update filter

zhengyuli · May 11, 2015 · c162cdf · c162cdf
1 parent 5d62cf1
commit c162cdf
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 52 deletions.
diff --git a/src/app_service/app_service_manager.c b/src/app_service/app_service_manager.c
@@ -16,13 +16,10 @@
 
 /* AppService padding filter */
 #define APP_SERVICE_PADDING_BPF_FILTER "icmp"
-/* AppService ip fragment filter */
-#define APP_SERVICE_IP_FRAGMENT_BPF_FILTER                              \
-    "(tcp and (ip[6] & 0x20 != 0 or (ip[6] & 0x20 = 0 and ip[6:2] & 0x1fff != 0)))"
 /* AppService filter */
-#define APP_SERVICE_BPF_FILTER "(ip host %s and (tcp port %u or %s)) or "
+#define APP_SERVICE_BPF_FILTER "ip host %s or "
 /* AppService filter length */
-#define APP_SERVICE_BPF_FILTER_LENGTH 256
+#define APP_SERVICE_BPF_FILTER_LENGTH 64
 
 /* AppService master hash table rwlock */
 static pthread_rwlock_t appServiceHashTableMasterRWLock;
@@ -131,7 +128,7 @@ getFilterForEachAppService (void *data, void *args) {
 
     len = strlen (filter);
     snprintf (filter + len, APP_SERVICE_BPF_FILTER_LENGTH, APP_SERVICE_BPF_FILTER,
-              appSvc->ip, appSvc->port, APP_SERVICE_IP_FRAGMENT_BPF_FILTER);
+              appSvc->ip);
     return 0;
 }
 
@@ -147,7 +144,7 @@ getAppServicesFilter (void) {
     int ret;
     u_int svcNum;
     char *filter;
-    u_int filterLen;
+    u_int filterLen, len;
 
     pthread_rwlock_rdlock (&appServiceHashTableMasterRWLock);
 
@@ -161,17 +158,21 @@ getAppServicesFilter (void) {
     }
     memset (filter, 0, filterLen);
 
-    ret = hashLoopDo (appServiceHashTableMaster, getFilterForEachAppService, filter);
-    if (ret < 0) {
+    if (svcNum) {
+        strcat (filter, "((");
+        ret = hashLoopDo (appServiceHashTableMaster, getFilterForEachAppService, filter);
+        if (ret < 0) {
+            pthread_rwlock_unlock (&appServiceHashTableMasterRWLock);
+            LOGE ("Get BPF filter from each appService error.\n");
+            free (filter);
+            return NULL;
+        }
         pthread_rwlock_unlock (&appServiceHashTableMasterRWLock);
-        LOGE ("Get BPF filter from each appService error.\n");
-        free (filter);
-        return NULL;
-    }
-
-    pthread_rwlock_unlock (&appServiceHashTableMasterRWLock);
 
-    strcat (filter, APP_SERVICE_PADDING_BPF_FILTER);
+        len = strlen (filter);
+        snprintf (filter + len - 4, 32, ") and tcp) or icmp");
+    } else
+        strcat (filter, APP_SERVICE_PADDING_BPF_FILTER);
 
     return filter;
 }
@@ -701,7 +702,7 @@ syncAppServicesCache (void) {
     if (ret < 0 || ret != strlen (appSvcsStr))
         LOGE ("Dump to appServices cache file error.\n");
     else
-        LOGD ("Sync appServices cache success:\n%s\n", appSvcsStr);
+        LOGI ("Sync appServices cache success:\n%s\n", appSvcsStr);
 
     close (fd);
     free (appSvcsStr);
@@ -747,7 +748,7 @@ syncAppServicesBlacklistCache (void) {
     if (ret < 0 || ret != strlen (appSvcsStr))
         LOGE ("Dump to appServices blacklist cache file error.\n");
     else
-        LOGD ("Sync appServices blacklist cache success:\n%s\n", appSvcsStr);
+        LOGI ("Sync appServices blacklist cache success:\n%s\n", appSvcsStr);
 
     close (fd);
     free (appSvcsStr);

diff --git a/src/proto_detection/proto_detect_service.c b/src/proto_detection/proto_detect_service.c
@@ -89,6 +89,9 @@ protoDetectService (void *args) {
         goto exit;
     }
 
+    /* Display task schedule policy info */
+    displayTaskSchedPolicyInfo ("ProtoDetectService");
+
     pcapDev = getNetDevPcapDescForProtoDetection ();
     datalinkType = getNetDevDatalinkTypeForProtoDetection ();
     topologyEntrySendSock = getTopologyEntrySendSock ();
@@ -102,7 +105,7 @@ protoDetectService (void *args) {
     }
 
     /* Init ip context */
-    ret = initIpContext ();
+    ret = initIpContext (True);
     if (ret < 0) {
         LOGE ("Init ip context error.\n");
         goto destroyLogContext;
@@ -157,8 +160,7 @@ protoDetectService (void *args) {
             ret = ipDefragProcess (iph, &captureTime, &newIphdr);
             if (ret < 0)
                 LOGE ("Ip packet defragment error.\n");
-
-            if (newIphdr) {
+            else if (newIphdr) {
                 switch (newIphdr->ipProto) {
                     /* Tcp packet process */
                     case IPPROTO_TCP:

diff --git a/src/protocol/ip_packet.c b/src/protocol/ip_packet.c
@@ -30,6 +30,9 @@ static __thread listHead ipQueueExpireTimeoutList;
 /* Ip host fragment hash table */
 static __thread hashTablePtr ipQueueHashTable = NULL;
 
