From 3b09645d2b0259962d7f1e8a0adf76ab4b00fc1c Mon Sep 17 00:00:00 2001 From: Junfeng Wang Date: Mon, 9 Sep 2019 02:37:32 +0000 Subject: Revert "add source code" This reverts commit 4b0f20eed87e8b1542f991e06f4868b05f36dd64. Reason for revert: Change-Id: I81a3d178c661bbc4e6fd9b0d6063a12bbfc0817c Signed-off-by: Junfeng Wang --- src/dpi.api | 42 -- src/dpi.api.h | 179 -------- src/dpi.c | 723 --------------------------------- src/dpi.h | 330 --------------- src/dpi_api.c | 160 -------- src/dpi_app_match.h | 124 ------ src/dpi_cli.c | 357 ---------------- src/dpi_node.c | 1035 ----------------------------------------------- src/dpi_plugin_doc.md | 107 ----- src/protocols/dpi_ssl.c | 247 ----------- 10 files changed, 3304 deletions(-) delete mode 100644 src/dpi.api delete mode 100644 src/dpi.api.h delete mode 100644 src/dpi.c delete mode 100644 src/dpi.h delete mode 100644 src/dpi_api.c delete mode 100644 src/dpi_app_match.h delete mode 100644 src/dpi_cli.c delete mode 100644 src/dpi_node.c delete mode 100644 src/dpi_plugin_doc.md delete mode 100644 src/protocols/dpi_ssl.c (limited to 'src') diff --git a/src/dpi.api b/src/dpi.api deleted file mode 100644 index b9fa99e..0000000 --- a/src/dpi.api +++ /dev/null @@ -1,42 +0,0 @@ -/* - * Copyright (c) 2018 Intel, Travelping and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -option version = "1.0.0"; - -define dpi_flow_add_del { - u32 client_index; - u32 context; - u8 is_add; - u8 is_ipv6; - u8 src_ip[16]; - u8 dst_ip[16]; - u16 src_port; - u16 dst_port; - u32 vrf_id; - u8 protocol; -}; - -define dpi_flow_add_del_reply -{ - u32 context; - i32 retval; - u32 flow_id; -}; - -/* - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/dpi.api.h b/src/dpi.api.h deleted file mode 100644 index 3ee50db..0000000 --- a/src/dpi.api.h +++ /dev/null @@ -1,179 +0,0 @@ -/* - * VLIB API definitions 2019-09-02 14:52:52 - * Input file: dpi.api - * Automatically generated: please edit the input file NOT this file! - */ - -#include -#if defined(vl_msg_id)||defined(vl_union_id) \ - || defined(vl_printfun) ||defined(vl_endianfun) \ - || defined(vl_api_version)||defined(vl_typedefs) \ - || defined(vl_msg_name)||defined(vl_msg_name_crc_list) \ - || defined(vl_api_version_tuple) -/* ok, something was selected */ -#else -#warning no content included from dpi.api -#endif - -#define VL_API_PACKED(x) x __attribute__ ((packed)) - -/****** Message ID / handler enum ******/ - -#ifdef vl_msg_id -vl_msg_id(VL_API_DPI_FLOW_ADD_DEL, vl_api_dpi_flow_add_del_t_handler) -vl_msg_id(VL_API_DPI_FLOW_ADD_DEL_REPLY, vl_api_dpi_flow_add_del_reply_t_handler) -#endif -/****** Message names ******/ - -#ifdef vl_msg_name -vl_msg_name(vl_api_dpi_flow_add_del_t, 1) -vl_msg_name(vl_api_dpi_flow_add_del_reply_t, 1) -#endif -/****** Message name, crc list ******/ - -#ifdef vl_msg_name_crc_list -#define foreach_vl_msg_name_crc_dpi \ -_(VL_API_DPI_FLOW_ADD_DEL, dpi_flow_add_del, 52a12407) \ -_(VL_API_DPI_FLOW_ADD_DEL_REPLY, dpi_flow_add_del_reply, e467dfee) -#endif - -/****** Typedefs ******/ - -#ifdef vl_typedefs -#ifndef included_dpi_api -#define included_dpi_api -#ifndef _vl_api_defined_dpi_flow_add_del -#define _vl_api_defined_dpi_flow_add_del -typedef VL_API_PACKED(struct _vl_api_dpi_flow_add_del { - u16 _vl_msg_id; - u32 client_index; - u32 context; - u8 is_add; - u8 is_ipv6; - u8 src_ip[16]; - u8 dst_ip[16]; - u16 src_port; - u16 dst_port; - u32 vrf_id; - u8 protocol; -}) vl_api_dpi_flow_add_del_t; -#endif - -#ifndef _vl_api_defined_dpi_flow_add_del_reply -#define _vl_api_defined_dpi_flow_add_del_reply -typedef VL_API_PACKED(struct _vl_api_dpi_flow_add_del_reply { - u16 _vl_msg_id; - u32 context; - i32 retval; - u32 flow_id; -}) vl_api_dpi_flow_add_del_reply_t; -#endif - - -#endif -#endif - -/****** Print functions *****/ -#ifdef vl_printfun - -#ifdef LP64 -#define _uword_fmt "%lld" -#define _uword_cast (long long) -#else -#define _uword_fmt "%ld" -#define _uword_cast long -#endif - -#ifndef _vl_api_defined_dpi_flow_add_del_t_print -#define _vl_api_defined_dpi_flow_add_del_t_print -static inline void *vl_api_dpi_flow_add_del_t_print (vl_api_dpi_flow_add_del_t *a,void *handle) -{ - vl_print(handle, "vl_api_dpi_flow_add_del_t:\n"); - vl_print(handle, "_vl_msg_id: %u\n", a->_vl_msg_id); - vl_print(handle, "client_index: %u\n", a->client_index); - vl_print(handle, "context: %u\n", a->context); - vl_print(handle, "is_add: %u\n", a->is_add); - vl_print(handle, "is_ipv6: %u\n", a->is_ipv6); - vl_print(handle, "src_port: %u\n", a->src_port); - vl_print(handle, "dst_port: %u\n", a->dst_port); - vl_print(handle, "vrf_id: %u\n", a->vrf_id); - vl_print(handle, "protocol: %u\n", a->protocol); - return handle; -} - -#endif - -#ifndef _vl_api_defined_dpi_flow_add_del_reply_t_print -#define _vl_api_defined_dpi_flow_add_del_reply_t_print -static inline void *vl_api_dpi_flow_add_del_reply_t_print (vl_api_dpi_flow_add_del_reply_t *a,void *handle) -{ - vl_print(handle, "vl_api_dpi_flow_add_del_reply_t:\n"); - vl_print(handle, "_vl_msg_id: %u\n", a->_vl_msg_id); - vl_print(handle, "context: %u\n", a->context); - vl_print(handle, "retval: %ld\n", a->retval); - vl_print(handle, "flow_id: %u\n", a->flow_id); - return handle; -} - -#endif - - -#endif /* vl_printfun */ - -/****** Endian swap functions *****/ -#ifdef vl_endianfun - -#undef clib_net_to_host_uword -#ifdef LP64 -#define clib_net_to_host_uword clib_net_to_host_u64 -#else -#define clib_net_to_host_uword clib_net_to_host_u32 -#endif - -#ifndef _vl_api_defined_dpi_flow_add_del_t_endian -#define _vl_api_defined_dpi_flow_add_del_t_endian -static inline void vl_api_dpi_flow_add_del_t_endian (vl_api_dpi_flow_add_del_t *a) -{ - a->_vl_msg_id = clib_net_to_host_u16(a->_vl_msg_id); - a->client_index = clib_net_to_host_u32(a->client_index); - a->context = clib_net_to_host_u32(a->context); - /* a->is_add = a->is_add (no-op) */ - /* a->is_ipv6 = a->is_ipv6 (no-op) */ - a->src_port = clib_net_to_host_u16(a->src_port); - a->dst_port = clib_net_to_host_u16(a->dst_port); - a->vrf_id = clib_net_to_host_u32(a->vrf_id); - /* a->protocol = a->protocol (no-op) */ -} - -#endif - -#ifndef _vl_api_defined_dpi_flow_add_del_reply_t_endian -#define _vl_api_defined_dpi_flow_add_del_reply_t_endian -static inline void vl_api_dpi_flow_add_del_reply_t_endian (vl_api_dpi_flow_add_del_reply_t *a) -{ - a->_vl_msg_id = clib_net_to_host_u16(a->_vl_msg_id); - a->context = clib_net_to_host_u32(a->context); - a->retval = clib_net_to_host_u32(a->retval); - a->flow_id = clib_net_to_host_u32(a->flow_id); -} - -#endif - - -#endif /* vl_endianfun */ - -/****** Version tuple *****/ - -#ifdef vl_api_version_tuple - -vl_api_version_tuple(dpi.api, 1, 0, 0) - -#endif /* vl_api_version_tuple */ - -/****** API CRC (whole file) *****/ - -#ifdef vl_api_version -vl_api_version(dpi.api, 0x79814222) - -#endif - diff --git a/src/dpi.c b/src/dpi.c deleted file mode 100644 index 6423f3a..0000000 --- a/src/dpi.c +++ /dev/null @@ -1,723 +0,0 @@ -/* - *------------------------------------------------------------------ - * Copyright (c) 2018 Intel, Travelping and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *------------------------------------------------------------------ - */ - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -//#include -#include -#include -//#include -#include - -#include "dpi.h" - -dpi_main_t dpi_main; -dpi_entry_t *dpi_dbs = NULL; - -#if CLIB_DEBUG > 0 -#define dpi_debug clib_warning -#else -#define dpi_debug(...) \ - do { } while (0) -#endif - -/* Here rules are extracted from below link with BSD License - * https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging-all.rules */ - -dpi_app_match_rule