authorfengweihao <[email protected]>2023-03-30 19:50:00 +0800
committerfengweihao <[email protected]>2023-03-30 19:50:00 +0800
commit528725397659c8cb99661f980c5a3aca7619ff76 (patch)
tree0fbf5b6a3cb044a1e737528cac2b793d6d98a119
parent92e9c25946b952c7209ab2f7135451e0ea58a928 (diff)
TSG-13721 策略验证支持MAAT4v3.0.0
-rw-r--r--CMakeLists.txt2
-rw-r--r--ci/travis.sh2
-rw-r--r--common/include/verify_policy.h70
-rw-r--r--common/include/verify_policy_logging.h8
-rw-r--r--common/include/verify_policy_utils.h2
-rw-r--r--common/src/verify_policy_logging.cpp15
-rw-r--r--platform/CMakeLists.txt4
-rw-r--r--platform/src/verify_matcher.cpp (renamed from scan/src/policy_scan.cpp)1033
-rw-r--r--platform/src/verify_policy.cpp151
-rw-r--r--resource/table_info_proxy.conf450
-rw-r--r--resource/table_info_security.conf755
-rw-r--r--scan/CMakeLists.txt6
-rw-r--r--scan/include/policy_scan.h13
-rw-r--r--vendor/CMakeLists.txt2
14 files changed, 1798 insertions, 715 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 766a001..e425d60 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -53,4 +53,4 @@ enable_testing()
add_subdirectory(vendor)
add_subdirectory(common)
add_subdirectory(platform)
-add_subdirectory(scan)
+
diff --git a/ci/travis.sh b/ci/travis.sh
index 5f0b6f1..0ade55e 100644
--- a/ci/travis.sh
+++ b/ci/travis.sh
@@ -33,7 +33,7 @@ env | sort
: "${COMPILER_IS_GNUCXX:=OFF}"
# Install dependency from YUM
-yum install -y libcjson-devel libmaatframe-devel libMESA_handle_logger-devel librulescan-devel libMESA_prof_load-devel sapp-devel
+yum install -y libcjson-devel libmaat4-devel libMESA_handle_logger-devel libMESA_prof_load-devel sapp-devel
mkdir build || true
cd build
diff --git a/common/include/verify_policy.h b/common/include/verify_policy.h
index 2b152f0..c8d2733 100644
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -13,15 +13,15 @@
struct breakpad_instance;
-#define TRAFFIC_VSYS_ID_MAX 255
+#define VSYS_ID_MAX 255
-enum verify_policy_type
+enum compile_table_typle
{
TSG_TABLE_SECURITY,
PXY_TABLE_MANIPULATION,
- PXY_TABLE_DEFENCE,
TSG_TRAFFIC_SHAPING,
TSG_SERVICE_CHAINGNG,
+ PXY_TABLE_DEFENCE,
__SCAN_POLICY_MAX
};
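Review bot: Moving `PXY_TABLE_DEFENCE` to the end renumbers `TSG_TRAFFIC_SHAPING` and `TSG_SERVICE_CHAINGNG` (from 2 and 3 to 1 and 2), and these values index `feather[VSYS_ID_MAX][__SCAN_POLICY_MAX]` and `compile_table_id[__SCAN_POLICY_MAX]` in the matcher; if any caller or config feed supplies the table type as a bare integer, it now selects a different table, so the reorder deserves a mention in the commit message. The new name `compile_table_typle` reads as a typo of `compile_table_type` and is now part of the public header. I'd add `/* order is load-bearing: values index the per-vsys feather and compile_table_id arrays */` above the enum.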
@@ -36,7 +36,8 @@ enum manipulate_sacn_table
PXY_CTRL_SOURCE_ADDR,
PXY_CTRL_DESTINATION_ADDR,
PXY_CTRL_HTTP_URL,
- PXY_CTRL_HTTP_FQDN,
+ PXY_CTRL_HTTP_HOST,
+ PXY_CTRL_HTTP_HOST_CAT,
PXY_CTRL_HTTP_REQ_HDR,
PXY_CTRL_HTTP_REQ_BODY,
PXY_CTRL_HTTP_RES_HDR,
@@ -45,6 +46,7 @@ enum manipulate_sacn_table
PXY_CTRL_APP_ID,
PXY_CTRL_DOH_QNAME,
PXY_CTRL_DOH_HOST,
+ PXY_CTRL_DOH_HOST_CAT,
PXY_CTRL_IMSI,
PXY_CTRL_PHONE_NUMBER,
PXY_CTRL_APN,
@@ -60,18 +62,23 @@ enum security_scan_table
TSG_SECURITY_SOURCE_ADDR,
TSG_SECURITY_DESTINATION_ADDR,
TSG_SECURITY_HTTP_URL,
- TSG_SECURITY_HTTP_FQDN,
+ TSG_SECURITY_HTTP_HOST,
+ TSG_SECURITY_HTTP_HOST_CAT,
TSG_SECURITY_HTTP_REQ_HDR,
TSG_SECURITY_HTTP_REQ_BODY,
TSG_SECURITY_HTTP_RES_HDR,
TSG_SECURITY_HTTP_RES_BODY,
TSG_SECURITY_SUBSCRIBE_ID,
TSG_SECURITY_APP_ID,
- TSG_SECURITY_HTTPS_SNI,
- TSG_SECURITY_HTTPS_CN,
- TSG_SECURITY_HTTPS_SAN,
+ TSG_SECURITY_SSL_SNI,
+ TSG_SECURITY_SSL_SNI_CAT,
+ TSG_SECURITY_SSL_CN,
+ TSG_SECURITY_SSL_CN_CAT,
+ TSG_SECURITY_SSL_SAN,
+ TSG_SECURITY_SSL_SAN_CAT,
TSG_SECURITY_DNS_QNAME,
TSG_SECURITY_QUIC_SNI,
+ TSG_SECURITY_QUIC_SNI_CAT,
TSG_SECURITY_MAIL_ACCOUNT,
TSG_SECURITY_MAIL_FROM,
TSG_SECURITY_MAIL_TO,
@@ -97,28 +104,6 @@ enum security_scan_table
__SECURITY_TABLE_MAX
};
-enum http_ev_bit_number
-{
- IP_BITNUM = 0,
- URL_BITNUM,
- FQDN_BITNUM,
- REQ_HDR_BITNUM,
- RESP_HDR_BITNUM,
- CONTENT_BITNUM,
- SUBSCRIBE_ID
-};
-
-enum policy_http_event
-{
- EV_HTTP_IP = 1ULL << IP_BITNUM,
- EV_HTTP_URL = 1ULL << URL_BITNUM,
- EV_HTTP_FQDN = 1ULL << FQDN_BITNUM,
- EV_HTTP_REQ_HDR = 1ULL << REQ_HDR_BITNUM,
- EV_HTTP_RESP_HDR = 1ULL << RESP_HDR_BITNUM,
- EV_HTTP_CONTENT = 1ULL << CONTENT_BITNUM,
- EV_HTTP_SUBSCRIBE_ID = 1ULL << SUBSCRIBE_ID,
-};
-
struct verify_policy_thread
{
int id;
@@ -141,15 +126,16 @@ struct verify_policy
struct verify_policy_thread *work_threads[VERIFY_ARRAY_MAX];
};
-struct verify_policy_query_obj
+struct request_query_obj
{
- int protocol_field;
+ int table_id;
int numeric;
char *keyword;
char *district;
char *attri_name;
+ int protocol;
struct ipaddr *ip_addr;
struct ipaddr *endpoint;
@@ -169,25 +155,19 @@ struct verify_policy_query_obj
struct verify_policy_query
{
int vsys_id;
- int shaping;
- enum verify_policy_type type;
- struct verify_policy_query_obj verify_object[32];
+ enum compile_table_typle table_typle;
+ struct request_query_obj verify_object[32];
};
extern struct verify_policy * g_verify_proxy;
-void * pangu_http_ctx_new(unsigned int thread_id);
-
+void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, enum compile_table_typle table_typle, int compile_table_id);
void pangu_http_ctx_free(void * pme);
-
-size_t verify_policy_scan(int vsys_id, enum verify_policy_type policy_type, struct verify_policy_query_obj *query_obj, cJSON *data_obj, void *pme);
-
-void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, int shaping, cJSON *attributes, cJSON *data_obj, void *pme);
-
+size_t policy_verify_scan(int vsys_id, enum compile_table_typle policy_type, struct request_query_obj *query_obj, cJSON *data_obj, void *pme);
+void http_get_scan_status(struct request_query_obj *query_obj, int type, cJSON *attributes, cJSON *data_obj, void *pme);
+int proxy_policy_init(struct verify_policy * verify, const char* profile_path);
int security_policy_init(struct verify_policy * verify, const char* profile_path);
-
-int http_hit_policy_list(enum verify_policy_type policy_type, int shaping, size_t hit_cnt, cJSON *data_obj, void *pme);
-
+int http_hit_policy_list(int vsys_id, enum compile_table_typle policy_type, int compile_table_id, size_t hit_cnt, cJSON *data_obj, void *pme);
void verify_policy_tunnle_add(void * pme);
#endif
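Review bot: The constructor is renamed to `policy_scan_ctx_new` while its destructor keeps the name `pangu_http_ctx_free`, so the pair no longer reads as a pair, and neither prototype documents ownership or the valid ranges of `vsys_id` and `compile_table_id`, which index fixed-size arrays in the matcher. I'd put `/* vsys_id in [0, VSYS_ID_MAX), compile_table_id in [0, __SCAN_POLICY_MAX); the returned ctx is owned by the caller and released with pangu_http_ctx_free() */` above the two prototypes, and consider `policy_scan_ctx_free` with the old name kept as an alias for existing callers.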
diff --git a/common/include/verify_policy_logging.h b/common/include/verify_policy_logging.h
index bb44782..e2a65fe 100644
--- a/common/include/verify_policy_logging.h
+++ b/common/include/verify_policy_logging.h
@@ -29,9 +29,7 @@ extern RTLogInit2Data logging_sc_lid;
/* The maximum length of the log message */
#define RT_LOG_MAX_LOG_MSG_LEN 4096
-extern void mesa_logging_print(int log_level, const char *module, const char *msg);
-
-#define mesa_log(x, y, z, ...) do { \
+#define mesa_log(x, y, ...) do { \
char _sc_log_msg[RT_LOG_MAX_LOG_MSG_LEN] = ""; \
char *_sc_log_temp = _sc_log_msg; \
if ( !x ) \
@@ -40,11 +38,11 @@ extern void mesa_logging_print(int log_level, const char *module, const char *ms
(RT_LOG_MAX_LOG_MSG_LEN - \
(_sc_log_temp - _sc_log_msg)), \
__VA_ARGS__); \
- mesa_logging_print(y, z, _sc_log_msg); \
+ MESA_handle_runtime_log(logging_sc_lid.run_log_handle, y, __FUNCTION__, _sc_log_msg); \
} \
} while(0)
-#define mesa_runtime_log(level, module, ...) mesa_log(logging_sc_lid.debug_switch, level, module, __VA_ARGS__)
+#define mesa_runtime_log(level, ...) mesa_log(logging_sc_lid.debug_switch, level, __VA_ARGS__)
extern void * verify_syslog_init(const char *config);
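Review bot: The macro body now dereferences `logging_sc_lid.run_log_handle` and calls `MESA_handle_runtime_log` directly from a header, so every translation unit that expands `mesa_runtime_log` must have `MESA/MESA_handle_logger.h` and the `logging_sc_lid` declaration in scope — the old out-of-line `mesa_logging_print` hid that, and the include is not visible in this hunk, so confirm the header pulls it in. The module tag is also replaced by `__FUNCTION__`, which changes what downstream log filters see in that column; if anything keys on `MODULE_NAME` it silently stops matching. `y` is used unparenthesized inside the macro; `(y)` is safer if a level expression is ever passed.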
diff --git a/common/include/verify_policy_utils.h b/common/include/verify_policy_utils.h
index 68e6041..087a57d 100644
--- a/common/include/verify_policy_utils.h
+++ b/common/include/verify_policy_utils.h
@@ -52,6 +52,6 @@
char* rt_strdup(const char* s);
#define CHECK_OR_EXIT(condition, fmt, ...) \
-do { if(!(condition)) { mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, fmt, ##__VA_ARGS__); exit(EXIT_FAILURE); } } while(0) \
+do { if(!(condition)) { mesa_runtime_log(RLOG_LV_FATAL, fmt, ##__VA_ARGS__); exit(EXIT_FAILURE); } } while(0) \
#endif
diff --git a/common/src/verify_policy_logging.cpp b/common/src/verify_policy_logging.cpp
index 8fab9dc..2d77b6d 100644
--- a/common/src/verify_policy_logging.cpp
+++ b/common/src/verify_policy_logging.cpp
@@ -19,15 +19,8 @@
#include <MESA/MESA_prof_load.h>
#include <MESA/MESA_handle_logger.h>
-
RTLogInit2Data logging_sc_lid;
-void mesa_logging_print(int log_level, const char *module, const char *msg)
-{
- MESA_handle_runtime_log(logging_sc_lid.run_log_handle, log_level, (const char *)module, msg);
- return;
-}
-
void * verify_syslog_init(const char *config)
{
@@ -44,14 +37,14 @@ void * verify_syslog_init(const char *config)
logging_sc_lid.run_log_handle = MESA_create_runtime_log_handle("verify_policy", RLOG_LV_DEBUG);
if(logging_sc_lid.run_log_handle == NULL){
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Create log runtime_log_handle error, init failed!");
+ mesa_runtime_log(RLOG_LV_FATAL, "Create log runtime_log_handle error, init failed!");
goto finish;
}else{
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Log module initialization");
+ mesa_runtime_log(RLOG_LV_INFO, "Log module initialization");
}
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%d", "Log level", logging_sc_lid.run_log_level);
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%s", "Log Directory", logging_sc_lid.run_log_path);
+ mesa_runtime_log(RLOG_LV_INFO, "%s:%d", "Log level", logging_sc_lid.run_log_level);
+ mesa_runtime_log(RLOG_LV_INFO, "%s:%s", "Log Directory", logging_sc_lid.run_log_path);
return logging_sc_lid.run_log_handle;
finish:
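Review bot: On the `run_log_handle == NULL` branch, `mesa_runtime_log` now expands to `MESA_handle_runtime_log(logging_sc_lid.run_log_handle, ...)` with that handle still NULL, so the fatal message is written through a null handle and whether the library tolerates that is not visible here. Write this one message without the handle, e.g. `fprintf(stderr, "verify_policy: create runtime log handle failed\n");`, and keep the `goto finish`. `verify_syslog_init` continues outside this hunk.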
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index e6aaaa1..3b006f2 100644
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -2,11 +2,11 @@ if(COMMAND cmake_policy)
cmake_policy(SET CMP0003 NEW)
endif(COMMAND cmake_policy)
-add_executable(verify-policy src/verify_policy.cpp)
+add_executable(verify-policy src/verify_policy.cpp src/verify_matcher.cpp)
#target_include_directories(verify-policy PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include)
-target_link_libraries(verify-policy common policy_scan)
+target_link_libraries(verify-policy common cjson maatframe)
target_link_libraries(verify-policy pthread dl
libevent-static
MESA_handle_logger
diff --git a/scan/src/policy_scan.cpp b/platform/src/verify_matcher.cpp
index 8a39f63..d1ec97b 100644
--- a/scan/src/policy_scan.cpp
+++ b/platform/src/verify_matcher.cpp
@@ -11,7 +11,7 @@
#include <sys/types.h>
#include <pthread.h>
-#include <MESA/Maat_rule.h>
+#include <MESA/maat.h>
#include <MESA/MESA_handle_logger.h>
#include <MESA/MESA_prof_load.h>
#include <MESA/stream.h>
@@ -34,9 +34,8 @@ enum policy_action
PG_ACTION_REJECT = 0x10,
PG_ACTION_SHAPING = 0x20,
PG_ACTION_MANIPULATE = 0x30,
- PG_ACTION_SERVICE_CHAINING = 0x40,
- PG_ACTION_INLINE_DEVICE = 0x60,
- PG_ACTION_WHITELIST = 0x80,
+ PG_ACTION_WHITELIST = 0x60,
+ PX_ACTION_SHUNT = 0x80,
__PG_ACTION_MAX
};
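Review bot: `PX_ACTION_SHUNT` breaks the `PG_ACTION_` prefix used by every other member and by the `policy_action_weight` initialisation, which reads like a typo. Re-assigning `PG_ACTION_WHITELIST` from 0x80 to 0x60 and giving 0x80 to SHUNT means a compile-table row that still carries the old whitelist code would now be enforced as a shunt; if rows from an older feed can reach this build, that needs a migration or an explicit reject at load time. `PG_ACTION_SERVICE_CHAINING` is removed here while `TSG_SERVICE_CHAINGNG` survives as a table type, so it is unclear what action a service-chaining table now produces.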
@@ -118,18 +117,28 @@ struct tunnel_data_ctx
pthread_mutex_t lock;
};
-struct verify_policy_scan_ctx
+struct rule_data_ctx
+{
+ int ref_cnt;
+ int config_id;
+ int service_id;
+ unsigned char action;
+ pthread_mutex_t lock;
+};
+
+struct policy_scan_ctx
{
enum policy_action action;
char * action_para;
- scan_status_t scan_mid;
- stream_para_t sp;
+ struct maat_state *scan_mid;
size_t hit_cnt;
- struct Maat_rule_t result[MAX_SCAN_RESULT];
+ long long result[MAX_SCAN_RESULT];
+ struct rule_data_ctx *hit_rules;
+
size_t n_enforce;
- struct Maat_rule_t * enforce_rules;
+ struct rule_data_ctx * enforce_rules;
int n_read;
- struct Maat_hit_path_t hit_path[2048];
+ struct maat_hit_path hit_path[2048];
int tunnel_endpoint_x;
int bool_id_array_idx;
@@ -142,11 +151,12 @@ struct verify_policy_scan_ctx
struct verify_policy_rt
{
- Maat_feather_t maat[TRAFFIC_VSYS_ID_MAX][__SCAN_POLICY_MAX];
+ struct maat *feather[VSYS_ID_MAX][__SCAN_POLICY_MAX];
void * local_logger;
int log_level;
int thread_num;
- int plolicy_table_id[POLICY_PROFILE_TABLE_MAX];
+ int compile_table_id[__SCAN_POLICY_MAX];
+ int profile_table_id [POLICY_PROFILE_TABLE_MAX];
int scan_table_id[__SCAN_POLICY_MAX][__SECURITY_TABLE_MAX];
};
@@ -160,25 +170,30 @@ struct verify_policy_rt * g_policy_rt;
void verify_policy_tunnle_add(void * pme)
{
- struct verify_policy_scan_ctx * ctx = (struct verify_policy_scan_ctx *) pme;
+ struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
ctx->tunnel_endpoint_x++;
}
-
-void * pangu_http_ctx_new(unsigned int thread_id)
+void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, enum compile_table_typle table_typle, int compile_table_id)
{
- struct verify_policy_scan_ctx * ctx = ALLOC(struct verify_policy_scan_ctx, 1);
- ctx->scan_mid = NULL;
+ struct policy_scan_ctx * ctx = ALLOC(struct policy_scan_ctx, 1);
+ ctx->scan_mid = maat_state_new(g_policy_rt->feather[vsys_id][table_typle], thread_id);
ctx->thread_id = (int) thread_id;
+ maat_state_set_scan_compile_table(ctx->scan_mid, g_policy_rt->compile_table_id[compile_table_id]);
+
return (void *)ctx;
}
void pangu_http_ctx_free(void * pme)
{
- struct verify_policy_scan_ctx * ctx = (struct verify_policy_scan_ctx *) pme;
+ struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
- FREE(&ctx->enforce_rules);
- Maat_clean_status(&(ctx->scan_mid));
+ if(ctx->enforce_rules)
+ FREE(&ctx->enforce_rules);
+ if(ctx->hit_rules)
+ FREE(&ctx->hit_rules);
+
+ maat_state_free(ctx->scan_mid);
ctx->scan_mid = NULL;
struct ip_data_ctx *ip_ctx = &ctx->ip_ctx;
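Review bot: `policy_scan_ctx_new` indexes `g_policy_rt->feather[vsys_id][table_typle]` and `g_policy_rt->compile_table_id[compile_table_id]` with caller-supplied integers and no range check against `VSYS_ID_MAX` / `__SCAN_POLICY_MAX`, and the result of `maat_state_new` is passed straight to `maat_state_set_scan_compile_table` without a NULL check. `vsys_id` is a field of `verify_policy_query`, so if it arrives from the request an out-of-range value reads past the array, and an unconfigured vsys passes a NULL feather into the library. I would validate and fail closed as below, and make the callers handle a NULL return. `pangu_http_ctx_free` starts in this hunk but continues past it.
```cpp
void *policy_scan_ctx_new(unsigned int thread_id, int vsys_id, enum compile_table_typle table_typle, int compile_table_id)
{
    /* all three indices select entries of fixed-size arrays in g_policy_rt */
    if(vsys_id < 0 || vsys_id >= VSYS_ID_MAX ||
       (int)table_typle < 0 || table_typle >= __SCAN_POLICY_MAX ||
       compile_table_id < 0 || compile_table_id >= __SCAN_POLICY_MAX ||
       g_policy_rt->feather[vsys_id][table_typle] == NULL)
    {
        mesa_runtime_log(RLOG_LV_FATAL, "Reject scan ctx: vsys %d type %d table %d", vsys_id, (int)table_typle, compile_table_id);
        return NULL;
    }
    struct policy_scan_ctx * ctx = ALLOC(struct policy_scan_ctx, 1);
    ctx->scan_mid = maat_state_new(g_policy_rt->feather[vsys_id][table_typle], thread_id);
    if(ctx->scan_mid == NULL)
    {
        FREE(&ctx);
        return NULL;
    }
    ctx->thread_id = (int) thread_id;
    maat_state_set_scan_compile_table(ctx->scan_mid, g_policy_rt->compile_table_id[compile_table_id]);
    return (void *)ctx;
}
```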
@@ -194,28 +209,24 @@ void pangu_http_ctx_free(void * pme)
FREE(&ip_ctx->location_client);
if(ip_ctx->location_server)
FREE(&ip_ctx->location_server);
- if(ctx->sp)
- {
- Maat_stream_scan_string_end(&(ctx->sp));
- }
FREE(&ctx);
}
-static int pangu_action_weight[__PG_ACTION_MAX] = {0};
-void __pangu_action_weight_init() __attribute__((constructor, used));
-void __pangu_action_weight_init()
+static int policy_action_weight[__PG_ACTION_MAX] = {0};
+void __policy_action_weight_init() __attribute__((constructor, used));
+void __policy_action_weight_init()
{
- pangu_action_weight[PG_ACTION_NONE] = 0;
- pangu_action_weight[PG_ACTION_MONIT] = 1;
- pangu_action_weight[PG_ACTION_INTERCEPT] = 2;
- pangu_action_weight[PG_ACTION_MANIPULATE] = 3;
- pangu_action_weight[PG_ACTION_REJECT] = 4;
- pangu_action_weight[PG_ACTION_WHITELIST] = 5;
+ policy_action_weight[PG_ACTION_NONE] = 0;
+ policy_action_weight[PG_ACTION_MONIT] = 1;
+ policy_action_weight[PG_ACTION_INTERCEPT] = 2;
+ policy_action_weight[PG_ACTION_MANIPULATE] = 3;
+ policy_action_weight[PG_ACTION_REJECT] = 4;
+ policy_action_weight[PG_ACTION_WHITELIST] = 5;
}
static inline int action_cmp(enum policy_action a1, enum policy_action a2)
{
- return pangu_action_weight[a1] - pangu_action_weight[a2];
+ return policy_action_weight[a1] - policy_action_weight[a2];
}
static char* verify_unescape(char* s)
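Review bot: `action_cmp` indexes `policy_action_weight[]` with an `enum policy_action` that `decide_ctrl_action` produces by casting an `unsigned char` read from the compile table, so any value of 0x81 or above reads past the `__PG_ACTION_MAX`-entry array; the real check belongs in the table parser, but a guard here is cheap: `if ((unsigned)a1 >= __PG_ACTION_MAX || (unsigned)a2 >= __PG_ACTION_MAX) return 0;`. `PG_ACTION_SHAPING` and the new `PX_ACTION_SHUNT` get no explicit weight and so tie with `PG_ACTION_NONE`; with the old `shaping` pre-filter gone from `decide_ctrl_action`, a shaping or shunt hit can now never outrank even a monitor rule, which looks unintended or at least needs a comment. `verify_unescape` starts in this hunk and continues past it.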
@@ -255,7 +266,7 @@ static char* verify_unescape(char* s)
return s;
}
-void ip_asn_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void ip_asn_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int addr_type;
int ret=0,profile_id=0,is_valid=0;
@@ -265,7 +276,7 @@ void ip_asn_table_new_cb(int table_id, const char* key, const char* table_line,
ret=sscanf(table_line, "%d\t%d\t%s\t%s\t%s\t%s\t%d", &profile_id, &addr_type, start_ip, end_ip, asn, organization, &is_valid);
if(ret!=7)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table parse ip ASN failed, ret:%d, %s", ret, table_line);
+ mesa_runtime_log(RLOG_LV_FATAL, "Policy table parse ip ASN failed, ret:%d, %s", ret, table_line);
return;
}
verify_unescape(organization);
@@ -278,7 +289,7 @@ void ip_asn_table_new_cb(int table_id, const char* key, const char* table_line,
ip_asn->ref_cnt=1;
pthread_mutex_init(&(ip_asn->lock), NULL);
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Policy table add success %d", profile_id);
+ mesa_runtime_log(RLOG_LV_DEBUG, "Policy table add success %d", profile_id);
*ad = ip_asn;
}
@@ -299,7 +310,8 @@ static int get_column_num(const char* line)
return i;
}
-void ip_location_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+
+void ip_location_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0,profile_id=0,is_valid=0;
int geoname_id=0, addr_type=0;
@@ -324,7 +336,7 @@ void ip_location_table_new_cb(int table_id, const char* key, const char* table_l
if(ret!=18)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table parse ip location failed, ret:%d, %s", ret, table_line);
+ mesa_runtime_log(RLOG_LV_FATAL, "Policy table parse ip location failed, ret:%d, %s", ret, table_line);
return;
}
}
@@ -337,7 +349,7 @@ void ip_location_table_new_cb(int table_id, const char* key, const char* table_l
if(ret!=19)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table parse ip location failed, ret:%d, %s", ret, table_line);
+ mesa_runtime_log(RLOG_LV_FATAL, "Policy table parse ip location failed, ret:%d, %s", ret, table_line);
return;
}
}
@@ -362,12 +374,12 @@ void ip_location_table_new_cb(int table_id, const char* key, const char* table_l
}
ip_asn->ref_cnt=1;
pthread_mutex_init(&(ip_asn->lock), NULL);
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Policy table add success %d", profile_id);
+ mesa_runtime_log(RLOG_LV_DEBUG, "Policy table add success %d", profile_id);
*ad = ip_asn;
}
-void ip_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp)
+void ip_table_dup_cb(int table_id, void **to, void **from, long argl, void* argp)
{
struct ip_data_table* ip_asn=(struct ip_data_table*)(*from);
pthread_mutex_lock(&(ip_asn->lock));
@@ -376,7 +388,7 @@ void ip_table_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA
*to=ip_asn;
}
-void ip_table_free_cb(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void ip_table_free_cb(int table_id, void **ad, long argl, void* argp)
{
if(*ad==NULL)
{
@@ -410,7 +422,7 @@ void ip_table_free(struct ip_data_table* ip_asn)
ip_table_free_cb(0, (void **)&ip_asn, 0, NULL);
}
-void tunnel_catalog_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void tunnel_catalog_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0,tunnel_id=0,is_valid=0;
char tunnel_name[VERIFY_ARRAY_MAX]={0},tunnel_type[16]={0};
@@ -419,7 +431,7 @@ void tunnel_catalog_table_new_cb(int table_id, const char* key, const char* tabl
ret=sscanf(table_line, "%d\t%s\t%s\t%s\t%d", &tunnel_id, tunnel_name, tunnel_type, composition, &is_valid);
if(ret!=5)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy catalog table parse tunnel catalog failed, ret:%d, %s", ret, table_line);
+ mesa_runtime_log(RLOG_LV_FATAL, "Policy catalog table parse tunnel catalog failed, ret:%d, %s", ret, table_line);
return;
}
@@ -432,11 +444,11 @@ void tunnel_catalog_table_new_cb(int table_id, const char* key, const char* tabl
tunnel->ref_cnt=1;
pthread_mutex_init(&(tunnel->lock), NULL);
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Policy table add success %d", tunnel_id);
+ mesa_runtime_log(RLOG_LV_DEBUG, "Policy table add success %d", tunnel_id);
*ad = tunnel;
}
-void tunnel_endpoint_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void tunnel_endpoint_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0,is_valid=0;
int endpoint_id=0,addr_type=0;
@@ -446,7 +458,7 @@ void tunnel_endpoint_table_new_cb(int table_id, const char* key, const char* tab
ret=sscanf(table_line, "%d\t%d\t%s\t%s\t%s\t%d", &endpoint_id, &addr_type, start_ip, end_ip, description, &is_valid);
if(ret!=6)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table parse tunnel end point failed, ret:%d, %s", ret, table_line);
+ mesa_runtime_log(RLOG_LV_FATAL, "Policy table parse tunnel end point failed, ret:%d, %s", ret, table_line);
return;
}
@@ -457,11 +469,11 @@ void tunnel_endpoint_table_new_cb(int table_id, const char* key, const char* tab
tunnel->ref_cnt=1;
pthread_mutex_init(&(tunnel->lock), NULL);
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Policy endpoint table add success %d", endpoint_id);
+ mesa_runtime_log(RLOG_LV_DEBUG, "Policy endpoint table add success %d", endpoint_id);
*ad = tunnel;
}
-void tunnel_label_table_new_cb(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void tunnel_label_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0,is_valid=0;
int label_id=0;
@@ -469,7 +481,7 @@ void tunnel_label_table_new_cb(int table_id, const char* key, const char* table_
ret=sscanf(table_line, "%d\t%d", &label_id, &is_valid);
if(ret!=2)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Policy table tunnel label failed, ret:%d, %s", ret, table_line);
+ mesa_runtime_log(RLOG_LV_FATAL, "Policy table tunnel label failed, ret:%d, %s", ret, table_line);
return;
}
@@ -479,7 +491,7 @@ void tunnel_label_table_new_cb(int table_id, const char* key, const char* table_
tunnel->ref_cnt=1;
pthread_mutex_init(&(tunnel->lock), NULL);
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Policy label table add success %d", label_id);
+ mesa_runtime_log(RLOG_LV_DEBUG, "Policy label table add success %d", label_id);
*ad = tunnel;
}
@@ -495,12 +507,12 @@ const char *table_name_map[] = {"TSG_IP_ASN_USER_DEFINED",
"TSG_TUNNEL_LABEL"};
int maat_tunnel_table_init(int profile_idx,int vsys_id,
- Maat_plugin_EX_free_func_t* free_func,
- Maat_plugin_EX_dup_func_t* dup_func)
+ maat_ex_free_func_t* free_func,
+ maat_ex_dup_func_t* dup_func)
{
int table_id=0;
- Maat_plugin_EX_new_func_t *new_func[] = {
+ maat_ex_new_func_t *new_func[] = {
[POLICY_ASN_USER_DEFINED] = NULL,
[POLICY_ASN_BUILT_IN] = NULL,
[POLICY_LOCATION_USER_DEFINED] = NULL,
@@ -513,7 +525,7 @@ int maat_tunnel_table_init(int profile_idx,int vsys_id,
};
const char *table_name = table_name_map[profile_idx];
- table_id=g_policy_rt->plolicy_table_id[profile_idx]=Maat_table_register(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], table_name);
+ table_id=g_policy_rt->profile_table_id[profile_idx]=maat_get_table_id(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], table_name);
if(table_id < 0)
{
goto finish;
@@ -521,23 +533,23 @@ int maat_tunnel_table_init(int profile_idx,int vsys_id,
if(profile_idx==POLICY_TUNNEL_CATALOG)
{
- table_id=Maat_bool_plugin_EX_register(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY],table_id, new_func[profile_idx], free_func, dup_func,
+ table_id=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY],table_name, new_func[profile_idx], free_func, dup_func,
0,NULL);
}
if(profile_idx==POLICY_TUNNEL_ENDPOINT)
{
- table_id=Maat_ip_plugin_EX_register(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], table_id, new_func[profile_idx], free_func, dup_func,
+ table_id=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], table_name, new_func[profile_idx], free_func, dup_func,
0, NULL);
}
return table_id;
finish:
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Register table %s failed.", table_name);
+ mesa_runtime_log(RLOG_LV_FATAL, "Register table %s failed.", table_name);
return -1;
}
-void tunnel_table_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void tunnel_table_free_data(int table_id, void **ad, long argl, void* argp)
{
if(*ad==NULL)
{
@@ -574,7 +586,7 @@ void tunnel_table_free(struct tunnel_data_ctx* tunnel)
tunnel_table_free_data(0, (void **)&tunnel, 0, NULL);
}
-void tunnel_table_dup_data(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp)
+void tunnel_table_dup_data(int table_id, void **to, void **from, long argl, void* argp)
{
struct tunnel_data_ctx *tunnel=(struct tunnel_data_ctx *)(*from);
pthread_mutex_lock(&(tunnel->lock));
@@ -586,31 +598,31 @@ void tunnel_table_dup_data(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX
}
int maat_fqdn_cat_table_init(int profile_idx, int vsys_id,
- Maat_plugin_EX_new_func_t* new_func,
- Maat_plugin_EX_free_func_t* free_func,
- Maat_plugin_EX_dup_func_t* dup_func)
+ maat_ex_new_func_t* new_func,
+ maat_ex_free_func_t* free_func,
+ maat_ex_dup_func_t* dup_func)
{
int table_id=0, ret=0;
const char *table_name = table_name_map[profile_idx];
- table_id=g_policy_rt->plolicy_table_id[profile_idx]=Maat_table_register(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], table_name);
+ table_id=g_policy_rt->profile_table_id[profile_idx]=maat_get_table_id(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], table_name);
if(table_id >= 0)
{
- ret=Maat_fqdn_plugin_EX_register(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], table_id, new_func, free_func, dup_func,
+ ret=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], table_name, new_func, free_func, dup_func,
0, NULL);
return ret;
}
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Register fqdn cat table %s failed.", table_name);
+ mesa_runtime_log(RLOG_LV_FATAL, "Register fqdn cat table %s failed.", table_name);
return -1;
}
int maat_ip_table_init(int profile_idx,int vsys_id,
- Maat_plugin_EX_free_func_t* free_func,
- Maat_plugin_EX_dup_func_t* dup_func)
+ maat_ex_free_func_t* free_func,
+ maat_ex_dup_func_t* dup_func)
{
int table_id=0;
- Maat_plugin_EX_new_func_t *new_func[] = {
+ maat_ex_new_func_t *new_func[] = {
[POLICY_ASN_USER_DEFINED] = ip_asn_table_new_cb,
[POLICY_ASN_BUILT_IN] = ip_asn_table_new_cb,
[POLICY_LOCATION_USER_DEFINED] = ip_location_table_new_cb,
@@ -618,18 +630,18 @@ int maat_ip_table_init(int profile_idx,int vsys_id,
};
const char *table_name = table_name_map[profile_idx];
- table_id=g_policy_rt->plolicy_table_id[profile_idx]=Maat_table_register(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], table_name);
+ table_id=g_policy_rt->profile_table_id[profile_idx]=maat_get_table_id(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], table_name);
if(table_id >= 0)
{
- table_id=Maat_ip_plugin_EX_register(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], table_id, new_func[profile_idx], free_func, dup_func,
+ table_id=maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], table_name, new_func[profile_idx], free_func, dup_func,
0, NULL);
return 0;
}
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Register table %s failed.", table_name);
+ mesa_runtime_log(RLOG_LV_FATAL, "Register table %s failed.", table_name);
return -1;
}
-void fqdn_cat_dup_data(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DATA *from, long argl, void* argp)
+void fqdn_cat_dup_data(int table_id, void **to, void **from, long argl, void* argp)
{
struct fqdn_category_t *fqdn_cat=(struct fqdn_category_t *)(*from);
pthread_mutex_lock(&(fqdn_cat->lock));
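Review bot: In `maat_ip_table_init` the return of the new `maat_plugin_table_ex_schema_register` call is stored in `table_id` and then discarded by the unconditional `return 0;`, so a failed plugin registration is reported to the caller as success, whereas the sibling `maat_fqdn_cat_table_init` returns `ret` for the same call. Change the tail to `return table_id < 0 ? -1 : 0;` and log the failure the way the `< 0` lookup path already does. `maat_ip_table_init` starts in the previous hunk.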
@@ -640,7 +652,7 @@ void fqdn_cat_dup_data(int table_id, MAAT_PLUGIN_EX_DATA *to, MAAT_PLUGIN_EX_DAT
return;
}
-void fqdn_cat_new_data(int table_id, const char* key, const char* table_line, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void fqdn_cat_new_data(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
int ret=0,id=0,is_valid=0;
@@ -650,17 +662,17 @@ void fqdn_cat_new_data(int table_id, const char* key, const char* table_line, MA
if(ret!=5)
{
FREE(&fqdn_cat);
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Parse fqdn category failed, ret: %d table_id: %d table_line: %s", ret, table_id, table_line);
+ mesa_runtime_log(RLOG_LV_FATAL, "Parse fqdn category failed, ret: %d table_id: %d table_line: %s", ret, table_id, table_line);
return;
}
fqdn_cat->ref_cnt=1;
pthread_mutex_init(&(fqdn_cat->lock), NULL);
- *ad=(MAAT_PLUGIN_EX_DATA)fqdn_cat;
+ *ad=fqdn_cat;
return;
}
-void fqdn_cat_free_data(int table_id, MAAT_PLUGIN_EX_DATA* ad, long argl, void* argp)
+void fqdn_cat_free_data(int table_id, void **ad, long argl, void* argp)
{
if(*ad==NULL)
{
@@ -688,96 +700,122 @@ void fqdn_cat_table_free(struct fqdn_category_t *fqdn_cat)
fqdn_cat_free_data(0, (void **)&fqdn_cat, 0, NULL);
}
-#if 0
-static enum policy_action decide_ctrl_action(const struct Maat_rule_t * hit_rules, size_t n_hit,
- struct Maat_rule_t ** enforce_rules, size_t * n_enforce)
+void compile_table_new_cb(const char *table_name, int table_id, const char* key, const char* table_line, void **ad, long argl, void* argp)
{
- size_t n_monit = 0, exist_enforce_num = 0, i = 0;
- const struct Maat_rule_t * prior_rule = hit_rules;
- struct Maat_rule_t monit_rule[n_hit];
- enum policy_action prior_action = PG_ACTION_NONE;
+ int ret=0;
+ int config_id=0, service_id=0, action=0;
+ int do_log=0,do_blacklist=0,is_valid=0;
+ char effective_range[VERIFY_ARRAY_MAX]={0};
+ char srv_def_large[VERIFY_STRING_MAX]={0};
- for (i = 0; i < n_hit && i < MAX_SCAN_RESULT ; i++)
+ ret=sscanf(table_line, "%d\t%d\t%d\t%d\t%d\t%s\t%s\t%d", &config_id, &service_id, &action, &do_blacklist, &do_log,effective_range,srv_def_large, &is_valid);
+ if(ret!=8)
{
- unsigned char __expand_action = (unsigned char) hit_rules[i].action;
- enum policy_action __action = (enum policy_action) __expand_action;
- if (__action == PG_ACTION_MONIT)
- {
- memcpy(monit_rule + n_monit, hit_rules + i, sizeof(struct Maat_rule_t));
- n_monit++;
- break;
- }
+ mesa_runtime_log(RLOG_LV_FATAL, "Security compile table parse failed, ret:%d, %s", ret, table_line);
+ return;
}
- i = (i == 0) ? 1 : 0;
+ do_log=do_log;
+ do_blacklist=do_blacklist;
+ is_valid=is_valid;
- prior_action = (enum policy_action)hit_rules[i].action;
- prior_rule = hit_rules + i;
+ struct rule_data_ctx *rule_ctx=ALLOC(struct rule_data_ctx, 1);
+ rule_ctx->config_id=config_id;
+ rule_ctx->action=action;
+ rule_ctx->service_id=service_id;
+ rule_ctx->ref_cnt=1;
+ pthread_mutex_init(&(rule_ctx->lock), NULL);
- exist_enforce_num = *n_enforce;
- if (prior_action == PG_ACTION_MONIT)
- {
- *n_enforce += n_monit;
- }
- else
- {
- *n_enforce += n_monit + 1;
- }
+ *ad = rule_ctx;
+}
- *enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce));
- if (prior_action == PG_ACTION_MONIT)
+void compile_free_data(int table_id, void **ad, long argl, void* argp)
+{
+ if(*ad==NULL)
{
- memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+ return;
}
- else
+ struct rule_data_ctx *rule_ctx=(struct rule_data_ctx *)(*ad);
+ pthread_mutex_lock(&(rule_ctx->lock));
+ rule_ctx->ref_cnt--;
+ if(rule_ctx->ref_cnt>0)
{
- memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t));
- memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t));
- memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+ pthread_mutex_unlock(&(rule_ctx->lock));
+ return;
}
+ pthread_mutex_unlock(&(rule_ctx->lock));
+ pthread_mutex_destroy(&(rule_ctx->lock));
- return prior_action;
+ FREE(&rule_ctx);
+ *ad=NULL;
+ return;
+}
+
+void compile_free(struct rule_data_ctx *compile_ctx)
+{
+ compile_free_data(0, (void **)&compile_ctx, 0, NULL);
}
-#endif
-static enum policy_action decide_ctrl_action(enum verify_policy_type policy_type, int shaping, const struct Maat_rule_t * hit_rules, size_t n_hit, struct Maat_rule_t ** enforce_rules, size_t * n_enforce)
+void compile_dup_data(int table_id, void **to, void **from, long argl, void* argp)
+{
+ struct rule_data_ctx *rule_ctx=(struct rule_data_ctx *)(*from);
+ pthread_mutex_lock(&(rule_ctx->lock));
+ rule_ctx->ref_cnt++;
+ pthread_mutex_unlock(&(rule_ctx->lock));
+ *to=rule_ctx;
+
+ return;
+}
+
+static enum policy_action decide_ctrl_action(int vsys_id, enum compile_table_typle policy_type, int compile_table_id, long long *results, size_t n_hit,
+ struct rule_data_ctx ** enforce_rules, size_t * n_enforce, struct rule_data_ctx **hit_rules)
{
size_t n_monit = 0, exist_enforce_num = 0, i = 0;
- const struct Maat_rule_t * prior_rule = hit_rules;
- struct Maat_rule_t monit_rule[n_hit];
enum policy_action prior_action = PG_ACTION_NONE;
+ struct rule_data_ctx *rule_ctx=NULL;
+ struct rule_data_ctx *hit_rules_ex=NULL;
- for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++)
+ if(n_hit < 0)
{
- unsigned char __expand_action = (unsigned char) hit_rules[i].action;
- enum policy_action __action = (enum policy_action) __expand_action;
+ return prior_action;
+ }
- if (shaping == 1 && __action != PG_ACTION_SHAPING)
- {
- continue;
- }
- if (shaping ==2 && __action != PG_ACTION_SERVICE_CHAINING)
- {
- continue;
- }
- if (shaping == 0 && (__action == PG_ACTION_SHAPING || __action == PG_ACTION_SERVICE_CHAINING))
+ hit_rules_ex=ALLOC(struct rule_data_ctx, n_hit);
+ for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++)
+ {
+ rule_ctx =(struct rule_data_ctx *)maat_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][policy_type],
+ g_policy_rt->compile_table_id[compile_table_id],
+ (const char *)&results[i]);
+ if(!rule_ctx)
{
continue;
}
+ memcpy(hit_rules_ex+i, rule_ctx, sizeof(struct rule_data_ctx));
+ compile_free(rule_ctx);
+ }
+ *hit_rules=hit_rules_ex;
+
+ const struct rule_data_ctx * prior_rule = hit_rules_ex;
+ struct rule_data_ctx monit_rule[n_hit];
+
+ for (i = 0; i < n_hit && i<MAX_SCAN_RESULT; i++)
+ {
+ unsigned char __expand_action = (unsigned char) hit_rules_ex[i].action;
+ enum policy_action __action = (enum policy_action) __expand_action;
if (__action == PG_ACTION_MONIT)
{
- memcpy(monit_rule + n_monit, hit_rules + i, sizeof(struct Maat_rule_t));
+ memcpy(monit_rule + n_monit, hit_rules_ex + i, sizeof(struct rule_data_ctx));
n_monit++;
}
if (action_cmp(__action, prior_action) > 0)
{
- prior_rule = hit_rules + i;
+ prior_rule = hit_rules_ex + i;
prior_action = __action;
}
else if (action_cmp(__action, prior_action) == 0)
{
- if (hit_rules[i].config_id > prior_rule->config_id)
+ if (hit_rules_ex[i].config_id > prior_rule->config_id)
{
- prior_rule = hit_rules + i;
+ prior_rule = hit_rules_ex + i;
}
}
else
@@ -790,7 +828,7 @@ static enum policy_action decide_ctrl_action(enum verify_policy_type policy_type
{
if(*n_enforce==0)
{
- *enforce_rules=ALLOC(struct Maat_rule_t, 1);
+ *enforce_rules=ALLOC(struct rule_data_ctx, 1);
}
*enforce_rules[0]=*prior_rule;
*n_enforce=1;
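Review bot: `*enforce_rules[0]=*prior_rule;` only does what is intended because the index is 0: `*enforce_rules[0]` parses as `*(enforce_rules[0])`, i.e. the first element of the double pointer, not element 0 of the pointed-to array. Writing it as `(*enforce_rules)[0] = *prior_rule;` makes the intent explicit and survives a future change of index. Note also that this is a whole-struct copy of `struct rule_data_ctx`, which carries the `lock` mutex and `ref_cnt` used by compile_free_data; the copied lock and count are never used or balanced, so copying only the policy fields the consumer needs (config_id, action) would be safer. decide_ctrl_action begins and ends outside this hunk.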
@@ -813,18 +851,18 @@ static enum policy_action decide_ctrl_action(enum verify_policy_type policy_type
*n_enforce += n_monit + 1;
}
- *enforce_rules = (struct Maat_rule_t *) realloc(*enforce_rules, sizeof(struct Maat_rule_t) * (*n_enforce));
+ *enforce_rules = (struct rule_data_ctx *) realloc(*enforce_rules, sizeof(struct rule_data_ctx ) * (*n_enforce));
if (prior_action == PG_ACTION_MONIT && monit_enable)
{
- memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+ memcpy(*enforce_rules + exist_enforce_num, monit_rule, n_monit * sizeof(struct rule_data_ctx ));
}
else
{
- memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct Maat_rule_t));
- memcpy(*enforce_rules, prior_rule, sizeof(struct Maat_rule_t));
+ memmove(*enforce_rules+1, *enforce_rules, exist_enforce_num*sizeof(struct rule_data_ctx ));
+ memcpy(*enforce_rules, prior_rule, sizeof(struct rule_data_ctx ));
if(monit_enable)
{
- memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct Maat_rule_t));
+ memcpy(*enforce_rules + exist_enforce_num + 1, monit_rule, n_monit * sizeof(struct rule_data_ctx ));
}
}
return prior_action;
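Review bot: `*enforce_rules = (struct rule_data_ctx *) realloc(*enforce_rules, ...)` assigns the result straight back, so on allocation failure the old buffer leaks and the memmove/memcpy that follow write through a NULL pointer; use a temporary, e.g. `struct rule_data_ctx *tmp = realloc(*enforce_rules, sizeof *tmp * (*n_enforce)); if (!tmp) return PG_ACTION_NONE; *enforce_rules = tmp;` (choosing whichever failure value callers already handle). The memcpy/memmove calls also copy `struct rule_data_ctx` by value, and that struct holds a `pthread_mutex_t lock` and a `ref_cnt` (see compile_free_data); POSIX does not permit using a copied mutex, and the copies are never released through compile_free, so the enforce list should hold a plain POD view of the rule rather than the ref-counted context. The function's start is outside this hunk.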
@@ -833,14 +871,14 @@ static enum policy_action decide_ctrl_action(enum verify_policy_type policy_type
int http_table_in_fqdn(int protocol_field, int policy_type)
{
- if(policy_type == TSG_TABLE_SECURITY &&(protocol_field == TSG_SECURITY_HTTP_FQDN ||
- protocol_field == TSG_SECURITY_HTTPS_SNI || protocol_field==TSG_SECURITY_HTTPS_CN || protocol_field==TSG_SECURITY_HTTPS_SAN ||
+ if(policy_type == TSG_TABLE_SECURITY &&(protocol_field == TSG_SECURITY_HTTP_HOST ||
+ protocol_field == TSG_SECURITY_SSL_SNI || protocol_field==TSG_SECURITY_SSL_CN || protocol_field==TSG_SECURITY_SSL_SAN ||
protocol_field==TSG_SECURITY_DNS_QNAME || protocol_field == TSG_SECURITY_QUIC_SNI))
{
return 1;
}
- if(policy_type == PXY_TABLE_MANIPULATION &&(protocol_field == PXY_CTRL_HTTP_FQDN ||
+ if(policy_type == PXY_TABLE_MANIPULATION &&(protocol_field == PXY_CTRL_HTTP_HOST ||
protocol_field == PXY_CTRL_DOH_QNAME || protocol_field==PXY_CTRL_DOH_HOST))
{
return 1;
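Review bot: The table-id sets tested here are duplicated verbatim by the new `secy_request_in_fqdn_cat` and `pxy_request_in_fqdn_cat` helpers added further down in this file (the HTTP_HOST/SSL_SNI/SSL_CN/SSL_SAN/DNS_QNAME/QUIC_SNI set and the PXY HTTP_HOST/DOH_QNAME/DOH_HOST set). Two copies of the same membership list will drift the next time a table id is added or renamed, as this commit itself had to do. Consider reducing http_table_in_fqdn to `return secy_request_in_fqdn_cat(policy_type, protocol_field) || pxy_request_in_fqdn_cat(policy_type, protocol_field);` (the helpers are defined later in the file, so they would need to move up or gain a prototype). The function's tail is outside this hunk.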
@@ -849,12 +887,12 @@ int http_table_in_fqdn(int protocol_field, int policy_type)
return 0;
}
-void http_get_fqdn_cat_id(struct verify_policy_query_obj *query_obj, int type, cJSON *attributeObj)
+void http_get_fqdn_cat_id(struct request_query_obj *query_obj, int type, cJSON *attributeObj)
{
int i=0;
cJSON *sniCategory=NULL;
- if(!http_table_in_fqdn(query_obj->protocol_field, type))
+ if(!http_table_in_fqdn(query_obj->table_id, type))
{
return;
}
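Review bot: `http_table_in_fqdn(query_obj->table_id, type)` passes the request's `table_id` into a parameter still named `protocol_field`, while `type` is the compile table type; after this rename the two names no longer describe the same thing and the call reads as if a protocol field were being passed. Renaming http_table_in_fqdn's first parameter to `table_id` (its body only compares it to table-id constants) would keep the naming consistent with `struct request_query_obj`. http_get_fqdn_cat_id continues beyond this hunk.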
@@ -943,40 +981,14 @@ int http_hit_policy_match(int result_config[], int cnt, int config)
return 0;
}
-int verify_shaping_policy_filter(struct verify_policy_scan_ctx * ctx, int shaping, int config)
-{
- size_t i=0;
-
- for (i = 0; i < ctx->hit_cnt; i++)
- {
- if (ctx->result[i].config_id == config)
- {
- if(shaping == 1 && ctx->result[i].action == PG_ACTION_SHAPING)
- {
- return 1;
- }
- if(shaping == 2 && ctx->result[i].action == PG_ACTION_SERVICE_CHAINING)
- {
- return 1;
- }
- if(shaping == 0 && (ctx->result[i].action != PG_ACTION_SHAPING || ctx->result[i].action != PG_ACTION_SERVICE_CHAINING))
- {
- return 1;
- }
-
- }
- }
- return 0;
-}
-
-void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, int shaping, cJSON *attributes, cJSON *data_obj, void *pme)
+void http_get_scan_status(struct request_query_obj *query_obj, int type, cJSON *attributes, cJSON *data_obj, void *pme)
{
int i=0, j=0, k=0;
int result_hit_nth[MAX_SCAN_RESULT] = {-1};
cJSON *attributeObj=NULL,*hitPaths=NULL;
cJSON *item = NULL;
- struct verify_policy_scan_ctx * ctx = (struct verify_policy_scan_ctx *) pme;
+ struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
attributeObj=query_obj->attributes;
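Review bot: `int result_hit_nth[MAX_SCAN_RESULT] = {-1};` sets only element 0 to -1; every other element is zero-initialised, so if code later in this function (outside the hunk) relies on -1 as the "unused slot" marker, slots after the first cannot be told apart from a compile_id of 0. If -1 is meant as a sentinel, fill the array explicitly (`for (i = 0; i < MAX_SCAN_RESULT; i++) result_hit_nth[i] = -1;`) or, if only `k` is used to bound the valid entries, the initialiser can simply be `{0}`. A style point on the new signature: the sibling helpers added in this commit take a typed `struct policy_scan_ctx *`, while this function and http_hit_policy_list still take `void *pme` and cast it, which hides the type from the compiler for no visible benefit.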
@@ -992,7 +1004,7 @@ void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, i
}
}
- if(type == TSG_TABLE_SECURITY && query_obj->protocol_field == TSG_SECURITY_TUNNEL)
+ if(type == TSG_TABLE_SECURITY && query_obj->table_id == TSG_SECURITY_TUNNEL)
{
attributeObj=query_obj->attributes;
cJSON_DeleteItemFromObject(attributeObj, "attributeName");
@@ -1018,14 +1030,14 @@ void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, i
histObj=cJSON_CreateObject();
cJSON_AddItemToArray(hitPaths, histObj);
- cJSON_AddNumberToObject(histObj, "itemId", ctx->hit_path[i].region_id);
+ cJSON_AddNumberToObject(histObj, "itemId", ctx->hit_path[i].item_id);
cJSON_AddNumberToObject(histObj, "objectId", ctx->hit_path[i].sub_group_id);
if (ctx->hit_path[i].top_group_id < 0)
{
ctx->hit_path[i].top_group_id = ctx->hit_path[i].sub_group_id;
}
cJSON_AddNumberToObject(histObj, "topObjectId", ctx->hit_path[i].top_group_id);
- if(ctx->hit_path[i].compile_id > 0 && verify_shaping_policy_filter(ctx, shaping, ctx->hit_path[i].compile_id) == 1)
+ if(ctx->hit_path[i].compile_id > 0)
{
result_hit_nth[k] = ctx->hit_path[i].compile_id;
k++;
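Review bot: With the shaping filter removed, `result_hit_nth[k] = ctx->hit_path[i].compile_id; k++;` now fires for every hit path whose compile_id is positive, and nothing bounds `k` against the array's `MAX_SCAN_RESULT` capacity; the enclosing loop over `i` starts outside this hunk, and elsewhere in this file hit-path buffers are sized 2048, so it is unclear that `i` is limited to MAX_SCAN_RESULT. A cheap guard keeps the write in bounds: `if(ctx->hit_path[i].compile_id > 0 && k < MAX_SCAN_RESULT)`. The assignment `ctx->hit_path[i].top_group_id = ctx->hit_path[i].sub_group_id;` also mutates the scan context while reporting it, which is surprising for a function that otherwise only reads `ctx`.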
@@ -1039,13 +1051,13 @@ void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, i
http_get_fqdn_cat_id(query_obj, type, attributeObj);
}
-int http_hit_policy_list(enum verify_policy_type policy_type, int shaping, size_t hit_cnt, cJSON *data_obj, void *pme)
+int http_hit_policy_list(int vsys_id, enum compile_table_typle policy_type, int compile_table_id, size_t hit_cnt, cJSON *data_obj, void *pme)
{
bool succeeded = false;
size_t rules=0, i=0;
int result_config[MAX_SCAN_RESULT] = {0};
- struct verify_policy_scan_ctx * ctx = (struct verify_policy_scan_ctx *) pme;
+ struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
hit_cnt = ctx->hit_cnt;
if (hit_cnt <= 0)
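Review bot: The `size_t hit_cnt` parameter in the new http_hit_policy_list signature is dead: it is overwritten by `hit_cnt = ctx->hit_cnt;` before any read, so callers' values are silently ignored. Since the signature is being changed anyway, either drop the parameter or make the function honour it. On the next line, `if (hit_cnt <= 0)` on an unsigned `size_t` is just `== 0`; writing `if (hit_cnt == 0)` avoids a compiler warning and says what is meant. The function's body continues outside this hunk.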
@@ -1055,7 +1067,7 @@ int http_hit_policy_list(enum verify_policy_type policy_type, int shaping, size_
if (hit_cnt >= MAX_SCAN_RESULT) hit_cnt = MAX_SCAN_RESULT;
- ctx->action = decide_ctrl_action(policy_type, shaping, ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce);
+ ctx->action = decide_ctrl_action(vsys_id, policy_type, compile_table_id, ctx->result, hit_cnt, &ctx->enforce_rules, &ctx->n_enforce, &ctx->hit_rules);
ctx->hit_cnt = hit_cnt;
cJSON *hit_obj=NULL, *policy_obj=NULL;
hit_obj=cJSON_CreateArray();
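Review bot: `decide_ctrl_action(..., &ctx->hit_rules)` now stores a freshly allocated array (`hit_rules_ex=ALLOC(struct rule_data_ctx, n_hit)` in decide_ctrl_action) into `ctx->hit_rules` without freeing whatever the pointer held before, and nothing in this hunk documents who releases it; if http_hit_policy_list can run more than once on the same ctx, the previous array leaks. Either free the old value before the call (`free(ctx->hit_rules); ctx->hit_rules = NULL;`) or add a comment at this call stating that ownership of `ctx->hit_rules` passes to the ctx's teardown. The function's start and end are outside this hunk.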
@@ -1064,25 +1076,13 @@ int http_hit_policy_list(enum verify_policy_type policy_type, int shaping, size_
{
for (i = 0; i < ctx->hit_cnt; i++)
{
- if(shaping == 1 && ctx->result[i].action != PG_ACTION_SHAPING)
- {
- continue;
- }
- if(shaping == 2 && ctx->result[i].action != PG_ACTION_SERVICE_CHAINING)
- {
- continue;
- }
- if(shaping == 0 && (ctx->result[i].action == PG_ACTION_SHAPING || ctx->result[i].action == PG_ACTION_SERVICE_CHAINING))
- {
- continue;
- }
- if(http_hit_policy_match(result_config, i, ctx->result[i].config_id))
+ if(http_hit_policy_match(result_config, i, ctx->hit_rules[i].config_id))
{
continue;
}
succeeded = false;
policy_obj=cJSON_CreateObject();
- cJSON_AddNumberToObject(policy_obj, "policyId",ctx->result[i].config_id);
+ cJSON_AddNumberToObject(policy_obj, "policyId",ctx->hit_rules[i].config_id);
cJSON_AddStringToObject(policy_obj, "policyName", "");
for (rules = 0; rules < ctx->n_enforce; rules++)
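Review bot: `ctx->hit_rules[i].config_id` is now read for every `i < ctx->hit_cnt`, but decide_ctrl_action fills `hit_rules_ex` with `continue` when `maat_plugin_table_get_ex_data` returns NULL, leaving that slot untouched; unless ALLOC zero-fills (not visible here), such an entry holds indeterminate bytes, and even if it is zeroed it is reported as `"policyId": 0` and compared against enforce_rules as if it were a real hit. Either compact the array in decide_ctrl_action (write to `hit_rules_ex + n_filled` and return the filled count) or skip entries whose config_id is 0 here. The same `hit_rules[i]` reads appear in the two hunks that follow (the `isExecutePolicy` comparison and `result_config[i]` assignment). The enclosing loop and function start before this hunk.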
@@ -1097,7 +1097,7 @@ int http_hit_policy_list(enum verify_policy_type policy_type, int shaping, size_
}
else
{
- if (ctx->enforce_rules[rules].config_id == ctx->result[i].config_id)
+ if (ctx->enforce_rules[rules].config_id == ctx->hit_rules[i].config_id)
{
cJSON_AddBoolToObject(policy_obj, "isExecutePolicy", true);
succeeded = true;
@@ -1109,13 +1109,13 @@ int http_hit_policy_list(enum verify_policy_type policy_type, int shaping, size_
cJSON_AddBoolToObject(policy_obj, "isExecutePolicy", false);
}
cJSON_AddItemToArray(hit_obj, policy_obj);
- result_config[i] = ctx->result[i].config_id;
+ result_config[i] = ctx->hit_rules[i].config_id;
}
}
return 0;
}
-int verify_ip_addr_to_address(struct ipaddr *ip_addr, struct ip_address *dest_ip, struct ip_address *source_ip)
+int ip_addr_to_address(struct ipaddr *ip_addr, struct ip_addr *dest_ip, struct ip_addr *source_ip)
{
if(ip_addr==NULL) return -1;
if (ip_addr->addrtype == ADDR_TYPE_IPV4)
@@ -1137,23 +1137,24 @@ int verify_ip_addr_to_address(struct ipaddr *ip_addr, struct ip_address *dest_ip
return 0;
}
-int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, struct ip_address *dip, int hit_cnt, unsigned int thread_id, int vsys_id, enum verify_policy_type policy_type, struct verify_policy_scan_ctx * ctx )
+int ip_location_scan(long long *result, struct ip_addr *sip, struct ip_addr *dip, int hit_cnt, unsigned int thread_id, int vsys_id, enum compile_table_typle policy_type, struct policy_scan_ctx *ctx)
{
+ size_t n_hit_result=0;
int scan_ret=0, hit_cnt_ip=0;
char buff[VERIFY_ARRAY_MAX]={0};
- struct Maat_hit_path_t hit_path[2048];
+ struct maat_hit_path hit_path[2048];
struct ip_data_table* ip_location_client=NULL, *ip_location_server=NULL;
- Maat_ip_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_LOCATION_USER_DEFINED], sip, (void **)&ip_location_client, 1);
- Maat_ip_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_LOCATION_USER_DEFINED], dip, (void **)&ip_location_server, 1);
+ maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_LOCATION_USER_DEFINED], sip, (void **)&ip_location_client, 1);
+ maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_LOCATION_USER_DEFINED], dip, (void **)&ip_location_server, 1);
if (ip_location_client == NULL)
{
- Maat_ip_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_LOCATION_BUILT_IN], sip, (void **)&ip_location_client, 1);
+ maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_LOCATION_BUILT_IN], sip,(void **)&ip_location_client, 1);
}
if (ip_location_server == NULL)
{
- Maat_ip_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_LOCATION_BUILT_IN], dip, (void **)&ip_location_server, 1);
+ maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_LOCATION_BUILT_IN], dip, (void **)&ip_location_server, 1);
}
int ip_location_table = 0;
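Review bot: `unsigned int thread_id` is no longer used anywhere in ip_location_scan: the old `Maat_full_scan_string`/`Maat_get_scan_status` calls consumed it, but the replacement `maat_scan_string`/`maat_state_get_hit_paths` take `ctx->scan_mid` instead. The same now-dead parameter remains on http_ip_asn_scan, get_fqdn_category_id and policy_verify_scan_tunnel_id; since all four signatures are rewritten in this commit, dropping it (or marking it `(void)thread_id;` with a comment if the prototype must stay) would keep `-Wunused-parameter` clean. Also worth a comment on the declaration: `struct maat_hit_path hit_path[2048];` is a sizeable stack buffer whose contents are never consumed in this function (see the next hunk), so its purpose is not obvious to a reader. The function continues outside this hunk.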
@@ -1181,16 +1182,14 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
{
snprintf(buff, sizeof(buff),"%s.%s.%s.%s.", ip_location_server->country_full,ip_location_server->province_full, ip_location_server->city_full, ip_location_server->subdivision_addr);
}
-
- scan_ret = Maat_full_scan_string(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][ip_location_table],
- CHARSET_GBK, buff, strlen(buff),
- result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
- &(ctx->scan_mid), (int) thread_id);
+ scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][ip_location_table],
+ buff, strlen(buff), result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
+ &n_hit_result, ctx->scan_mid);
if(scan_ret>0)
{
- hit_cnt_ip+=scan_ret;
+ hit_cnt_ip+=n_hit_result;
}
- ctx->n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, hit_path, sizeof(hit_path));
+ ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, sizeof(hit_path));
}
if(ip_location_client!=NULL)
{
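Review bot: `ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, sizeof(hit_path));` writes the hit paths into the function-local `hit_path` array, which is discarded on return, yet it updates `ctx->n_read` — the index that get_fqdn_category_id and the new scan helpers later use to read `ctx->hit_path[ctx->n_read]`. So `ctx->n_read` ends up describing a buffer the ctx does not have, and the later reads index `ctx->hit_path` with a count from a different array. If the hit paths matter, read them into `ctx->hit_path` with `sizeof(ctx->hit_path)` as every other call site in this file does; if they do not, drop the call and the local buffer. The same pattern appears in the second ip_location_scan hunk and both http_ip_asn_scan hunks below. This function starts and ends outside the hunk.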
@@ -1217,15 +1216,14 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
{
snprintf(buff, sizeof(buff),"%s.%s.%s.%s.", ip_location_client->country_full,ip_location_client->province_full, ip_location_client->city_full, ip_location_client->subdivision_addr);
}
- scan_ret = Maat_full_scan_string(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][ip_location_table],
- CHARSET_GBK, buff, strlen(buff),
- result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
- &(ctx->scan_mid), (int) thread_id);
+ scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][ip_location_table],
+ buff, strlen(buff),result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
+ &n_hit_result, ctx->scan_mid);
if(scan_ret>0)
{
- hit_cnt_ip+=scan_ret;
+ hit_cnt_ip+=n_hit_result;
}
- ctx->n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, hit_path, sizeof(hit_path));
+ ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, sizeof(hit_path));
}
if(ip_location_server)
@@ -1235,22 +1233,23 @@ int http_ip_location_scan(struct Maat_rule_t *result, struct ip_address *sip, st
return hit_cnt_ip;
}
-int http_ip_asn_scan(struct Maat_rule_t *result, struct ip_address* sip, struct ip_address* dip, int hit_cnt, unsigned int thread_id, int vsys_id, enum verify_policy_type policy_type, struct verify_policy_scan_ctx * ctx)
+int http_ip_asn_scan(long long *result, struct ip_addr* sip, struct ip_addr* dip, int hit_cnt, unsigned int thread_id, int vsys_id, enum compile_table_typle policy_type, struct policy_scan_ctx * ctx)
{
+ size_t n_hit_result=0;
int scan_ret=0, hit_cnt_ip=0;
- struct Maat_hit_path_t hit_path[2048];
+ struct maat_hit_path hit_path[2048];
struct ip_data_table* ip_asn_client=NULL, *ip_asn_server=NULL;
- Maat_ip_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_ASN_USER_DEFINED], sip, (void **)&ip_asn_client, 1);
- Maat_ip_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_ASN_USER_DEFINED], dip, (void **)&ip_asn_server, 1);
+ maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_ASN_USER_DEFINED], sip, (void **)&ip_asn_client, 1);
+ maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_ASN_USER_DEFINED], dip, (void **)&ip_asn_server, 1);
if (ip_asn_client == NULL)
{
- Maat_ip_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_ASN_BUILT_IN], sip, (void **)&ip_asn_client, 1);
+ maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_ASN_BUILT_IN], sip,(void **)&ip_asn_client, 1);
}
if (ip_asn_server == NULL)
{
- Maat_ip_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_ASN_BUILT_IN], dip, (void **)&ip_asn_server, 1);
+ maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_ASN_BUILT_IN], dip,(void **)&ip_asn_server, 1);
}
int ip_asn_table = 0;
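Review bot: The naming of the two sibling scanners has drifted: this commit renames `http_ip_location_scan` to `ip_location_scan` but leaves `http_ip_asn_scan` with its `http_` prefix, although both are called from the same place in policy_verify_scan and neither is HTTP-specific. Renaming it to `ip_asn_scan` (or keeping both prefixes) would make the pairing obvious. The function's body continues outside this hunk.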
@@ -1260,16 +1259,16 @@ int http_ip_asn_scan(struct Maat_rule_t *result, struct ip_address* sip, struct
ctx->ip_ctx.organization_server=strdup(ip_asn_server->organization);
ip_asn_table = (policy_type == TSG_TABLE_SECURITY) ? (int)TSG_SECURITY_IP_DST_ASN : (int)PXY_CTRL_IP_DST_ASN;
- scan_ret = Maat_full_scan_string(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][ip_asn_table],
- CHARSET_UTF8, ip_asn_server->asn, strlen(ip_asn_server->asn),
- result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
- &(ctx->scan_mid), (int) thread_id);
+ scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][ip_asn_table],
+ ip_asn_server->asn, strlen(ip_asn_server->asn),
+ result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
+ &n_hit_result, ctx->scan_mid);
if(scan_ret>0)
{
- hit_cnt_ip+=scan_ret;
+ hit_cnt_ip+=n_hit_result;
}
- ctx->n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, hit_path, sizeof(hit_path));
+ ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, sizeof(hit_path));
}
if(ip_asn_client!=NULL)
{
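Review bot: `if(scan_ret>0) { hit_cnt_ip+=n_hit_result; }` treats any positive return from maat_scan_string as a hit, whereas the helpers added in the same commit use `scan_ret == MAAT_SCAN_HIT` and distinguish `MAAT_SCAN_HALF_HIT` with `>=`; if MAAT_SCAN_HALF_HIT is positive (the `>=` comparison later in this file suggests an ordering of codes), this branch would count partial hits as full ones. Using the named constant here, `if(scan_ret == MAAT_SCAN_HIT)`, keeps the meaning consistent across the file. Note also that `n_hit_result` is a single variable reused across calls and is not reset before each scan, so if the API leaves it untouched on a non-hit return the previous call's count could be re-added — initialising it to 0 before each `maat_scan_string` call removes the doubt. The same `scan_ret>0` check appears in the ip_location_scan hunks, the next http_ip_asn_scan hunk, both get_fqdn_category_id scan hunks and the tunnel-id hunk.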
@@ -1277,15 +1276,16 @@ int http_ip_asn_scan(struct Maat_rule_t *result, struct ip_address* sip, struct
ctx->ip_ctx.organization_client=strdup(ip_asn_client->organization);
ip_asn_table = (policy_type == TSG_TABLE_SECURITY) ? (int)TSG_SECURITY_IP_SRC_ASN : (int)PXY_CTRL_IP_SRC_ASN;
- scan_ret = Maat_full_scan_string(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][ip_asn_table],
- CHARSET_UTF8, ip_asn_client->asn, strlen(ip_asn_client->asn),
- result+hit_cnt+hit_cnt_ip, NULL, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
- &(ctx->scan_mid), (int) thread_id);
+
+ scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][ip_asn_table],
+ ip_asn_client->asn, strlen(ip_asn_client->asn),
+ result+hit_cnt+hit_cnt_ip, MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,
+ &n_hit_result, ctx->scan_mid);
if(scan_ret>0)
{
- hit_cnt_ip+=scan_ret;
+ hit_cnt_ip+=n_hit_result;
}
- ctx->n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, hit_path, sizeof(hit_path));
+ ctx->n_read=maat_state_get_hit_paths(ctx->scan_mid, hit_path, sizeof(hit_path));
}
if(ip_asn_server)
ip_table_free(ip_asn_server);
@@ -1294,15 +1294,16 @@ int http_ip_asn_scan(struct Maat_rule_t *result, struct ip_address* sip, struct
return hit_cnt_ip;
}
-int verify_get_fqdn_category_id(struct Maat_rule_t *result, const char *fqdn, int protocol_field, int hit_cnt, unsigned int thread_id, int vsys_id, enum verify_policy_type policy_type,
- struct verify_policy_scan_ctx * ctx, struct verify_policy_query_obj *query_obj)
+int get_fqdn_category_id(long long *result, const char *fqdn, int table_id, int hit_cnt, unsigned int thread_id, int vsys_id, enum compile_table_typle policy_type,
+ struct policy_scan_ctx * ctx, struct request_query_obj *query_obj)
{
- int j=0, k=0;;
+ int j=0, k=0;
+ size_t n_hit_result=0;
int n_read=0, hit_path_cnt=0;
int i=0,ret=0, hit_cnt_fqdn=0;
struct fqdn_category_t *fqdn_cat_user[8]={0},*fqdn_cat_built[8]={0};
- ret=Maat_fqdn_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_FQDN_CAT_USER_DEFINED], fqdn, (void **)fqdn_cat_user, 8);
+ ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_FQDN_CAT_USER_DEFINED], fqdn, (void **)fqdn_cat_user, 8);
for(i=0; i <ret; i++)
{
if(i < 8)
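Review bot: The reworked get_fqdn_category_id signature has no comment describing its contract, which is now non-obvious: `result` is an output array of which the first `hit_cnt` entries are already occupied by earlier scans, the function appends at `result+hit_cnt` and returns only the number of entries it added, and `table_id` selects the scan table inside `g_policy_rt->scan_table_id[policy_type]`. A header comment stating those three facts, plus that `query_obj->category_user_num`/`category_built_num` and `nth_scan` are filled as side effects, would save the next reader from reconstructing it. The array literal `8` for `fqdn_cat_user`/`fqdn_cat_built` is repeated five times in this function; a named constant would match how TUNNEL_BOOL_ID_MAX is handled below. The function continues outside this hunk.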
@@ -1318,7 +1319,7 @@ int verify_get_fqdn_category_id(struct Maat_rule_t *result, const char *fqdn, in
}
query_obj->category_user_num = j< 8 ? j : 8;
- ret=Maat_fqdn_plugin_get_EX_data(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->plolicy_table_id[POLICY_FQDN_CAT_BUILT_IN], fqdn, (void **)fqdn_cat_built, 8);
+ ret=maat_fqdn_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], g_policy_rt->profile_table_id[POLICY_FQDN_CAT_BUILT_IN], fqdn, (void **)fqdn_cat_built, 8);
for(i=0; i <ret; i++)
{
if(i < 8)
@@ -1338,14 +1339,15 @@ int verify_get_fqdn_category_id(struct Maat_rule_t *result, const char *fqdn, in
{
for(i=0; i<query_obj->category_user_num; i++)
{
- ret=Maat_scan_intval(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][protocol_field], query_obj->category_id_user[i],
- result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &(ctx->scan_mid),(int) thread_id);
+ ret=maat_scan_integer(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][table_id],
+ query_obj->category_id_user[i], result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn,
+ &n_hit_result, ctx->scan_mid);
if(ret>0)
{
- hit_cnt_fqdn+=ret;
+ hit_cnt_fqdn+=n_hit_result;
}
- n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, ctx->hit_path, sizeof(ctx->hit_path));
- if(ret == -2 || ret >0)
+ n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, sizeof(ctx->hit_path));
+ if(ret >0)
{
query_obj->nth_scan[hit_path_cnt] = ctx->hit_path[ctx->n_read].Nth_scan;
ctx->n_read=n_read;
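Review bot: `query_obj->nth_scan[hit_path_cnt] = ctx->hit_path[ctx->n_read].Nth_scan;` reads the entry at the old `ctx->n_read` whenever `ret>0`, but nothing checks that maat_state_get_hit_paths actually added a path (`n_read > ctx->n_read`) or that `ctx->n_read` is below the capacity of `ctx->hit_path`; a hit that produced no new path reads a stale or out-of-range element. A guard such as `if(ret > 0 && n_read > ctx->n_read)` (and bounding `hit_path_cnt` against the size of `nth_scan`, whose increment is outside this hunk) closes both gaps. The same unguarded read is repeated in the next get_fqdn_category_id hunk, the tunnel-id scan hunk, and unconditionally in policy_verify_scan_app_id, policy_verify_scan_flag and policy_verify_scan_http_hdr added later in this file. The enclosing loop and function extend beyond this hunk.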
@@ -1358,14 +1360,15 @@ int verify_get_fqdn_category_id(struct Maat_rule_t *result, const char *fqdn, in
{
for(i=0; i<query_obj->category_built_num; i++)
{
- ret=Maat_scan_intval(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][protocol_field], query_obj->category_id_built[i],
- result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn, &(ctx->scan_mid),(int) thread_id);
+ ret=maat_scan_integer(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][table_id],
+ query_obj->category_id_built[i], result+hit_cnt+hit_cnt_fqdn, MAX_SCAN_RESULT-hit_cnt-hit_cnt_fqdn,
+ &n_hit_result, ctx->scan_mid);
if(ret>0)
{
- hit_cnt_fqdn+=ret;
+ hit_cnt_fqdn+=n_hit_result;
}
- n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, ctx->hit_path, sizeof(ctx->hit_path));
- if(ret == -2 || ret >0)
+ n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, sizeof(ctx->hit_path));
+ if(ret>0)
{
query_obj->nth_scan[hit_path_cnt] = ctx->hit_path[ctx->n_read].Nth_scan;
ctx->n_read=n_read;
@@ -1378,18 +1381,19 @@ finish:
return hit_cnt_fqdn;
}
-int verify_tunnle_id_scan(struct Maat_rule_t *result, struct ip_address *sip, int hit_cnt, unsigned int thread_id, int vsys_id, enum verify_policy_type policy_type,
- struct verify_policy_scan_ctx * ctx, struct verify_policy_query_obj *query_obj)
+int policy_verify_scan_tunnel_id(long long *result, struct ip_addr *sip, int hit_cnt, unsigned int thread_id, int vsys_id, enum compile_table_typle policy_type,
+ struct policy_scan_ctx * ctx, struct request_query_obj *query_obj)
{
#define TUNNEL_BOOL_ID_MAX 128
#define TUNNEL_CATALOG_MAX 128
+ size_t n_hit_result=0;
int i=0,ret=0,n_read=0;
int scan_ret=0, hit_cnt_tunnel=0;
int hit_path_cnt=0;
struct tunnel_data_ctx *endpoint_data[TUNNEL_BOOL_ID_MAX];
- ret=Maat_ip_plugin_get_EX_data(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->plolicy_table_id[POLICY_TUNNEL_ENDPOINT], sip, (void **)&endpoint_data, TUNNEL_BOOL_ID_MAX);
+ ret=maat_ip_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->profile_table_id[POLICY_TUNNEL_ENDPOINT], sip, (void **)&endpoint_data, TUNNEL_BOOL_ID_MAX);
for(i=0; i<ret && i<TUNNEL_BOOL_ID_MAX; i++)
{
ctx->bool_id_array[ctx->bool_id_array_idx]=(long long)endpoint_data[i]->id;
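Review bot: `(void **)&endpoint_data` takes the address of the array object `struct tunnel_data_ctx *endpoint_data[TUNNEL_BOOL_ID_MAX]` and casts a pointer-to-array to `void **`; it happens to hold the same address as the first element, but it is not the type the API expects, and get_fqdn_category_id in the same commit passes the array directly (`(void **)fqdn_cat_user`). Use `(void **)endpoint_data` here and `(void **)tunnel_catalog` in the next hunk for consistency and to avoid relying on the cast. `ctx->bool_id_array[ctx->bool_id_array_idx]=...` on the last line is written without a bound on `bool_id_array_idx`; if that array is not sized for `ret` up to TUNNEL_BOOL_ID_MAX plus whatever earlier scans added, the write can overrun — the increment and the loop's end lie outside this hunk, so I cannot confirm it from here. The function continues beyond the hunk.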
@@ -1398,17 +1402,18 @@ int verify_tunnle_id_scan(struct Maat_rule_t *result, struct ip_address *sip, in
}
struct tunnel_data_ctx *tunnel_catalog[TUNNEL_CATALOG_MAX];
- ret=Maat_bool_plugin_get_EX_data(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->plolicy_table_id[POLICY_TUNNEL_CATALOG], ctx->bool_id_array, ctx->bool_id_array_idx, (void**)(&tunnel_catalog), TUNNEL_CATALOG_MAX);
+ ret=maat_bool_plugin_table_get_ex_data(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->profile_table_id[POLICY_TUNNEL_CATALOG], ctx->bool_id_array, ctx->bool_id_array_idx, (void**)(&tunnel_catalog), TUNNEL_CATALOG_MAX);
for(i=0; i<ret && i<TUNNEL_CATALOG_MAX; i++)
{
- scan_ret=Maat_scan_intval(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][TSG_SECURITY_TUNNEL],
- tunnel_catalog[i]->id, result+hit_cnt+hit_cnt_tunnel, MAX_SCAN_RESULT-hit_cnt-hit_cnt_tunnel, &(ctx->scan_mid), (int) thread_id);
+ scan_ret=maat_scan_integer(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][TSG_SECURITY_TUNNEL],
+ tunnel_catalog[i]->id, result+hit_cnt+hit_cnt_tunnel, MAX_SCAN_RESULT-hit_cnt-hit_cnt_tunnel,
+ &n_hit_result, ctx->scan_mid);
if(scan_ret>0)
{
- hit_cnt_tunnel+=scan_ret;
+ hit_cnt_tunnel+=n_hit_result;
}
- n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, ctx->hit_path, sizeof(ctx->hit_path));
- if(ret == -2 || ret >0)
+ n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, sizeof(ctx->hit_path));
+ if(ret >0)
{
query_obj->nth_scan[hit_path_cnt] = ctx->hit_path[ctx->n_read].Nth_scan;
ctx->n_read=n_read;
@@ -1420,14 +1425,15 @@ int verify_tunnle_id_scan(struct Maat_rule_t *result, struct ip_address *sip, in
return hit_cnt_tunnel;
}
-static int verify_intercept_exclusion(const char *value, unsigned int thread_id, int vsys_id, enum verify_policy_type policy_type, struct verify_policy_scan_ctx * ctx)
+static int policy_verify_scan_intercept_exclusion(const char *value, unsigned int thread_id, int vsys_id, enum compile_table_typle policy_type, struct policy_scan_ctx * ctx)
{
int ret=0;
- scan_status_t scan_mid=NULL;
- struct Maat_rule_t result;
+ long long result=0;
+ size_t n_hit_result=0;
+ struct maat_state *scan_mid=maat_state_new(g_policy_rt->feather[vsys_id][policy_type], thread_id);
- ret=Maat_full_scan_string(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][TSG_SECURITY_EXCLUSION_SSL_SNI],
- CHARSET_UTF8, value, strlen(value), &result, NULL, 1, &scan_mid,(int) thread_id);
+ ret=maat_scan_string(g_policy_rt->feather[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][TSG_SECURITY_EXCLUSION_SSL_SNI],
+ value, strlen(value), &result, 1, &n_hit_result, scan_mid);
if(ret>0)
{
ctx->isExclusion = 1;
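Review bot: `struct maat_state *scan_mid=maat_state_new(...)` is passed straight to maat_scan_string without a NULL check, even though the cleanup further down (`if(scan_mid!=NULL)`, outside this hunk) shows a NULL state is considered possible; the scan should bail out first, e.g. `if(scan_mid==NULL) { return -1; }`. `value` is likewise used via `strlen(value)` with no check, and the caller in policy_verify_scan passes `request->keyword`, which policy_verify_scan_http_hdr treats as possibly NULL; a `value == NULL` guard before the scan belongs here too. The `long long result=0` output and `n_hit_result` are declared but the count is never read, which is fine as long as a comment says the function only cares about the hit/no-hit return. The function's tail is outside this hunk.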
@@ -1435,57 +1441,257 @@ static int verify_intercept_exclusion(const char *value, unsigned int thread_id,
if(scan_mid!=NULL)
{
- Maat_clean_status(&scan_mid);
+ maat_state_free(scan_mid);
scan_mid=NULL;
}
return 0;
}
-size_t verify_policy_scan(int vsys_id, enum verify_policy_type policy_type, struct verify_policy_query_obj *query_obj, cJSON *data_obj, void *pme)
+static inline int secy_request_in_fqdn_cat(int compile_type, int table_id)
+{
+ if(compile_type == TSG_TABLE_SECURITY && (table_id == TSG_SECURITY_HTTP_HOST || table_id == TSG_SECURITY_SSL_SNI
+ || table_id==TSG_SECURITY_SSL_CN || table_id==TSG_SECURITY_SSL_SAN || table_id==TSG_SECURITY_DNS_QNAME
+ || table_id == TSG_SECURITY_QUIC_SNI))
+ {
+ return 1;
+ }
+ else
+ {
+ return 0;
+ }
+}
+
+static inline int pxy_request_in_fqdn_cat(int compile_type, int table_id)
+{
+ if(compile_type == PXY_TABLE_MANIPULATION &&(table_id == PXY_CTRL_HTTP_HOST || table_id == PXY_CTRL_DOH_QNAME
+ || table_id==PXY_CTRL_DOH_HOST))
+ {
+ return 1;
+ }
+ else
+ {
+ return 0;
+ }
+}
+
+static inline int request_in_ip_addr(int table_id)
+{
+ if(table_id == PXY_COMMON_SOURCE_ADDR || table_id == PXY_COMMON_DESTINATION_ADDR)
+ {
+ return 1;
+ }
+ else
+ {
+ return 0;
+ }
+}
+
+static inline int request_in_http_hdr(int table_id)
+{
+ if ((table_id == PXY_CTRL_HTTP_REQ_HDR) || table_id == PXY_CTRL_HTTP_RES_HDR)
+ {
+ return 1;
+ }
+ else
+ {
+ return 0;
+ }
+}
+
+static inline int request_in_exclusion(int compile_type, int table_id)
+{
+ if(compile_type == TSG_TABLE_SECURITY &&(table_id == TSG_SECURITY_SSL_SNI || table_id == TSG_SECURITY_HTTP_HOST))
+ {
+ return 1;
+ }
+ else
+ {
+ return 0;
+ }
+}
+
+static int policy_verify_scan_app_id(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int compile_type, int hit_cnt)
+{
+ int n_read=0;
+ int scan_ret=0, hit_cnt_app_id=0;
+ size_t n_hit_result=0;
+
+ int table_id = request->table_id;
+ int scan_val = request->numeric;
+
+ scan_ret=maat_scan_integer(g_policy_rt->feather[vsys_id][compile_type], g_policy_rt->scan_table_id[compile_type][table_id],
+ scan_val, ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if(scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt_app_id+=n_hit_result;
+ }
+ n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, sizeof(ctx->hit_path));
+ request->nth_scan[0] = ctx->hit_path[ctx->n_read].Nth_scan;
+ ctx->n_read=n_read;
+ return hit_cnt_app_id;
+}
+
+static int policy_verify_scan_flag(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int compile_type, int hit_cnt)
+{
+ int n_read=0;
+ int scan_ret=0, hit_cnt_flag=0;
+ size_t n_hit_result=0;
+
+ int flag=request->numeric;
+ int table_id = request->table_id;
+
+ scan_ret=maat_scan_flag(g_policy_rt->feather[vsys_id][compile_type], g_policy_rt->scan_table_id[compile_type][table_id],
+ flag, ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if(scan_ret==MAAT_SCAN_HIT)
+ {
+ hit_cnt_flag+=n_hit_result;
+ }
+ n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, sizeof(ctx->hit_path));
+ request->nth_scan[0] = ctx->hit_path[ctx->n_read].Nth_scan;
+ ctx->n_read=n_read;
+ return hit_cnt_flag;
+}
+
+static int policy_verify_scan_http_hdr(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int compile_type, int hit_cnt)
+{
+ int n_read=0;
+ int scan_ret=0, hit_cnt_hdr=0;
+ size_t n_hit_result=0;
+
+ if(!request->district || !request->keyword)
+ {
+ return hit_cnt_hdr;
+ }
+
+ int table_id = request->table_id;
+ const char *value = request->keyword;
+ const char * str_field_name = request->district;
+ scan_ret = maat_state_set_scan_district(ctx->scan_mid, str_field_name, strlen(str_field_name));
+ assert(scan_ret == 0);
+ scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id][compile_type], g_policy_rt->scan_table_id[compile_type][table_id],
+ value, strlen(value), ctx->result + hit_cnt, MAX_SCAN_RESULT - hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt_hdr += n_hit_result;
+ }
+ n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, sizeof(ctx->hit_path));
+ request->nth_scan[0] = ctx->hit_path[ctx->n_read].Nth_scan;
+ ctx->n_read=n_read;
+ return hit_cnt_hdr;
+}
+
+static int policy_verify_scan_ip_addr(struct request_query_obj *request, struct policy_scan_ctx *ctx, int vsys_id, int compile_type, int hit_cnt)
+{
+ int n_read=0;
+ int scan_ret=0, hit_cnt_ip=0;
+ size_t n_hit_result=0;
+
+ int table_id = request->table_id;
+ int protocol = 0;
+ if (request->ip_addr->addrtype == ADDR_TYPE_IPV4)
+ {
+ if(0 == strcasecmp(request->attri_name, "source"))
+ {
+ scan_ret = maat_scan_ipv4(g_policy_rt->feather[vsys_id][compile_type], g_policy_rt->scan_table_id[compile_type][table_id],
+ request->ip_addr->v4->saddr, request->ip_addr->v4->source, protocol, ctx->result+hit_cnt+hit_cnt_ip,
+ MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip,&n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt_ip += n_hit_result;
+ }
+ }
+ if(0 == strcasecmp(request->attri_name, "destination"))
+ {
+ scan_ret = maat_scan_ipv4(g_policy_rt->feather[vsys_id][compile_type], g_policy_rt->scan_table_id[compile_type][table_id],
+ request->ip_addr->v4->daddr, request->ip_addr->v4->dest, protocol,ctx->result+hit_cnt+hit_cnt_ip,
+ MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid);
+
+ if(scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt_ip += n_hit_result;
+ }
+ }
+ if(scan_ret >= MAAT_SCAN_HALF_HIT)
+ {
+ n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, sizeof(ctx->hit_path));
+ request->nth_scan[0] = ctx->hit_path[ctx->n_read].Nth_scan;
+ ctx->n_read=n_read;
+ }
+ }
+ if (request->ip_addr->addrtype == ADDR_TYPE_IPV6)
+ {
+ if(0 == strcasecmp(request->attri_name, "source"))
+ {
+ scan_ret = maat_scan_ipv6(g_policy_rt->feather[vsys_id][compile_type], g_policy_rt->scan_table_id[compile_type][table_id],
+ request->ip_addr->v6->saddr, request->ip_addr->v6->source, protocol,ctx->result+hit_cnt+hit_cnt_ip,
+ MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt_ip += n_hit_result;
+ }
+ }
+ if(0 == strcasecmp(request->attri_name, "destination"))
+ {
+ scan_ret = maat_scan_ipv6(g_policy_rt->feather[vsys_id][compile_type], g_policy_rt->scan_table_id[compile_type][table_id],
+ request->ip_addr->v6->daddr, request->ip_addr->v6->dest, protocol, ctx->result+hit_cnt+hit_cnt_ip,
+ MAX_SCAN_RESULT-hit_cnt-hit_cnt_ip, &n_hit_result, ctx->scan_mid);
+ if (scan_ret == MAAT_SCAN_HIT)
+ {
+ hit_cnt_ip += n_hit_result;
+ }
+ }
+ if(scan_ret >= MAAT_SCAN_HALF_HIT)
+ {
+ n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, sizeof(ctx->hit_path));
+ request->nth_scan[0] = ctx->hit_path[ctx->n_read].Nth_scan;
+ ctx->n_read=n_read;
+ }
+ }
+ return hit_cnt_ip;
+}
+
+size_t policy_verify_scan(int vsys_id, enum compile_table_typle compile_type, struct request_query_obj *request, cJSON *data_obj, void *pme)
{
+ size_t n_hit_result=0;
int scan_ret=0, n_read;
- struct verify_policy_scan_ctx * ctx = (struct verify_policy_scan_ctx *) pme;
+ struct policy_scan_ctx * ctx = (struct policy_scan_ctx *) pme;
size_t hit_cnt = ctx->hit_cnt;
- int protocol_field = query_obj->protocol_field;
- const char *value = query_obj->keyword;
- int numeric = query_obj->numeric;
+ int table_id = request->table_id;
+ const char *value = request->keyword;
- if ((protocol_field == PXY_COMMON_SOURCE_ADDR || protocol_field == PXY_COMMON_DESTINATION_ADDR) && query_obj->ip_addr != NULL)
+ if (request_in_ip_addr(table_id) && request->ip_addr != NULL)
{
- struct ip_address dest_ip, source_ip;
- verify_ip_addr_to_address(query_obj->ip_addr, &dest_ip, &source_ip);
+ struct ip_addr dest_ip, source_ip;
+ ip_addr_to_address(request->ip_addr, &dest_ip, &source_ip);
- scan_ret = http_ip_location_scan(ctx->result, &source_ip, &dest_ip, hit_cnt, ctx->thread_id, vsys_id, policy_type, ctx);
+ scan_ret = ip_location_scan(ctx->result, &source_ip, &dest_ip, hit_cnt, ctx->thread_id, vsys_id, compile_type, ctx);
if(scan_ret > 0)
{
hit_cnt+=scan_ret;
}
- scan_ret = http_ip_asn_scan(ctx->result, &source_ip, &dest_ip, hit_cnt, ctx->thread_id, vsys_id, policy_type, ctx);
+ scan_ret = http_ip_asn_scan(ctx->result, &source_ip, &dest_ip, hit_cnt, ctx->thread_id, vsys_id, compile_type, ctx);
if(scan_ret > 0)
{
hit_cnt+=scan_ret;
}
-
- scan_ret = Maat_scan_proto_addr(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][protocol_field], query_obj->ip_addr, 0,
- ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
+ scan_ret = policy_verify_scan_ip_addr(request, ctx, vsys_id, compile_type, hit_cnt);
+ if(scan_ret > 0)
{
- hit_cnt += scan_ret;
+ hit_cnt+=scan_ret;
}
- n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, ctx->hit_path, sizeof(ctx->hit_path));
- query_obj->nth_scan[0] = ctx->hit_path[ctx->n_read].Nth_scan;
- ctx->n_read=n_read;
goto decide;
}
- if(policy_type==TSG_TABLE_SECURITY && protocol_field==TSG_SECURITY_TUNNEL)
+ if(compile_type==TSG_TABLE_SECURITY && table_id==TSG_SECURITY_TUNNEL)
{
- struct ip_address dest_ip, source_ip;
- verify_ip_addr_to_address(query_obj->endpoint, &dest_ip, &source_ip);
-
- scan_ret = verify_tunnle_id_scan(ctx->result, &source_ip, hit_cnt, ctx->thread_id, vsys_id, policy_type, ctx, query_obj);
+ struct ip_addr dest_ip, source_ip;
+ ip_addr_to_address(request->endpoint, &dest_ip, &source_ip);
+ scan_ret = policy_verify_scan_tunnel_id(ctx->result, &source_ip, hit_cnt, ctx->thread_id, vsys_id, compile_type, ctx, request);
if(scan_ret)
{
hit_cnt+=scan_ret;
@@ -1493,98 +1699,76 @@ size_t verify_policy_scan(int vsys_id, enum verify_policy_type policy_type, stru
goto decide;
}
- if (protocol_field == PXY_CTRL_APP_ID)
+ if (table_id == PXY_CTRL_APP_ID)
{
- int scan_val=numeric;
- scan_ret=Maat_scan_intval(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][protocol_field], scan_val, ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if(scan_ret>0)
+ scan_ret = policy_verify_scan_app_id(request, ctx, vsys_id, compile_type, hit_cnt);
+ if(scan_ret > 0)
{
hit_cnt+=scan_ret;
}
- n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, ctx->hit_path, sizeof(ctx->hit_path));
- query_obj->nth_scan[0] = ctx->hit_path[ctx->n_read].Nth_scan;
- ctx->n_read=n_read;
goto decide;
}
- if (protocol_field == TSG_SECURITY_FLAG)
+ if (table_id == TSG_SECURITY_FLAG)
{
- int flag=numeric;
-
- scan_ret=Maat_scan_flag(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][protocol_field], flag, ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if(scan_ret>0)
+ scan_ret = policy_verify_scan_flag(request, ctx, vsys_id, compile_type, hit_cnt);
+ if(scan_ret > 0)
{
hit_cnt+=scan_ret;
}
- n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, ctx->hit_path, sizeof(ctx->hit_path));
- query_obj->nth_scan[0] = ctx->hit_path[ctx->n_read].Nth_scan;
- ctx->n_read=n_read;
goto decide;
}
- if ((protocol_field == PXY_CTRL_HTTP_REQ_HDR) || protocol_field == PXY_CTRL_HTTP_RES_HDR)
+ if (request_in_http_hdr(table_id))
{
- if(query_obj->district != NULL && value != NULL)
+ scan_ret = policy_verify_scan_http_hdr(request, ctx, vsys_id, compile_type, hit_cnt);
+ if(scan_ret > 0)
{
- const char * str_field_name = query_obj->district;
- scan_ret = Maat_set_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_SET_SCAN_DISTRICT,
- str_field_name, strlen(str_field_name));
- assert(scan_ret == 0);
- scan_ret = Maat_full_scan_string(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][protocol_field],
- CHARSET_UTF8, value, strlen(value),
- ctx->result + hit_cnt, NULL, MAX_SCAN_RESULT - hit_cnt, &(ctx->scan_mid), ctx->thread_id);
- if (scan_ret > 0)
- {
- hit_cnt += scan_ret;
- }
- n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, ctx->hit_path, sizeof(ctx->hit_path));
- query_obj->nth_scan[0] = ctx->hit_path[ctx->n_read].Nth_scan;
- ctx->n_read=n_read;
+ hit_cnt+=scan_ret;
}
goto decide;
}
- if(policy_type == TSG_TABLE_SECURITY &&(protocol_field == TSG_SECURITY_HTTPS_SNI || protocol_field == TSG_SECURITY_HTTP_FQDN))
+ if(request_in_exclusion(compile_type, table_id))
{
- scan_ret = verify_intercept_exclusion(value, ctx->thread_id, vsys_id, policy_type, ctx);
+ scan_ret = policy_verify_scan_intercept_exclusion(value, ctx->thread_id, vsys_id, compile_type, ctx);
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
}
- if(policy_type == TSG_TABLE_SECURITY &&(protocol_field == TSG_SECURITY_HTTP_FQDN ||
- protocol_field == TSG_SECURITY_HTTPS_SNI || protocol_field==TSG_SECURITY_HTTPS_CN || protocol_field==TSG_SECURITY_HTTPS_SAN ||
- protocol_field==TSG_SECURITY_DNS_QNAME || protocol_field == TSG_SECURITY_QUIC_SNI))
+ if(secy_request_in_fqdn_cat(compile_type, table_id))
{
- scan_ret = verify_get_fqdn_category_id(ctx->result, value, protocol_field, hit_cnt, ctx->thread_id, vsys_id, policy_type, ctx, query_obj);
+ /*TSG_HOST, TSG_HOST+1=TSG_HOST_CAT**/
+ scan_ret = get_fqdn_category_id(ctx->result, value, table_id+1, hit_cnt, ctx->thread_id, vsys_id, compile_type, ctx, request);
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
}
- if(policy_type == PXY_TABLE_MANIPULATION &&(protocol_field == PXY_CTRL_HTTP_FQDN ||
- protocol_field == PXY_CTRL_DOH_QNAME || protocol_field==PXY_CTRL_DOH_HOST))
+ if(pxy_request_in_fqdn_cat(compile_type, table_id))
{
- scan_ret = verify_get_fqdn_category_id(ctx->result, value, protocol_field, hit_cnt, ctx->thread_id, vsys_id, policy_type, ctx, query_obj);
+ /*TSG_HOST, TSG_HOST+1=TSG_HOST_CAT**/
+ scan_ret = get_fqdn_category_id(ctx->result, value, table_id+1, hit_cnt, ctx->thread_id, vsys_id, compile_type, ctx, request);
if(scan_ret>0)
{
hit_cnt+=scan_ret;
}
}
- scan_ret = Maat_full_scan_string(g_policy_rt->maat[vsys_id][policy_type], g_policy_rt->scan_table_id[policy_type][protocol_field],
- CHARSET_UTF8, value, strlen(value),
- ctx->result+hit_cnt, NULL, MAX_SCAN_RESULT-hit_cnt,
- &(ctx->scan_mid), ctx->thread_id);
- if(scan_ret>0)
+
+ scan_ret = maat_scan_string(g_policy_rt->feather[vsys_id][compile_type], g_policy_rt->scan_table_id[compile_type][table_id],
+ value, strlen(value), ctx->result+hit_cnt, MAX_SCAN_RESULT-hit_cnt,
+ &n_hit_result, ctx->scan_mid);
+ if(scan_ret==MAAT_SCAN_HIT)
{
- hit_cnt+=scan_ret;
+ hit_cnt+=n_hit_result;
}
- n_read=Maat_get_scan_status(g_policy_rt->maat[vsys_id][policy_type], &(ctx->scan_mid), MAAT_GET_SCAN_HIT_PATH, ctx->hit_path, sizeof(ctx->hit_path));
- if(scan_ret == -2 || scan_ret >0)
+ n_read=maat_state_get_hit_paths(ctx->scan_mid, ctx->hit_path, sizeof(ctx->hit_path));
+ if(scan_ret >0)
{
- query_obj->nth_scan[query_obj->nth_scan_num] = ctx->hit_path[ctx->n_read].Nth_scan;
+ request->nth_scan[request->nth_scan_num] = ctx->hit_path[ctx->n_read].Nth_scan;
ctx->n_read=n_read;
}
decide:
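Review bot: The rewritten hit-path condition `if(scan_ret >0)` now tests a maat scan status rather than the old hit count, while the same decision is spelled `if(scan_ret >= MAAT_SCAN_HALF_HIT)` in the address branches earlier in this file; unless every positive status means a hit, the two forms disagree, so the explicit `if(scan_ret >= MAAT_SCAN_HALF_HIT)` is the safer and consistent choice here too. The final `maat_scan_string(..., value, strlen(value), ...)` call still has no NULL guard on `value` (`request->keyword`), even though the removed header-scan branch treated a NULL keyword as a real case; an `if (value == NULL) goto decide;` before the call avoids a crash on a request without a keyword. policy_verify_scan begins before this hunk and its `decide:` tail continues after it.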
@@ -1592,33 +1776,29 @@ decide:
return hit_cnt;
}
-static Maat_feather_t create_maat_feather(const char * instance_name, const char * profile, const char * section, const char *table_name, int max_thread, void * logger, int db_index)
+static struct maat *create_maat_feather(const char * instance_name, const char * profile, const char * section, const char *table_name, int max_thread, char *log_path, int db_index)
{
- Maat_feather_t target;
- int input_mode = 0, maat_perf_on = 0, maat_stat_on = 0;
- int ret = 0, scan_detail = 0, effect_interval = 60;
+ struct maat *target=NULL;
+ int input_mode = 0, maat_perf_on = 0, log_level=0;
+ int ret = 0, effect_interval = 60;
char table_info[VERIFY_STRING_MAX] = {0}, inc_cfg_dir[VERIFY_STRING_MAX] = {0}, ful_cfg_dir[VERIFY_STRING_MAX] = {0};
- char redis_server[VERIFY_STRING_MAX] = {0};
+ char redis_ip[VERIFY_STRING_MAX] = {0};
char redis_port_range[VERIFY_STRING_MAX] = {0};
- char accept_tags[VERIFY_STRING_MAX] = {0};
int redis_port_begin=0, redis_port_end=0;
int redis_port_select=0;
- char json_cfg_file[VERIFY_STRING_MAX] = {0}, maat_stat_file[VERIFY_PATH_MAX] = {0};
- char maat_stat_db_file[VERIFY_PATH_MAX] = {0};
+ char accept_tags[VERIFY_STRING_MAX] = {0};
+ char json_cfg_file[VERIFY_STRING_MAX] = {0};
+
MESA_load_profile_int_def(profile, section, "maat_input_mode", &(input_mode), 0);
- MESA_load_profile_int_def(profile, section, "perf_switch", &(maat_perf_on), 1);
+ MESA_load_profile_int_def(profile, section, "perf_switch", &(maat_perf_on), 0);
MESA_load_profile_string_def(profile, section, table_name, table_info, sizeof(table_info), "");
- MESA_load_profile_int_def(profile, section, "stat_switch", &(maat_stat_on), 1);
- MESA_load_profile_string_def(profile, section, "accept_tags", accept_tags, sizeof(accept_tags), "");
-
MESA_load_profile_string_def(profile, section, "json_cfg_file", json_cfg_file, sizeof(json_cfg_file), "");
+ MESA_load_profile_string_def(profile, section, "maat_redis_server", redis_ip, sizeof(redis_ip), "");
+ MESA_load_profile_string_def(profile, section, "maat_redis_port_range", redis_port_range, sizeof(redis_port_range), "6379");
+ MESA_load_profile_string_def(profile, section, "accept_tags", accept_tags, sizeof(accept_tags), "");
+ MESA_load_profile_int_def(profile, section, "log_level", &(log_level), LOG_LEVEL_FATAL);
- MESA_load_profile_string_def(profile, section, "maat_redis_server", redis_server, sizeof(redis_server), "");
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%s", "Maat Redis Ip", redis_server);
- MESA_load_profile_string_def(profile, section, "maat_redis_port_range", redis_port_range, sizeof(redis_server), "6379");
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%s", "Maat Redis Port", redis_port_range);
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%d", "Maat Redis_db_index", db_index);
ret=sscanf(redis_port_range,"%d-%d", &redis_port_begin, &redis_port_end);
if(ret==1)
{
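Review bot: The new `create_maat_feather` signature takes `char *log_path` although the path is only forwarded to `maat_options_set_logger`; if that API accepts a const pointer, `const char *log_path` documents the intent and lets callers pass a literal instead of building a buffer with snprintf. The INFO lines that reported the Redis ip, port range and db index were dropped in this hunk, so a mis-pointed Redis instance is no longer visible at startup; keeping one line such as `mesa_runtime_log(RLOG_LV_INFO, "Maat Redis %s:%s db %d", redis_ip, redis_port_range, db_index);` after the profile reads would preserve that diagnostic. The function body continues past the end of the hunk.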
@@ -1631,90 +1811,69 @@ static Maat_feather_t create_maat_feather(const char * instance_name, const char
}
else
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Invalid redis port range %s, MAAT init failed.", redis_port_range);
+ mesa_runtime_log(RLOG_LV_FATAL, "Invalid redis port range %s, MAAT init failed.", redis_port_range);
}
-
MESA_load_profile_string_def(profile, section, "inc_cfg_dir", inc_cfg_dir, sizeof(inc_cfg_dir), "");
MESA_load_profile_string_def(profile, section, "full_cfg_dir", ful_cfg_dir, sizeof(ful_cfg_dir), "");
MESA_load_profile_int_def(profile, section, "effect_interval_s", &(effect_interval), 60);
effect_interval *= 1000;//convert s to ms
- assert(strlen(inc_cfg_dir) != 0 || strlen(ful_cfg_dir) != 0 || strlen(redis_server)!=0 || strlen(json_cfg_file)!=0);
+ assert(strlen(inc_cfg_dir) != 0 || strlen(ful_cfg_dir) != 0 || strlen(redis_ip)!=0 || strlen(json_cfg_file)!=0);
- target = Maat_feather(max_thread, table_info, logger);
- Maat_set_feather_opt(target, MAAT_OPT_INSTANCE_NAME, instance_name, strlen(instance_name) + 1);
+ struct maat_options *opts = maat_options_new();
+ maat_options_set_logger(opts, log_path, (enum log_level)log_level);
+ maat_options_set_instance_name(opts, instance_name);
switch (input_mode)
{
case MAAT_INPUT_JSON:
- Maat_set_feather_opt(target, MAAT_OPT_JSON_FILE_PATH, json_cfg_file, strlen(json_cfg_file) + 1);
+ maat_options_set_json_file(opts, json_cfg_file);
break;
case MAAT_INPUT_REDIS:
- Maat_set_feather_opt(target, MAAT_OPT_REDIS_IP, redis_server, strlen(redis_server) + 1);
- Maat_set_feather_opt(target, MAAT_OPT_REDIS_PORT, &redis_port_select, sizeof(redis_port_select));
- Maat_set_feather_opt(target, MAAT_OPT_REDIS_INDEX, &db_index, sizeof(db_index));
+ maat_options_set_redis(opts, redis_ip, redis_port_select, db_index);
break;
- case MAAT_INPUT_FILE: Maat_set_feather_opt(target, MAAT_OPT_FULL_CFG_DIR, ful_cfg_dir, strlen(ful_cfg_dir) + 1);
- Maat_set_feather_opt(target, MAAT_OPT_INC_CFG_DIR, inc_cfg_dir, strlen(inc_cfg_dir) + 1);
+ case MAAT_INPUT_FILE:
+ maat_options_set_iris(opts, ful_cfg_dir, inc_cfg_dir);
break;
- default: mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Invalid MAAT Input Mode: %d.", input_mode);
+ default: mesa_runtime_log(RLOG_LV_FATAL, "Invalid MAAT Input Mode: %d.", input_mode);
goto error_out;
break;
}
+ maat_options_set_foreign_cont_dir(opts, "./verify_policy_files");
+ maat_options_set_rule_effect_interval_ms(opts, effect_interval);
+ maat_options_set_caller_thread_number(opts, max_thread);
- if(strcasecmp(table_name, "table_info_proxy") == 0)
- {
- MESA_load_profile_string_def(profile, section, "proxy_stat_file", maat_stat_file, sizeof(maat_stat_file), "");
- }
- if(strcasecmp(table_name, "table_info_security") ==0)
- {
- MESA_load_profile_string_def(profile, section, "security_stat_file", maat_stat_file, sizeof(maat_stat_file), "");
- }
-
- if(strlen(maat_stat_file) > 0 && maat_stat_on)
+ if(maat_perf_on)
{
- snprintf(maat_stat_db_file, VERIFY_PATH_MAX, "%s.%d", maat_stat_file, db_index);
- Maat_set_feather_opt(target, MAAT_OPT_STAT_FILE_PATH, maat_stat_db_file, strlen(maat_stat_db_file) + 1);
- Maat_set_feather_opt(target, MAAT_OPT_STAT_ON, NULL, 0);
+ maat_options_set_perf_on(opts);
}
- Maat_set_feather_opt(target, MAAT_OPT_FOREIGN_CONT_DIR, "./verify_policy_files", strlen("./verify_policy_files")+1);
-
- Maat_set_feather_opt(target, MAAT_OPT_EFFECT_INVERVAL_MS, &effect_interval, sizeof(effect_interval));
- Maat_set_feather_opt(target, MAAT_OPT_SCAN_DETAIL, &scan_detail, sizeof(scan_detail));
-
- ret = Maat_initiate_feather(target);
- if (ret < 0)
+ target = maat_new(opts, table_info);
+ if (!target)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s MAAT init failed.", __FUNCTION__);
+ mesa_runtime_log(RLOG_LV_FATAL, "%s MAAT init failed.", __FUNCTION__);
goto error_out;
}
-
+ maat_options_free(opts);
return target;
+
error_out:
- Maat_burn_feather(target);
+ maat_options_free(opts);
return NULL;
}
int proxy_policy_init(struct verify_policy * verify, const char* profile_path)
{
int ret = -1; int vsys_id=0;
- void *local_logger = NULL;
+ char log_path[VERIFY_PATH_MAX];
+ snprintf(log_path, sizeof(log_path), "logs/proxy.maat.log");
g_policy_rt = ALLOC(struct verify_policy_rt, 1);
-
- local_logger = MESA_create_runtime_log_handle("proxy_policy_maat", RLOG_LV_DEBUG);
- if(local_logger == NULL)
- {
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Create log runtime_log_handle error, init failed!");
- }
-
g_policy_rt->local_logger = verify->logger;
g_policy_rt->thread_num = verify->nr_work_threads;
-
- for(vsys_id=0; vsys_id < TRAFFIC_VSYS_ID_MAX; vsys_id++)
+ for(vsys_id=0; vsys_id < VSYS_ID_MAX; vsys_id++)
{
- g_policy_rt->maat[vsys_id][PXY_TABLE_MANIPULATION] = create_maat_feather("static", profile_path, "MAAT", "table_info_proxy", g_policy_rt->thread_num, local_logger, vsys_id);
- if (!g_policy_rt->maat[vsys_id][PXY_TABLE_MANIPULATION])
+ g_policy_rt->feather[vsys_id][PXY_TABLE_MANIPULATION] = create_maat_feather("static", profile_path, "MAAT", "table_info_proxy", g_policy_rt->thread_num, log_path, vsys_id);
+ if (!g_policy_rt->feather[vsys_id][PXY_TABLE_MANIPULATION])
{
goto error_out;
}
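Review bot: `struct maat_options *opts = maat_options_new();` is used immediately by `maat_options_set_logger` without a NULL check, whereas the later `maat_new` result is checked; if the options allocation can fail, an `if (!opts) { mesa_runtime_log(RLOG_LV_FATAL, "%s maat_options_new failed.", __FUNCTION__); return NULL; }` before the setters closes that gap. The `(enum log_level)log_level` cast hands whatever integer the profile contains straight to the logger; since the value comes from a config file, validating it against the known levels before the cast (falling back to the LOG_LEVEL_FATAL default) would be safer. This hunk also opens `proxy_policy_init`, which runs past the end of the hunk.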
@@ -1723,7 +1882,8 @@ int proxy_policy_init(struct verify_policy * verify, const char* profile_path)
table_name[PXY_CTRL_SOURCE_ADDR] = "TSG_SECURITY_SOURCE_ADDR";
table_name[PXY_CTRL_DESTINATION_ADDR]="TSG_SECURITY_DESTINATION_ADDR";
table_name[PXY_CTRL_HTTP_URL] = "TSG_FIELD_HTTP_URL";
- table_name[PXY_CTRL_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
+ table_name[PXY_CTRL_HTTP_HOST] = "TSG_FIELD_HTTP_HOST";
+ table_name[PXY_CTRL_HTTP_HOST_CAT]="TSG_FIELD_HTTP_HOST_CAT";
table_name[PXY_CTRL_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_BODY";
table_name[PXY_CTRL_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
@@ -1732,6 +1892,7 @@ int proxy_policy_init(struct verify_policy * verify, const char* profile_path)
table_name[PXY_CTRL_APP_ID] = "TSG_OBJ_APP_ID";
table_name[PXY_CTRL_DOH_QNAME]="TSG_FIELD_DOH_QNAME";
table_name[PXY_CTRL_DOH_HOST]="TSG_FIELD_DOH_HOST";
+ table_name[PXY_CTRL_DOH_HOST_CAT]="TSG_FIELD_DOH_HOST_CAT";
table_name[PXY_CTRL_IP_SRC_ASN]="TSG_SECURITY_SOURCE_ASN";
table_name[PXY_CTRL_IP_DST_ASN]="TSG_SECURITY_DESTINATION_ASN";
table_name[PXY_CTRL_IP_SRC_LOCATION]="TSG_SECURITY_SOURCE_LOCATION";
@@ -1741,14 +1902,21 @@ int proxy_policy_init(struct verify_policy * verify, const char* profile_path)
table_name[PXY_CTRL_APN]="TSG_FILED_GTP_APN";
for (int i = 0; i < __SCAN_TABLE_MAX; i++)
{
- g_policy_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] = Maat_table_register(g_policy_rt->maat[vsys_id][PXY_TABLE_MANIPULATION], table_name[i]);
+ g_policy_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] = maat_get_table_id(g_policy_rt->feather[vsys_id][PXY_TABLE_MANIPULATION], table_name[i]);
if (g_policy_rt->scan_table_id[PXY_TABLE_MANIPULATION][i] < 0)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Proxy HTTP Maat table %s register failed.", table_name[i]);
+ mesa_runtime_log(RLOG_LV_FATAL, "Proxy HTTP Maat table %s register failed.", table_name[i]);
goto error_out;
}
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Proxy policy register maat %p, table name %s, table id %d", g_policy_rt->maat[vsys_id][PXY_TABLE_MANIPULATION], table_name[i], g_policy_rt->scan_table_id[PXY_TABLE_MANIPULATION][i]);
+ mesa_runtime_log(RLOG_LV_DEBUG, "Proxy policy register maat %p, table name %s, table id %d", g_policy_rt->feather[vsys_id][PXY_TABLE_MANIPULATION], table_name[i], g_policy_rt->scan_table_id[PXY_TABLE_MANIPULATION][i]);
}
+
+ g_policy_rt->compile_table_id[PXY_TABLE_MANIPULATION]=maat_get_table_id(g_policy_rt->feather[vsys_id][PXY_TABLE_MANIPULATION], "PXY_CTRL_COMPILE");
+ if(g_policy_rt->compile_table_id[PXY_TABLE_MANIPULATION] >= 0)
+ {
+ maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id][PXY_TABLE_MANIPULATION], "PXY_CTRL_COMPILE",
+ compile_table_new_cb, compile_free_data, compile_dup_data, 0,NULL);
+ }
}
ret = 0;
error_out:
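Review bot: When `maat_get_table_id(..., "PXY_CTRL_COMPILE")` returns a negative id the new block silently skips the schema registration, unlike the loop just above it which logs and fails for a missing table, and the return value of `maat_plugin_table_ex_schema_register` is not checked either; a missing or mistyped compile table in the table_info configuration would then go unnoticed until scans return no compiled policies. At minimum an `else` branch such as `mesa_runtime_log(RLOG_LV_INFO, "PXY_CTRL_COMPILE table not found, compile scan disabled");` and a check of the register call's result are warranted. The same pattern is repeated three more times in security_policy_init (the TSG_SECURITY_COMPILE, TRAFFIC_SHAPING_COMPILE and SERVICE_CHAINING_COMPILE blocks) and should be fixed there as well.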
@@ -1757,19 +1925,14 @@ error_out:
int security_policy_init(struct verify_policy * verify, const char* profile_path)
{
- int vsys_id=0;
- int ret = -1;
-
- void *local_logger = MESA_create_runtime_log_handle("security_policy_maat", RLOG_LV_DEBUG);
- if(local_logger == NULL)
- {
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Create log runtime_log_handle error, init failed!");
- }
+ int ret = -1,vsys_id=0;
+ char log_path[VERIFY_PATH_MAX];
- for(vsys_id=0; vsys_id < TRAFFIC_VSYS_ID_MAX; vsys_id++)
+ snprintf(log_path, sizeof(log_path), "logs/security.maat.log");
+ for(vsys_id=0; vsys_id < VSYS_ID_MAX; vsys_id++)
{
- g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY] = create_maat_feather("static", profile_path, "MAAT", "table_info_security", g_policy_rt->thread_num, local_logger, vsys_id);
- if (!g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY])
+ g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY] = create_maat_feather("static", profile_path, "MAAT", "table_info_security", g_policy_rt->thread_num, log_path, vsys_id);;
+ if (!g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY])
{
goto error_out;
}
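Review bot: The rewritten `g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY] = create_maat_feather(...);;` line ends with a doubled semicolon; harmless, but it reads as a leftover. security_policy_init now dereferences `g_policy_rt->thread_num` without allocating `g_policy_rt` itself, so it appears to depend on proxy_policy_init having run first (that function performs the ALLOC); if that ordering is intended, a comment such as `/* requires proxy_policy_init() to have allocated g_policy_rt */` at the top of the function, or an explicit `if (!g_policy_rt) return -1;`, makes the dependency visible. The function continues past the end of the hunk.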
@@ -1777,17 +1940,22 @@ int security_policy_init(struct verify_policy * verify, const char* profile_path
table_name[TSG_SECURITY_SOURCE_ADDR] = "TSG_SECURITY_SOURCE_ADDR";
table_name[TSG_SECURITY_DESTINATION_ADDR] = "TSG_SECURITY_DESTINATION_ADDR";
table_name[TSG_SECURITY_HTTP_URL] = "TSG_FIELD_HTTP_URL";
- table_name[TSG_SECURITY_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
+ table_name[TSG_SECURITY_HTTP_HOST] = "TSG_FIELD_HTTP_HOST";
+ table_name[TSG_SECURITY_HTTP_HOST_CAT] = "TSG_FIELD_HTTP_HOST_CAT";
table_name[TSG_SECURITY_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[TSG_SECURITY_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_BODY";
table_name[TSG_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
table_name[TSG_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_BODY";
table_name[TSG_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID";
- table_name[TSG_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI";
- table_name[TSG_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
- table_name[TSG_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
+ table_name[TSG_SECURITY_SSL_SNI] = "TSG_FIELD_SSL_SNI";
+ table_name[TSG_SECURITY_SSL_SNI_CAT] = "TSG_FIELD_SSL_SNI_CAT";
+ table_name[TSG_SECURITY_SSL_CN] = "TSG_FIELD_SSL_CN";
+ table_name[TSG_SECURITY_SSL_CN_CAT] = "TSG_FIELD_SSL_CN_CAT";
+ table_name[TSG_SECURITY_SSL_SAN] = "TSG_FIELD_SSL_SAN";
+ table_name[TSG_SECURITY_SSL_SAN_CAT] = "TSG_FIELD_SSL_SAN_CAT";
table_name[TSG_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
table_name[TSG_SECURITY_QUIC_SNI] = "TSG_FIELD_QUIC_SNI";
+ table_name[TSG_SECURITY_QUIC_SNI_CAT] = "TSG_FIELD_QUIC_SNI_CAT";
table_name[TSG_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[TSG_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
table_name[TSG_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
@@ -1814,15 +1982,36 @@ int security_policy_init(struct verify_policy * verify, const char* profile_path
for (int i = 0; i < __SECURITY_TABLE_MAX; i++)
{
- g_policy_rt->scan_table_id[TSG_TABLE_SECURITY][i] = Maat_table_register(g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], table_name[i]);
+ g_policy_rt->scan_table_id[TSG_TABLE_SECURITY][i] = maat_get_table_id(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], table_name[i]);
if (g_policy_rt->scan_table_id[TSG_TABLE_SECURITY][i] < 0)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Security policy maat table %s register failed.", table_name[i]);
+ mesa_runtime_log(RLOG_LV_FATAL, "Security policy maat table %s register failed.", table_name[i]);
goto error_out;
}
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Security policy register maat %p, table name %s, table id %d", g_policy_rt->maat[vsys_id][TSG_TABLE_SECURITY], table_name[i], g_policy_rt->scan_table_id[TSG_TABLE_SECURITY][i]);
+ mesa_runtime_log(RLOG_LV_DEBUG, "Security policy register maat %p, table name %s, table id %d", g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], table_name[i], g_policy_rt->scan_table_id[TSG_TABLE_SECURITY][i]);
}
+ g_policy_rt->compile_table_id[TSG_TABLE_SECURITY]=maat_get_table_id(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], "TSG_SECURITY_COMPILE");
+ if(g_policy_rt->compile_table_id[TSG_TABLE_SECURITY] >= 0)
+ {
+ maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], "TSG_SECURITY_COMPILE",
+ compile_table_new_cb, compile_free_data, compile_dup_data, 0,NULL);
+ }
+
+ g_policy_rt->compile_table_id[TSG_TRAFFIC_SHAPING]=maat_get_table_id(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], "TRAFFIC_SHAPING_COMPILE");
+ if(g_policy_rt->compile_table_id[TSG_TRAFFIC_SHAPING] >= 0)
+ {
+ maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], "TRAFFIC_SHAPING_COMPILE",
+ compile_table_new_cb, compile_free_data, compile_dup_data, 0,NULL);
+ }
+
+ g_policy_rt->compile_table_id[TSG_SERVICE_CHAINGNG]=maat_get_table_id(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], "SERVICE_CHAINING_COMPILE");
+ if(g_policy_rt->compile_table_id[TSG_SERVICE_CHAINGNG] >= 0)
+ {
+ maat_plugin_table_ex_schema_register(g_policy_rt->feather[vsys_id][TSG_TABLE_SECURITY], "SERVICE_CHAINING_COMPILE",
+ compile_table_new_cb, compile_free_data, compile_dup_data, 0,NULL);
+ }
+
for(int i = POLICY_ASN_USER_DEFINED; i < POLICY_FQDN_CAT_USER_DEFINED; i++)
{
ret = maat_ip_table_init(i, vsys_id, ip_table_free_cb, ip_table_dup_cb);
@@ -1831,7 +2020,6 @@ int security_policy_init(struct verify_policy * verify, const char* profile_path
goto error_out;
}
}
-
for(int i = POLICY_FQDN_CAT_USER_DEFINED; i <= POLICY_FQDN_CAT_BUILT_IN; i++)
{
ret = maat_fqdn_cat_table_init(i, vsys_id, fqdn_cat_new_data, fqdn_cat_free_data, fqdn_cat_dup_data);
@@ -1840,7 +2028,6 @@ int security_policy_init(struct verify_policy * verify, const char* profile_path
goto error_out;
}
}
-
for(int i=POLICY_TUNNEL_CATALOG; i <=POLICY_TUNNEL_LABEL; i++)
{
ret = maat_tunnel_table_init(i, vsys_id, tunnel_table_free_data, tunnel_table_dup_data);
diff --git a/platform/src/verify_policy.cpp b/platform/src/verify_policy.cpp
index 3601243..ce8ed18 100644
--- a/platform/src/verify_policy.cpp
+++ b/platform/src/verify_policy.cpp
@@ -49,33 +49,31 @@ const char * version()
static int signals[] = {SIGHUP, SIGPIPE, SIGUSR1};
-extern int proxy_policy_init(struct verify_policy * verify, const char* profile_path);
-
-static int verify_policy_init(struct verify_policy * verify, const char *profile)
+static int load_system_conf(struct verify_policy * verify, const char *profile)
{
int xret = -1;
xret = MESA_load_profile_uint_nodef(profile, "CONFIG", "thread-nu", &(verify->nr_work_threads));
if (xret < 0){
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Reading the number of running threads failed");
+ mesa_runtime_log(RLOG_LV_FATAL, "Reading the number of running threads failed");
}
xret = MESA_load_profile_short_nodef(profile, "LISTEN", "port", (short *)&(verify->listen_port));
if (xret < 0){
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Listen Port invalid");
+ mesa_runtime_log(RLOG_LV_FATAL, "Listen Port invalid");
}
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%d", "The Threads", verify->nr_work_threads);
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "%s:%d", "Libevent Port", verify->listen_port);
+ mesa_runtime_log(RLOG_LV_INFO, "%s:%d", "The Threads", verify->nr_work_threads);
+ mesa_runtime_log(RLOG_LV_INFO, "%s:%d", "Libevent Port", verify->listen_port);
return xret;
}
-enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
+enum compile_table_typle tsg_policy_type_str2idx(const char *action_str, int *table_id)
{
const char * policy_name[__SCAN_POLICY_MAX];
policy_name[TSG_TABLE_SECURITY] = "tsg_security";
policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation";
- policy_name[PXY_TABLE_DEFENCE] = "active_defence";
policy_name[TSG_TRAFFIC_SHAPING] = "traffic_shaping";
policy_name[TSG_SERVICE_CHAINGNG] = "service_chaining";
+ policy_name[PXY_TABLE_DEFENCE] = "active_defence";
size_t i = 0;
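Review bot: In `load_system_conf` a failed read of `thread-nu` is logged as FATAL but execution continues and `xret` is overwritten by the `LISTEN`/`port` read, so the function can return success for a partially unreadable profile and the caller cannot tell; returning on the first failure, `if (xret < 0){ mesa_runtime_log(RLOG_LV_FATAL, "Reading the number of running threads failed"); return xret; }`, and likewise for the port, makes the status meaningful. The rename only carries this behaviour over, but since the function is being reworked this is the moment to fix it. As a point of naming, `enum compile_table_typle` in the new `tsg_policy_type_str2idx` signature looks like a typo for `compile_table_type`; it is used throughout the new code, so renaming it now is cheaper than later.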
@@ -84,11 +82,17 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
if (0 == strcasecmp(action_str, policy_name[i]))
break;
}
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] policyType= %s", action_str);
- return (enum verify_policy_type)i;
+ mesa_runtime_log(RLOG_LV_DEBUG, "[I] policyType= %s", action_str);
+
+ *table_id = i;
+ if(i == TSG_TRAFFIC_SHAPING || i == TSG_SERVICE_CHAINGNG)
+ {
+ i = TSG_TABLE_SECURITY;
+ }
+ return (enum compile_table_typle)i;
}
-int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_str, char *buff, char **p)
+int protoco_field_type_str2idx(enum compile_table_typle type, const char *action_str, char *buff, char **p)
{
size_t scan_table_max=0;
const char * table_name[__SECURITY_TABLE_MAX] ={0};
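Review bot: The new `*table_id` out-parameter and the folding of TSG_TRAFFIC_SHAPING / TSG_SERVICE_CHAINGNG into TSG_TABLE_SECURITY are undocumented, and the two values now diverge silently: the return value selects the maat instance while `*table_id` keeps the original policy index, and when no name matches both hold the loop bound. A header comment along the lines of "Maps a policyType string to its compile-table enum; *table_id receives the raw policy index, while the return value folds traffic_shaping and service_chaining into TSG_TABLE_SECURITY because they appear to be registered on that maat instance; unmatched names yield the loop bound in both" would spell that out. `table_id` is also written before any validation, so callers must pass a non-NULL pointer; stating that in the comment is enough. The function's lookup loop sits before this hunk.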
@@ -98,8 +102,9 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
case PXY_TABLE_MANIPULATION:
table_name[PXY_CTRL_SOURCE_ADDR]="TSG_SECURITY_SOURCE_ADDR";
table_name[PXY_CTRL_DESTINATION_ADDR]="TSG_SECURITY_DESTINATION_ADDR";
- table_name[PXY_CTRL_HTTP_URL] = "TSG_FIELD_HTTP_URL";
- table_name[PXY_CTRL_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
+ table_name[PXY_CTRL_HTTP_URL] ="TSG_FIELD_HTTP_URL";
+ table_name[PXY_CTRL_HTTP_HOST] = "TSG_FIELD_HTTP_HOST";
+ table_name[PXY_CTRL_HTTP_HOST_CAT] = "TSG_FIELD_HTTP_HOST_CAT";
table_name[PXY_CTRL_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[PXY_CTRL_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_BODY";
table_name[PXY_CTRL_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
@@ -108,6 +113,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
table_name[PXY_CTRL_APP_ID] = "TSG_OBJ_APP_ID";
table_name[PXY_CTRL_DOH_QNAME]="TSG_FIELD_DOH_QNAME";
table_name[PXY_CTRL_DOH_HOST]="TSG_FIELD_DOH_HOST";
+ table_name[PXY_CTRL_DOH_HOST_CAT]="TSG_FIELD_DOH_HOST_CAT";
table_name[PXY_CTRL_IMSI]="TSG_FILED_GTP_IMSI";
table_name[PXY_CTRL_PHONE_NUMBER]="TSG_FILED_GTP_PHONE_NUMBER";
table_name[PXY_CTRL_APN]="TSG_FILED_GTP_APN";
@@ -117,18 +123,23 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
table_name[TSG_SECURITY_SOURCE_ADDR]="TSG_SECURITY_SOURCE_ADDR";
table_name[TSG_SECURITY_DESTINATION_ADDR]="TSG_SECURITY_DESTINATION_ADDR";
table_name[TSG_SECURITY_HTTP_URL] = "TSG_FIELD_HTTP_URL";
- table_name[TSG_SECURITY_HTTP_FQDN] = "TSG_FIELD_HTTP_HOST";
+ table_name[TSG_SECURITY_HTTP_HOST] = "TSG_FIELD_HTTP_HOST";
+ table_name[TSG_SECURITY_HTTP_HOST_CAT] = "TSG_FIELD_HTTP_HOST_CAT";
table_name[TSG_SECURITY_HTTP_REQ_HDR] = "TSG_FIELD_HTTP_REQ_HDR";
table_name[TSG_SECURITY_HTTP_REQ_BODY] = "TSG_FIELD_HTTP_REQ_BODY";
table_name[TSG_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
table_name[TSG_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_BODY";
table_name[TSG_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID";
table_name[TSG_SECURITY_APP_ID] = "TSG_OBJ_APP_ID";
- table_name[TSG_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI";
- table_name[TSG_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
- table_name[TSG_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
+ table_name[TSG_SECURITY_SSL_SNI] = "TSG_FIELD_SSL_SNI";
+ table_name[TSG_SECURITY_SSL_SNI_CAT] = "TSG_FIELD_SSL_SNI_CAT";
+ table_name[TSG_SECURITY_SSL_CN] = "TSG_FIELD_SSL_CN";
+ table_name[TSG_SECURITY_SSL_CN_CAT] = "TSG_FIELD_SSL_CN_CAT";
+ table_name[TSG_SECURITY_SSL_SAN] = "TSG_FIELD_SSL_SAN";
+ table_name[TSG_SECURITY_SSL_SAN_CAT] = "TSG_FIELD_SSL_SAN_CAT";
table_name[TSG_SECURITY_DNS_QNAME] = "TSG_FIELD_DNS_QNAME";
table_name[TSG_SECURITY_QUIC_SNI] = "TSG_FIELD_QUIC_SNI";
+ table_name[TSG_SECURITY_QUIC_SNI_CAT] = "TSG_FIELD_QUIC_SNI";
table_name[TSG_SECURITY_MAIL_ACCOUNT] = "TSG_FIELD_MAIL_ACCOUNT";
table_name[TSG_SECURITY_MAIL_FROM] = "TSG_FIELD_MAIL_FROM";
table_name[TSG_SECURITY_MAIL_TO] = "TSG_FIELD_MAIL_TO";
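Review bot: `table_name[TSG_SECURITY_QUIC_SNI_CAT] = "TSG_FIELD_QUIC_SNI";` maps the new category slot to the same string as TSG_SECURITY_QUIC_SNI, while security_policy_init registers that slot as `"TSG_FIELD_QUIC_SNI_CAT"`. If this table is searched by name as the policy-type lookup is (the loop is outside this hunk), a request naming TSG_FIELD_QUIC_SNI_CAT can never resolve here and TSG_FIELD_QUIC_SNI resolves to whichever of the two indices the loop meets first; the line should read `table_name[TSG_SECURITY_QUIC_SNI_CAT] = "TSG_FIELD_QUIC_SNI_CAT";`. The duplicated name tables (here and in the two init functions) drifting apart is the root cause; a single shared table would remove this class of bug.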
@@ -188,7 +199,7 @@ struct ipaddr *ip_to_stream_addr(const char *clientIp1, unsigned int clientPort1
v6_addr->dest=htons(serverPort1);
ip_addr->v6=v6_addr;
}
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] attributeName = ip, clientIp1=%s, clientPort1=%d, serverIp=%s, serverPort=%d, addr_type = %d",
+ mesa_runtime_log(RLOG_LV_DEBUG, "[I] attributeName = ip, clientIp1=%s, clientPort1=%d, serverIp=%s, serverPort=%d, addr_type = %d",
clientIp1, clientPort1, serverIp1, serverPort1, addr_type);
return ip_addr;
@@ -211,7 +222,7 @@ struct ipaddr *tunnel_to_stream_addr(const char *Ip, int addr_type)
inet_pton(AF_INET6,Ip,&(v6_addr->saddr));
ip_addr->v6=v6_addr;
}
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] attributeName = ip, clientIp1=%s, addr_type = %d", Ip, addr_type);
+ mesa_runtime_log(RLOG_LV_DEBUG, "[I] attributeName = ip, clientIp1=%s, addr_type = %d", Ip, addr_type);
return ip_addr;
}
@@ -277,11 +288,11 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p
item = cJSON_GetObjectItem(subchild, "tableName");
if(item && item->type==cJSON_String)
{
- policy_query->verify_object[curr_id].protocol_field = protoco_field_type_str2idx(policy_query->type, item->valuestring, buff, &p);
- if ((policy_query->type == PXY_TABLE_MANIPULATION && policy_query->verify_object[curr_id].protocol_field == __SCAN_TABLE_MAX)
- || (policy_query->type == TSG_TABLE_SECURITY && policy_query->verify_object[curr_id].protocol_field == __SECURITY_TABLE_MAX))
+ policy_query->verify_object[curr_id].table_id = protoco_field_type_str2idx(policy_query->table_typle, item->valuestring, buff, &p);
+ if ((policy_query->table_typle == PXY_TABLE_MANIPULATION && policy_query->verify_object[curr_id].table_id == __SCAN_TABLE_MAX)
+ || (policy_query->table_typle == TSG_TABLE_SECURITY && policy_query->verify_object[curr_id].table_id == __SECURITY_TABLE_MAX))
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "policy table name error, table name = %s", item->valuestring);
+ mesa_runtime_log(RLOG_LV_FATAL, "policy table name error, table name = %s", item->valuestring);
goto finish;
}
}
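Review bot: The new struct field is spelled `table_typle` on every added line of this hunk (and in all later hunks of get_query_from_request), which reads as a typo for `table_type`; since the field is introduced by this commit, renaming it now is cheap, whereas once callers copy it the misspelling becomes permanent API. Separately, the sentinel check only covers `PXY_TABLE_MANIPULATION` and `TSG_TABLE_SECURITY`; if `tsg_policy_type_str2idx` can yield any other value below `__SCAN_POLICY_MAX`, an unknown `tableName` passes through here unchecked — worth confirming against the enum, which is outside this chunk. get_attribute_from_json begins and ends outside the hunk.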
@@ -294,6 +305,7 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p
0 == strcasecmp(policy_query->verify_object[curr_id].attri_name, "destination"))
{
policy_query->verify_object[curr_id].ip_addr = get_ip_from_json(attributeValue, policy_query->verify_object[curr_id].attri_name);
+ policy_query->verify_object[curr_id].protocol= cJSON_GetObjectItem(attributeValue , "protocol")->valueint;
goto end;
}
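Review bot: `cJSON_GetObjectItem(attributeValue, "protocol")->valueint` on the added line dereferences the lookup result without a NULL check, so a request whose source/destination object lacks a `protocol` member faults the worker thread; this JSON arrives in the HTTP POST body, so the request should be rejected rather than crash the process. Guard it the way the previous hunk guards `tableName`: `cJSON *proto = cJSON_GetObjectItem(attributeValue, "protocol"); if (proto && proto->type == cJSON_Number) policy_query->verify_object[curr_id].protocol = proto->valueint;` and otherwise `goto finish`. The enclosing function continues outside the hunk.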
@@ -311,8 +323,8 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p
p += snprintf(p, sizeof(buff) - (p - buff), ", district = %s",policy_query->verify_object[curr_id].district);
}
- if(policy_query->verify_object[curr_id].protocol_field == PXY_CTRL_APP_ID ||
- policy_query->verify_object[curr_id].protocol_field == TSG_SECURITY_FLAG)
+ if(policy_query->verify_object[curr_id].table_id == PXY_CTRL_APP_ID ||
+ policy_query->verify_object[curr_id].table_id == TSG_SECURITY_FLAG)
{
item = cJSON_GetObjectItem(attributeValue, "numeric");
if(item && item->type==cJSON_Number)
@@ -330,7 +342,7 @@ static int get_attribute_from_json(int curr_id, cJSON* subchild, struct verify_p
p += snprintf(p, sizeof(buff) - (p - buff), ", content = %s",policy_query->verify_object[curr_id].keyword);
}
}
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[I] %s", buff);
+ mesa_runtime_log(RLOG_LV_DEBUG, "[I] %s", buff);
memset(buff, 0, VERIFY_STRING_MAX);
end:
xret = 1;
@@ -347,7 +359,7 @@ cJSON *get_query_from_request(const char *data, int thread_id)
cJSON* data_json = cJSON_Parse(data);
if(data_json == NULL)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "invalid policy parameter");
+ mesa_runtime_log(RLOG_LV_FATAL, "invalid policy parameter");
return NULL;
}
cJSON *policy_obj=NULL, *data_obj=NULL;
@@ -365,24 +377,15 @@ cJSON *get_query_from_request(const char *data, int thread_id)
{
for (subitem = item->child; subitem != NULL; subitem = subitem->next)
{
+ int compile_table_id=0;
verify_policy = ALLOC(struct verify_policy_query, 1);
item = cJSON_GetObjectItem(subitem,"policyType");
if(item && item->type==cJSON_String)
{
- verify_policy->type = tsg_policy_type_str2idx(item->valuestring);
- if(verify_policy->type == TSG_TRAFFIC_SHAPING)
- {
- verify_policy->shaping=1;
- verify_policy->type = TSG_TABLE_SECURITY;
- }
- if(verify_policy->type == TSG_SERVICE_CHAINGNG)
+ verify_policy->table_typle = tsg_policy_type_str2idx(item->valuestring, &compile_table_id);
+ if (verify_policy->table_typle >= __SCAN_POLICY_MAX)
{
- verify_policy->shaping=2;
- verify_policy->type = TSG_TABLE_SECURITY;
- }
- if (verify_policy->type >= __SCAN_POLICY_MAX)
- {
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "policy type error, policy id = %d", verify_policy->type);
+ mesa_runtime_log(RLOG_LV_FATAL, "policy type error, policy id = %d", verify_policy->table_typle);
goto free;
}
}
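Review bot: When `policyType` is absent or not a string, the rewritten block falls through with `compile_table_id` still 0 and `table_typle` never assigned, so the request is later scanned against whatever compile table id 0 denotes instead of being rejected; whether `table_typle` is at least zeroed depends on `ALLOC`, which is outside this chunk. An `else { mesa_runtime_log(RLOG_LV_FATAL, "policy type missing"); goto free; }` after the `if` would make the field mandatory, matching how the `>= __SCAN_POLICY_MAX` branch already treats a bad value. get_query_from_request begins and ends outside the hunk.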
@@ -398,10 +401,11 @@ cJSON *get_query_from_request(const char *data, int thread_id)
{
goto free;
}
+
attributes = cJSON_GetObjectItem(item,"attributes");
if(attributes && attributes->type==cJSON_Array)
{
- void *ctx = pangu_http_ctx_new(thread_id);
+ void *ctx = policy_scan_ctx_new(thread_id, verify_policy->vsys_id, verify_policy->table_typle, compile_table_id);
for (subchild = attributes->child; subchild != NULL; subchild = subchild->next)
{
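Review bot: The `ctx` returned by the new `policy_scan_ctx_new(thread_id, vsys_id, table_typle, compile_table_id)` call is used without a NULL check, and the `goto free` inside the attribute loop (next hunk) bypasses the `pangu_http_ctx_free(ctx)` that only runs after the loop, so a malformed attribute leaks one context per request unless the `free:` label (outside this chunk) releases it. Both issues predate the rename, but the call now takes three more inputs derived from the request and so has more ways to fail. Suggest `if (!ctx) goto free;` right after the call and releasing `ctx` on that error path. get_query_from_request begins and ends outside the hunk.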
@@ -410,7 +414,7 @@ cJSON *get_query_from_request(const char *data, int thread_id)
{
goto free;
}
- hit_cnt = verify_policy_scan(verify_policy->vsys_id, verify_policy->type, &verify_policy->verify_object[i], data_obj, ctx);
+ hit_cnt = policy_verify_scan(verify_policy->vsys_id, verify_policy->table_typle, &verify_policy->verify_object[i], data_obj, ctx);
if(0 == strcasecmp(verify_policy->verify_object[i].attri_name, "source") ||
0 == strcasecmp(verify_policy->verify_object[i].attri_name, "destination"))
{
@@ -424,7 +428,7 @@ cJSON *get_query_from_request(const char *data, int thread_id)
i++;
}
- http_hit_policy_list(verify_policy->type, verify_policy->shaping, hit_cnt, data_obj, ctx);
+ http_hit_policy_list(verify_policy->vsys_id, verify_policy->table_typle, compile_table_id, hit_cnt, data_obj, ctx);
int item = 0;
cJSON *verfifySession = cJSON_CreateObject();
@@ -433,7 +437,7 @@ cJSON *get_query_from_request(const char *data, int thread_id)
cJSON_AddItemToObject(verfifySession, "attributes", attributes);
for (item = 0; item < i; item++)
{
- http_get_scan_status(&verify_policy->verify_object[item], verify_policy->type, verify_policy->shaping, attributes,data_obj, ctx);
+ http_get_scan_status(&verify_policy->verify_object[item], verify_policy->table_typle, attributes,data_obj, ctx);
}
pangu_http_ctx_free(ctx);
}
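Review bot: The context is now created by `policy_scan_ctx_new` but still released by `pangu_http_ctx_free(ctx)` on the unchanged line above the closing brace; if the rename was meant to be complete, the free should be the matching `policy_scan_ctx_free`, and if the two really are different allocators the pairing deserves a comment saying so. I cannot see either definition from here, so please confirm they allocate and release the same object. The enclosing function continues outside the hunk.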
@@ -495,13 +499,13 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg)
if (evhttp_request_get_command(evh_req) != EVHTTP_REQ_POST)
{
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "FAILED (post type)");
+ mesa_runtime_log(RLOG_LV_DEBUG, "FAILED (post type)");
goto error;
}
evbuf_body = evhttp_request_get_input_buffer(evh_req);
if (!evbuf_body || 0==(inputlen = evbuffer_get_length(evbuf_body)) ||!(input = (char *)evbuffer_pullup(evbuf_body,inputlen)))
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed to get post data information.");
+ mesa_runtime_log(RLOG_LV_FATAL, "Failed to get post data information.");
goto error;
}
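Review bot: `evbuffer_pullup(evbuf_body, inputlen)` returns a pointer to `inputlen` bytes that is not NUL-terminated, and the lines between this hunk and the next are elided, so please confirm that `input` is copied into a bounded, terminated buffer before it reaches `cJSON_Parse`; parsing it in place would read past the end of the request body. Since the body comes off the network, also consider capping it (libevent's `evhttp_set_max_body_size` on the `evhttp` created in `verify_policy_thread_func`) so one large request cannot force an arbitrarily large pullup. evhttp_request_cb continues outside the hunk.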
@@ -512,7 +516,7 @@ void evhttp_request_cb(struct evhttp_request *evh_req, void *arg)
}
policy_payload = cJSON_PrintUnformatted(policy_obj);
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "[O] %s", policy_payload);
+ mesa_runtime_log(RLOG_LV_DEBUG, "[O] %s", policy_payload);
evhttp_socket_send(evh_req, policy_payload);
cJSON_Delete(policy_obj);
@@ -534,13 +538,13 @@ void * verify_policy_thread_func(void * arg)
thread_ctx->base = event_base_new();
if (! thread_ctx->base)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Can'thread_ctx allocate event base");
+ mesa_runtime_log(RLOG_LV_FATAL, "Can'thread_ctx allocate event base");
goto finish;
}
thread_ctx->http = evhttp_new(thread_ctx->base);
if (!thread_ctx->http)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "couldn'thread_ctx create evhttp. Exiting.");
+ mesa_runtime_log(RLOG_LV_FATAL, "couldn'thread_ctx create evhttp. Exiting.");
goto error;
}
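Review bot: The two log strings on the added lines read `Can'thread_ctx allocate event base` and `couldn'thread_ctx create evhttp. Exiting.`, which look like a search-and-replace of a variable `t` into `thread_ctx` that also matched the apostrophe words; the commit rewrites both lines yet keeps the garbled text. Restore them to `"Can't allocate event base"` and `"couldn't create evhttp. Exiting."`. verify_policy_thread_func continues outside the hunk.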
@@ -549,10 +553,10 @@ void * verify_policy_thread_func(void * arg)
bound = evhttp_accept_socket_with_handle(thread_ctx->http, thread_ctx->accept_fd);
if (bound != NULL)
{
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Bound(%p) to port %d - Awaiting connections ... ", bound,
+ mesa_runtime_log(RLOG_LV_INFO, "Bound(%p) to port %d - Awaiting connections ... ", bound,
g_verify_proxy->listen_port);
}
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Work thread %u is run...", thread_ctx->id);
+ mesa_runtime_log(RLOG_LV_INFO, "Work thread %u is run...", thread_ctx->id);
event_base_dispatch(thread_ctx->base);
error:
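Review bot: A NULL return from `evhttp_accept_socket_with_handle` only suppresses the INFO line; the thread still logs `Work thread %u is run...` and enters `event_base_dispatch` with nothing listening, so a failed bind is invisible in the logs. Add `else { mesa_runtime_log(RLOG_LV_FATAL, "Failed to bind accept socket"); goto error; }` after the `if`, so the failure is reported at the level the other setup errors in this function use. verify_policy_thread_func begins outside the hunk.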
@@ -655,7 +659,7 @@ err:
return fd;
}
-int pangu_policy_work_thread_run(struct verify_policy * verify)
+int verify_policy_work_thread_run(struct verify_policy * verify)
{
int xret = 0;
unsigned int tid = 0;
@@ -668,7 +672,7 @@ int pangu_policy_work_thread_run(struct verify_policy * verify)
evutil_socket_t accept_fd = evhttp_listen_socket_byuser((struct sockaddr*)&sin, sizeof(struct sockaddr_in),LEV_OPT_REUSEABLE_PORT|LEV_OPT_CLOSE_ON_FREE, -1);
if (accept_fd < 0)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Could not create a listen!");
+ mesa_runtime_log(RLOG_LV_FATAL, "Could not create a listen!");
goto finish;
}
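Review bot: The `goto finish` after the `accept_fd < 0` check leaves `xret` at the 0 it is initialised with in the previous hunk, so `verify_policy_work_thread_run` reports success after failing to create the listener; the pthread_create and pthread_detach paths in the next hunk do the same. Set `xret = -1;` before each `goto finish` so the caller can act on the return value, which main (last hunk) currently does not check either. The function continues outside the hunk.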
@@ -682,18 +686,15 @@ int pangu_policy_work_thread_run(struct verify_policy * verify)
if (pthread_create(&thread_ctx->pid, thread_ctx->attr, thread_ctx->routine, thread_ctx))
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s", strerror(errno));
+ mesa_runtime_log(RLOG_LV_FATAL, "%s", strerror(errno));
goto finish;
}
if (pthread_detach(thread_ctx->pid))
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "%s", strerror(errno));
+ mesa_runtime_log(RLOG_LV_FATAL, "%s", strerror(errno));
goto finish;
}
}
- FOREVER{
- sleep(1);
- }
finish:
return xret;
}
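Review bot: `pthread_create` and `pthread_detach` return the error number and do not set `errno`, so the rewritten `strerror(errno)` lines log a stale or zero value; capture the return code and format that instead, e.g. `int rc = pthread_create(&thread_ctx->pid, thread_ctx->attr, thread_ctx->routine, thread_ctx); if (rc) { mesa_runtime_log(RLOG_LV_FATAL, "%s", strerror(rc)); goto finish; }` and likewise for `pthread_detach`. Dropping the `FOREVER` loop here also changes the function from blocking to returning, so its declaration comment (outside this chunk) should state that the caller now owns the wait. The thread-context loop starts outside the hunk.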
@@ -749,14 +750,14 @@ int breakpad_init_minidump_upload(struct breakpad_instance * instance, const cha
if (unlikely(ret < 0))
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "breakpad_upload_url is necessary, failed. ");
+ mesa_runtime_log(RLOG_LV_FATAL, "breakpad_upload_url is necessary, failed. ");
goto errout;
}
ret = readlink("/proc/self/exe", execpath, sizeof(execpath));
if(unlikely(ret < 0))
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Failed at readlink /proc/self/exec: %s", strerror(errno));
+ mesa_runtime_log(RLOG_LV_FATAL, "Failed at readlink /proc/self/exec: %s", strerror(errno));
/* after log, reset errno */
errno = 0;
goto errout;
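Review bot: `readlink` does not NUL-terminate `execpath`, and a path exactly `sizeof(execpath)` bytes long is silently truncated, yet only `ret < 0` is checked; unless the elided lines after this hunk terminate the buffer, later string use of `execpath` reads past the path. Use `ret = readlink("/proc/self/exe", execpath, sizeof(execpath) - 1);` and add `execpath[ret] = '\0';` after the error check. breakpad_init_minidump_upload begins and ends outside the hunk.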
@@ -857,7 +858,7 @@ struct breakpad_instance * breakpad_init(const char * profile)
ret = setrlimit(RLIMIT_CORE, &__rlimit_vars);
if (ret < 0)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "setrlimit(RLIMIT_CORE, 0) failed: %s", strerror(errno));
+ mesa_runtime_log(RLOG_LV_FATAL, "setrlimit(RLIMIT_CORE, 0) failed: %s", strerror(errno));
/* after log, reset errno */
errno = 0;
}
@@ -866,7 +867,7 @@ struct breakpad_instance * breakpad_init(const char * profile)
MESA_load_profile_uint_def(profile, "system", "enable_breakpad", &instance->en_breakpad, 1);
if (instance->en_breakpad <= 0)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Breakpad Crash Reporting System is disabled. ");
+ mesa_runtime_log(RLOG_LV_FATAL, "Breakpad Crash Reporting System is disabled. ");
return instance;
}
@@ -885,7 +886,7 @@ struct breakpad_instance * breakpad_init(const char * profile)
ret = breakpad_init_minidump_upload(instance, profile);
if (ret < 0)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Breakpad upload init failed, using local breakpad dumpfile");
+ mesa_runtime_log(RLOG_LV_FATAL, "Breakpad upload init failed, using local breakpad dumpfile");
instance->en_breakpad_upload = 0;
}
@@ -894,7 +895,7 @@ struct breakpad_instance * breakpad_init(const char * profile)
ret = setrlimit(RLIMIT_CORE, &__rlimit_vars);
if (ret < 0)
{
- mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "setrlimit(RLIMIT_CORE, 0) failed: %s", strerror(errno));
+ mesa_runtime_log(RLOG_LV_FATAL, "setrlimit(RLIMIT_CORE, 0) failed: %s", strerror(errno));
/* after log, reset errno */
errno = 0;
}
@@ -912,8 +913,8 @@ struct breakpad_instance * breakpad_init(const char * profile)
google_breakpad::MinidumpDescriptor(instance->minidump_dir_prefix), NULL,
tfe_breakpad_dump_to_file, NULL, true, -1);
}
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Breakpad Crash Report is enable. ");
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Minidump Dir: %s", instance->minidump_dir_prefix);
+ mesa_runtime_log(RLOG_LV_INFO, "Breakpad Crash Report is enable. ");
+ mesa_runtime_log(RLOG_LV_INFO, "Minidump Dir: %s", instance->minidump_dir_prefix);
return instance;
}
@@ -922,7 +923,7 @@ void __signal_handler_cb(int sig)
switch (sig)
{
case SIGHUP:
- mesa_runtime_log(RLOG_LV_INFO, MODULE_NAME, "Reload log config");
+ mesa_runtime_log(RLOG_LV_INFO, "Reload log config");
MESA_handle_runtime_log_reconstruction(NULL);
break;
case SIGPIPE:
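Review bot: `__signal_handler_cb` calls `mesa_runtime_log` and `MESA_handle_runtime_log_reconstruction` from inside the SIGHUP handler; neither is async-signal-safe, so a SIGHUP that lands while a worker thread is inside the logger can deadlock or corrupt logger state. The usual fix is to set a `volatile sig_atomic_t` flag here and perform the reload from main's `FOREVER { sleep(1); }` loop, which already wakes every second. Names beginning with a double underscore are also reserved for the implementation; `signal_handler_cb` avoids that. The switch continues outside the hunk.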
@@ -961,21 +962,21 @@ int main(int argc, char * argv[])
g_verify_proxy->logger = verify_syslog_init(main_profile);
CHECK_OR_EXIT(g_verify_proxy->logger != NULL, "Failed at init log module. Exit.");
- ret = verify_policy_init(g_verify_proxy, main_profile);
+ ret = load_system_conf(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at loading profile %s, Exit.", main_profile);
ret = proxy_policy_init(g_verify_proxy, main_profile);
- CHECK_OR_EXIT(ret == 0, "Failed at init panggu module, Exit.");
+ CHECK_OR_EXIT(ret == 0, "Failed at init proxy module, Exit.");
clock_gettime(CLOCK_REALTIME, &(end_time));
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Read table_info_proxy.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec);
+ mesa_runtime_log(RLOG_LV_DEBUG, "Read table_info_proxy.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec);
printf("Read table_info_proxy.conf, take time %lu(s)\n", end_time.tv_sec - start_time.tv_sec);
clock_gettime(CLOCK_REALTIME, &(start_time));
ret = security_policy_init(g_verify_proxy, main_profile);
CHECK_OR_EXIT(ret == 0, "Failed at init security module, Exit.");
clock_gettime(CLOCK_REALTIME, &(end_time));
- mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Read table_info_security.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec);
+ mesa_runtime_log(RLOG_LV_DEBUG, "Read table_info_security.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec);
printf("Read table_info_security.conf, take time %lu(s)\n", end_time.tv_sec - start_time.tv_sec);
g_verify_proxy->breakpad = breakpad_init(main_profile);
@@ -986,7 +987,11 @@ int main(int argc, char * argv[])
signal(signals[i], __signal_handler_cb);
}
- ret = pangu_policy_work_thread_run(g_verify_proxy);
+ ret = verify_policy_work_thread_run(g_verify_proxy);
+
+ FOREVER{
+ sleep(1);
+ }
return ret;
}
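Review bot: `ret` from `verify_policy_work_thread_run` is assigned and then ignored before the added `FOREVER { sleep(1); }`, so if no listener or worker thread could be started the process sleeps forever without serving or exiting; the callee also returns 0 on its failure paths (see the `goto finish` hunks above), so this check only helps together with that fix. Use the pattern the other init steps already use: `CHECK_OR_EXIT(ret == 0, "Failed at starting work threads, Exit.");` before the loop. The `return ret;` after an unconditional infinite loop is unreachable, which is fine if intentional but deserves a one-line comment. main begins outside the hunk.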
diff --git a/resource/table_info_proxy.conf b/resource/table_info_proxy.conf
index 5f2cca0..b6f09aa 100644
--- a/resource/table_info_proxy.conf
+++ b/resource/table_info_proxy.conf
@@ -1,56 +1,394 @@
-#each collumn seperate with '\t'
-#id (0~65535)
-#name string
-#type one of ip,expr,expr_plus,digest,intval,compile or plugin
-#src_charset one of GBK,BIG5,UNICODE,UTF8
-#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
-#do_merege [yes/no]
-#cross cache [number]
-#quick mode [quickon/quickoff], default [quickoff]
-#For ip/intval/digest/compile/group
-#id name type
-#
-#For plugin table
-#id name type json_descr
-#
-#For expr/expr_plus Table
-#id name type src_charset dst_charset do_merge cross_cache quick_mode
-0 PXY_CTRL_COMPILE compile escape --
-1 GROUP_COMPILE_RELATION group2compile --
-2 GROUP_GROUP_RELATION group2group --
-3 TSG_OBJ_IP_ADDR ip_plus ---
-3 TSG_OBJ_IP_LEARNING_ADDR ip_plus UTF8 UTF8 no 0
-4 TSG_OBJ_URL expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
-5 TSG_FIELD_HTTP_URL virtual TSG_OBJ_URL --
-6 TSG_OBJ_FQDN expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0 quickoff
-7 TSG_OBJ_FQDN_CAT intval UTF8 UTF8 yes 0
-8 TSG_FIELD_HTTP_HOST virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-9 TSG_OBJ_HTTP_SIGNATURE expr_plus UTF8 UTF8 yes 0 quickoff
-10 TSG_FIELD_HTTP_REQ_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
-11 TSG_FIELD_HTTP_RES_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
-12 TSG_OBJ_KEYWORDS expr UTF8 GBK/BIG5/UNICODE/UTF8/unicode_ascii_esc/unicode_ascii_aligned/unicode_ncr_dec/unicode_ncr_hex/windows-1251 yes 128 quickoff
-13 TSG_FIELD_HTTP_REQ_BODY virtual TSG_OBJ_KEYWORDS --
-14 TSG_FIELD_HTTP_RES_BODY virtual TSG_OBJ_KEYWORDS --
-15 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0 quickon
-16 TSG_OBJ_APP_ID intval UTF8 UTF8 yes 0
-17 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
-18 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
-19 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
-20 TSG_IP_ASN_BUILT_IN ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
-21 TSG_IP_ASN_USER_DEFINED ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
-22 TSG_IP_LOCATION_BUILT_IN ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
-23 TSG_IP_LOCATION_USER_DEFINED ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":18,"estimate_size":4194304}
-24 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
-25 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
-26 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
-27 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
-28 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
-29 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
-30 TSG_FIELD_DOH_QNAME virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-31 TSG_FIELD_DOH_HOST virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-32 TSG_OBJ_IMSI expr UTF8 UTF8 yes 0
-33 TSG_OBJ_PHONE_NUMBER expr UTF8 UTF8 yes 0
-34 TSG_OBJ_APN expr UTF8 UTF8 yes 0
-35 TSG_FILED_GTP_IMSI virtual TSG_OBJ_IMSI --
-36 TSG_FILED_GTP_PHONE_NUMBER virtual TSG_OBJ_PHONE_NUMBER --
-37 TSG_FILED_GTP_APN virtual TSG_OBJ_APN --
+[
+ {
+ "table_id":0,
+ "table_name":"PXY_CTRL_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":1,
+ "table_name":"GROUP_PXY_CTRL_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":0,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":2,
+ "table_name":"GROUP_GROUP_RELATION",
+ "table_type":"group2group",
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "super_group_id":2
+ }
+ },
+ {
+ "table_id":3,
+ "table_name":"TSG_OBJ_IP",
+ "db_tables":["TSG_OBJ_IP_ADDR","TSG_OBJ_IP_LEARNING_ADDR"],
+ "table_type":"ip_plus",
+ "valid_column":11,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "addr_type":3,
+ "addr_format":4,
+ "ip1":5,
+ "ip2":6,
+ "port_format":7,
+ "port1":8,
+ "port2":9,
+ "protocol":10
+ }
+ },
+ {
+ "table_id":4,
+ "table_name":"TSG_OBJ_URL",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":5,
+ "table_name":"TSG_FIELD_HTTP_URL",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_URL"
+ },
+ {
+ "table_id":6,
+ "table_name":"TSG_OBJ_FQDN",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":7,
+ "table_name":"TSG_OBJ_FQDN_CAT",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":8,
+ "table_name":"TSG_FIELD_HTTP_HOST",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":9,
+ "table_name":"TSG_FIELD_HTTP_HOST_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":10,
+ "table_name":"TSG_OBJ_HTTP_SIGNATURE",
+ "table_type":"expr_plus",
+ "valid_column":8,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "district":3,
+ "keywords":4,
+ "expr_type":5,
+ "match_method":6,
+ "is_hexbin":7
+ }
+ },
+ {
+ "table_id":11,
+ "table_name":"TSG_FIELD_HTTP_REQ_HDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_HTTP_SIGNATURE"
+ },
+ {
+ "table_id":12,
+ "table_name":"TSG_FIELD_HTTP_RES_HDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_HTTP_SIGNATURE"
+ },
+ {
+ "table_id":13,
+ "table_name":"TSG_OBJ_KEYWORDS",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":14,
+ "table_name":"TSG_FIELD_HTTP_REQ_BODY",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":15,
+ "table_name":"TSG_FIELD_HTTP_RES_BODY",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":16,
+ "table_name":"TSG_OBJ_SUBSCRIBER_ID",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":17,
+ "table_name":"TSG_OBJ_APP_ID",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":18,
+ "table_name":"TSG_SECURITY_SOURCE_ADDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IP"
+ },
+ {
+ "table_id":19,
+ "table_name":"TSG_SECURITY_DESTINATION_ADDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IP"
+ },
+ {
+ "table_id":20,
+ "table_name":"TSG_IP_ASN_BUILT_IN",
+ "table_type":"ip_plugin",
+ "valid_column":19,
+ "custom": {
+ "item_id":1,
+ "ip_type":3,
+ "start_ip":4,
+ "end_ip":5,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":21,
+ "table_name":"TSG_IP_ASN_USER_DEFINED",
+ "table_type":"ip_plugin",
+ "valid_column":19,
+ "custom": {
+ "item_id":1,
+ "ip_type":3,
+ "start_ip":4,
+ "end_ip":5,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":22,
+ "table_name":"TSG_IP_LOCATION_BUILT_IN",
+ "table_type":"ip_plugin",
+ "valid_column":19,
+ "custom": {
+ "item_id":1,
+ "ip_type":3,
+ "start_ip":4,
+ "end_ip":5,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":23,
+ "table_name":"TSG_IP_LOCATION_USER_DEFINED",
+ "table_type":"ip_plugin",
+ "valid_column":19,
+ "custom": {
+ "item_id":1,
+ "ip_type":3,
+ "start_ip":4,
+ "end_ip":5,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":24,
+ "table_name":"TSG_OBJ_AS_NUMBER",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":25,
+ "table_name":"TSG_SECURITY_SOURCE_ASN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_AS_NUMBER"
+ },
+ {
+ "table_id":26,
+ "table_name":"TSG_SECURITY_DESTINATION_ASN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_AS_NUMBER"
+ },
+ {
+ "table_id":27,
+ "table_name":"TSG_OBJ_GEO_LOCATION",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":28,
+ "table_name":"TSG_SECURITY_SOURCE_LOCATION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_GEO_LOCATION"
+ },
+ {
+ "table_id":29,
+ "table_name":"TSG_SECURITY_DESTINATION_LOCATION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_GEO_LOCATION"
+ },
+ {
+ "table_id":30,
+ "table_name":"TSG_FIELD_DOH_QNAME",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":31,
+ "table_name":"TSG_FIELD_DOH_HOST",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":32,
+ "table_name":"TSG_FIELD_DOH_HOST_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":33,
+ "table_name":"TSG_OBJ_IMSI",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":34,
+ "table_name":"TSG_OBJ_PHONE_NUMBER",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":35,
+ "table_name":"TSG_OBJ_APN",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":36,
+ "table_name":"TSG_FILED_GTP_IMSI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IMSI"
+ },
+ {
+ "table_id":37,
+ "table_name":"TSG_FILED_GTP_PHONE_NUMBER",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_PHONE_NUMBER"
+ },
+ {
+ "table_id":38,
+ "table_name":"TSG_FILED_GTP_APN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_APN"
+ }
+] \ No newline at end of file
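Review bot: The old list had a `TSG_SECURITY_ADDR composition` row mapping `source`/`destination` onto the two virtual address tables, and the new JSON array has no equivalent entry, only the `virtual` tables 18 and 19; if any loader or matcher still looks the name `TSG_SECURITY_ADDR` up by string (I cannot see that code from here), loading this file will fail, so please confirm the composition was dropped on purpose. The old header comments describing each column are gone and JSON cannot carry comments, so the meaning of `valid_column`, the `custom` column indices and `associated_compile_table_id` should be documented in a README beside the file. The file also ends without a trailing newline.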
diff --git a/resource/table_info_security.conf b/resource/table_info_security.conf
index c4145b0..1cd5811 100644
--- a/resource/table_info_security.conf
+++ b/resource/table_info_security.conf
@@ -1,77 +1,678 @@
-#each collumn seperate with '\t'
-#id (0~65535)
-#name string
-#type one of ip,expr,expr_plus,digest,intval,compile or plugin
-#src_charset one of GBK,BIG5,UNICODE,UTF8
-#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
-#do_merege yes or no
-#cross cache 0~max
-#quickswitch quickon or quick off
-#id name type src_charset dst_charset do_merge cross_cache quickswitch
-0 TSG_SECURITY_COMPILE compile escape --
-0 TRAFFIC_SHAPING_COMPILE compile escape --
-0 SERVICE_CHAINING_COMPILE compile escape --
-1 GROUP_COMPILE_RELATION group2compile --
-2 GROUP_GROUP_RELATION group2group --
-3 TSG_OBJ_IP_ADDR ip_plus UTF8 UTF8 no 0
-3 TSG_OBJ_IP_LEARNING_ADDR ip_plus UTF8 UTF8 no 0
-4 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 yes 0
-5 TSG_OBJ_ACCOUNT expr UTF8 UTF8 yes 0
-6 TSG_OBJ_URL expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0
-7 TSG_OBJ_FQDN expr UTF8 UTF8 yes 0
-8 TSG_OBJ_FQDN_CAT intval UTF8 UTF8 yes 0
-9 TSG_OBJ_KEYWORDS expr UTF8 GBK/UNICODE/UTF8/url_encode_gb2312/url_encode_utf8 yes 0
-10 TSG_OBJ_APP_ID intval UTF8 UTF8 yes 0
-11 TSG_OBJ_HTTP_SIGNATURE expr_plus UTF8 UTF8/GBK yes 0
-12 TSG_FIELD_HTTP_HOST virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-13 TSG_FIELD_HTTP_URL virtual TSG_OBJ_URL --
-14 TSG_FIELD_HTTP_REQ_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
-15 TSG_FIELD_HTTP_RES_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
-16 TSG_FIELD_HTTP_REQ_BODY virtual TSG_OBJ_KEYWORDS --
-17 TSG_FIELD_HTTP_RES_BODY virtual TSG_OBJ_KEYWORDS --
-18 TSG_FIELD_SSL_SNI virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-19 TSG_FIELD_SSL_CN virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-20 TSG_FIELD_SSL_SAN virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-21 TSG_FIELD_DNS_QNAME virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-22 TSG_FIELD_QUIC_SNI virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-23 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
-24 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
-25 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
-26 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
-27 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
-28 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
-29 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
-30 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
-31 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
-32 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
-33 TSG_SECURITY_SOURCE_ADDR virtual TSG_OBJ_IP_ADDR --
-34 TSG_SECURITY_DESTINATION_ADDR virtual TSG_OBJ_IP_ADDR --
-35 TSG_SECURITY_ADDR composition {"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
-36 TSG_IP_ASN_BUILT_IN ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
-37 TSG_IP_ASN_USER_DEFINED ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":7,"estimate_size":4194304}
-38 TSG_IP_LOCATION_BUILT_IN ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":19,"estimate_size":4194304}
-39 TSG_IP_LOCATION_USER_DEFINED ip_plugin {"row_id":1,"ip_type":3,"start_ip":4,"end_ip":5,"valid":19,"estimate_size":4194304}
-40 TSG_OBJ_AS_NUMBER expr UTF8 UTF8/GBK yes 0
-41 TSG_SECURITY_SOURCE_ASN virtual TSG_OBJ_AS_NUMBER --
-42 TSG_SECURITY_DESTINATION_ASN virtual TSG_OBJ_AS_NUMBER --
-43 TSG_OBJ_GEO_LOCATION expr UTF8 UTF8/GBK yes 0
-44 TSG_SECURITY_SOURCE_LOCATION virtual TSG_OBJ_GEO_LOCATION --
-45 TSG_SECURITY_DESTINATION_LOCATION virtual TSG_OBJ_GEO_LOCATION --
-46 TSG_FQDN_CATEGORY_BUILT_IN fqdn_plugin {"row_id":1,"is_suffix_match":4,"fqdn":3,"valid":5} --
-47 TSG_FQDN_CATEGORY_USER_DEFINED fqdn_plugin {"row_id":1,"is_suffix_match":4,"fqdn":3,"valid":5} --
-48 TSG_FIELD_SIP_ORIGINATOR_DESCRIPTION virtual TSG_OBJ_ACCOUNT --
-49 TSG_FIELD_SIP_RESPONDER_DESCRIPTION virtual TSG_OBJ_ACCOUNT --
-50 TSG_OBJ_IMSI expr UTF8 UTF8 yes 0
-51 TSG_OBJ_PHONE_NUMBER expr UTF8 UTF8 yes 0
-52 TSG_OBJ_APN expr UTF8 UTF8 yes 0
-53 TSG_FILED_GTP_IMSI virtual TSG_OBJ_IMSI --
-54 TSG_FILED_GTP_PHONE_NUMBER virtual TSG_OBJ_PHONE_NUMBER --
-55 TSG_FILED_GTP_APN virtual TSG_OBJ_APN --
-56 TSG_DECYPTION_EXCLUSION_SSL_SNI virtual ["TSG_OBJ_FQDN","TSG_OBJ_FQDN_CAT"] --
-57 TSG_OBJ_TUNNEL_ID intval UTF8 UTF8 yes 0
-58 TSG_TUNNEL_CATALOG bool_plugin {"row_id":1,"bool_expr":4,"valid":5} --
-59 TSG_TUNNEL_ENDPOINT ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":6,"estimate_size":4194304}
-60 TSG_TUNNEL_LABEL plugin {"key":2,"valid":3} --
-61 TSG_SECURITY_TUNNEL virtual TSG_OBJ_TUNNEL_ID --
-62 TSG_OBJ_FLAG flag --
-63 TSG_SECURITY_FLAG virtual TSG_OBJ_FLAG --
+[
+ {
+ "table_id":0,
+ "table_name":"TSG_SECURITY_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":1,
+ "table_name":"GROUP_SECURITY_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":0,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":2,
+ "table_name":"TRAFFIC_SHAPING_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":3,
+ "table_name":"GROUP_SHAPING_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":2,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":4,
+ "table_name":"SERVICE_CHAINING_COMPILE",
+ "table_type":"compile",
+ "user_region_encoded":"escape",
+ "valid_column":8,
+ "custom": {
+ "compile_id":1,
+ "service_id":2,
+ "action":3,
+ "do_blacklist":4,
+ "do_log":5,
+ "tags":6,
+ "user_region":7,
+ "clause_num":9,
+ "evaluation_order":10
+ }
+ },
+ {
+ "table_id":5,
+ "table_name":"GROUP_SERVICE_CHAINING_COMPILE_RELATION",
+ "table_type":"group2compile",
+ "associated_compile_table_id":4,
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "compile_id":2,
+ "not_flag":4,
+ "virtual_table_name":5,
+ "clause_index":6
+ }
+ },
+ {
+ "table_id":6,
+ "table_name":"GROUP_GROUP_RELATION",
+ "table_type":"group2group",
+ "valid_column":3,
+ "custom": {
+ "group_id":1,
+ "super_group_id":2
+ }
+ },
+ {
+ "table_id":7,
+ "table_name":"TSG_OBJ_IP",
+ "db_tables":["TSG_OBJ_IP_ADDR","TSG_OBJ_IP_LEARNING_ADDR"],
+ "table_type":"ip_plus",
+ "valid_column":11,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "addr_type":3,
+ "addr_format":4,
+ "ip1":5,
+ "ip2":6,
+ "port_format":7,
+ "port1":8,
+ "port2":9,
+ "protocol":10
+ }
+ },
+ {
+ "table_id":8,
+ "table_name":"TSG_OBJ_SUBSCRIBER_ID",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":9,
+ "table_name":"TSG_OBJ_ACCOUNT",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":10,
+ "table_name":"TSG_OBJ_URL",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":11,
+ "table_name":"TSG_OBJ_FQDN",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":12,
+ "table_name":"TSG_OBJ_FQDN_CAT",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":13,
+ "table_name":"TSG_OBJ_KEYWORDS",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":14,
+ "table_name":"TSG_OBJ_APP_ID",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":15,
+ "table_name":"TSG_OBJ_HTTP_SIGNATURE",
+ "table_type":"expr_plus",
+ "valid_column":8,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "district":3,
+ "keywords":4,
+ "expr_type":5,
+ "match_method":6,
+ "is_hexbin":7
+ }
+ },
+ {
+ "table_id":16,
+ "table_name":"TSG_FIELD_HTTP_HOST",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":17,
+ "table_name":"TSG_FIELD_HTTP_HOST_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":18,
+ "table_name":"TSG_FIELD_HTTP_URL",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_URL"
+ },
+ {
+ "table_id":19,
+ "table_name":"TSG_FIELD_HTTP_REQ_HDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_HTTP_SIGNATURE"
+ },
+ {
+ "table_id":20,
+ "table_name":"TSG_FIELD_HTTP_RES_HDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_HTTP_SIGNATURE"
+ },
+ {
+ "table_id":21,
+ "table_name":"TSG_FIELD_HTTP_REQ_BODY",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":22,
+ "table_name":"TSG_FIELD_HTTP_RES_BODY",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":23,
+ "table_name":"TSG_FIELD_SSL_SNI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":24,
+ "table_name":"TSG_FIELD_SSL_SNI_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":25,
+ "table_name":"TSG_FIELD_SSL_CN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":26,
+ "table_name":"TSG_FIELD_SSL_CN_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":27,
+ "table_name":"TSG_FIELD_SSL_SAN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":28,
+ "table_name":"TSG_FIELD_SSL_SAN_CAT",
+ "table_type":"virtual",
+ "physical_table":"TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":29,
+ "table_name":"TSG_FIELD_DNS_QNAME",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":30,
+ "table_name":"TSG_FIELD_QUIC_SNI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":31,
+ "table_name":"TSG_FIELD_QUIC_SNI_CAT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN_CAT"
+ },
+ {
+ "table_id":32,
+ "table_name":"TSG_FIELD_MAIL_ACCOUNT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":33,
+ "table_name":"TSG_FIELD_MAIL_FROM",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":34,
+ "table_name":"TSG_FIELD_MAIL_TO",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":35,
+ "table_name":"TSG_FIELD_MAIL_SUBJECT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":36,
+ "table_name":"TSG_FIELD_MAIL_CONTENT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":37,
+ "table_name":"TSG_FIELD_MAIL_ATT_NAME",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":38,
+ "table_name":"TSG_FIELD_MAIL_ATT_CONTENT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":39,
+ "table_name":"TSG_FIELD_FTP_URI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_URL"
+ },
+ {
+ "table_id":40,
+ "table_name":"TSG_FIELD_FTP_CONTENT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_KEYWORDS"
+ },
+ {
+ "table_id":41,
+ "table_name":"TSG_FIELD_FTP_ACCOUNT",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":42,
+ "table_name":"TSG_SECURITY_SOURCE_ADDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IP"
+ },
+ {
+ "table_id":43,
+ "table_name":"TSG_SECURITY_DESTINATION_ADDR",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IP"
+ },
+ {
+ "table_id":44,
+ "table_name":"TSG_IP_ASN_BUILT_IN",
+ "table_type":"ip_plugin",
+ "valid_column":19,
+ "custom": {
+ "item_id":1,
+ "ip_type":3,
+ "start_ip":4,
+ "end_ip":5,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":45,
+ "table_name":"TSG_IP_ASN_USER_DEFINED",
+ "table_type":"ip_plugin",
+ "valid_column":19,
+ "custom": {
+ "item_id":1,
+ "ip_type":3,
+ "start_ip":4,
+ "end_ip":5,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":46,
+ "table_name":"TSG_IP_LOCATION_BUILT_IN",
+ "table_type":"ip_plugin",
+ "valid_column":19,
+ "custom": {
+ "item_id":1,
+ "ip_type":3,
+ "start_ip":4,
+ "end_ip":5,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":47,
+ "table_name":"TSG_IP_LOCATION_USER_DEFINED",
+ "table_type":"ip_plugin",
+ "valid_column":19,
+ "custom": {
+ "item_id":1,
+ "ip_type":3,
+ "start_ip":4,
+ "end_ip":5,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":48,
+ "table_name":"TSG_OBJ_AS_NUMBER",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":49,
+ "table_name":"TSG_SECURITY_SOURCE_ASN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_AS_NUMBER"
+ },
+ {
+ "table_id":50,
+ "table_name":"TSG_SECURITY_DESTINATION_ASN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_AS_NUMBER"
+ },
+ {
+ "table_id":51,
+ "table_name":"TSG_OBJ_GEO_LOCATION",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":52,
+ "table_name":"TSG_SECURITY_SOURCE_LOCATION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_GEO_LOCATION"
+ },
+ {
+ "table_id":53,
+ "table_name":"TSG_SECURITY_DESTINATION_LOCATION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_GEO_LOCATION"
+ },
+ {
+ "table_id":54,
+ "table_name":"TSG_FQDN_CATEGORY_BUILT_IN",
+ "table_type":"fqdn_plugin",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "suffix_match_method":4,
+ "fqdn":3
+ }
+ },
+ {
+ "table_id":55,
+ "table_name":"TSG_FQDN_CATEGORY_USER_DEFINED",
+ "table_type":"fqdn_plugin",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "suffix_match_method":4,
+ "fqdn":3
+ }
+ },
+ {
+ "table_id":56,
+ "table_name":"TSG_FIELD_SIP_ORIGINATOR_DESCRIPTION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":57,
+ "table_name":"TSG_FIELD_SIP_RESPONDER_DESCRIPTION",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_ACCOUNT"
+ },
+ {
+ "table_id":58,
+ "table_name":"TSG_OBJ_IMSI",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":59,
+ "table_name":"TSG_OBJ_PHONE_NUMBER",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":60,
+ "table_name":"TSG_OBJ_APN",
+ "table_type":"expr",
+ "valid_column":7,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "keywords":3,
+ "expr_type":4,
+ "match_method":5,
+ "is_hexbin":6
+ }
+ },
+ {
+ "table_id":61,
+ "table_name":"TSG_FILED_GTP_IMSI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_IMSI"
+ },
+ {
+ "table_id":62,
+ "table_name":"TSG_FILED_GTP_PHONE_NUMBER",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_PHONE_NUMBER"
+ },
+ {
+ "table_id":63,
+ "table_name":"TSG_FILED_GTP_APN",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_APN"
+ },
+ {
+ "table_id":64,
+ "table_name":"TSG_DECYPTION_EXCLUSION_SSL_SNI",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FQDN"
+ },
+ {
+ "table_id":65,
+ "table_name":"TSG_OBJ_TUNNEL_ID",
+ "table_type":"intval",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "low_bound":3,
+ "up_bound":4
+ }
+ },
+ {
+ "table_id":66,
+ "table_name":"TSG_TUNNEL_CATALOG",
+ "table_type":"bool_plugin",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "bool_expr":4
+ }
+ },
+ {
+ "table_id":67,
+ "table_name":"TSG_TUNNEL_ENDPOINT",
+ "table_type":"ip_plugin",
+ "valid_column":6,
+ "custom": {
+ "item_id":1,
+ "ip_type":2,
+ "start_ip":3,
+ "end_ip":4,
+ "addr_format":7
+ }
+ },
+ {
+ "table_id":68,
+ "table_name":"TSG_TUNNEL_LABEL",
+ "table_type":"plugin",
+ "valid_column":4,
+ "custom": {
+ "key":1,
+ "key_type":"pointer",
+ "tag":3
+ }
+ },
+ {
+ "table_id":69,
+ "table_name":"TSG_SECURITY_TUNNEL",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_TUNNEL_ID"
+ },
+ {
+ "table_id":70,
+ "table_name":"TSG_OBJ_FLAG",
+ "table_type":"flag",
+ "valid_column":5,
+ "custom": {
+ "item_id":1,
+ "group_id":2,
+ "flag":3,
+ "flag_mask":4
+ }
+ },
+ {
+ "table_id":71,
+ "table_name":"TSG_SECURITY_FLAG",
+ "table_type":"virtual",
+ "physical_table": "TSG_OBJ_FLAG"
+ }
+] \ No newline at end of file
diff --git a/scan/CMakeLists.txt b/scan/CMakeLists.txt
deleted file mode 100644
index 1527e23..0000000
--- a/scan/CMakeLists.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-add_library(policy_scan src/policy_scan.cpp)
-target_include_directories(policy_scan PUBLIC ${CMAKE_CURRENT_LIST_DIR}/incluce)
-target_link_libraries(policy_scan PUBLIC common pthread cjson maatframe)
-
-
-
diff --git a/scan/include/policy_scan.h b/scan/include/policy_scan.h
deleted file mode 100644
index 7f97345..0000000
--- a/scan/include/policy_scan.h
+++ /dev/null
@@ -1,13 +0,0 @@
-/*************************************************************************
- > File Name: policy_scan.h
- > Author:
- > Mail:
- > Created Time: 2019年08月26日 星期一 19时30分49秒
- ************************************************************************/
-
-#ifndef _PANGGU_HTTP_H
-#define _PANGGU_HTTP_H
-
-extern int proxy_policy_init(struct verify_policy * verify, const char* profile_path);
-
-#endif
diff --git a/vendor/CMakeLists.txt b/vendor/CMakeLists.txt
index e8140e9..e629e50 100644
--- a/vendor/CMakeLists.txt
+++ b/vendor/CMakeLists.txt
@@ -112,7 +112,7 @@ set_property(TARGET MESA_prof_load PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_L
set_property(TARGET MESA_prof_load PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
add_library(maatframe SHARED IMPORTED GLOBAL)
-set_property(TARGET maatframe PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libmaatframe.so)
+set_property(TARGET maatframe PROPERTY IMPORTED_LOCATION ${MESA_FRAMEWORK_LIB_DIR}/libmaat4.so)
set_property(TARGET maatframe PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${MESA_FRAMEWORK_INCLUDE_DIR})
### pcre2