+/* Ip process purpose, for proto analysis or detect */
+static __thread boolean doProtoDetect = False;
+
 static void
 displayIphdr (iphdrPtr iph) {
     u_short offset, flags;
@@ -51,6 +54,28 @@ displayIphdr (iphdrPtr iph) {
           (iph->iphLen * 4), ntohs (iph->ipLen), offset, ((flags & IP_MF) ? 1 : 0));
 }
 
+/* Check ip packet to drop */
+static boolean
+ipPktShouldDrop (iphdrPtr iph) {
+    tcphdrPtr tcph;
+    char ipSrcStr [16], ipDestStr [16];
+
+    if (iph->ipProto == IPPROTO_TCP) {
+        tcph = (tcphdrPtr) ((u_char *) iph + (iph->iphLen * 4));
+
+        inet_ntop (AF_INET, (void *) &iph->ipSrc, ipSrcStr, sizeof (ipSrcStr));
+        inet_ntop (AF_INET, (void *) &iph->ipDest, ipDestStr, sizeof (ipDestStr));
+
+        if (getAppServiceProtoAnalyzer (ipSrcStr, ntohs (tcph->source)) ||
+            getAppServiceProtoAnalyzer (ipDestStr, ntohs (tcph->dest)))
+            return False;
+        else
+            return True;
+    }
+
+    return False;
+}
+
 static ipFragPtr
 newIpFrag (iphdrPtr iph) {
     u_short iphLen, ipLen, offset, end;
@@ -316,27 +341,6 @@ checkIpHeader (iphdrPtr iph) {
     return 0;
 }
 
-/* Check whether ip packet should be dropped */
-static boolean
-ipPktShouldDrop (iphdrPtr iph) {
-    tcphdrPtr tcph;
-    char ipSrcStr [16], ipDestStr [16];
-
-    if (iph->ipProto == IPPROTO_TCP) {
-        tcph = (tcphdrPtr) ((u_char *) iph + (iph->iphLen * 4));
-
-        inet_ntop (AF_INET, (void *) &iph->ipSrc, ipSrcStr, sizeof (ipSrcStr));
-        inet_ntop (AF_INET, (void *) &iph->ipDest, ipDestStr, sizeof (ipDestStr));
-
-        if (getAppServiceProtoAnalyzer (ipSrcStr, ntohs (tcph->source)) ||
-            getAppServiceProtoAnalyzer (ipDestStr, ntohs (tcph->dest)))
-            return False;
-        else
-            return True;
-    } else
-        return True;
-}
-
 /**
  * @brief Ip packet defragment processor.
  *
@@ -381,7 +385,10 @@ ipDefragProcess (iphdrPtr iph, timeValPtr tm, iphdrPtr *newIph) {
     if ((flags & IP_MF) == 0 && offset == 0) {
         if (ipq)
             delIpQueueFromHash (ipq);
-        *newIph = iph;
+        if (!doProtoDetect && ipPktShouldDrop (iph))
+            *newIph = NULL;
+        else
+            *newIph = iph;
         return 0;
     }
 
@@ -479,13 +486,11 @@ ipDefragProcess (iphdrPtr iph, timeValPtr tm, iphdrPtr *newIph) {
             return -1;
         } else {
             displayIphdr (tmpIph);
-
-            if (ipPktShouldDrop (tmpIph)) {
+            if (!doProtoDetect && ipPktShouldDrop (tmpIph)) {
                 free (tmpIph);
                 *newIph = NULL;
             } else
                 *newIph = tmpIph;
-
             return 0;
         }
     } else {
@@ -504,7 +509,9 @@ resetIpContext (void) {
 
 /* Init ip context */
 int
-initIpContext (void) {
+initIpContext (boolean protoDetectFlag) {
+    doProtoDetect = protoDetectFlag;
+
     initListHead (&ipQueueExpireTimeoutList);
 
     ipQueueHashTable = hashNew (DEFAULT_IPQUEUE_HASH_TABLE_SIZE);

diff --git a/src/protocol/ip_packet.h b/src/protocol/ip_packet.h
@@ -47,7 +47,7 @@ ipDefragProcess (iphdrPtr iph, timeValPtr tm, iphdrPtr *newIph);
 int
 resetIpContext (void);
 int
-initIpContext (void);
+initIpContext (boolean protoDetectFlag);
 void
 destroyIpContext (void);
 /*=======================Interfaces definition end=========================*/

diff --git a/src/protocol/ip_process_service.c b/src/protocol/ip_process_service.c
@@ -171,7 +171,7 @@ ipProcessService (void *args) {
     ipPktRecvSock = getIpPktRecvSock ();
 
     /* Init ip context */
-    ret = initIpContext ();
+    ret = initIpContext (False);
     if (ret < 0) {
         LOGE ("Init ip context error.\n");
         goto destroyLogContext;
@@ -212,10 +212,9 @@ ipProcessService (void *args) {
         ret = ipDefragProcess (iph, tm, &newIph);
         if (ret < 0)
             LOGE ("Ip packet defragment error.\n");
-
-        if (newIph) {
+        else if (newIph) {
             switch (newIph->ipProto) {
-                    /* Tcp packet dispatch */
+                /* Tcp packet dispatch */
                 case IPPROTO_TCP:
                     tcpPacketDispatch (newIph, tm);
                     break;