app_match_rules[] = { - {"www.cisco.com", NULL, "Cisco", DPI_APP_CISCO} - , - {"*.google.com", NULL, "Google", DPI_APP_GOOGLE} - , - {"www.bing.com", NULL, "Bing", DPI_APP_BING} - , - {"www.msn.com", NULL, "MSN", DPI_APP_MSN} - , - {"www.yahoo.com", NULL, "", DPI_APP_YAHOO} - , - {"mail.yahoo.com", NULL, "YahooMail", DPI_APP_YAHOOMAIL} - , - {"www.intel.com", NULL, "Intel", DPI_APP_INTEL} - , - {"*.amazon.com", NULL, "Amazon", DPI_APP_AMAZON} - , - {"*.amd.com", NULL, "AMD", DPI_APP_AMD} - , - {"*.baidu.com", NULL, "Baidu", DPI_APP_BAIDU} - , - {"*.apple.com", NULL, "Apple", DPI_APP_APPLE} - , - {"*.facebook.com", NULL, "Facebook", DPI_APP_FACEBOOK} - , - {"*.ebay.com", NULL, "Ebay", DPI_APP_EBAY} - , - {"*.github.com", NULL, "GitHub", DPI_APP_GITHUB} - , - {"*.gmail.com", NULL, "Gmail", DPI_APP_GMAIL} - , - {"*.qq.com", NULL, "QQ", DPI_APP_QQ} - , - {"weixin.qq.com", NULL, "Wechat", DPI_APP_WECHAT} - , - {"*.pinterest.com", NULL, "", DPI_APP_PINTEREST} - , - {"*.lenovo.com", NULL, "Levono", DPI_APP_LENOVO} - , - {"*.linkedin.com", NULL, "LinkedIn", DPI_APP_LINKEDIN} - , - {"*.skype.com", NULL, "Skype", DPI_APP_SKYPE} - , - {"*.microsoft.com", NULL, "Microsoft", DPI_APP_MICROSOFT} - , - {"*.netflix.com", NULL, "Netflix", DPI_APP_NETFLIX} - , - {"*.nokia.com", NULL, "Nokia", DPI_APP_NOKIA} - , - {"*.nvidia.com", NULL, "nVIDIA", DPI_APP_NVIDIA} - , - {"*.office365.com", NULL, "Office", DPI_APP_OFFICE} - , - {"*.oracle.com", NULL, "Oracle", DPI_APP_ORACLE} - , - {"*.Outlook.com", NULL, "Outlook", DPI_APP_OUTLOOK} - , - {"*.pandora.com", NULL, "Pandora", DPI_APP_PANDORA} - , - {"*.paypal.com", NULL, "Paypal", DPI_APP_PAYPAL} - , - {"*.sina.com", NULL, "Sina", DPI_APP_SINA} - , - {"*.sogou.com", NULL, "Sogou", DPI_APP_SOGOU} - , - {"*.symantec.com", NULL, "Symantec", DPI_APP_SYMANTEC} - , - {"*.taobao.com", NULL, "Taobao", DPI_APP_TAOBAO} - , - {"*.twitter.com", NULL, "Twitter", DPI_APP_TWITTER} - , - {"*.ups.com", NULL, "UPS", DPI_APP_UPS} - , - {"*.visa.com", NULL, "VISA", DPI_APP_VISA} - , - {"*.mcafee.com", NULL, "Mcafee", DPI_APP_MCAFEE} - , - {"*.vmware.com", NULL, "VMWare", DPI_APP_VMWARE} - , - {"*.wordpress.com", NULL, "Wordpress", DPI_APP_WORDPRESS} - , - {"www.adobe.com", NULL, "Adobe", DPI_APP_ADOBE} - , - {"www.akamai.com", NULL, "Akamai", DPI_APP_AKAMAI} - , - {"*.alienvault.com", NULL, "Alienvault", DPI_APP_ALIENVAULT} - , - {"www.bitcomet.com", NULL, "Bitcomet", DPI_APP_BITCOMET} - , - {"www.checkpoint.com", NULL, "Checkpoint", DPI_APP_CHECKPOINT} - , - {"*.bloomberg.com", NULL, "Bloomberg", DPI_APP_BLOOMBERG} - , - {"www.dell.com", NULL, "DELL", DPI_APP_DELL} - , - {"www.f5.com", NULL, "F5", DPI_APP_F5} - , - {"www.fireeye.com", NULL, "Fireeye", DPI_APP_FIREEYE} - , - {"*.dropbox.com", NULL, "", DPI_APP_DROPBOX} - , - - {NULL, NULL, NULL, 0} -}; - -int -dpi_event_handler (unsigned int id, unsigned long long from, - unsigned long long to, unsigned int flags, void *ctx) -{ - (void) from; - (void) to; - (void) flags; - - dpi_cb_args_t *args = (dpi_cb_args_t *) ctx; - - args->res = 1; - args->id = id; - - return 0; -} - -int -dpi_search_host_protocol (dpi_flow_info_t * flow, - char *str_to_match, - u32 str_to_match_len, - u16 master_protocol_id, u32 * host_protocol_id) -{ - dpi_main_t *dm = &dpi_main; - dpi_entry_t entry = dm->default_db; - dpi_cb_args_t args = { }; - int ret; - - /* First search default database */ - ret = hs_scan_stream (flow->stream, - (const char *) str_to_match, str_to_match_len, 0, - entry.scratch, dpi_event_handler, (void *) &args); - if ((ret != HS_SUCCESS) && (ret != HS_SCAN_TERMINATED)) - { - return DPI_PROTOCOL_UNKNOWN; - } - else - { - flow->app_id = args.id; - flow->detect_done = 1; - goto done; - } - -done: - if (flow->app_id != ~0) - { - /* Move the protocol to right position */ - flow->detected_protocol[1] = master_protocol_id, - flow->detected_protocol[0] = flow->app_id; - *host_protocol_id = flow->app_id; - - return (flow->detected_protocol[0]); - } - - return DPI_PROTOCOL_UNKNOWN; -} - -char * -host2hex (const char *str) -{ - int len, i; - char *hexbuf, *buf; - - len = strlen (str); - hexbuf = (char *) malloc (len * 4 + 1); - if (!hexbuf) - return (NULL); - - for (i = 0, buf = hexbuf; i < len; i++, buf += 4) - { - snprintf (buf, 5, "\\x%02x", (const char) str[i]); - } - *buf = '\0'; - - return hexbuf; -} - -int -dpi_create_db_entry (dpi_entry_t * entry, u32 num, u32 mode) -{ - hs_compile_error_t *compile_err; - - if (hs_compile_multi - ((const char **) entry->expressions, entry->flags, entry->ids, - num, mode, NULL, &entry->database, &compile_err) != HS_SUCCESS) - { - return -1; - } - - if (hs_alloc_scratch (entry->database, &entry->scratch) != HS_SUCCESS) - { - hs_free_database (entry->database); - entry->database = NULL; - return -1; - } - - return 0; -} - - -int -dpi_flow_add_del (dpi_add_del_flow_args_t * a, u32 * flow_idp) -{ - dpi_main_t *dm = &dpi_main; - vnet_main_t *vnm = dm->vnet_main; - dpi4_flow_key_t key4; - dpi6_flow_key_t key6; - dpi_flow_entry_t *p; - u32 is_ip6 = a->is_ipv6; - u32 flow_id; - dpi_flow_entry_t *flow; - - int not_found; - if (!is_ip6) - { - key4.key[0] = a->src_ip.ip4.as_u32 - | (((u64) a->dst_ip.ip4.as_u32) << 32); - key4.key[1] = (((u64) a->protocol) << 32) - | ((u32) clib_host_to_net_u16 (a->src_port) << 16) - | clib_host_to_net_u16 (a->dst_port); - key4.key[2] = (u64) a->fib_index; - - not_found = - clib_bihash_search_inline_24_8 (&dm->dpi4_flow_by_key, &key4); - p = (void *) &key4.value; - } - else - { - key6.key[0] = a->src_ip.ip6.as_u64[0]; - key6.key[1] = a->src_ip.ip6.as_u64[1]; - key6.key[2] = a->dst_ip.ip6.as_u64[0]; - key6.key[3] = a->dst_ip.ip6.as_u64[1]; - key6.key[4] = (((u64) a->protocol) << 32) - | ((u32) clib_host_to_net_u16 (a->src_port) << 16) - | clib_host_to_net_u16 (a->dst_port); - key6.key[5] = (u64) a->fib_index; - - not_found = - clib_bihash_search_inline_48_8 (&dm->dpi6_flow_by_key, &key6); - p = (void *) &key6.value; - } - - if (not_found) - p = 0; - - if (a->is_add) - { - - /* adding a flow entry: entry must not already exist */ - if (p) - return VNET_API_ERROR_TUNNEL_EXIST; - - pool_get_aligned (dm->dpi_flows, flow, CLIB_CACHE_LINE_BYTES); - clib_memset (flow, 0, sizeof (*flow)); - flow_id = flow - dm->dpi_flows; - - /* copy from arg structure */ -#define _(x) flow->key.x = a->x; - foreach_copy_field; -#undef _ - - flow->next_index = DPI_INPUT_NEXT_IP4_LOOKUP; - flow->flow_index = ~0; - - pool_get_aligned (dm->dpi_infos, flow->info, CLIB_CACHE_LINE_BYTES); - clib_memset (flow->info, 0, sizeof (*flow->info)); - flow->info->app_id = ~0; - - int add_failed; - if (is_ip6) - { - key6.value = (u64) flow_id; - add_failed = clib_bihash_add_del_48_8 (&dm->dpi6_flow_by_key, - &key6, 1 /*add */ ); - } - else - { - key4.value = (u64) flow_id; - add_failed = clib_bihash_add_del_24_8 (&dm->dpi4_flow_by_key, - &key4, 1 /*add */ ); - } - - if (add_failed) - { - pool_put (dm->dpi_infos, flow->info); - pool_put (dm->dpi_flows, flow); - return VNET_API_ERROR_INVALID_REGISTRATION; - } - - /* Open a Hyperscan stream for each flow */ - hs_error_t err = hs_open_stream (dm->default_db.database, 0, - &(flow->info->stream)); - if (err != HS_SUCCESS) - { - pool_put (dm->dpi_infos, flow->info); - pool_put (dm->dpi_flows, flow); - return VNET_API_ERROR_INVALID_REGISTRATION; - } - } - else - { - /* deleting a flow: flow must exist */ - if (!p) - return VNET_API_ERROR_NO_SUCH_ENTRY; - - flow_id = is_ip6 ? key6.value : key4.value; - flow_id = (u32) (flow_id & (u32) (~0)); - flow = pool_elt_at_index (dm->dpi_flows, flow_id); - - if (!is_ip6) - clib_bihash_add_del_24_8 (&dm->dpi4_flow_by_key, &key4, 0 /*del */ ); - else - clib_bihash_add_del_48_8 (&dm->dpi6_flow_by_key, &key6, 0 /*del */ ); - - if (flow->flow_index != ~0) - vnet_flow_del (vnm, flow->flow_index); - - /* Close the Hyperscan stream for each flow */ - hs_error_t err = hs_close_stream (flow->info->stream, NULL, - NULL, NULL); - if (err != HS_SUCCESS) - { - return VNET_API_ERROR_INVALID_REGISTRATION; - } - - pool_put (dm->dpi_infos, flow->info); - pool_put (dm->dpi_flows, flow); - } - - if (flow_idp) - *flow_idp = flow_id; - - return 0; -} - -int -dpi_reverse_flow_add_del (dpi_add_del_flow_args_t * a, u32 flow_id) -{ - dpi_main_t *dm = &dpi_main; - vnet_main_t *vnm = dm->vnet_main; - dpi4_flow_key_t key4; - dpi6_flow_key_t key6; - dpi_flow_entry_t *p; - u32 is_ip6 = a->is_ipv6; - dpi_flow_entry_t *flow; - - int not_found; - if (!is_ip6) - { - key4.key[0] = a->dst_ip.ip4.as_u32 - | (((u64) a->src_ip.ip4.as_u32) << 32); - key4.key[1] = (((u64) a->protocol) << 32) - | ((u32) clib_host_to_net_u16 (a->dst_port) << 16) - | clib_host_to_net_u16 (a->src_port); - key4.key[2] = (u64) a->fib_index; - - not_found = - clib_bihash_search_inline_24_8 (&dm->dpi4_flow_by_key, &key4); - p = (void *) &key4.value; - } - else - { - key6.key[0] = a->dst_ip.ip6.as_u64[0]; - key6.key[1] = a->dst_ip.ip6.as_u64[1]; - key6.key[2] = a->dst_ip.ip6.as_u64[0]; - key6.key[3] = a->dst_ip.ip6.as_u64[1]; - key6.key[4] = (((u64) a->protocol) << 32) - | ((u32) a->dst_port << 16) | (a->src_port); - key6.key[5] = (u64) a->fib_index; - - not_found = - clib_bihash_search_inline_48_8 (&dm->dpi6_flow_by_key, &key6); - p = (void *) &key6.value; - } - - if (not_found) - p = 0; - - if (a->is_add) - { - - /* adding a flow entry: entry must not already exist */ - if (p) - return VNET_API_ERROR_TUNNEL_EXIST; - - int add_failed; - if (is_ip6) - { - key6.value = (u64) flow_id | ((u64) 1 << 63); - add_failed = clib_bihash_add_del_48_8 (&dm->dpi6_flow_by_key, - &key6, 1 /*add */ ); - } - else - { - key4.value = (u64) flow_id | ((u64) 1 << 63); - add_failed = clib_bihash_add_del_24_8 (&dm->dpi4_flow_by_key, - &key4, 1 /*add */ ); - } - - if (add_failed) - { - return VNET_API_ERROR_INVALID_REGISTRATION; - } - } - else - { - /* deleting a flow: flow must exist */ - if (!p) - return VNET_API_ERROR_NO_SUCH_ENTRY; - - flow_id = is_ip6 ? key6.value : key4.value; - flow = pool_elt_at_index (dm->dpi_flows, flow_id); - - if (!is_ip6) - clib_bihash_add_del_24_8 (&dm->dpi4_flow_by_key, &key4, 0 /*del */ ); - else - clib_bihash_add_del_48_8 (&dm->dpi6_flow_by_key, &key6, 0 /*del */ ); - - if (flow->flow_index != ~0) - vnet_flow_del (vnm, flow->flow_index); - - pool_put (dm->dpi_flows, flow); - } - - return 0; -} - -int -dpi_tcp_reass (tcp_reass_args_t * a) -{ - dpi_main_t *dm = &dpi_main; - dpi_flow_entry_t *flow; - - flow = pool_elt_at_index (dm->dpi_flows, a->flow_id); - if (flow == NULL) - return -1; - - flow->reass_en = a->reass_en; - flow->reass_dir = a->reass_dir; - return 0; -} - -int -dpi_add_del_rx_flow (u32 hw_if_index, u32 flow_id, int is_add, u32 is_ipv6) -{ - dpi_main_t *dm = &dpi_main; - vnet_main_t *vnm = dm->vnet_main; - dpi_flow_entry_t *dpi_flow; - vnet_flow_t *vent_flow; - - ip_port_and_mask_t src_port; - ip_port_and_mask_t dst_port; - - - dpi_flow = pool_elt_at_index (dm->dpi_flows, flow_id); - - src_port.port = dpi_flow->key.dst_port; - src_port.mask = ~0; - dst_port.port = dpi_flow->key.dst_port; - dst_port.mask = ~0; - - if (is_add) - { - if (dpi_flow->flow_index == ~0) - { - if (!is_ipv6) - { - ip4_address_and_mask_t src_addr4; - ip4_address_and_mask_t dst_addr4; - src_addr4.addr = dpi_flow->key.src_ip.ip4; - src_addr4.mask.as_u32 = ~0; - dst_addr4.addr = dpi_flow->key.dst_ip.ip4; - dst_addr4.mask.as_u32 = ~0; - - vnet_flow_t flow4 = { - .actions = - VNET_FLOW_ACTION_REDIRECT_TO_NODE | VNET_FLOW_ACTION_MARK, - .mark_flow_id = flow_id + dm->flow_id_start, - .redirect_node_index = 0, - .type = VNET_FLOW_TYPE_IP4_N_TUPLE, - .ip4_n_tuple = { - .src_addr = src_addr4, - .dst_addr = dst_addr4, - .src_port = src_port, - .dst_port = dst_port, - .protocol = dpi_flow->key.protocol, - } - , - }; - vent_flow = &flow4; - } - else - { - ip6_address_and_mask_t src_addr6; - ip6_address_and_mask_t dst_addr6; - src_addr6.addr.as_u64[0] = dpi_flow->key.src_ip.ip6.as_u64[0]; - src_addr6.addr.as_u64[1] = dpi_flow->key.src_ip.ip6.as_u64[1]; - src_addr6.mask.as_u64[0] = ~0; - src_addr6.mask.as_u64[1] = ~0; - dst_addr6.addr.as_u64[0] = dpi_flow->key.dst_ip.ip6.as_u64[0]; - dst_addr6.addr.as_u64[1] = dpi_flow->key.dst_ip.ip6.as_u64[1]; - dst_addr6.mask.as_u64[0] = ~0; - dst_addr6.mask.as_u64[1] = ~0; - - vnet_flow_t flow6 = { - .actions = - VNET_FLOW_ACTION_REDIRECT_TO_NODE | VNET_FLOW_ACTION_MARK, - .mark_flow_id = flow_id + dm->flow_id_start, - .redirect_node_index = 0, - .type = VNET_FLOW_TYPE_IP6_N_TUPLE, - .ip6_n_tuple = { - .src_addr = src_addr6, - .dst_addr = dst_addr6, - .src_port = src_port, - .dst_port = dst_port, - .protocol = dpi_flow->key.protocol, - } - , - }; - vent_flow = &flow6; - } - vnet_flow_add (vnm, vent_flow, &(dpi_flow->flow_index)); - } - return vnet_flow_enable (vnm, dpi_flow->flow_index, hw_if_index); - } - - /* flow index is removed when the flow is deleted */ - return vnet_flow_disable (vnm, dpi_flow->flow_index, hw_if_index); -} - -void -dpi_flow_bypass_mode (u32 sw_if_index, u8 is_ip6, u8 is_enable) -{ - if (is_ip6) - vnet_feature_enable_disable ("ip6-unicast", "dpi6-input", - sw_if_index, is_enable, 0, 0); - else - vnet_feature_enable_disable ("ip4-unicast", "dpi4-input", - sw_if_index, is_enable, 0, 0); -} - -int -dpi_init_hs_database (dpi_entry_t * entry) -{ - u32 i, j; - u32 rule_num = 0; - unsigned char *free_list; - int rv; - - for (i = 0; - (app_match_rules[i].host != NULL - || app_match_rules[i].pattern != NULL); i++) - { - rule_num++; - } - - entry->expressions = (regex_t *) calloc (sizeof (char *), rule_num + 1); - if (entry->expressions == NULL) - return -1; - - entry->ids = (u32 *) calloc (sizeof (u32), rule_num + 1); - if (entry->ids == NULL) - { - free (entry->expressions); - return -1; - } - - entry->flags = (u32 *) calloc (sizeof (u32), rule_num + 1); - if (entry->ids == NULL) - { - free (entry->expressions); - free (entry->ids); - return -1; - } - - free_list = (unsigned char *) calloc (sizeof (unsigned char), rule_num + 1); - if (free_list == NULL) - { - free (entry->expressions); - free (entry->ids); - free (entry->flags); - return -1; - } - - /* first choose pattern, otherwise choose host */ - for (i = 0, j = 0; - (app_match_rules[i].host != NULL - || app_match_rules[i].pattern != NULL); i++) - { - if (app_match_rules[i].pattern) - { - entry->expressions[j] = (regex_t) (app_match_rules[i].pattern); - entry->ids[j] = app_match_rules[i].app_id; - entry->flags[j] = HS_FLAG_SINGLEMATCH; - free_list[j] = 0; - ++j; - } - else - { - /* need to allocate additional buffer for rules */ - entry->expressions[j] = - (regex_t) host2hex (app_match_rules[i].host); - if (entry->expressions[j] != NULL) - { - entry->ids[j] = app_match_rules[i].app_id; - entry->flags[j] = HS_FLAG_SINGLEMATCH; - free_list[j] = 1; - ++j; - } - } - } - - rv = dpi_create_db_entry (entry, j, HS_MODE_STREAM); - - /* Need to free additional buffers */ - for (i = 0; i < j; ++i) - { - if (free_list[i]) - free (entry->expressions[i]); - } - - free (entry->expressions); - free (entry->ids); - free (entry->flags); - free (free_list); - return rv; -} - -#define DPI_HASH_NUM_BUCKETS (2 * 1024) -#define DPI_HASH_MEMORY_SIZE (1 << 20) - -clib_error_t * -dpi_init (vlib_main_t * vm) -{ - dpi_main_t *dm = &dpi_main; - - dm->vnet_main = vnet_get_main (); - dm->vlib_main = vm; - - vnet_flow_get_range (dm->vnet_main, "dpi", 1024 * 1024, &dm->flow_id_start); - - /* initialize the flow hash */ - clib_bihash_init_24_8 (&dm->dpi4_flow_by_key, "dpi4", - DPI_HASH_NUM_BUCKETS, DPI_HASH_MEMORY_SIZE); - clib_bihash_init_48_8 (&dm->dpi6_flow_by_key, "dpi6", - DPI_HASH_NUM_BUCKETS, DPI_HASH_MEMORY_SIZE); - - /* Init default Hyperscan database */ - dpi_init_hs_database (&dm->default_db); - - return 0; -} - -VLIB_INIT_FUNCTION (dpi_init); - -/* *INDENT-OFF* */ -VLIB_PLUGIN_REGISTER () = { -// .version = VPP_BUILD_VER, - .description = "Deep Packet Inspection", -}; -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/dpi.h b/src/dpi.h deleted file mode 100644 index e3d0add..0000000 --- a/src/dpi.h +++ /dev/null @@ -1,330 +0,0 @@ -/* - *------------------------------------------------------------------ - * Copyright (c) 2018 Intel, Travelping and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *------------------------------------------------------------------ - */ - -#ifndef included_vnet_dpi_h -#define included_vnet_dpi_h - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include "dpi_app_match.h" - -typedef u8 *regex_t; - -typedef struct -{ - u8 *name; - regex_t *expressions; - u32 *flags; - u32 *ids; - hs_database_t *database; - hs_scratch_t *scratch; - u32 ref_cnt; -} dpi_entry_t; - -typedef struct -{ - int res; - u32 id; -} dpi_cb_args_t; - -typedef struct -{ - union - { - struct - { - ip46_address_t src_ip; - ip46_address_t dst_ip; - u16 src_port; - u16 dst_port; - u8 protocol; - u32 fib_index; - }; - u64 key[6]; - }; -} dpi_flow_key_t; - -typedef clib_bihash_kv_24_8_t dpi4_flow_key_t; -typedef clib_bihash_kv_48_8_t dpi6_flow_key_t; - -typedef struct -{ - /* SSL */ - u8 ssl_stage; - u8 ssl_got_server_cert; -} dpi_flow_tcp_t; - -typedef struct -{ - /* TBD */ -} dpi_flow_udp_t; - -typedef struct segment_ -{ - u32 send_sn; - u8 *data; - u32 len; - u32 bi; /* vlib buffer index */ - struct segment_ *next; -} segment; - -typedef struct tcp_stream_ -{ - u32 send_sn; /* expected segment sn */ - u32 ack_sn; /* acked segment sn */ - segment *seg_queue; /* store out-of-order segments */ -} tcp_stream_t; - -typedef struct dpi_flow_info -{ - /* Required for pool_get_aligned */ - CLIB_CACHE_LINE_ALIGN_MARK (cacheline0); - - u16 detected_protocol[2]; - u16 protocol_stack_info; - u16 pkt_num; - u16 pkt_direct_counter[2]; - - hs_stream_t *stream; - u8 detect_begin; - u8 detect_done; - u32 app_id; /* L7 APP ID */ - - u16 guessed_protocol_id; - u16 guessed_host_protocol_id; - - u8 max_more_pkts_to_check; - - int (*more_pkts_func) (u8 * payload, u32 payload_len, - struct dpi_flow_info * flow); - - u16 dst_port; - u8 l4_protocol; - union - { - dpi_flow_tcp_t tcp; - dpi_flow_udp_t udp; - } l4; - - u8 ssl_cert_detected:4; - u8 ssl_cert_num_checks:4; - - union - { - struct - { - char server_cert[64]; - } ssl; - /* TBD: Add more protocols */ - } protos; -} dpi_flow_info_t; - -typedef enum -{ - TCP_STATE_SYN = 1, - TCP_STATE_SYN_ACK = 2, - TCP_STATE_ACK = 3, - TCP_STATE_ESTABLISH = 4, - TCP_STATE_FIN1 = 5, - TCP_STATE_CLOSE = 6, -} tcp_state_t; - -/* tcp packet direction */ -#define DIR_C2S 0 -#define DIR_S2C 1 - -/* tcp reassembly side */ -#define REASS_C2S 0 -#define REASS_S2C 1 -#define REASS_BOTH 2 - -/* Macros to handle sequence numbers */ -#define SN_LT(a,b) ((int)((a) - (b)) < 0) -#define SN_GT(a,b) ((int)((a) - (b)) > 0) -#define SN_EQ(a,b) ((int)((a) - (b)) == 0) - -typedef struct -{ - /* Required for pool_get_aligned */ - CLIB_CACHE_LINE_ALIGN_MARK (cacheline0); - - u32 flow_index; /* infra flow index */ - u32 next_index; - - u8 check_more_pkts:1; - u8 pkt_dir:1; - u8 forward_is_c2s:1; - u8 consumed:1; - u8 reass_en:1; - u8 