Version 0.85

max197616 · Aug 6, 2017 · 82a2664 · 82a2664
1 parent 1ef9e73
commit 82a2664
Show file tree

Hide file tree

Showing 21 changed files with 1,402 additions and 491 deletions.
diff --git a/configure.ac b/configure.ac
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.69])
-AC_INIT(extFilter, 0.80, [email protected])
+AC_INIT(extFilter, 0.85, [email protected])
 
 DPDK_HOME=
 DPDK_TARGET=
@@ -49,7 +49,7 @@ AC_MSG_CHECKING([for debug enabled])
 if test x"$debug" = x"true"; then
     CXXFLAGS="$CXXFLAGS -std=c++11 -O0 -g -Wall -pthread -msse -msse2 -msse3 -mssse3"
 else
-    CXXFLAGS="$CXXFLAGS -std=c++11 -O3 -Wall -fno-stack-protector -pthread -msse -msse2 -msse3 -mssse3"
+    CXXFLAGS="$CXXFLAGS -std=c++11 -O3 -Wall -fno-stack-protector -pthread -msse -msse2 -msse3 -mssse3 -march=native"
 fi
 
 AC_COMPILE_IFELSE([AC_LANG_SOURCE(

diff --git a/etc/extfilter.ini b/etc/extfilter.ini
@@ -1,5 +1,5 @@
 ; Переводить имя хоста в прописные буквы. Если url_normalization установлен в true, то не имеет значения.
-lower_host = true
+;lower_host = false
 
 domainlist = /usr/local/etc/extfilter/domains
 urllist = /usr/local/etc/extfilter/urls
@@ -20,8 +20,7 @@ redirect_url = http://notify.example.com?
 http_code = 302 Found
 
 ; Что добавлять в redirect_url, line - строка из файла url, url - запрещенный url, none - ничего
-url_additional_info=line
-
+url_additional_info = none
 
 ; посылать tcp rst в сторону сервера от имени клиента. Default: false
 rst_to_server = false
@@ -32,8 +31,8 @@ statistic_interval = 300
 ; Default: false
 match_url_exactly = false
 
-; Default: false
-block_undetected_ssl = false
+; Блокировать ssl по ip из файла с ip адресами в случае отсутствия SNI. Default: false
+block_ssl_no_sni = false
 
 ; Какие ядра использовать. Default: все ядра, кроме management.
 ; core_mask = 7
@@ -79,6 +78,12 @@ block_undetected_ssl = false
 ;[port 0]
 ;queues = 0,1; 1,2
 
+; Порт для отправки уведомлений через dpdk
+;[port 1]
+;type = sender
+; На какой mac адрес отправлять пакеты
+;mac = 00:01:02:03:04:05
+
 ; Группа оповещения 0
 ;[notify 0]
 ;http_code = 302 Found

diff --git a/include/config.h b/include/config.h
@@ -56,7 +56,7 @@
 #define PACKAGE_NAME "extFilter"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "extFilter 0.80"
+#define PACKAGE_STRING "extFilter 0.85"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "extfilter"
@@ -65,10 +65,10 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.80"
+#define PACKAGE_VERSION "0.85"
 
 /* Define to 1 if you have the ANSI C header files. */
 #define STDC_HEADERS 1
 
 /* Version number of package */
-#define VERSION "0.80"
+#define VERSION "0.85"
diff --git a/include/dpi.h b/include/dpi.h
@@ -18,4 +18,3 @@ struct dpi_flow_info
 	}
 };
 
-dpi_identification_result_t dpi_stateful_identify_application_protocol_new(dpi_library_state_t* state, const unsigned char* pkt, u_int32_t length, u_int32_t current_time, uint32_t hash);
diff --git a/include/dtypes.h b/include/dtypes.h
@@ -8,14 +8,15 @@
 
 enum entry_types
 {
-	E_TYPE_DOMAIN,
+	E_TYPE_DOMAIN=0,
 	E_TYPE_URL
 };
 
 enum port_types
 {
 	P_TYPE_SUBSCRIBER,
-	P_TYPE_NETWORK
+	P_TYPE_NETWORK,
+	P_TYPE_SENDER
 };
 
 struct entry_data

diff --git a/include/flow.h b/include/flow.h
@@ -12,9 +12,52 @@
 #include <Poco/Notification.h>
 #include <Poco/NotificationQueue.h>
 #include <Poco/Task.h>
+#include <api.h>
+
+//#define _SIMPLE_HASH 1
+
+extern "C" void dpi_reordering_tcp_delete_all_fragments(dpi_tracking_informations_t *victim);
 
