 @@ static int protocol_scan(struct request_query_obj *request, struct policy_scan_c hit_cnt_protocol+=scan_ret; } n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, HIT_PATH_SIZE); - if(virtual_method) - { - request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); - ctx->n_read=n_read; - } - else - { - ctx->ip_ctx.Nth_scan[2] = maat_state_get_scan_count(ctx->scan_mid); - ctx->ip_protocol_num++; - } + request->merge_nth_scan[0] = maat_state_get_scan_count(ctx->scan_mid); + ctx->n_read=n_read; } return hit_cnt_protocol; } @@ -1882,12 +1966,6 @@ static int ip_addr_scan(struct request_query_obj *request, struct policy_scan_ct size_t n_hit_result=0; int table_id = request->table_id; - scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt, 0); - if(scan_ret > 0) - { - hit_cnt_ip+=scan_ret; - } - if (request->ip_addr->addrtype == ADDR_TYPE_IPV4) { if(0 == strcasecmp(request->attri_name, "source") || 0 == strcasecmp(request->attri_name, "internal")) 
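Review bot: In both branches of ip_asn_scan the fallback `table_id = (table_id==TSG_OBJ_INTERNAL_ADDR)?TSG_OBJ_INTERNAL_ASN:TSG_OBJ_EXTERNAL_ADDR;` looks like a typo for the TSG_OBJ_EXTERNAL_ASN this commit introduces: as written, an external-address request scans the ASN group against `scan_table_id[TSG_OBJ_EXTERNAL_ADDR]` while recording the hit under NTH_SCAN_IP_EXTERNAL_ASN. The server branch also overwrites the `table_id` parameter before the client branch tests it, so for a TSG_OBJ_SOURCE_ADDR request with both lookups populated the client branch compares the already-mapped value, never equals TSG_OBJ_SOURCE_ADDR, and falls into the same fallback instead of TSG_OBJ_IP_SRC_ASN. Derive the two scan tables from the caller's table_id once, before either branch, and leave the parameter untouched, as sketched below. The local `hit_path` array is filled by maat_state_get_hit_paths in both branches but never read afterwards; if only the scan count is wanted, a comment saying so (or writing into ctx->hit_path as protocol_scan does) would make that deliberate. ip_asn_scan's signature is in the preceding hunk and its tail lies past this one.
```cpp
/* Map the requested address object to its ASN scan tables once; the parameter is not reused as scratch. */
int server_table = (table_id == TSG_OBJ_DESTINATION_ADDR) ? TSG_OBJ_IP_DST_ASN
                 : (table_id == TSG_OBJ_INTERNAL_ADDR)    ? TSG_OBJ_INTERNAL_ASN
                                                           : TSG_OBJ_EXTERNAL_ASN;
int client_table = (table_id == TSG_OBJ_SOURCE_ADDR)      ? TSG_OBJ_IP_SRC_ASN
                 : (table_id == TSG_OBJ_INTERNAL_ADDR)    ? TSG_OBJ_INTERNAL_ASN
                                                           : TSG_OBJ_EXTERNAL_ASN;
// … unchanged: server branch, with server_table in place of every table_id use …
// … unchanged: client branch, with client_table in place of every table_id use …
```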
@@ -1996,12 +2074,6 @@ static int port_scan(struct request_query_obj *request, struct policy_scan_ctx * int table_id = request->table_id; int port = atoi(request->string); - scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt, 0); - if(scan_ret > 0) - { - hit_cnt_port+=scan_ret; - } - scan_ret=maat_scan_integer(g_policy_rt->feather[vsys_id], g_policy_rt->scan_table_id[table_id], port, ctx->result+hit_cnt+hit_cnt_port, MAX_SCAN_RESULT-hit_cnt-hit_cnt_port, &n_hit_result, ctx->scan_mid); if(scan_ret == MAAT_SCAN_HIT) @@ -2049,7 +2121,7 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer { hit_cnt+=scan_ret; } - scan_ret = ip_asn_scan(ctx, vsys_id, &source_ip, &dest_ip, hit_cnt); + scan_ret = ip_asn_scan(ctx, vsys_id, table_id, &source_ip, &dest_ip, hit_cnt); if(scan_ret > 0) { hit_cnt+=scan_ret; @@ -2061,7 +2133,7 @@ size_t policy_verify_scan(int vsys_id, int compile_table_id, struct request_quer } goto decide; case TSG_OBJ_IP_PROTOCOL: - scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt, 1); + scan_ret = protocol_scan(request, ctx, vsys_id, hit_cnt); if(scan_ret > 0) { hit_cnt+=scan_ret; @@ -2322,6 +2394,8 @@ static void common_table_name_int(const char *table_name[__TSG_OBJ_MAX]) table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI"; table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI"; table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL"; + table_name[TSG_OBJ_INTERNAL_ASN]="ATTR_INTERNAL_ASN"; + table_name[TSG_OBJ_EXTERNAL_ASN]="ATTR_EXTERNAL_ASN"; return; } diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp index ac2c798..26837ad 100644 --- a/platform/src/verify_policy.cpp +++ b/platform/src/verify_policy.cpp 
@@ -143,6 +143,8 @@ int protoco_field_type_str2idx(const char *action_str, char *buff, char **p) table_name[TSG_OBJ_SSL_ESNI]="ATTR_SSL_ESNI"; table_name[TSG_OBJ_SSL_NO_SNI]="ATTR_SSL_NO_SNI"; table_name[TSG_OBJ_TUNNEL_LEVEL]="ATTR_TUNNEL_LEVEL"; + table_name[TSG_OBJ_INTERNAL_ASN]="ATTR_INTERNAL_ASN"; + table_name[TSG_OBJ_EXTERNAL_ASN]="ATTR_EXTERNAL_ASN"; size_t i = 0; for (i = 0; i < __TSG_OBJ_MAX; i++) @@ -245,6 +247,12 @@ static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attri const char *Ip=NULL; unsigned int Port=0; + if(attributeName==NULL) + { + mesa_runtime_log(RLOG_LV_FATAL, "The attributeType is of type iP, but the attributeName is empty, resulting in IP type parsing failure."); + return NULL; + } + item = cJSON_GetObjectItem(attributeValue,"ip"); if(item && item->type==cJSON_String) Ip = item->valuestring; item = cJSON_GetObjectItem(attributeValue,"port"); @@ -254,6 +262,12 @@ static struct ipaddr * get_ip_from_json(cJSON *attributeValue, const char *attri item=cJSON_GetObjectItem(attributeValue,"addrType"); if(item && item->type==cJSON_Number) addr_type = item->valueint; + if(strcasecmp(attributeName, "ip_protocol") == 0) + { + mesa_runtime_log(RLOG_LV_INFO, " [I] %s, protocol=%d", buff, *protocol); + return NULL; + } + struct ipaddr *ip_addr = NULL; if(strcasecmp(attributeName, "source") == 0 || strcasecmp(attributeName, "internal") == 0 || strcasecmp(attributeName, "tunnel_endpointa") == 0 || strcasecmp(attributeName, "tunnel_endpointb") == 0) diff --git a/resource/table_info.conf b/resource/table_info.conf index a9fa5b9..f69ee34 100644 --- a/resource/table_info.conf +++ b/resource/table_info.conf 
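Review bot: The `table_name[...]="ATTR_..."` list in protoco_field_type_str2idx is the same mapping that common_table_name_int in verify_matcher.cpp builds, and this commit has to add TSG_OBJ_INTERNAL_ASN and TSG_OBJ_EXTERNAL_ASN in both places; each fills a local array by hand, so the two can drift without any compiler help. Keep a single definition next to `enum tsg_obj_table` in verify_policy.h (for example `static const char *const tsg_obj_attr_name[__TSG_OBJ_MAX]`) or have protoco_field_type_str2idx call common_table_name_int, and mark the enum with `/* keep in step with tsg_obj_attr_name[] */`. protoco_field_type_str2idx begins before and ends after this hunk.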
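Review bot: get_ip_from_json now returns NULL for an `ip_protocol` attribute, the same value it returns when attributeName is missing, so a caller cannot distinguish "this attribute carries no address" from "parse failed"; the caller is outside this hunk, so confirm it treats NULL from an ip_protocol attribute as success. The new test also runs after the ip/port/addrType items have already been read, and its log dereferences `protocol`, whose nullness is not checked in this hunk. Move the ip_protocol check up beside the attributeName guard and say what NULL means there, e.g. `/* ip_protocol attributes carry no address: NULL is not an error here; protocol is expected to be set already (confirm with caller) */`. The FATAL message text "is of type iP" should read `"is of type IP"`. get_ip_from_json starts before and continues past the hunk.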
@@ -620,28 +620,28 @@ }, { "table_id":59, - "table_name":"TSG_IP_ASN_BUILT_IN", + "table_name":"TSG_OBJ_IP_ASN_BUILT_IN", "table_type":"ip_plugin", - "valid_column":19, + "valid_column":8, "custom": { "item_id":1, + "group_id":2, "ip_type":3, "start_ip":4, - "end_ip":5, - "addr_format":7 + "end_ip":5 } }, { "table_id":60, - "table_name":"TSG_IP_ASN_USER_DEFINED", + "table_name":"TSG_OBJ_IP_ASN_USER_DEFINED", "table_type":"ip_plugin", - "valid_column":19, + "valid_column":8, "custom": { "item_id":1, + "group_id":2, "ip_type":3, "start_ip":4, - "end_ip":5, - "addr_format":7 + "end_ip":5 } }, { @@ -1023,5 +1023,17 @@ "table_name":"ATTR_TUNNEL_LEVEL", "table_type":"virtual", "physical_table": "TSG_TUNNEL_CATALOG" + }, + { + "table_id":106, + "table_name":"ATTR_INTERNAL_ASN", + "table_type":"virtual", + "physical_table": "TSG_OBJ_AS_NUMBER" + }, + { + "table_id":107, + "table_name":"ATTR_EXTERNAL_ASN", + "table_type":"virtual", + "physical_table": "TSG_OBJ_AS_NUMBER" } ]
\ No newline at end of file |