reass_dir:2; - - dpi_flow_key_t key; - dpi_flow_info_t *info; - - /* TCP stream reassembly */ - tcp_state_t tcp_state; - tcp_stream_t c2s; - tcp_stream_t s2c; - segment *first_seg; - -} dpi_flow_entry_t; - -typedef struct -{ - u32 flow_id; - u8 reass_en; - u8 reass_dir; -} tcp_reass_args_t; - -typedef struct -{ - u8 is_add; - u8 is_ipv6; - ip46_address_t src_ip; - ip46_address_t dst_ip; - u16 src_port; - u16 dst_port; - u8 protocol; - u32 fib_index; -} dpi_add_del_flow_args_t; - -typedef struct -{ - u32 app_id; - u32 db_id; -} dpi_adr_t; - -typedef struct -{ - /* lookup tunnel by key */ - clib_bihash_24_8_t dpi4_flow_by_key; - clib_bihash_48_8_t dpi6_flow_by_key; - - /* vector of dpi flow instances */ - dpi_flow_entry_t *dpi_flows; - u32 flow_id_start; - dpi_flow_info_t *dpi_infos; - segment *seg_pool; - - /* Default hyperscan database */ - dpi_entry_t default_db; - - /* graph node state */ - uword *bm_ip4_bypass_enabled_by_sw_if; - uword *bm_ip6_bypass_enabled_by_sw_if; - - /* API message ID base */ - u16 msg_id_base; - - /* convenience */ - vlib_main_t *vlib_main; - vnet_main_t *vnet_main; -} dpi_main_t; - -extern dpi_main_t dpi_main; - -#define foreach_copy_field \ -_(src_ip) \ -_(dst_ip) \ -_(src_port) \ -_(dst_port) \ -_(protocol) \ -_(fib_index) - - -#define dpi_enqueue_tcp_segments(seg,vm,node,next_index,to_next,n_left_to_next,bi0,next0) \ -while(seg) \ - { \ - bi0 = seg->bi; \ - to_next[0] = bi0; \ - to_next++; \ - n_left_to_next--; \ - next0 = flow0->next_index; \ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, \ - to_next, n_left_to_next, \ - bi0, next0); \ - prev_seg = seg; \ - seg=seg->next; \ - pool_put(dm->seg_pool, prev_seg); \ - } - - -#define get_u16_t(X,O) (*(u16 *)(((u8 *)X) + O)) -#define DPI_MAX_SSL_REQUEST_SIZE 10000 - -int dpi_flow_add_del (dpi_add_del_flow_args_t * a, u32 * flow_idp); -int dpi_reverse_flow_add_del (dpi_add_del_flow_args_t * a, u32 flow_id); -int dpi_add_del_rx_flow (u32 hw_if_index, u32 flow_id, int is_add, - u32 is_ipv6); -int dpi_tcp_reass (tcp_reass_args_t * a); -void dpi_flow_bypass_mode (u32 sw_if_index, u8 is_ip6, u8 is_enable); -int dpi_search_host_protocol (dpi_flow_info_t * flow, - char *str_to_match, - u32 str_to_match_len, - u16 master_protocol_id, u32 * host_protocol_id); -void dpi_search_tcp_ssl (u8 * payload, u32 payload_len, - dpi_flow_info_t * flow); - -void dpi_detect_application (u8 * payload, u32 payload_len, - dpi_flow_info_t * flow); - -typedef enum -{ - DPI_PROTOCOL_UNKNOWN = 0, - DPI_PROTOCOL_SSL = 1, - DPI_PROTOCOL_SSL_NO_CERT = 2, - DPI_N_PROTOCOL -} dpi_protocol_id_t; - -#define foreach_dpi_input_next \ -_(DROP, "error-drop") \ -_(IP4_LOOKUP, "ip4-lookup") - -typedef enum -{ -#define _(s,n) DPI_INPUT_NEXT_##s, - foreach_dpi_input_next -#undef _ - DPI_INPUT_N_NEXT, -} dpi_input_next_t; - -#endif /* included_vnet_dpi_h */ - - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/dpi_api.c b/src/dpi_api.c deleted file mode 100644 index d8fa690..0000000 --- a/src/dpi_api.c +++ /dev/null @@ -1,160 +0,0 @@ -/* - *------------------------------------------------------------------ - * Copyright (c) 2018 Intel, Travelping and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *------------------------------------------------------------------ -* -*/ - -#include -#include -#include -#include - -#include -#include - -#include "dpi.h" - - -#define vl_msg_id(n,h) n, -typedef enum -{ -#include "dpi.api.h" - /* We'll want to know how many messages IDs we need... */ - VL_MSG_FIRST_AVAILABLE, -} vl_msg_id_t; -#undef vl_msg_id - -/* define message structures */ -#define vl_typedefs -#include "dpi.api.h" -#undef vl_typedefs - -/* define generated endian-swappers */ -#define vl_endianfun -#include "dpi.api.h" -#undef vl_endianfun - -/* instantiate all the print functions we know about */ -#define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__) -#define vl_printfun -#include "dpi.api.h" -#undef vl_printfun - -/* Get the API version number */ -#define vl_api_version(n,v) static u32 api_version=(v); -#include "dpi.api.h" -#undef vl_api_version - -#define vl_msg_name_crc_list -#include "dpi.api.h" -#undef vl_msg_name_crc_list - -#define REPLY_MSG_ID_BASE dm->msg_id_base -#include - -static void -setup_message_id_table (dpi_main_t * dm, api_main_t * am) -{ -#define _(id,n,crc) \ - vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id + dm->msg_id_base); - foreach_vl_msg_name_crc_dpi; -#undef _ -} - -#define foreach_dpi_plugin_api_msg \ -_(DPI_FLOW_ADD_DEL, dpi_flow_add_del) - - -/* API message handler */ -static void -vl_api_dpi_flow_add_del_t_handler (vl_api_dpi_flow_add_del_t * mp) -{ - vl_api_dpi_flow_add_del_reply_t *rmp = NULL; - dpi_main_t *dm = &dpi_main; - int rv = 0; - u32 fib_index; - u32 flow_id = ~0; - - fib_index = fib_table_find (fib_ip_proto (mp->is_ipv6), ntohl (mp->vrf_id)); - if (fib_index == ~0) - { - rv = VNET_API_ERROR_NO_SUCH_FIB; - goto out; - } - - dpi_add_del_flow_args_t a = { - .is_add = mp->is_add, - .is_ipv6 = mp->is_ipv6, - .src_ip = to_ip46 (mp->is_ipv6, mp->src_ip), - .dst_ip = to_ip46 (mp->is_ipv6, mp->dst_ip), - .src_port = ntohs (mp->src_port), - .dst_port = ntohs (mp->dst_port), - .protocol = mp->protocol, - .fib_index = fib_index, - }; - - /* Check src ip and dst ip are different */ - if (ip46_address_cmp (&a.dst_ip, &a.src_ip) == 0) - { - rv = VNET_API_ERROR_SAME_SRC_DST; - goto out; - } - - rv = dpi_flow_add_del (&a, &flow_id); - -out: - /* *INDENT-OFF* */ - REPLY_MACRO2(VL_API_DPI_FLOW_ADD_DEL_REPLY, - ({ - rmp->flow_id = htonl (flow_id); - })); - /* *INDENT-ON* */ -} - -static clib_error_t * -dpi_api_hookup (vlib_main_t * vm) -{ - dpi_main_t *dm = &dpi_main; - - u8 *name = format (0, "dpi_%08x%c", api_version, 0); - dm->msg_id_base = vl_msg_api_get_msg_ids - ((char *) name, VL_MSG_FIRST_AVAILABLE); - -#define _(N,n) \ - vl_msg_api_set_handlers((VL_API_##N + dm->msg_id_base), \ - #n, \ - vl_api_##n##_t_handler, \ - vl_noop_handler, \ - vl_api_##n##_t_endian, \ - vl_api_##n##_t_print, \ - sizeof(vl_api_##n##_t), 1); - foreach_dpi_plugin_api_msg; -#undef _ - - /* Add our API messages to the global name_crc hash table */ - setup_message_id_table (dm, &api_main); - - return 0; -} - -VLIB_API_INIT_FUNCTION (dpi_api_hookup); - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/dpi_app_match.h b/src/dpi_app_match.h deleted file mode 100644 index dde4857..0000000 --- a/src/dpi_app_match.h +++ /dev/null @@ -1,124 +0,0 @@ -/* - *------------------------------------------------------------------ - * Copyright (c) 2019 Intel, Travelping and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *------------------------------------------------------------------ - */ - -/* -#************************************************************* -# Copyright (c) 2003-2017, Emerging Threats -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the -# following conditions are met: -# -# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following -# disclaimer. -# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the -# following disclaimer in the documentation and/or other materials provided with the distribution. -# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived -# from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# -#************************************************************* -*/ - -#ifndef dpi_app_match_h -#define dpi_app_match_h - -typedef enum -{ - DPI_APP_CISCO = 1, - DPI_APP_GOOGLE = 2, - DPI_APP_BING = 3, - DPI_APP_MSN = 4, - DPI_APP_YAHOO = 5, - DPI_APP_YAHOOMAIL = 6, - DPI_APP_INTEL = 7, - DPI_APP_AMAZON = 8, - DPI_APP_AMD = 9, - DPI_APP_BAIDU = 10, - DPI_APP_APPLE = 11, - DPI_APP_FACEBOOK = 12, - DPI_APP_EBAY = 13, - DPI_APP_GITHUB = 14, - DPI_APP_GMAIL = 15, - DPI_APP_QQ = 16, - DPI_APP_WECHAT = 17, - DPI_APP_PINTEREST = 18, - DPI_APP_LENOVO = 19, - DPI_APP_LINKEDIN = 20, - DPI_APP_SKYPE = 21, - DPI_APP_MICROSOFT = 22, - DPI_APP_NETFLIX = 23, - DPI_APP_NOKIA = 24, - DPI_APP_NVIDIA = 25, - DPI_APP_OFFICE = 26, - DPI_APP_ORACLE = 27, - DPI_APP_OUTLOOK = 28, - DPI_APP_PANDORA = 29, - DPI_APP_PAYPAL = 30, - DPI_APP_SINA = 31, - DPI_APP_SOGOU = 32, - DPI_APP_SYMANTEC = 33, - DPI_APP_TAOBAO = 34, - DPI_APP_TWITTER = 35, - DPI_APP_UPS = 36, - DPI_APP_VISA = 37, - DPI_APP_MCAFEE = 38, - DPI_APP_VMWARE = 39, - DPI_APP_WORDPRESS = 40, - DPI_APP_ADOBE = 41, - DPI_APP_AKAMAI = 42, - DPI_APP_ALIENVAULT = 43, - DPI_APP_BITCOMET = 44, - DPI_APP_CHECKPOINT = 45, - DPI_APP_BLOOMBERG = 46, - DPI_APP_DELL = 47, - DPI_APP_F5 = 48, - DPI_APP_FIREEYE = 49, - DPI_APP_DROPBOX = 50, - - /* last app ID */ - DPI_N_APPLICATIONS = 51, -} dpi_application_id_t; - -typedef struct dpi_app_match_rule_ -{ - char *host; - char *pattern; - char *app_name; - u32 app_id; -} dpi_app_match_rule; - -#define DPI_MAX_APP_NUM DPI_N_APPLICATIONS -extern dpi_app_match_rule app_match_rules[]; - - -#endif /* dpi_app_match_h */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/dpi_cli.c b/src/dpi_cli.c deleted file mode 100644 index 4fbc760..0000000 --- a/src/dpi_cli.c +++ /dev/null @@ -1,357 +0,0 @@ -/* - *------------------------------------------------------------------ - * Copyright (c) 2018 Intel, Travelping and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *------------------------------------------------------------------ - */ - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -//#include -#include "dpi.h" - - -extern dpi_main_t dpi_main; -extern dpi_entry_t *dpi_dbs; - -static clib_error_t * -dpi_flow_add_del_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd_arg) -{ - unformat_input_t _line_input, *line_input = &_line_input; - ip46_address_t src_ip = ip46_address_initializer; - ip46_address_t dst_ip = ip46_address_initializer; - u16 src_port = 0, dst_port = 0; - u8 is_add = 0; - u8 ipv4_set = 0; - u8 ipv6_set = 0; - u32 tmp; - int rv; - u8 protocol = 0; - u32 table_id; - u32 fib_index = 0; - u32 dpi_flow_id; - - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat (line_input, "add")) - is_add = 1; - else if (unformat (line_input, "del")) - is_add = 0; - else if (unformat (line_input, "src-ip %U", unformat_ip46_address, - &src_ip, IP46_TYPE_ANY)) - { - ip46_address_is_ip4 (&src_ip) ? (ipv4_set = 1) : (ipv6_set = 1); - } - else if (unformat (line_input, "dst-ip %U", unformat_ip46_address, - &dst_ip, IP46_TYPE_ANY)) - { - ip46_address_is_ip4 (&dst_ip) ? (ipv4_set = 1) : (ipv6_set = 1); - } - else if (unformat (line_input, "src-port %d", &tmp)) - src_port = (u16) tmp; - else if (unformat (line_input, "dst-port %d", &tmp)) - dst_port = (u16) tmp; - else - if (unformat (line_input, "protocol %U", unformat_ip_protocol, &tmp)) - protocol = (u8) tmp; - else if (unformat (line_input, "protocol %u", &tmp)) - protocol = (u8) tmp; - else if (unformat (line_input, "vrf-id %d", &table_id)) - { - fib_index = fib_table_find (fib_ip_proto (ipv6_set), table_id); - } - else - return clib_error_return (0, "parse error: '%U'", - format_unformat_error, line_input); - } - - unformat_free (line_input); - - if (ipv4_set && ipv6_set) - return clib_error_return (0, "both IPv4 and IPv6 addresses specified"); - - dpi_add_del_flow_args_t a = {.is_add = is_add, - .is_ipv6 = ipv6_set, -#define _(x) .x = x, - foreach_copy_field -#undef _ - }; - - /* Add normal flow */ - rv = dpi_flow_add_del (&a, &dpi_flow_id); - if (rv < 0) - return clib_error_return (0, "flow error: %d", rv); - - /* Add reverse flow */ - rv = dpi_reverse_flow_add_del (&a, dpi_flow_id); - if (rv < 0) - return clib_error_return (0, "reverse flow error: %d", rv); - - return 0; -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (dpi_flow_add_del_command, static) = { - .path = "dpi flow", - .short_help = "dpi flow [add | del] " - "[src-ip ] [dst-ip ] " - "[src-port ] [dst-port ] " - "[protocol ] [vrf-id ]", - .function = dpi_flow_add_del_command_fn, -}; -/* *INDENT-ON* */ - -static clib_error_t * -dpi_tcp_reass_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd_arg) -{ - unformat_input_t _line_input, *line_input = &_line_input; - u32 flow_id = ~0; - u8 reass_en = 0; - u8 reass_dir = 0; - int rv; - - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat (line_input, "flow_id %d", &flow_id)) - ; - else if (unformat (line_input, "enable")) - { - reass_en = 1; - } - else if (unformat (line_input, "disable")) - { - reass_en = 0; - } - else if (unformat (line_input, "client")) - { - reass_dir = REASS_C2S; - } - else if (unformat (line_input, "server")) - { - reass_dir = REASS_S2C; - } - else if (unformat (line_input, "both")) - { - reass_dir = REASS_BOTH; - } - else - return clib_error_return (0, "parse error: '%U'", - format_unformat_error, line_input); - } - - unformat_free (line_input); - - tcp_reass_args_t a = {.flow_id = flow_id, - .reass_en = reass_en, - .reass_dir = reass_dir, - }; - - rv = dpi_tcp_reass (&a); - if (rv < 0) - return clib_error_return (0, "flow error: %d", rv); - - return 0; -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (dpi_tcp_reass_command, static) = { - .path = "dpi tcp reass", - .short_help = "dpi tcp reass flow_id " - "[ ]", - .function = dpi_tcp_reass_command_fn, -}; -/* *INDENT-ON* */ - -static clib_error_t * -dpi_flow_offload_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - unformat_input_t _line_input, *line_input = &_line_input; - dpi_main_t *dm = &dpi_main; - vnet_main_t *vnm = dm->vnet_main; - u32 rx_flow_id = ~0; - u32 hw_if_index = ~0; - int is_add = 1; - u32 is_ipv6 = 0; - dpi_flow_entry_t *flow; - vnet_hw_interface_t *hw_if; - u32 rx_fib_index = ~0; - - /* Get a line of input. */ - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat (line_input, "hw %U", unformat_vnet_hw_interface, vnm, - &hw_if_index)) - continue; - if (unformat (line_input, "rx %d", &rx_flow_id)) - continue; - if (unformat (line_input, "del")) - { - is_add = 0; - continue; - } - return clib_error_return (0, "unknown input `%U'", - format_unformat_error, line_input); - } - - if (rx_flow_id == ~0) - return clib_error_return (0, "missing rx flow"); - if (hw_if_index == ~0) - return clib_error_return (0, "missing hw interface"); - - flow = pool_elt_at_index (dm->dpi_flows, rx_flow_id); - - hw_if = vnet_get_hw_interface (vnm, hw_if_index); - - is_ipv6 = ip46_address_is_ip4 (&(flow->key.src_ip)) ? 0 : 1; - - if (is_ipv6) - { - ip6_main_t *im6 = &ip6_main; - rx_fib_index = - vec_elt (im6->fib_index_by_sw_if_index, hw_if->sw_if_index); - } - else - { - ip4_main_t *im4 = &ip4_main; - rx_fib_index = - vec_elt (im4->fib_index_by_sw_if_index, hw_if->sw_if_index); - } - - if (flow->key.fib_index != rx_fib_index) - return clib_error_return (0, "interface/flow fib mismatch"); - - if (dpi_add_del_rx_flow (hw_if_index, rx_flow_id, is_add, is_ipv6)) - return clib_error_return (0, "error %s flow", - is_add ? "enabling" : "disabling"); - - return 0; -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (dpi_flow_offload_command, static) = { - .path = "dpi set flow-offload", - .short_help = - "dpi set flow-offload hw rx [del]", - .function = dpi_flow_offload_command_fn, -}; -/* *INDENT-ON* */ - -static clib_error_t * -dpi_set_flow_bypass (u32 is_ip6, - unformat_input_t * input, vlib_cli_command_t * cmd) -{ - unformat_input_t _line_input, *line_input = &_line_input; - vnet_main_t *vnm = vnet_get_main (); - clib_error_t *error = 0; - u32 sw_if_index, is_enable; - - sw_if_index = ~0; - is_enable = 1; - - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat_user (line_input, unformat_vnet_sw_interface, vnm, - &sw_if_index)) - ; - else if (unformat (line_input, "del")) - is_enable = 0; - else - { - error = unformat_parse_error (line_input); - goto done; - } - } - - if (~0 == sw_if_index) - { - error = clib_error_return (0, "unknown interface `%U'", - format_unformat_error, line_input); - goto done; - } - - dpi_flow_bypass_mode (sw_if_index, is_ip6, is_enable); - -done: - unformat_free (line_input); - - return error; -} - -static clib_error_t * -dpi_set_ip4_flow_bypass_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - return dpi_set_flow_bypass (0, input, cmd); -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (dpi_set_ip4_flow_bypass_command, static) = -{ - .path = "dpi set ip4 flow-bypass", - .short_help = "dpi set ip4 flow-bypass [del]", - .function = dpi_set_ip4_flow_bypass_command_fn, -}; -/* *INDENT-ON* */ - -static clib_error_t * -dpi_set_ip6_flow_bypass_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - return dpi_set_flow_bypass (0, input, cmd); -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (dpi_set_ip6_flow_bypass_command, static) = -{ - .path = "dpi set ip6 flow-bypass", - .short_help = "dpi set ip6 flow-bypass [del]", - .function = dpi_set_ip6_flow_bypass_command_fn, -}; -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/dpi_node.c b/src/dpi_node.c deleted file mode 100644 index 6b5f9c1..0000000 --- a/src/dpi_node.c +++ /dev/null @@ -1,1035 +0,0 @@ -/* - * Copyright (c) 2019 Intel and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -//#include -#include -#include - -#include "dpi.h" - -vlib_node_registration_t dpi4_input_node; -vlib_node_registration_t dpi6_input_node; -vlib_node_registration_t dpi4_flow_input_node; -vlib_node_registration_t dpi6_flow_input_node; - - -#define foreach_dpi_input_error \ - _(NONE, "no error") \ - _(NO_SUCH_FLOW, "flow not existed") - -typedef enum -{ -#define _(sym,str) DPI_INPUT_ERROR_##sym, - foreach_dpi_input_error -#undef _ - DPI_INPUT_N_ERROR, -} dpi_input_error_t; - -static char *dpi_input_error_strings[] = { -#define _(sym,string) string, - foreach_dpi_input_error -#undef _ -}; - -typedef struct -{ - u32 next_index; - u32 flow_id; - u32 app_id; - u32 error; -} dpi_rx_trace_t; - -/* *INDENT-OFF* */ -VNET_FEATURE_INIT (dpi4_input, static) = -{ - .arc_name = "ip4-unicast", - .node_name = "dpi4-input", - .runs_before = VNET_FEATURES ("ip4-lookup"), -}; - -VNET_FEATURE_INIT (dpi6_input, static) = -{ - .arc_name = "ip6-unicast", - .node_name = "dpi6-input", - .runs_before = VNET_FEATURES ("ip6-lookup"), -}; -/* *INDENT-on* */ - -static u8 * -format_dpi_rx_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - dpi_rx_trace_t *t = va_arg (*args, dpi_rx_trace_t *); - - if (t->flow_id == ~0) - return format (s, "DPI error - flow %d does not exist", - t->flow_id); - - return format (s, "DPI from flow %d app_id %d next %d error %d", - t->flow_id, t->app_id, t->next_index, t->error); -} - - - -static inline int -parse_ip4_packet_and_lookup (ip4_header_t * ip4, u32 fib_index, - dpi4_flow_key_t * key4, - int * not_found, u64 * flow_id) -{ - dpi_main_t *dm = &dpi_main; - u8 protocol = ip4_is_fragment (ip4) ? 