 #define IPV6_ADDR_LEN 16
 
+struct ext_dpi_flow_info
+{
+
+	u_int16_t srcport;
+	u_int16_t dstport;
+	u_int8_t l4prot;
+
+	union src_addr{ /** Addresses mantained in network byte order. **/
+		struct in6_addr ipv6_srcaddr;
+		u_int32_t ipv4_srcaddr;
+	} src_addr_t;
+	union dst_addr{
+		struct in6_addr ipv6_dstaddr;
+		u_int32_t ipv4_dstaddr;
+	} dst_addr_t;
+
+	dpi_flow_infos_t infos;
+	uint64_t last_timestamp;
+//	u_int64_t bytes;
+//	u_int32_t packets;
+
+	inline void free_mem(dpi_flow_cleaner_callback* flow_cleaner_callback)
+	{
+		if(flow_cleaner_callback != nullptr)
+			(*(flow_cleaner_callback))(infos.tracking.flow_specific_user_data);
+		if(infos.tracking.http_informations[0].temp_buffer != nullptr)
+			free(infos.tracking.http_informations[0].temp_buffer);
+		if(infos.tracking.http_informations[1].temp_buffer != nullptr)
+			free(infos.tracking.http_informations[1].temp_buffer);
+		if(infos.tracking.ssl_information[0].pkt_buffer != nullptr)
+			free(infos.tracking.ssl_information[0].pkt_buffer);
+		if(infos.tracking.ssl_information[1].pkt_buffer != nullptr)
+			free(infos.tracking.ssl_information[1].pkt_buffer);
+		dpi_reordering_tcp_delete_all_fragments(&(infos.tracking));
+	}
+};
+
+
 union ipv4_5tuple_host {
 	struct {
 		uint8_t  pad0;
@@ -66,6 +109,29 @@ struct ip_5tuple
 	uint8_t  proto;
 } __attribute__((__packed__));
 
+
+#ifdef __SIMPLE_HASH
+static inline uint32_t ipv4_hash_crc(const void *data, __rte_unused uint32_t data_len, uint32_t init_val)
+{
+	const union ipv4_5tuple_host *in = (const union ipv4_5tuple_host *)data;
+	return in->port_src+in->port_dst+in->ip_src+in->ip_dst+in->proto+init_val;
+}
+
+
+static inline uint32_t ipv6_hash_crc(const void *data, __rte_unused uint32_t data_len, uint32_t init_val)
+{
+	const union ipv6_5tuple_host *in = (const union ipv6_5tuple_host *)data;
+	u_int8_t i;
+	u_int32_t partsrc = 0, partdst = 0;
+	for(i=0; i< 16; i++){
+		partsrc += in->ip_src[i];
+		partdst += in->ip_dst[i];
+	}
+	return in->port_src+in->port_dst+partsrc+partdst+in->proto+init_val;
+}
+
+#else
+
 static inline uint32_t ipv4_hash_crc(const void *data, __rte_unused uint32_t data_len, uint32_t init_val)
 {
 	const union ipv4_5tuple_host *k;
@@ -113,6 +179,40 @@ static inline uint32_t ipv6_hash_crc(const void *data, __rte_unused uint32_t dat
 	return init_val;
 }
 
