From 9abf35fe53dcd11c4f419affa015b9c2ea383f2b Mon Sep 17 00:00:00 2001 From: ChenLing Date: Thu, 8 Aug 2019 14:53:53 +0800 Subject: [PATCH] =?UTF-8?q?ADD=20=20aaa-12=20=E5=A2=9E=E5=8A=A0=E5=8B=BE?= =?UTF-8?q?=E5=AD=90=E5=87=BD=E6=95=B0=E5=88=A4=E6=96=AD=E6=8A=A5=E6=96=87?= =?UTF-8?q?=E6=98=AF=E5=90=A6=E9=9C=80=E8=A6=81=E9=87=8D=E5=AE=9A=E5=90=91?= =?UTF-8?q?=E5=8A=9F=E8=83=BD=20RCA=EF=BC=9A=20SOL=EF=BC=9A=20=E4=BF=AE?= =?UTF-8?q?=E6=94=B9=E4=BA=BA=EF=BC=9Achenling=20=E6=A3=80=E8=A7=86?= =?UTF-8?q?=E4=BA=BA=EF=BC=9A?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Makefile | 15 +++- Product/build/module.matchrule.Makefile | 79 +++++++++++++++++ Product/modules/match_rule/Makefile | 11 +++ Product/modules/match_rule/k-matchrule.c | 105 +++++++++++++++++++++++ Product/modules/match_rule/k-matchrule.h | 11 +++ Product/modules/userhash/k-userhash.c | 2 +- 6 files changed, 218 insertions(+), 5 deletions(-) create mode 100755 Product/build/module.matchrule.Makefile create mode 100644 Product/modules/match_rule/Makefile create mode 100644 Product/modules/match_rule/k-matchrule.c create mode 100644 Product/modules/match_rule/k-matchrule.h diff --git a/Makefile b/Makefile index 936327a05..392e21bce 100755 --- a/Makefile +++ b/Makefile @@ -28,9 +28,9 @@ MAKE_FLAGS += -j$(shell cat /proc/cpuinfo | grep processor | wc -l) endif endif -.PHONY : openrpc ulog demo conntrack netlink trace redismq usermanager configm database webauth khashtable +.PHONY : demo conntrack netlink trace openrpc redismq usermanager configm ulog database webauth matchrule -all: openrpc ulog demo conntrack netlink trace redismq usermanager configm database webauth khashtable +all: demo conntrack netlink trace openrpc redismq usermanager configm ulog database webauth matchrule ifeq ($(OPT), install) #$(shell `find ../release -name "*.zip" -delete`) 
@@ -190,11 +190,18 @@ else $(MLOG)make all $(MAKE_FLAGS) -C Product/build -f user.web-auth.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=webauth endif -khashtable: +matchrule: ifeq ($(OPT), clean) $(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile cleanall MLOG=$(MLOG) MAKE_TARGET=khashtable + $(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.matchrule.Makefile cleanall MLOG=$(MLOG) MAKE_TARGET=matchrule else ifeq ($(OPT), install) $(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile install DIR=$(DIR) MLOG=$(MLOG) MAKE_TARGET=khashtable + $(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.matchrule.Makefile install DIR=$(DIR) MLOG=$(MLOG) MAKE_TARGET=matchrule + else $(MLOG)make all $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=khashtable -endif \ No newline at end of file + $(MLOG)make all $(MAKE_FLAGS) -C Product/build -f module.matchrule.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=matchrule +endif + + + diff --git a/Product/build/module.matchrule.Makefile b/Product/build/module.matchrule.Makefile new file mode 100755 index 000000000..37f78e158 --- /dev/null +++ b/Product/build/module.matchrule.Makefile 
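Review bot: The `-khashtable:` / `+matchrule:` rename keeps the three module.khash.Makefile recipe lines under the new target, so `make khashtable` no longer exists and `make matchrule` builds two unrelated modules; the first hunk of this file also drops `khashtable` from `.PHONY` and `all`. Keep `khashtable:` with its original recipe, add a separate `matchrule:` target holding only the three `module.matchrule.Makefile` lines, and list both names in `.PHONY` and `all`. The three added blank lines after the final `endif` can be dropped.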
@@ -0,0 +1,79 @@
+# target name, the target name must have the same name of c source file
+TARGET_NAME=matchrule
+
+# target
+# for linux module driver: KO
+# for application: EXE
+# for dynamic library: DLL
+TARGET_TYPE = KO
+
+# target object
+# for application: APP
+# for device driver: DRV
+TARGET_OBJ = DRV
+
+# custom install dir
+TARGET_BOX =
+
+#debug mode or release mode
+DEBUG = TRUE
+
+PLAT_LINUX ?= TRUE
+PLAT_ARM64 ?= FALSE
+
+VPATH = ../modules/match_rule
+
+# source code
+
+# set the source file, don't used .o because of ...
+
+COMMON_SRCS = k-matchrule.c
+
+# MRS Board Source Files
+PLAT_LINUX_SRCS = $(COMMON_SRCS)
+PLAT_ARM64_SRCS = $(COMMON_SRCS)
+
+# gcc CFLAGS
+PLAT_ARM64_CFLAGS := -I../../Common -I../common
+PLAT_LINUX_CFLAGS := $(PLAT_ARM64_CFLAGS)
+
+
+PLAT_ARM64_LDFLAGS :=
+PLAT_LINUX_LDFLAGS := $(PLAT_ARM64_LDFLAGS)
+
+
+#gcc libs
+ARM64_LIBS :=
+LINUX_LIBS :=
+
+ifeq ($(PLAT_ARM64), TRUE)
+DEPEND_LIB +=
+USER_CLEAN_ITEMS +=
+endif
+
+ifeq ($(PLAT_LINUX), TRUE)
+DEPEND_LIB +=
+USER_CLEAN_ITEMS +=
+endif
+
+# this line must be at below of thus, because of...
+include ../../Common/common.Makefile
+
+ifneq ($(MAKECMDGOALS), clean)
+ifneq ($(MAKECMDGOALS), cleanall)
+ifneq ($(notdir $(DEPEND_LIB)), $(wildcard $(DEPEND_LIB)))
+$(shell $(CP) $(DEPEND_LIB) ./)
+endif
+endif
+endif
+
+ifeq ($(MAKECMDGOALS), )
+$(shell find ./ -name "$(TARGET)-*.ko" -delete)
+else
+ifeq ($(MAKECMDGOALS), all)
+$(shell find ./ -name "$(TARGET)-*.ko" -delete)
+endif
+endif
+
+
+
diff --git a/Product/modules/match_rule/Makefile b/Product/modules/match_rule/Makefile
new file mode 100644
index 000000000..f28882d97
--- /dev/null
+++ b/Product/modules/match_rule/Makefile
@@ -0,0 +1,11 @@
+ifneq ($(KERNELRELEASE), )
+obj-m := k-matchrule.o
+else
+#KDIR ?= /opt/fsl-kernel/x86/linux-4.9.140
+KDIR ?= /opt/fsl-kernel/arm64/linux-4.9.140
+#PWD := $(shell pwd)
+all:
+ make -C $(KDIR) M=$(PWD) modules
+clean:
+ make -C $(KDIR) M=$(PWD) clean
+endif
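Review bot: `DEBUG = TRUE` is hard-coded in the build file for a kernel module (`TARGET_TYPE = KO`), so every ordinary build of this .ko is a debug build; if that is not intended for release images, change it to `DEBUG ?= FALSE` so the top-level build or environment can choose. The two parse-time `$(shell find ./ -name "$(TARGET)-*.ko" -delete)` lines depend on `TARGET`, which this file never sets (it sets `TARGET_NAME`); if common.Makefile does not derive `TARGET` from it, the pattern degrades to `-*.ko`, so a comment above the `include` stating that common.Makefile defines `TARGET` would help the next reader.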
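Review bot: `M=$(PWD)` takes `PWD` from the environment while the `PWD := $(shell pwd)` line right above it is commented out; GNU make does not refresh `PWD` when run with `-C`, so when this file is invoked from the top-level build `M=` points at the caller's directory instead of Product/modules/match_rule. Uncomment `PWD := $(shell pwd)` or use the built-in `M=$(CURDIR)`. `KDIR ?= /opt/fsl-kernel/arm64/linux-4.9.140` is a machine-local path; it is overridable, but a one-line comment saying it must point at the build tree of the target kernel would save a failed build.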
diff --git a/Product/modules/match_rule/k-matchrule.c b/Product/modules/match_rule/k-matchrule.c
new file mode 100644
index 000000000..3d096739f
--- /dev/null
+++ b/Product/modules/match_rule/k-matchrule.c
@@ -0,0 +1,105 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "../modules/userhash/k-userhash.h"
+#include "../modules/usercfgrcv/usercfg_kinit.h"
+#include
+#include
+
+extern struct list_head hash_array[];
+extern freeauth_configure_t *kfreeauth;
+
+/*匹配免认证规则 */
+int judge(u_int8_t proto, __be32 sip, __be32 dip, __be16 dport )
+{
+ /*免认证规则要求是http报文,http基于tcp协议 */
+ if (proto != 6) return 0;
+
+ if ((sip != kfreeauth->sip) && (dip != kfreeauth->dip)) return 0;
+
+ if (dport != kfreeauth->dport) return 0;
+
+ return 1;
+}
+
+
+int match_rule(const struct sk_buff *skb,u_int16_t l3num,
+ struct net *net,struct nf_conntrack_tuple *tuple)
+{
+ const struct nf_conntrack_l3proto *l3proto;
+ const struct nf_conntrack_l4proto *l4proto;
+ unsigned int nhoff; /*nhoff表示L3首部在skb中的偏移 */
+ unsigned int protoff;
+ u_int8_t protonum;
+ unsigned int dataoff; /*dataoff表示L4首部在skb中的偏移 */
+ int ret;
+ int result;
+
+ USERINFO *kresult;
+ kresult = (USERINFO *)kmalloc(sizeof(USERINFO), GFP_KERNEL);
+ if (NULL == kresult)
+ {
+ return ENOMEM;
+ }
+
+ /*获取版本号、源端口、目的端口、源IP、目的IP */
+ /*nf_ct_get_tuple函数主要根据协议号调用pkt_to_tuple生成一个tuple */
+ /*tcp/udp协议就是生成五元组(源ip、目的ip、源端口、目的端口、协议号),icmp协议就是(id、code、type) */
+ ret = nf_ct_get_tuple(skb, nhoff, protoff, l3num, protonum, net, tuple,l3proto, l4proto);
+ if(ret == 0)
+ {
+ printk("resolve_normal_ct: Can't get tuple\n");
+ kfree(kresult);
+ return EIO;
+ }
+
+ /*1.判断用户认证成功 ——非重定向
+ 2.判断是否符合免认证规则 ——非重定向
+ 3.判断目的端口是否是80—— 重定向标记
+ 4.目的端口不是80的情况下,判断协议是否是DHCP和DNS,如果是DHCP和DNS——非重定向
+ 5.其余包 drop*/
+ kresult = search_user(tuple->src.u3.ip);
+
+ /*用户已经认证通过 */
+ if(kresult != NULL)
+ {
+ kfree(kresult);
+ return NF_ACCEPT;
+ }
+
+ /*报文匹配免认证规则 */
+ result = judge(tuple->dst.protonum, tuple->src.u3.ip, tuple->dst.u3.ip, tuple->dst.u.tcp.port );
+ if (result == 1)
+ {
+ kfree(kresult);
+ return NF_ACCEPT;
+ }
+
+ /*80端口接入的HTTP报文重定向到Web Server */
+ if((tuple->dst.protonum == 6) && 
(tuple->dst.u.tcp.port == 80))
+ {
+ /*打重定向Mark标记 */
+ kfree(kresult);
+ }
+ else
+ {
+ /*dhcp报文 dns报文 默认放行 */
+ if((tuple->dst.u.tcp.port == 67) || (tuple->dst.u.tcp.port == 68) || (tuple->dst.u.tcp.port ==53))
+ {
+ kfree(kresult);
+ return NF_ACCEPT;
+ }
+
+ }
+
+ kfree(kresult);
+ return NF_DROP;
+}
+
diff --git a/Product/modules/match_rule/k-matchrule.h b/Product/modules/match_rule/k-matchrule.h
new file mode 100644
index 000000000..043795d82
--- /dev/null
+++ b/Product/modules/match_rule/k-matchrule.h
@@ -0,0 +1,11 @@
+#ifndef K_MATCHRULR_H
+#define K_MATCHRULR_H
+
+/*匹配免认证规则 */
+int judge(u_int8_t proto, __be32 sip, __be32 dip, __be16 dport );
+
+int matcl_rule(const struct sk_buff *skb,u_int16_t l3num,
+ struct net *net,struct nf_conntrack_tuple *tuple);
+
+#endif
+
diff --git a/Product/modules/userhash/k-userhash.c b/Product/modules/userhash/k-userhash.c
index 054df99c4..85737bf01 100644
--- a/Product/modules/userhash/k-userhash.c
+++ b/Product/modules/userhash/k-userhash.c
@@ -7,7 +7,7 @@ DEFINE_RWLOCK(g_obj_lock); /*定义大小为HASH_SIZE的hashtable */
-static struct list_head hash_array[HASH_SIZE];
+struct list_head hash_array[HASH_SIZE];
 /*init hashtable */ void init_hashMap(void)
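Review bot: `nhoff`, `protoff`, `protonum`, `l3proto` and `l4proto` are passed to nf_ct_get_tuple() in match_rule() without ever being assigned, so the tuple is parsed from indeterminate offsets — they have to come from `skb_network_offset(skb)`, `__nf_ct_l3proto_find(l3num)`, `l3proto->get_l4proto()` and `__nf_ct_l4proto_find()`, as resolve_normal_ct() in the kernel does. The `kmalloc` of `kresult` is leaked the moment `kresult = search_user(...)` overwrites it, and every later `kfree(kresult)` then frees whatever search_user() returned, which looks like an entry owned by the user hash rather than a copy (confirm against k-userhash.c); drop the allocation entirely, and note that GFP_KERNEL would also be wrong if this runs inside a netfilter hook. `tuple->dst.u.tcp.port` and `dport` are `__be16`, so comparing them with `80`, `67`, `68`, `53` only works on big-endian targets and `kfreeauth->dport` must be stored in network order too; `proto != 6` should read `IPPROTO_TCP`, and in judge() the `&&` accepts a packet when only one of sip/dip matches while `kfreeauth` is never NULL-checked, so if both addresses must match write `if (!kfreeauth || sip != kfreeauth->sip || dip != kfreeauth->dip) return 0;`. The function also mixes errno values (`ENOMEM`, `EIO`) with netfilter verdicts (`NF_DROP` is 0, `NF_ACCEPT` is 1), and the port-80 branch that the commit subject says should set a redirect mark does nothing and falls through to `NF_DROP`. The rewrite below resolves the offsets, removes the allocation and returns only verdicts; the mark itself is left as a TODO because the hunk does not show where it is consumed.
```c
int match_rule(const struct sk_buff *skb,u_int16_t l3num,
        struct net *net,struct nf_conntrack_tuple *tuple)
{
    const struct nf_conntrack_l3proto *l3proto;
    const struct nf_conntrack_l4proto *l4proto;
    unsigned int nhoff = skb_network_offset(skb); /* L3 header offset in skb */
    unsigned int dataoff;                         /* L4 header offset, filled by get_l4proto */
    u_int8_t protonum;

    /* Assumes the caller holds rcu_read_lock(), as a netfilter hook does. */
    l3proto = __nf_ct_l3proto_find(l3num);
    if (l3proto->get_l4proto(skb, nhoff, &dataoff, &protonum) <= 0)
        return NF_DROP;
    l4proto = __nf_ct_l4proto_find(l3num, protonum);

    if (!nf_ct_get_tuple(skb, nhoff, dataoff, l3num, protonum, net, tuple,
                         l3proto, l4proto)) {
        pr_debug("match_rule: Can't get tuple\n");
        return NF_DROP;
    }

    /* No kmalloc: search_user() is treated as returning a borrowed pointer
     * into the user hash — confirm ownership against k-userhash.c. */
    if (search_user(tuple->src.u3.ip) != NULL)
        return NF_ACCEPT;                 /* authenticated user */

    if (judge(tuple->dst.protonum, tuple->src.u3.ip, tuple->dst.u3.ip,
              tuple->dst.u.tcp.port) == 1)
        return NF_ACCEPT;                 /* free-auth rule matched */

    if (tuple->dst.protonum == IPPROTO_TCP && tuple->dst.u.tcp.port == htons(80)) {
        /* TODO: set the redirect mark here; the original branch did nothing
         * and fell through to NF_DROP, which is kept until that is decided. */
        return NF_DROP;
    }

    /* DHCP / DNS pass through; ports are __be16, so compare in network order. */
    if (tuple->dst.u.all == htons(67) || tuple->dst.u.all == htons(68) ||
        tuple->dst.u.all == htons(53))
        return NF_ACCEPT;

    return NF_DROP;
}
```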
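Review bot: The header declares `matcl_rule` while k-matchrule.c defines `match_rule`, so any caller that includes this header declares a function that does not exist and never sees the real prototype; change the declaration to `int match_rule(const struct sk_buff *skb, u_int16_t l3num, struct net *net, struct nf_conntrack_tuple *tuple);`. The guard macro is misspelled as `K_MATCHRULR_H`, which still works but will confuse the next person who copies it. The header also uses `u_int8_t`, `__be32`, `__be16`, `struct sk_buff`, `struct net` and `struct nf_conntrack_tuple` without including `<linux/types.h>` or forward-declaring the three structs, so it compiles only when the including file happens to pull in the right kernel headers first.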
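Review bot: Dropping `static` from `hash_array` gives a module-private table global linkage, but the only new user, `extern struct list_head hash_array[]` in k-matchrule.c, never reads it; that file only calls `search_user()` and dereferences `kfreeauth`. If match_rule is loaded as its own module (module.matchrule.Makefile sets `TARGET_TYPE = KO`), a plain global is still not resolvable from another .ko, so the symbols it actually needs must be exported from their owning module, e.g. `EXPORT_SYMBOL(search_user);` next to the definition, presumably in k-userhash.c. Keep `hash_array` `static` so every access stays behind `search_user()` and `g_obj_lock`, and delete the unused extern in k-matchrule.c.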