0xfe : ip4->protocol; - u16 src_port = 0; - u16 dst_port = 0; - dpi_flow_entry_t *flow; - - key4->key[0] = ip4->src_address.as_u32 - | (((u64) ip4->dst_address.as_u32) << 32); - - if (protocol == IP_PROTOCOL_UDP || protocol == IP_PROTOCOL_TCP) - { - /* tcp and udp ports have the same offset */ - udp_header_t * udp = ip4_next_header (ip4); - src_port = udp->src_port; - dst_port = udp->dst_port; - } - - key4->key[1] = (((u64) protocol) << 32) | ((u32) src_port << 16) | dst_port; - key4->key[2] = (u64) fib_index; - - key4->value = ~0; - *not_found = clib_bihash_search_inline_24_8 (&dm->dpi4_flow_by_key, key4); - *flow_id = key4->value; - - /* not found, then create new SW flow dynamically */ - if (*not_found) - { - int add_failed; - pool_get_aligned(dm->dpi_flows, flow, CLIB_CACHE_LINE_BYTES); - clib_memset(flow, 0, sizeof(*flow)); - *flow_id = flow - dm->dpi_flows; - - flow->next_index = DPI_INPUT_NEXT_IP4_LOOKUP; - flow->flow_index = ~0; - - pool_get_aligned(dm->dpi_infos, flow->info, CLIB_CACHE_LINE_BYTES); - clib_memset(flow->info, 0, sizeof(*flow->info)); - flow->info->app_id = ~0; - - /* Add forwarding flow entry */ - key4->value = *flow_id; - add_failed = clib_bihash_add_del_24_8 (&dm->dpi4_flow_by_key, key4, - 1 /*add */); - - if (add_failed) - { - pool_put(dm->dpi_infos, flow->info); - pool_put(dm->dpi_flows, flow); - return -1; - } - - /* Add reverse flow entry*/ - key4->key[0] = ip4->dst_address.as_u32 - | (((u64) ip4->src_address.as_u32) << 32); - key4->key[1] = (((u64) protocol) << 32) | ((u32) dst_port << 16) - | src_port; - key4->key[2] = (u64) fib_index; - key4->value = (u64) flow_id | ((u64) 1 << 63); - add_failed = clib_bihash_add_del_24_8 (&dm->dpi4_flow_by_key, key4, - 1 /*add */); - - if (add_failed) - { - pool_put(dm->dpi_infos, flow->info); - pool_put(dm->dpi_flows, flow); - return -1; - } - - /* Open a Hyperscan stream for each flow */ - hs_error_t err = hs_open_stream (dm->default_db.database, 0, - &(flow->info->stream)); - - if (err != HS_SUCCESS) - { - pool_put(dm->dpi_infos, flow->info); - pool_put(dm->dpi_flows, flow); - return -1; - } - } - - return 0; -} - -static inline int -parse_ip6_packet_and_lookup (ip6_header_t * ip6, u32 fib_index, - dpi6_flow_key_t * key6, - int * not_found, u64 * flow_id) -{ - dpi_main_t *dm = &dpi_main; - u8 protocol = ip6->protocol; - u16 src_port = 0; - u16 dst_port = 0; - dpi_flow_entry_t *flow; - - key6->key[0] = ip6->src_address.as_u64[0]; - key6->key[1] = ip6->src_address.as_u64[1]; - key6->key[2] = ip6->dst_address.as_u64[0]; - key6->key[3] = ip6->dst_address.as_u64[1]; - - if (protocol == IP_PROTOCOL_UDP || protocol == IP_PROTOCOL_TCP) - { - /* tcp and udp ports have the same offset */ - udp_header_t * udp = ip6_next_header(ip6); - src_port = udp->src_port; - dst_port = udp->dst_port; - } - - key6->key[4] = (((u64) protocol) << 32) - | ((u32) src_port << 16) - | dst_port; - key6->key[5] = (u64) fib_index; - - key6->value = ~0; - *not_found = clib_bihash_search_inline_48_8 (&dm->dpi6_flow_by_key, key6); - *flow_id = key6->value; - - /* not found, then create new SW flow dynamically */ - if (*not_found) - { - int add_failed; - pool_get_aligned(dm->dpi_flows, flow, CLIB_CACHE_LINE_BYTES); - clib_memset(flow, 0, sizeof(*flow)); - *flow_id = flow - dm->dpi_flows; - - flow->next_index = DPI_INPUT_NEXT_IP4_LOOKUP; - flow->flow_index = ~0; - - pool_get_aligned(dm->dpi_infos, flow->info, CLIB_CACHE_LINE_BYTES); - clib_memset(flow->info, 0, sizeof(*flow->info)); - flow->info->app_id = ~0; - - /* Add forwarding flow entry */ - key6->value = (u64) flow_id; - add_failed = clib_bihash_add_del_48_8 (&dm->dpi6_flow_by_key, - key6, 1 /*add */ ); - if (add_failed) - { - pool_put(dm->dpi_infos, flow->info); - pool_put(dm->dpi_flows, flow); - return -1; - } - - /* Add reverse flow entry*/ - key6->key[0] = ip6->dst_address.as_u64[0]; - key6->key[1] = ip6->dst_address.as_u64[1]; - key6->key[2] = ip6->src_address.as_u64[0]; - key6->key[3] = ip6->src_address.as_u64[1]; - key6->key[4] = (((u64) protocol) << 32) - | ((u32) dst_port << 16) - | src_port; - key6->key[5] = (u64) fib_index; - key6->value = (u64) flow_id | ((u64) 1 << 63); - add_failed = clib_bihash_add_del_48_8 (&dm->dpi6_flow_by_key, - key6, 1 /*add */ ); - - if (add_failed) - { - pool_put(dm->dpi_infos, flow->info); - pool_put(dm->dpi_flows, flow); - return -1; - } - - /* Open a Hyperscan stream for each flow */ - hs_error_t err = hs_open_stream (dm->default_db.database, 0, - &(flow->info->stream)); - - if (err != HS_SUCCESS) - { - pool_put(dm->dpi_infos, flow->info); - pool_put(dm->dpi_flows, flow); - return -1; - } - } - - return 0; -} - -static inline void -dpi_trim_overlap(u32 left_sn, segment *seg) -{ - int overlap_len; - - overlap_len = left_sn - seg->send_sn; - /* trim leading overlap bytes */ - seg->data += overlap_len; - seg->len -= overlap_len; - seg->send_sn += overlap_len; - - /* trim the right overlap bytes */ - if( seg->next - && (seg->send_sn+seg->len) > (seg->next->send_sn) ) - { - overlap_len = (seg->send_sn+seg->len) - (seg->next->send_sn); - if(seg->len > overlap_len) - { - seg->len -= overlap_len; - } - } -} - -/* - * re-order out-of-order segments, and handle overlap segments. - * */ -static inline void -dpi_handle_tcp_segments (dpi_flow_entry_t *flow, tcp_stream_t *stream, - u32 bi, u8 *pkt, u32 payload_len) -{ - dpi_main_t *dm = &dpi_main; - u32 send_sn; - u32 ack_sn; - u32 next_sn; - u32 left_sn; - segment *first_seg = 0; - segment *seg = 0; - segment *new_seg = 0; - tcp_header_t *tcp = (tcp_header_t *)pkt; - u8 *payload = pkt + tcp_doff(tcp) * 4; - - if((tcp->flags & TCP_FLAG_ACK) == TCP_FLAG_ACK) - { - ack_sn = clib_net_to_host_u32(tcp->ack_number); - if(ack_sn != stream->ack_sn) - { - stream->ack_sn = ack_sn; - } - } - - send_sn = clib_net_to_host_u32(tcp->seq_number); - next_sn = send_sn + payload_len; - - /* Handle fully overlapping segments */ - if(SN_GT(stream->send_sn, next_sn)) - { - flow->consumed = 1; - return; - } - - if(SN_LT(stream->send_sn, send_sn)) - { - /* Store out-of-order segments to segment queue */ - for(seg=stream->seg_queue; seg; seg=seg->next) - { - if (send_sn < seg->send_sn ) - break; - } - - pool_get_aligned (dm->seg_pool, new_seg, CLIB_CACHE_LINE_BYTES); - new_seg->bi = bi; - new_seg->send_sn = send_sn; - new_seg->data = payload; - new_seg->len = payload_len; - - /* Insert new segment to right position of segment queue */ - if(seg == stream->seg_queue) - { - new_seg->next = stream->seg_queue; - stream->seg_queue = new_seg; - stream->send_sn = seg->send_sn; - left_sn = stream->send_sn; - } - else - { - new_seg->next = seg->next; - seg->next = new_seg; - left_sn = seg->send_sn; - } - - /* trim overlapped packet */ - dpi_trim_overlap(left_sn, new_seg); - - flow->consumed = 1; - } - else - { - pool_get_aligned(dm->seg_pool, first_seg, CLIB_CACHE_LINE_BYTES); - first_seg->bi = bi; - first_seg->send_sn = send_sn; - first_seg->data = payload; - first_seg->len = payload_len; - first_seg->next = stream->seg_queue; - - /* trim overlapped packet */ - dpi_trim_overlap (stream->send_sn, first_seg); - - /* reassemble continuous segments and move forward to scan */ - for (seg = first_seg; seg->next; seg = seg->next) - { - if (seg->send_sn + seg->len != seg->next->send_sn) - break; - } - - /* left non-continuous segments */ - stream->seg_queue = seg->next; - stream->send_sn = seg->send_sn + seg->len; - - flow->first_seg = first_seg; - seg->next = 0; - - /* scan ordered segments */ - for (seg = first_seg; seg; seg = seg->next) - { - /* detect layer 7 application for single segment */ - dpi_detect_application (seg->data, seg->len, flow->info); - if(flow->info->detect_done) - break; - } - } -} - -static inline int -dpi_handle_tcp_stream (dpi_flow_entry_t *flow, u32 bi, - u8 *pkt, u32 payload_len, u8 is_reverse) -{ - tcp_header_t *tcp; - tcp_stream_t *stream; - - tcp = (tcp_header_t *)pkt; - if((tcp->flags & (TCP_FLAG_SYN|TCP_FLAG_ACK)) == TCP_FLAG_SYN) - { - flow->c2s.send_sn = clib_net_to_host_u32(tcp->seq_number) + 1; - flow->pkt_dir = DIR_C2S; - flow->forward_is_c2s = !is_reverse; - flow->tcp_state = TCP_STATE_SYN; - } - else - { - /* - forward_is_c2s | is_reverse - 0 1 - 0 s2c(1) c2s(0) - 1 c2s(0) s2c(1) - */ - flow->pkt_dir = (flow->forward_is_c2s == is_reverse); - } - - switch(flow->tcp_state) - { - case TCP_STATE_SYN: - { - if(flow->pkt_dir != DIR_S2C) - break; - - if((tcp->flags & (TCP_FLAG_SYN|TCP_FLAG_ACK)) - != (TCP_FLAG_SYN|TCP_FLAG_ACK)) - break; - - flow->s2c.send_sn = clib_net_to_host_u32(tcp->seq_number) + 1; - flow->s2c.ack_sn = clib_net_to_host_u32(tcp->ack_number) + 1; - flow->tcp_state = TCP_STATE_SYN_ACK; - break; - } - - case TCP_STATE_SYN_ACK: - { - if(flow->pkt_dir != DIR_C2S) - break; - - flow->c2s.ack_sn = clib_net_to_host_u32(tcp->ack_number) + 1; - flow->tcp_state = TCP_STATE_ESTABLISH; - break; - } - - case TCP_STATE_ACK: - case TCP_STATE_ESTABLISH: - case TCP_STATE_FIN1: - { - stream = (flow->pkt_dir == DIR_C2S)? &(flow->c2s) : &(flow->s2c); - if( (flow->reass_dir == REASS_BOTH) - || ((flow->pkt_dir==DIR_C2S) && (flow->reass_dir==REASS_C2S)) - || ((flow->pkt_dir==DIR_S2C) && (flow->reass_dir==REASS_S2C)) ) - { - dpi_handle_tcp_segments(flow, stream, bi, pkt, payload_len); - } - - break; - } - - case TCP_STATE_CLOSE: - { - /* Free all segments in the queue */ - break; - } - } - - return 0; -} - -void -dpi_detect_application (u8 *payload, u32 payload_len, - dpi_flow_info_t *flow) -{ - - /* detect if payload is SSL's payload for default port */ - dpi_search_tcp_ssl(payload, payload_len, flow); - - /* TBD: add detect if is SSL's payload with non default port*/ - -} - -always_inline uword -dpi_input_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, u32 is_ip4) -{ - dpi_main_t *dm = &dpi_main; - u32 *from, *to_next, n_left_from, n_left_to_next, next_index; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0, next0 = 0; - vlib_buffer_t *b0; - ip4_header_t *ip40; - ip6_header_t *ip60; - tcp_header_t *tcp0; - udp_header_t *udp0; - dpi4_flow_key_t key40; - dpi6_flow_key_t key60; - u32 fib_index0 = ~0; - u64 flow_id0 = ~0; - u32 flow_index0 = ~0; - int not_found0 = 0; - u8 is_reverse0 = 0; - dpi_flow_entry_t *flow0 = 0; - u32 ip_len0, l4_len0, payload_len0; - u8 protocol0; - u8 *l4_pkt0, *payload0; - u16 dst_port = 0; - segment *seg = 0; - segment *prev_seg = 0; - - bi0 = to_next[0] = from[0]; - b0 = vlib_get_buffer (vm, bi0); - ip_len0 = vlib_buffer_length_in_chain (vm, b0); - - if (is_ip4) - { - ip40 = vlib_buffer_get_current (b0); - ip4_main_t *im4 = &ip4_main; - fib_index0 = vec_elt (im4->fib_index_by_sw_if_index, - vnet_buffer(b0)->sw_if_index[VLIB_RX]); - parse_ip4_packet_and_lookup(ip40, fib_index0, &key40, - ¬_found0, &flow_id0); - } - else - { - ip60 = vlib_buffer_get_current (b0); - ip6_main_t *im6 = &ip6_main; - fib_index0 = vec_elt (im6->fib_index_by_sw_if_index, - vnet_buffer(b0)->sw_if_index[VLIB_RX]); - parse_ip6_packet_and_lookup(ip60, fib_index0, &key60, - ¬_found0, &flow_id0); - } - - is_reverse0 = (u8)((flow_id0 >> 63) & 0x1); - flow_index0 = (u32)(flow_id0 & (u32)(~0)); - flow0 = pool_elt_at_index (dm->dpi_flows, flow_index0); - /* have detected successfully, directly return */ - if(flow0->info->detect_done) - goto enqueue0; - - /* check layer4 */ - if (is_ip4) - { - l4_pkt0 = (u8 *)(ip40 + 1); - l4_len0 = ip_len0 - sizeof(ip4_header_t); - protocol0 = ip40->protocol; - } - else - { - l4_pkt0 = (u8 *)(ip60 + 1); - l4_len0 = ip_len0 - sizeof(ip6_header_t); - protocol0 = ip60->protocol; - } - - if((protocol0 == IP_PROTOCOL_TCP) && (l4_len0 >= 20)) - { - tcp0 = (tcp_header_t *)l4_pkt0; - payload_len0 = l4_len0 - tcp_doff(tcp0) * 4; - payload0 = l4_pkt0 + tcp_doff(tcp0) * 4; - dst_port = tcp0->dst_port; - } - else if ((protocol0 == IP_PROTOCOL_UDP) && (l4_len0 >= 8)) - { - udp0 = (udp_header_t *)l4_pkt0; - payload_len0 = l4_len0 - sizeof(udp_header_t); - payload0 = l4_pkt0 + sizeof(udp_header_t); - dst_port = udp0->dst_port; - } - else - { - payload_len0 = l4_len0; - payload0 = l4_pkt0; - } - - flow0->info->l4_protocol = protocol0; - flow0->info->dst_port = dst_port; - - /* TCP stream reassembly and detect a protocol pdu */ - if((protocol0 == IP_PROTOCOL_TCP) && (flow0->reass_en)) - { - dpi_handle_tcp_stream(flow0, bi0, l4_pkt0, payload_len0, is_reverse0); - - /* This packet has been consumed, retrieve next packet */ - if(flow0->consumed) - goto trace0; - - /* send out continuous scanned segments */ - seg=flow0->first_seg; - dpi_enqueue_tcp_segments(seg,vm,node,next_index,to_next,n_left_to_next,bi0,next0); - flow0->first_seg = 0; - - /* Here detected successfully, send out remaining segments in seg_queue */ - if(flow0->info->detect_done) - { - seg=flow0->c2s.seg_queue; - dpi_enqueue_tcp_segments(seg,vm,node,next_index,to_next,n_left_to_next,bi0,next0); - flow0->c2s.seg_queue = 0; - - seg=flow0->s2c.seg_queue; - dpi_enqueue_tcp_segments(seg,vm,node,next_index,to_next,n_left_to_next,bi0,next0); - flow0->s2c.seg_queue = 0; - } - goto trace0; - } - else - { - /* detect layer 7 application for single packet */ - dpi_detect_application (payload0, payload_len0, flow0->info); - } - -enqueue0: - to_next[0] = bi0; - to_next++; - n_left_to_next--; - next0 = flow0->next_index; - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - -trace0: - if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) - { - dpi_rx_trace_t *tr - = vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->app_id = flow0->info->app_id; - tr->next_index = next0; - tr->error = b0->error; - tr->flow_id = flow_index0; - } - - from += 1; - n_left_from -= 1; - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - return frame->n_vectors; -} - -VLIB_NODE_FN (dpi4_input_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return dpi_input_inline (vm, node, frame, /* is_ip4 */ 1); -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (dpi4_input_node) = -{ - .name = "dpi4-input", - .vector_size = sizeof (u32), - .n_errors = DPI_INPUT_N_ERROR, - .error_strings = dpi_input_error_strings, - .n_next_nodes = DPI_INPUT_N_NEXT, - .next_nodes = { -#define _(s,n) [DPI_INPUT_NEXT_##s] = n, - foreach_dpi_input_next -#undef _ - }, - .format_trace = format_dpi_rx_trace, -}; - -/* *INDENT-ON* */ - -/* Dummy init function to get us linked in. */ -static clib_error_t * -dpi4_input_init (vlib_main_t * vm) -{ - return 0; -} - -VLIB_INIT_FUNCTION (dpi4_input_init); - - -VLIB_NODE_FN (dpi6_input_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return dpi_input_inline (vm, node, frame, /* is_ip4 */ 0); -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (dpi6_input_node) = -{ - .name = "dpi6-input", - .vector_size = sizeof (u32), - .n_errors = DPI_INPUT_N_ERROR, - .error_strings = dpi_input_error_strings, - .n_next_nodes = DPI_INPUT_N_NEXT, - .next_nodes = { -#define _(s,n) [DPI_INPUT_NEXT_##s] = n, - foreach_dpi_input_next -#undef _ - }, - .format_trace = format_dpi_rx_trace, -}; -/* *INDENT-ON* */ - -/* Dummy init function to get us linked in. */ -static clib_error_t * -dpi6_input_init (vlib_main_t * vm) -{ - return 0; -} - -VLIB_INIT_FUNCTION (dpi6_input_init); - - - -#define foreach_dpi_flow_input_next \ -_(DROP, "error-drop") \ -_(IP4_LOOKUP, "ip4-lookup") - -typedef enum -{ -#define _(s,n) DPI_FLOW_NEXT_##s, - foreach_dpi_flow_input_next -#undef _ - DPI_FLOW_N_NEXT, -} dpi_flow_input_next_t; - -#define foreach_dpi_flow_error \ - _(NONE, "no error") \ - _(IP_CHECKSUM_ERROR, "Rx ip checksum errors") \ - _(IP_HEADER_ERROR, "Rx ip header errors") \ - _(UDP_CHECKSUM_ERROR, "Rx udp checksum errors") \ - _(UDP_LENGTH_ERROR, "Rx udp length errors") - -typedef enum -{ -#define _(f,s) DPI_FLOW_ERROR_##f, - foreach_dpi_flow_error -#undef _ - DPI_FLOW_N_ERROR, -} dpi_flow_error_t; - -static char *dpi_flow_error_strings[] = { -#define _(n,s) s, - foreach_dpi_flow_error -#undef _ -}; - -static_always_inline u8 -dpi_check_ip4 (ip4_header_t * ip4, u16 payload_len) -{ - u16 ip_len = clib_net_to_host_u16 (ip4->length); - return ip_len > payload_len || ip4->ttl == 0 - || ip4->ip_version_and_header_length != 0x45; -} - -static_always_inline u8 -dpi_check_ip6 (ip6_header_t * ip6, u16 payload_len) -{ - u16 ip_len = clib_net_to_host_u16 (ip6->payload_length); - return ip_len > (payload_len - sizeof (ip6_header_t)) - || ip6->hop_limit == 0 - || (ip6->ip_version_traffic_class_and_flow_label >> 28) != 0x6; -} - -always_inline uword -dpi_flow_input_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, u32 is_ip4) -{ - dpi_main_t *dm = &dpi_main; - u32 *from, *to_next, n_left_from, n_left_to_next, next_index; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0, next0 = DPI_FLOW_NEXT_IP4_LOOKUP; - vlib_buffer_t *b0; - ip4_header_t *ip40; - ip6_header_t *ip60; - tcp_header_t *tcp0; - udp_header_t *udp0; - u32 flow_id0 = ~0; - u32 flow_index0 = ~0; - u32 is_reverse0 = 0; - dpi_flow_entry_t *flow0; - u32 ip_len0, l4_len0, payload_len0; - u8 protocol0; - u8 *l4_pkt0, *payload0; - u16 dst_port = 