+#endif
+
+/// rte_hash holder
+class flowHash
+{
+private:
+	Poco::Logger& _logger;
+	struct rte_hash *ipv4_FlowHash;
+	struct rte_hash *ipv6_FlowHash;
+	uint32_t _flowHashSizeIPv4;
+	uint32_t _flowHashSizeIPv6;
+public:
+	flowHash(int socket_id, int thread_id, uint32_t flowHashSizeIPv4, uint32_t flowHashSizeIPv6);
+	~flowHash();
+	inline struct rte_hash *getIPv4Hash()
+	{
+		return ipv4_FlowHash;
+	}
+	inline struct rte_hash *getIPv6Hash()
+	{
+		return ipv6_FlowHash;
+	}
+	inline uint32_t getHashSizeIPv4()
+	{
+		return _flowHashSizeIPv4;
+	}
+	inline uint32_t getHashSizeIPv6()
+	{
+		return _flowHashSizeIPv6;
+	}
+
+};
+
+
 #if defined(__SSE2__)
 static inline xmm_t
 em_mask_key(void *key, xmm_t mask)

diff --git a/include/main.h b/include/main.h
@@ -17,6 +17,8 @@
 #define RTE_TEST_RX_DESC_DEFAULT 128
 #define RTE_TEST_TX_DESC_DEFAULT 512
 
+#define EXTF_MAX_PKT_BURST 32
+
 class AhoCorasickPlus;
 class Patricia;
 class ACL;
@@ -34,14 +36,21 @@ struct lcore_rx_queue {
 	uint8_t queue_id;
 } __rte_cache_aligned;
 
+struct mbuf_table
+{
+	uint16_t len;
+	struct rte_mbuf* m_table[EXTF_MAX_PKT_BURST];
+};
+
 struct lcore_conf {
 	uint16_t n_rx_queue;
 	struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE];
-	uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
 	struct rte_acl_ctx *cur_acx_ipv4, *new_acx_ipv4;
 	struct rte_acl_ctx *cur_acx_ipv6, *new_acx_ipv6;
-	// TODO add WorkerConfig???
-/*	struct mbuf_table tx_mbufs[RTE_MAX_ETHPORTS];*/
+	uint8_t sender_port;
+	uint16_t tx_queue;
+	uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
+	struct mbuf_table tx_mbufs[RTE_MAX_ETHPORTS];
 } __rte_cache_aligned;
 
 
@@ -66,17 +75,12 @@ class extFilter: public Poco::Util::ServerApplication
 	/**
 	    Load domains for blocking.
 	**/
-	void loadDomains(std::string &fn, AhoCorasickPlus *_dm_atm,DomainsMatchType *_dm_map);
-
-	/**
-	    Load URLs for blocking.
-	**/
-	void loadURLs(std::string &fn, AhoCorasickPlus *dm_atm);
+	void loadDomains(std::string &fn, AhoCorasickPlus *_dm_atm);
 
 	/**
 	    Load domains and urls into one database.
 	**/
-	void loadDomainsURLs(std::string &domains, std::string &urls, AhoCorasickPlus *dm_atm, EntriesData *ed);
+	void loadDomainsURLs(std::string &domains, std::string &urls, AhoCorasickPlus *dm_atm);
 
 	std::string &getSSLFile()
 	{
@@ -176,7 +180,8 @@ class extFilter: public Poco::Util::ServerApplication
 
 	static struct ether_addr ports_eth_addr[RTE_MAX_ETHPORTS];
 private:
-	int initPort(uint8_t port, struct ether_addr *addr);
+	int initPort(uint8_t port, struct ether_addr *addr, bool no_promisc = false);
+	int initSenderPort(uint8_t port, struct ether_addr *addr, uint8_t nb_tx_queue);
 	int initMemory(uint8_t nb_ports);
 	int initACL();
 
@@ -199,7 +204,7 @@ class extFilter: public Poco::Util::ServerApplication
 
 	bool _lower_host;
 	bool _match_url_exactly;
-	bool _block_undetected_ssl;
+	bool _block_ssl_no_sni;
 	bool _http_redirect;
 	bool _url_normalization;
 	bool _remove_dot;
@@ -243,6 +248,7 @@ class extFilter: public Poco::Util::ServerApplication
 	std::string _notify_acl_file;
 	int _cmdline_port;
 	Poco::Net::IPAddress _cmdline_ip;
+	uint8_t _dpdk_send_port;
 };
Original file line number	Diff line number	Diff line change
Expand Up		@@ -18,4 +18,3 @@ struct dpi_flow_info
		}
		};

		dpi_identification_result_t dpi_stateful_identify_application_protocol_new(dpi_library_state_t* state, const unsigned char* pkt, u_int32_t length, u_int32_t current_time, uint32_t hash);