ADD aaa-12 增加勾子函数判断报文是否需要重定向功能

RCA:
SOL:
修改人:chenling
检视人:
This commit is contained in:
ChenLing 2019-08-08 14:53:53 +08:00
parent 9595330e0a
commit 9abf35fe53
6 changed files with 218 additions and 5 deletions


@ -28,9 +28,9 @@ MAKE_FLAGS += -j$(shell cat /proc/cpuinfo | grep processor | wc -l)
endif endif
endif endif
.PHONY : openrpc ulog demo conntrack netlink trace redismq usermanager configm database webauth khashtable .PHONY : demo conntrack netlink trace openrpc redismq usermanager configm ulog database webauth matchrule
all: openrpc ulog demo conntrack netlink trace redismq usermanager configm database webauth khashtable all: demo conntrack netlink trace openrpc redismq usermanager configm ulog database webauth matchrule
ifeq ($(OPT), install) ifeq ($(OPT), install)
#$(shell `find ../release -name "*.zip" -delete`) #$(shell `find ../release -name "*.zip" -delete`)
@ -190,11 +190,18 @@ else
$(MLOG)make all $(MAKE_FLAGS) -C Product/build -f user.web-auth.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=webauth $(MLOG)make all $(MAKE_FLAGS) -C Product/build -f user.web-auth.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=webauth
endif endif
khashtable: matchrule:
ifeq ($(OPT), clean) ifeq ($(OPT), clean)
$(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile cleanall MLOG=$(MLOG) MAKE_TARGET=khashtable $(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile cleanall MLOG=$(MLOG) MAKE_TARGET=khashtable
$(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.matchrule.Makefile cleanall MLOG=$(MLOG) MAKE_TARGET=matchrule
else ifeq ($(OPT), install) else ifeq ($(OPT), install)
$(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile install DIR=$(DIR) MLOG=$(MLOG) MAKE_TARGET=khashtable $(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile install DIR=$(DIR) MLOG=$(MLOG) MAKE_TARGET=khashtable
$(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.matchrule.Makefile install DIR=$(DIR) MLOG=$(MLOG) MAKE_TARGET=matchrule
else else
$(MLOG)make all $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=khashtable $(MLOG)make all $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=khashtable
$(MLOG)make all $(MAKE_FLAGS) -C Product/build -f module.matchrule.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=matchrule
endif endif
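Review bot: The renamed rule header `khashtable: matchrule:` appears to keep the three module.khash.Makefile recipe lines (printed as context) next to the three new module.matchrule.Makefile lines, so `make matchrule` now builds, installs and cleans both modules while `khashtable` is dropped from `.PHONY` and `all` and can no longer be driven on its own. If matchrule really depends on khash, express that as a prerequisite — keep `khashtable:` as its own target and write `matchrule: khashtable` — instead of folding the two recipes into one rule. The three added lines also invoke the sub-make as a literal `make`; `$(MAKE)` propagates `-n` and the jobserver, which matters with `MAKE_FLAGS += -j…` set at the top of this file (the pre-existing lines have the same issue). The `.PHONY`/`all` edits live in this file's first hunk; the rule body shown here is complete within the second.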


@ -0,0 +1,79 @@
# target name, the target name must have the same name of c source file
TARGET_NAME=matchrule
# target
# for linux module driver: KO
# for application: EXE
# for dynamic library: DLL
TARGET_TYPE = KO
# target object
# for application: APP
# for device driver: DRV
TARGET_OBJ = DRV
# custom install dir
TARGET_BOX =
#debug mode or release mode
DEBUG = TRUE
PLAT_LINUX ?= TRUE
PLAT_ARM64 ?= FALSE
VPATH = ../modules/match_rule
# source code
# set the source file, don't used .o because of ...
COMMON_SRCS = k-matchrule.c
# MRS Board Source Files
PLAT_LINUX_SRCS = $(COMMON_SRCS)
PLAT_ARM64_SRCS = $(COMMON_SRCS)
# gcc CFLAGS
PLAT_ARM64_CFLAGS := -I../../Common -I../common
PLAT_LINUX_CFLAGS := $(PLAT_ARM64_CFLAGS)
PLAT_ARM64_LDFLAGS :=
PLAT_LINUX_LDFLAGS := $(PLAT_ARM64_LDFLAGS)
#gcc libs
ARM64_LIBS :=
LINUX_LIBS :=
ifeq ($(PLAT_ARM64), TRUE)
DEPEND_LIB +=
USER_CLEAN_ITEMS +=
endif
ifeq ($(PLAT_LINUX), TRUE)
DEPEND_LIB +=
USER_CLEAN_ITEMS +=
endif
# this line must be at below of thus, because of...
include ../../Common/common.Makefile
ifneq ($(MAKECMDGOALS), clean)
ifneq ($(MAKECMDGOALS), cleanall)
ifneq ($(notdir $(DEPEND_LIB)), $(wildcard $(DEPEND_LIB)))
$(shell $(CP) $(DEPEND_LIB) ./)
endif
endif
endif
ifeq ($(MAKECMDGOALS), )
$(shell find ./ -name "$(TARGET)-*.ko" -delete)
else
ifeq ($(MAKECMDGOALS), all)
$(shell find ./ -name "$(TARGET)-*.ko" -delete)
endif
endif
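Review bot: The two `$(shell find ./ -name "$(TARGET)-*.ko" -delete)` lines run at parse time, so .ko files are deleted whenever this Makefile is read, and `TARGET` is not set here (only `TARGET_NAME` is) — presumably common.Makefile derives it, but if it ever expands empty the glob becomes `-*.ko`. Guard the expansion with `ifneq ($(strip $(TARGET)),)`, or better move the removal into the recipe of the rule that rebuilds the module so it runs only when that target is built and is visible under `make -n`. The two branches execute the same statement; `ifeq ($(filter-out all,$(MAKECMDGOALS)),)` covers both the empty-goal and the `all` case in one conditional. `DEBUG = TRUE` hard-codes a debug build for a kernel module and the comments on the COMMON_SRCS and include lines end in "because of ..." — either finish the reason or drop the fragment, since an unfinished warning tells the next maintainer nothing.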


@ -0,0 +1,11 @@
ifneq ($(KERNELRELEASE), )
obj-m := k-matchrule.o
else
#KDIR ?= /opt/fsl-kernel/x86/linux-4.9.140
KDIR ?= /opt/fsl-kernel/arm64/linux-4.9.140
#PWD := $(shell pwd)
all:
make -C $(KDIR) M=$(PWD) modules
clean:
make -C $(KDIR) M=$(PWD) clean
endif
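Review bot: Both recipes call the kernel build as a literal `make` and rely on the shell's exported `PWD`; `$(MAKE) -C $(KDIR) M=$(CURDIR) modules` and `$(MAKE) -C $(KDIR) M=$(CURDIR) clean` keep jobserver and `-n` handling and do not depend on the environment. `all` and `clean` are not declared `.PHONY:`, so a file of either name in the module directory would make them look up to date; add `.PHONY: all clean` inside the `else` branch. The commented-out x86 `KDIR` and `PWD` lines are dead configuration — `KDIR` is already `?=`, so the alternative tree belongs on the command line (`make KDIR=...`) or in a comment stating that, not as a disabled assignment.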


@ -0,0 +1,105 @@
#include <linux/errno.h>
#include <linux/string.h>
#include <linux/types.h>
#include <net/net_namespace.h>
#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_l3proto.h>
#include <net/netfilter/nf_conntrack_l4proto.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack_core.h>
#include "../modules/userhash/k-userhash.h"
#include "../modules/usercfgrcv/usercfg_kinit.h"
#include <asm-generic/int-ll64.h>
#include <linux/netfilter.h>
extern struct list_head hash_array[];
extern freeauth_configure_t *kfreeauth;
/*匹配免认证规则 */
int judge(u_int8_t proto, __be32 sip, __be32 dip, __be16 dport )
{
/*免认证规则要求是http报文,http基于tcp协议 */
if (proto != 6) return 0;
if ((sip != kfreeauth->sip) && (dip != kfreeauth->dip)) return 0;
if (dport != kfreeauth->dport) return 0;
return 1;
}
int match_rule(const struct sk_buff *skb,u_int16_t l3num,
struct net *net,struct nf_conntrack_tuple *tuple)
{
const struct nf_conntrack_l3proto *l3proto;
const struct nf_conntrack_l4proto *l4proto;
unsigned int nhoff; /*nhoff表示L3首部在skb中的偏移 */
unsigned int protoff;
u_int8_t protonum;
unsigned int dataoff; /*dataoff表示L4首部在skb中的偏移 */
int ret;
int result;
USERINFO *kresult;
kresult = (USERINFO *)kmalloc(sizeof(USERINFO), GFP_KERNEL);
if (NULL == kresult)
{
return ENOMEM;
}
/*获取版本号、源端口、目的端口、源IP、目的IP */
/*nf_ct_get_tuple函数主要根据协议号调用pkt_to_tuple生成一个tuple */
/*tcp/udp协议就是生成五元组(源ip、目的ip、源端口、目的端口、协议号)icmp协议就是(id、code、type) */
ret = nf_ct_get_tuple(skb, nhoff, protoff, l3num, protonum, net, tuple,l3proto, l4proto);
if(ret == 0)
{
printk("resolve_normal_ct: Can't get tuple\n");
kfree(kresult);
return EIO;
}
/*1.判断用户认证成功 ——非重定向
2.
3.80
4.80DHCP和DNSDHCP和DNS
5. drop*/
kresult = search_user(tuple->src.u3.ip);
/*用户已经认证通过 */
if(kresult != NULL)
{
kfree(kresult);
return NF_ACCEPT;
}
/*报文匹配免认证规则 */
result = judge(tuple->dst.protonum, tuple->src.u3.ip, tuple->dst.u3.ip, tuple->dst.u.tcp.port );
if (result == 1)
{
kfree(kresult);
return NF_ACCEPT;
}
/*80端口接入的HTTP报文重定向到Web Server */
if((tuple->dst.protonum == 6) && (tuple->dst.u.tcp.port == 80))
{
/*打重定向Mark标记 */
kfree(kresult);
}
else
{
/*dhcp报文 dns报文 默认放行 */
if((tuple->dst.u.tcp.port == 67) || (tuple->dst.u.tcp.port == 68) || (tuple->dst.u.tcp.port ==53))
{
kfree(kresult);
return NF_ACCEPT;
}
}
kfree(kresult);
return NF_DROP;
}
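Review bot: In match_rule, nhoff, protoff, protonum, l3proto and l4proto are handed to nf_ct_get_tuple uninitialised, so the tuple is parsed from whatever offsets the stack happens to hold, and kresult is kmalloc'd and then overwritten by search_user(), which leaks the allocation and kfree()s a pointer the function does not own (presumably a live entry of the user hash, which would corrupt the table). The tuple ports are __be16 but are compared with host-order 80/67/68/53 — use `htons(80)` etc. — DHCP/DNS are UDP so the `dst.u.tcp.port` reads on that path only work through the union layout, and the `&&` in judge() accepts a packet when either address matches, which looks inverted if both must match. The ENOMEM/EIO returns are positive errno values where every other path returns a netfilter verdict, so a hook caller would misinterpret them, and the port-80 branch only documents the redirect mark and then falls through to NF_DROP. `extern struct list_head hash_array[]` is never referenced in this file, so the matching removal of `static` in k-userhash.c can be reverted; reaching the table only through search_user() keeps it behind g_obj_lock. The sketch below derives the offsets from the skb the way nf_conntrack's own caller does and removes the kmalloc/kfree pairing; the rest of the function is unchanged apart from dropping the kfree() calls.
```c
int match_rule(const struct sk_buff *skb, u_int16_t l3num,
	       struct net *net, struct nf_conntrack_tuple *tuple)
{
	const struct nf_conntrack_l3proto *l3proto;
	const struct nf_conntrack_l4proto *l4proto;
	unsigned int nhoff = skb_network_offset(skb);
	unsigned int dataoff;
	u_int8_t protonum;
	USERINFO *kresult;

	/* fail closed until the free-auth configuration has been loaded */
	if (kfreeauth == NULL)
		return NF_DROP;

	/* derive the L3/L4 offsets from the skb instead of passing uninitialised locals */
	l3proto = __nf_ct_l3proto_find(l3num);
	if (l3proto->get_l4proto(skb, nhoff, &dataoff, &protonum) <= 0)
		return NF_DROP;
	l4proto = __nf_ct_l4proto_find(l3num, protonum);
	if (!nf_ct_get_tuple(skb, nhoff, dataoff, l3num, protonum, net, tuple,
			     l3proto, l4proto)) {
		pr_debug("match_rule: can't get tuple\n");
		return NF_DROP;
	}

	/* search_user() returns a hash entry owned by the user table; never kfree() it */
	kresult = search_user(tuple->src.u3.ip);
	if (kresult != NULL)
		return NF_ACCEPT;
	/* … unchanged: judge() check, port-80 branch, DHCP/DNS accept, final NF_DROP and closing brace (kfree() calls removed) … */
```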


@ -0,0 +1,11 @@
#ifndef K_MATCHRULR_H
#define K_MATCHRULR_H
/*匹配免认证规则 */
int judge(u_int8_t proto, __be32 sip, __be32 dip, __be16 dport );
int matcl_rule(const struct sk_buff *skb,u_int16_t l3num,
struct net *net,struct nf_conntrack_tuple *tuple);
#endif
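Review bot: The header declares `matcl_rule` while the .c file defines `match_rule`, so the prototype never matches the definition and any caller including this header links against a function that does not exist; the line should read `int match_rule(const struct sk_buff *skb, u_int16_t l3num,`. The header also uses `u_int8_t`, `__be32`, `struct sk_buff`, `struct net` and `struct nf_conntrack_tuple` without bringing them in, so it only compiles when included after the right kernel headers — add `#include <linux/types.h>` and `#include <linux/skbuff.h>` and forward-declare `struct net;` and `struct nf_conntrack_tuple;`. The guard macro `K_MATCHRULR_H` is misspelled relative to the file name; harmless, but worth fixing while the prototype is corrected.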


@ -7,7 +7,7 @@
DEFINE_RWLOCK(g_obj_lock); DEFINE_RWLOCK(g_obj_lock);
/*定义大小为HASH_SIZE的hashtable */ /*定义大小为HASH_SIZE的hashtable */
static struct list_head hash_array[HASH_SIZE]; struct list_head hash_array[HASH_SIZE];
/*init hashtable */ /*init hashtable */
void init_hashMap(void) void init_hashMap(void)