ADD aaa-12 增加勾子函数判断报文是否需要重定向功能

RCA： SOL：修改人：chenling 检视人：
2019-08-08 14:53:53 +08:00 · 2019-08-08 14:53:53 +08:00 · 9abf35fe53
parent 9595330e0a
commit 9abf35fe53
6 changed files with 218 additions and 5 deletions
--- a/13
+++ b/13
@ -28,9 +28,9 @@ MAKE_FLAGS				+= -j$(shell cat /proc/cpuinfo | grep processor | wc -l)
 endif
 endif

-.PHONY : openrpc ulog demo conntrack netlink trace  redismq usermanager configm  database  webauth khashtable
+.PHONY : demo conntrack netlink trace openrpc redismq usermanager configm ulog database  webauth matchrule 

-all: openrpc ulog demo conntrack netlink trace  redismq usermanager configm  database  webauth khashtable
+all: demo conntrack netlink trace openrpc redismq usermanager configm ulog database  webauth matchrule 

 ifeq ($(OPT), install)
 #$(shell `find ../release -name "*.zip" -delete`)
@ -190,11 +190,18 @@ else
 	$(MLOG)make all $(MAKE_FLAGS) -C Product/build -f user.web-auth.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=webauth
 endif	    

-khashtable:
+matchrule:
 ifeq ($(OPT), clean)
 	$(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile cleanall MLOG=$(MLOG) MAKE_TARGET=khashtable
+	$(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.matchrule.Makefile cleanall MLOG=$(MLOG) MAKE_TARGET=matchrule
 else ifeq ($(OPT), install)
 	$(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile install DIR=$(DIR) MLOG=$(MLOG) MAKE_TARGET=khashtable
+	$(MLOG)make $(MAKE_FLAGS) -C Product/build -f module.matchrule.Makefile install DIR=$(DIR) MLOG=$(MLOG) MAKE_TARGET=matchrule
+
 else
 	$(MLOG)make all $(MAKE_FLAGS) -C Product/build -f module.khash.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=khashtable
+	$(MLOG)make all $(MAKE_FLAGS) -C Product/build -f module.matchrule.Makefile MLOG=$(MLOG) DISABLE_WARRING=$(DIS_BUILD_WARRING) MAKE_TARGET=matchrule
 endif	     
+
+
+
--- a/Product/build/module.matchrule.Makefile
+++ b/Product/build/module.matchrule.Makefile
@ -0,0 +1,79 @@
+# target name, the target name must have the same name of c source file
+TARGET_NAME=matchrule
+
+# target 
+# for linux module driver: KO
+# for application: EXE
+# for dynamic library: DLL
+TARGET_TYPE = KO
+ 
+# target object
+# for application: APP
+# for device driver: DRV
+TARGET_OBJ  = DRV
+
+# custom install dir
+TARGET_BOX = 
+
+#debug mode or release mode
+DEBUG 			= TRUE
+
+PLAT_LINUX		?= TRUE
+PLAT_ARM64		?= FALSE
+
+VPATH = ../modules/match_rule
+
+# source code
+
+# set the source file, don't used .o because of ...
+
+COMMON_SRCS = k-matchrule.c
+
+# MRS Board Source Files
+PLAT_LINUX_SRCS = $(COMMON_SRCS)
+PLAT_ARM64_SRCS = $(COMMON_SRCS)
+
+# gcc CFLAGS
+PLAT_ARM64_CFLAGS := -I../../Common -I../common 
+PLAT_LINUX_CFLAGS := $(PLAT_ARM64_CFLAGS)
+
+
+PLAT_ARM64_LDFLAGS  := 
+PLAT_LINUX_LDFLAGS := $(PLAT_ARM64_LDFLAGS)
+
+
+#gcc libs
+ARM64_LIBS		:= 
+LINUX_LIBS		:= 
+
+ifeq	($(PLAT_ARM64), TRUE)
+DEPEND_LIB			+= 
+USER_CLEAN_ITEMS	+=
+endif
+
+ifeq	($(PLAT_LINUX), TRUE)
+DEPEND_LIB			+=
+USER_CLEAN_ITEMS	+=
+endif
+
+# this line must be at below of thus, because of...	
+include ../../Common/common.Makefile
+
+ifneq ($(MAKECMDGOALS), clean)
+ifneq ($(MAKECMDGOALS), cleanall)
+ifneq ($(notdir $(DEPEND_LIB)), $(wildcard $(DEPEND_LIB)))
+$(shell $(CP) $(DEPEND_LIB) ./)
+endif
+endif
+endif
+
+ifeq ($(MAKECMDGOALS), )
+$(shell find ./ -name "$(TARGET)-*.ko" -delete)
+else
+ifeq ($(MAKECMDGOALS), all)
+$(shell find ./ -name "$(TARGET)-*.ko" -delete)
+endif
+endif
+
+
+
--- a/Product/modules/match_rule/Makefile
+++ b/Product/modules/match_rule/Makefile
@ -0,0 +1,11 @@
+ifneq ($(KERNELRELEASE), )
+obj-m := k-matchrule.o 
+else
+#KDIR  	?= /opt/fsl-kernel/x86/linux-4.9.140
+KDIR  	?= /opt/fsl-kernel/arm64/linux-4.9.140
+#PWD		:= $(shell pwd)
+all:
+	make -C $(KDIR) M=$(PWD) modules
