authorfengweihao <[email protected]>2020-08-06 10:32:47 +0800
committerfengweihao <[email protected]>2020-08-06 10:32:47 +0800
commit078228c53cec40d61f50e7a704782b6ebabcedc3 (patch)
treee56715c36970b108fd2343732eb5776a88f52497
parentafab73ad5f87a945d3b8018ead6ce5a99a1c5eed (diff)
TSG-2620 策略验证支持quic协议
-rw-r--r--common/include/verify_policy.h1
-rw-r--r--platform/src/verify_policy.cpp5
-rw-r--r--resource/table_info_security.conf47
-rw-r--r--scan/src/pangu_http.cpp9
4 files changed, 33 insertions, 29 deletions
diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h
index d548b0b..6e4ee8b 100644
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -55,6 +55,7 @@ enum security_scan_table
PXY_SECURITY_HTTPS_CN,
PXY_SECURITY_HTTPS_SAN,
PXY_SECURITY_DNS_QNAME,
+ PXY_SECURITY_QUIC_SNI,
PXY_SECURITY_MAIL_ACCOUNT,
PXY_SECURITY_MAIL_FROM,
PXY_SECURITY_MAIL_TO,
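Review bot: Inserting PXY_SECURITY_QUIC_SNI ahead of PXY_SECURITY_MAIL_ACCOUNT renumbers every later enumerator, which appears to be why resource/table_info_security.conf shifts ids 21–43 to 22–44 and both table_name[] arrays receive a new entry in this same commit. That coupling is invisible at the enum itself; a comment above it such as `/* order must match the ids in resource/table_info_security.conf and the table_name[] arrays in verify_policy.cpp and pangu_http.cpp */` would warn the next person adding a field. Whether any other code or stored policy data uses these numeric values is not visible here and is worth confirming before the renumbering ships. enum security_scan_table starts before this hunk.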
diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp
index 19193cf..fa07442 100644
--- a/platform/src/verify_policy.cpp
+++ b/platform/src/verify_policy.cpp
@@ -81,6 +81,7 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_str, char *buff, char **p)
{
const char * table_name[__SECURITY_TABLE_MAX] ={0};
+ size_t max = type != PXY_TABLE_MANIPULATION ? (int)PXY_SECURITY_APP_ID : (int)PXY_CTRL_DOH_HOST;
switch(type)
{
@@ -112,6 +113,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
+ table_name[PXY_SECURITY_QUIC_SNI] = "TSG_FIELD_QUIC_SNI";
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
@@ -130,8 +132,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
break;
}
size_t i = 0;
-
- for (i = 0; i < sizeof(table_name) / sizeof(const char *); i++)
+ for (i = 0; i <= max; i++)
{
if (0 == strcasecmp(action_str, table_name[i]))
break;
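Review bot: The bounded loop still calls strcasecmp() on table_name[i] without a NULL check, yet table_name is zero-initialized and only the entries assigned in the switch (second hunk) are non-NULL, so any index up to max that a given type leaves unset hands a null pointer to strcasecmp(). A guard fixes it: `if (table_name[i] && 0 == strcasecmp(action_str, table_name[i]))`. The change also alters what i holds on a miss: the old loop left i at sizeof(table_name)/sizeof(const char *), the new one leaves it at max + 1, so the code after the loop (outside this hunk) presumably compares i against the old bound and needs re-checking. Assigning `(int)` casts into a `size_t` on the `max` line in the first hunk mixes signedness for no gain; the casts can go. protoco_field_type_str2idx starts in the first hunk of this file and its body continues past this one.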
diff --git a/resource/table_info_security.conf b/resource/table_info_security.conf
index 86d997d..80f2464 100644
--- a/resource/table_info_security.conf
+++ b/resource/table_info_security.conf
@@ -30,29 +30,30 @@
18 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN --
19 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN --
20 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN --
-21 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
-22 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
-23 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
-24 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
-25 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
-26 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
-27 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
-28 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
-29 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
-30 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
-31 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
-32 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
-33 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
-34 TSG_IP_ASN_BUILT_IN ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
-35 TSG_IP_ASN_USER_DEFINED ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
-36 TSG_IP_LOCATION_BUILT_IN ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
-37 TSG_IP_LOCATION_USER_DEFINED ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
-38 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
-39 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
-40 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
-41 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
-42 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
-43 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
+21 TSG_FIELD_QUIC_SNI virtual TSG_OBJ_FQDN --
+22 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
+23 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
+24 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
+25 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
+26 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
+27 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
+28 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
+29 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
+30 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
+31 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
+32 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
+33 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
+34 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
+35 TSG_IP_ASN_BUILT_IN ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
+36 TSG_IP_ASN_USER_DEFINED ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
+37 TSG_IP_LOCATION_BUILT_IN ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
+38 TSG_IP_LOCATION_USER_DEFINED ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
+39 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
+40 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
+41 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
+42 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
+43 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
+44 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
diff --git a/scan/src/pangu_http.cpp b/scan/src/pangu_http.cpp
index 43de1d6..1d1e197 100644
--- a/scan/src/pangu_http.cpp
+++ b/scan/src/pangu_http.cpp
@@ -576,7 +576,7 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
if(ip_location_server!=NULL)
{
memset(buff,0,sizeof(buff));
- snprintf(buff, sizeof(buff), "%s,%s,%s", ip_location_server->city_full, ip_location_server->province_full, ip_location_server->country_full);
+ snprintf(buff, sizeof(buff), "%s,%s", ip_location_server->city_full,ip_location_server->country_full);
ctx->ip_ctx.location_server=strdup(buff);
ip_location_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_DST_LOCATION : (int)PXY_CTRL_IP_DST_LOCATION;
@@ -594,7 +594,7 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
if(ip_location_client!=NULL)
{
memset(buff,0,sizeof(buff));
- snprintf(buff, sizeof(buff), "%s,%s,%s", ip_location_client->city_full, ip_location_client->province_full, ip_location_client->country_full);
+ snprintf(buff, sizeof(buff), "%s,%s", ip_location_client->city_full, ip_location_client->country_full);
ctx->ip_ctx.location_client=strdup(buff);
ip_location_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_SRC_LOCATION : (int)PXY_CTRL_IP_SRC_LOCATION;
@@ -603,7 +603,7 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
snprintf(buff, sizeof(buff), "%s.%s.", ip_location_client->country_full, ip_location_client->city_full);
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][ip_location_table],
CHARSET_GBK, buff, strlen(buff),
- result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
+ result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
&(ctx->scan_mid), (int) thread_id);
if(scan_ret>0)
{
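Review bot: The remaining-capacity argument `MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip` on the new line has no guard that hit_cnt + hit_cnt_ip is still below MAX_SCAN_RESULT; if the earlier scans in http_ip_location_scan (outside this hunk) can together fill the result array, the capacity becomes zero or, depending on the operand types, negative, while `result+hit_cnt+hit_cnt_ip` points at or past the end of the array. A check before the call, `if (hit_cnt + hit_cnt_ip >= MAX_SCAN_RESULT)` followed by the function's existing no-room exit, keeps the write bounded. The same applies to the hunk at @@ -660,7 +660,7 @@ in http_ip_asn_scan. The declarations of hit_cnt and hit_cnt_ip are not visible here, so whether the subtraction is signed is inferred.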
@@ -660,7 +660,7 @@ int http_ip_asn_scan(struct Maat_rule_t *result, struct ip_address* sip, struct
ip_asn_table = (policy_type == PXY_TABLE_SECURITY) ? (int)PXY_SECURITY_IP_SRC_ASN : (int)PXY_CTRL_IP_SRC_ASN;
scan_ret = Maat_full_scan_string(g_pangu_rt->maat[policy_type], g_pangu_rt->scan_table_id[policy_type][ip_asn_table],
CHARSET_UTF8, ip_asn_client->asn, strlen(ip_asn_client->asn),
- result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
+ result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
&(ctx->scan_mid), (int) thread_id);
if(scan_ret>0)
{
@@ -984,6 +984,7 @@ int security_policy_init(struct verify_policy * verify, const char* profile_path
table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
table_name[PXY_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
+ table_name[PXY_SECURITY_QUIC_SNI] = "TSG_FIELD_QUIC_SNI";
table_name[PXY_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[PXY_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
table_name[PXY_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
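Review bot: The security table_name[] mapping is now maintained in two places — here in security_policy_init and in protoco_field_type_str2idx in platform/src/verify_policy.cpp — and both had to receive the identical `table_name[PXY_SECURITY_QUIC_SNI] = "TSG_FIELD_QUIC_SNI";` line. A single shared table, defined once in platform/src/verify_policy.cpp and declared `extern` in common/include/verify_policy.h next to enum security_scan_table, would make a future field addition a one-line change and remove the chance of the two copies disagreeing, which would silently bind a policy field to the wrong scan table. security_policy_init's body starts and ends outside this hunk.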