+clean:
+	make -C $(KDIR) M=$(PWD) clean
+endif
--- a/Product/modules/match_rule/k-matchrule.c
+++ b/Product/modules/match_rule/k-matchrule.c
@ -0,0 +1,105 @@
+#include <linux/errno.h>
+#include <linux/string.h>
+#include <linux/types.h>
+#include <net/net_namespace.h>
+#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
+#include <net/netfilter/nf_conntrack_tuple.h>
+#include <net/netfilter/nf_conntrack_l3proto.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
+#include <linux/skbuff.h>
+#include <net/netfilter/nf_conntrack_core.h>
+#include "../modules/userhash/k-userhash.h" 
+#include "../modules/usercfgrcv/usercfg_kinit.h"
+#include <asm-generic/int-ll64.h>
+#include <linux/netfilter.h>
+
+extern struct list_head hash_array[];
+extern freeauth_configure_t *kfreeauth;
+
+/*匹配免认证规则 */
+int judge(u_int8_t proto, __be32 sip, __be32 dip, __be16 dport )
+{
+    /*免认证规则要求是http报文,http基于tcp协议 */
+    if (proto != 6) return 0;
+
+    if ((sip != kfreeauth->sip) && (dip != kfreeauth->dip)) return 0;
+
+    if (dport != kfreeauth->dport) return 0;
+
+    return 1;
+}
+
+
+int match_rule(const struct sk_buff *skb,u_int16_t l3num,
+                    struct net *net,struct nf_conntrack_tuple *tuple)
+{
+    const struct nf_conntrack_l3proto *l3proto;
+	const struct nf_conntrack_l4proto *l4proto;
+    unsigned int nhoff;   /*nhoff表示L3首部在skb中的偏移 */
+	unsigned int protoff; 
+	u_int8_t protonum;
+    unsigned int dataoff; /*dataoff表示L4首部在skb中的偏移 */
+    int ret;
+    int result;
+
+    USERINFO *kresult;
+    kresult = (USERINFO *)kmalloc(sizeof(USERINFO), GFP_KERNEL);
+    if (NULL == kresult)
+    {
+        return ENOMEM;
+    }
+
+    /*获取版本号、源端口、目的端口、源IP、目的IP */
+    /*nf_ct_get_tuple函数主要根据协议号调用pkt_to_tuple生成一个tuple */
+    /*tcp/udp协议就是生成五元组(源ip、目的ip、源端口、目的端口、协议号)，icmp协议就是(id、code、type) */
+    ret = nf_ct_get_tuple(skb, nhoff, protoff, l3num, protonum, net, tuple,l3proto, l4proto);
+    if(ret == 0)
+    {
+        printk("resolve_normal_ct: Can't get tuple\n");
+        kfree(kresult);
+        return EIO; 
+    }
+ 
+    /*1.判断用户认证成功 ——非重定向
+    2.判断是否符合免认证规则 ——非重定向
+    3.判断目的端口是否是80—— 重定向标记
+    4.目的端口不是80的情况下，判断协议是否是DHCP和DNS，如果是DHCP和DNS——非重定向
+    5.其余包 drop*/
+    kresult = search_user(tuple->src.u3.ip);
+   
+    /*用户已经认证通过 */
+    if(kresult != NULL) 
+    {
+        kfree(kresult);
+        return NF_ACCEPT;
+    }
+  
+    /*报文匹配免认证规则 */
+    result = judge(tuple->dst.protonum, tuple->src.u3.ip, tuple->dst.u3.ip, tuple->dst.u.tcp.port );
+    if (result == 1)
+    {
+       kfree(kresult);
+       return NF_ACCEPT;
+    }
+    
+    /*80端口接入的HTTP报文重定向到Web Server */
+    if((tuple->dst.protonum == 6) && (tuple->dst.u.tcp.port == 80))
+    {
+        /*打重定向Mark标记 */
+        kfree(kresult);
+    }
+    else
+    {
+        /*dhcp报文 dns报文 默认放行 */
+        if((tuple->dst.u.tcp.port == 67) || (tuple->dst.u.tcp.port == 68) || (tuple->dst.u.tcp.port ==53))
+        {
+            kfree(kresult);
+            return NF_ACCEPT;
+        }
+        
+    }  
+
+    kfree(kresult);          
+    return NF_DROP;         
+}
+
--- a/Product/modules/match_rule/k-matchrule.h
+++ b/Product/modules/match_rule/k-matchrule.h
@ -0,0 +1,11 @@
+#ifndef K_MATCHRULR_H
+#define K_MATCHRULR_H
+
+/*匹配免认证规则 */
+int judge(u_int8_t proto, __be32 sip, __be32 dip, __be16 dport );
+
+int matcl_rule(const struct sk_buff *skb,u_int16_t l3num,
+                    struct net *net,struct nf_conntrack_tuple *tuple);
+
+#endif
+
--- a/Product/modules/userhash/k-userhash.c
+++ b/Product/modules/userhash/k-userhash.c
@ -7,7 +7,7 @@
 DEFINE_RWLOCK(g_obj_lock);

 /*定义大小为HASH_SIZE的hashtable */
-static struct list_head hash_array[HASH_SIZE];
+struct list_head hash_array[HASH_SIZE];

 /*init hashtable */
 void init_hashMap(void)