0; - segment *seg = 0; - segment *prev_seg = 0; - - bi0 = to_next[0] = from[0]; - b0 = vlib_get_buffer (vm, bi0); - ip_len0 = vlib_buffer_length_in_chain (vm, b0); - - if (is_ip4) - { - ip40 = vlib_buffer_get_current (b0); - dpi_check_ip4 (ip40, ip_len0); - } - else - { - ip60 = vlib_buffer_get_current (b0); - dpi_check_ip6 (ip60, ip_len0); - } - - ASSERT (b0->flow_id != 0); - flow_id0 = b0->flow_id - dm->flow_id_start; - - is_reverse0 = (u32) ((flow_id0 >> 31) & 0x1); - flow_index0 = (u32) (flow_id0 & (u32) (~(1 << 31))); - flow0 = pool_elt_at_index (dm->dpi_flows, flow_index0); - - /* have detected successfully, directly return */ - if (flow0->info->detect_done) - goto enqueue0; - - /* check layer4 */ - if (is_ip4) - { - l4_pkt0 = (u8 *) (ip40 + 1); - l4_len0 = ip_len0 - sizeof (ip4_header_t); - protocol0 = ip40->protocol; - } - else - { - l4_pkt0 = (u8 *) (ip60 + 1); - l4_len0 = ip_len0 - sizeof (ip6_header_t); - protocol0 = ip60->protocol; - } - - if ((protocol0 == IP_PROTOCOL_TCP) && (l4_len0 >= 20)) - { - tcp0 = (tcp_header_t *) l4_pkt0; - payload_len0 = l4_len0 - tcp_doff (tcp0) * 4; - payload0 = l4_pkt0 + tcp_doff (tcp0) * 4; - dst_port = tcp0->dst_port; - } - else if ((protocol0 == IP_PROTOCOL_UDP) && (l4_len0 >= 8)) - { - udp0 = (udp_header_t *) l4_pkt0; - payload_len0 = l4_len0 - sizeof (udp_header_t); - payload0 = l4_pkt0 + sizeof (udp_header_t); - dst_port = udp0->dst_port; - } - else - { - payload_len0 = l4_len0; - payload0 = l4_pkt0; - } - - flow0->info->l4_protocol = protocol0; - flow0->info->dst_port = dst_port; - - /* TCP stream reassembly and detect a protocol pdu */ - if ((protocol0 == IP_PROTOCOL_TCP) && (flow0->reass_en)) - { - dpi_handle_tcp_stream (flow0, bi0, l4_pkt0, payload_len0, - is_reverse0); - - /* This packet has been consumed, retrieve next packet */ - if (flow0->consumed) - goto trace0; - - /* send out continuous scanned segments */ - seg = flow0->first_seg; - dpi_enqueue_tcp_segments (seg, vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - flow0->first_seg = 0; - - /* Here detected successfully, send out remaining segments in seg_queue */ - if (flow0->info->detect_done) - { - seg = flow0->c2s.seg_queue; - dpi_enqueue_tcp_segments (seg, vm, node, next_index, - to_next, n_left_to_next, bi0, - next0); - flow0->c2s.seg_queue = 0; - - seg = flow0->s2c.seg_queue; - dpi_enqueue_tcp_segments (seg, vm, node, next_index, - to_next, n_left_to_next, bi0, - next0); - flow0->s2c.seg_queue = 0; - } - goto trace0; - } - else - { - /* detect layer 7 application for single packet */ - dpi_detect_application (payload0, payload_len0, flow0->info); - } - -enqueue0: - to_next[0] = bi0; - to_next++; - n_left_to_next--; - next0 = flow0->next_index; - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - -trace0: - if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) - { - dpi_rx_trace_t *tr - = vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->app_id = flow0->info->app_id; - tr->next_index = next0; - tr->error = b0->error; - tr->flow_id = flow_index0; - } - - from += 1; - n_left_from -= 1; - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - return frame->n_vectors; -} - - -VLIB_NODE_FN (dpi4_flow_input_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return dpi_flow_input_inline (vm, node, frame, /* is_ip4 */ 1); -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (dpi4_flow_input_node) = { - .name = "dpi4-flow-input", - .type = VLIB_NODE_TYPE_INTERNAL, - .vector_size = sizeof (u32), - - .format_trace = format_dpi_rx_trace, - - .n_errors = DPI_FLOW_N_ERROR, - .error_strings = dpi_flow_error_strings, - - .n_next_nodes = DPI_FLOW_N_NEXT, - .next_nodes = { -#define _(s,n) [DPI_FLOW_NEXT_##s] = n, - foreach_dpi_flow_input_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* Dummy init function to get us linked in. */ -static clib_error_t * -dpi4_flow_input_init (vlib_main_t * vm) -{ - return 0; -} - -VLIB_INIT_FUNCTION (dpi4_flow_input_init); - -VLIB_NODE_FN (dpi6_flow_input_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return dpi_flow_input_inline (vm, node, frame, /* is_ip4 */ 0); -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (dpi6_flow_input_node) = { - .name = "dpi6-flow-input", - .type = VLIB_NODE_TYPE_INTERNAL, - .vector_size = sizeof (u32), - - .format_trace = format_dpi_rx_trace, - - .n_errors = DPI_FLOW_N_ERROR, - .error_strings = dpi_flow_error_strings, - - .n_next_nodes = DPI_FLOW_N_NEXT, - .next_nodes = { -#define _(s,n) [DPI_FLOW_NEXT_##s] = n, - foreach_dpi_flow_input_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* Dummy init function to get us linked in. */ -static clib_error_t * -dpi6_flow_input_init (vlib_main_t * vm) -{ - return 0; -} - -VLIB_INIT_FUNCTION (dpi6_flow_input_init); - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/dpi_plugin_doc.md b/src/dpi_plugin_doc.md deleted file mode 100644 index fc069c0..0000000 --- a/src/dpi_plugin_doc.md +++ /dev/null @@ -1,107 +0,0 @@ -# DPI plugin for VPP {#dpi_plugin_doc} - -## Overview - -DPI plugin can identify and analyze the traffic running on networks in real time. -It can be used on many use cases, such as Web Application Firewall, -Policy based routing, Intrusion Detection System, Intrusion Prevention System, etc. - -The main use case for current approach would be identification of cooperating traffic -for an established TCP connection (i.e. traffic that is not intentionally disguised) -to support application-based QoS. - - -## Design - -The DPI plugin leverage Hyperscan to perform regex matching. - -Hyperscan is a high-performance multiple regex matching library. -Please refer to below for details: -http://intel.github.io/dpi/dev-reference/ - -Below is the brief design: - -1. Provides a default APPID database for detection. - -2. Support TCP connection state tracking. - -3. Support TCP segments reassembly on the fly, which handles out-of-order tcp segments and overlapping segments. - It means that we do not need to reassembly segments first, then dedect applicaion, - and then fragment segments again, which helps to improve performance. - -4. Support Hyperscan Stream mode, which can detect one rule straddling into some tcp segments. - It means that if there is a rule "abcde", then "abc" can be in packet 1, - and "de" can be in packet 2. - -5. Configure static dpi flows with 5-tuple and VRF-aware, and supports both ipv4 and ipv6 flows. - These flows will first try to HW offload to NIC based on DPDK rte_flow mechanism - and vpp/vnet/flow infrastructure. - If failed, then will create static SW flow mappings. - Each flow configuration will create two HW or SW flow mappings, i.e. for forward and reverse traffic. - And both flow mappings will be mapped to the same dpi flow. - Dynamically create new SW mapping and aging out mechanism will be added later. - - "dpi flow [add | del] " - "[src-ip ] [dst-ip ] " - "[src-port ] [dst-port ] " - "[protocol ] [vrf-id ]", - - "dpi tcp reass flow_id " - "[ ]", - - "dpi set flow-offload hw rx [del]", - - "dpi set ip4 flow-bypass [del]", - -6. When HW flow offload matched, packets will be redirected to DPI plugin with dpi flow_id in packet descriptor. - If not, packets will be bypassed to DPI plugin from ip-input, and then lookup SW flow mapping table. - -7. Then will detect layer 7 applications. - This first patch only detect sub protocls within SSL/TLS. - 1). Identify SSL/TLS certificate message and subsequent segments. - 2). Scan SSL/TLS certificate message through hyperscan, and get application id if matched. - 3). If maximum packets for this flow are checked and not found matched application, the detection will end up. - - -## Hyperscan Installation - -Hyperscan can be installed from packages directly on below OS: - Ubuntu 16.04.03 - Ubuntu 18.04 and later version - Fedora 27 and later version - openSUSE rolling-release Tumbleweed and later version - -If you cannot install Hyperscan from packages directly, -you can build and install it from the source code. - -Below are steps to build and install Hyperscan on Ubuntu 16.04: -1).Install binary prerequisites -apt-get install cmake ragel -apt-get install libboost-dev -apt-get install python-dev libbz2-dev - -2).Download Hyperscan sources -wget https://github.com/intel/hyperscan/archive/v5.0.0.tar.gz -tar -xf v5.0.0.tar.gz - -3).Download boost headers -wget https://dl.bintray.com/boostorg/release/1.68.0/source/boost_1_68_0.tar.gz -tar -xf boost_1_68_0.tar.gz -cp -r boost_1_68_0/boost hyperscan-5.0.0/include - -4).Build and install Hyperscan shared library. - Just follow the instruction from here. Compilation can take a long time. -cd hyperscan-5.0.0 -mkdir build -cd build -cmake -DBUILD_SHARED_LIBS=true .. -make -make install - -## Multi-Thread Support -Since generated bytecode database is read only, you can run multiple cores -to utilize the byte database to scale. - - - - diff --git a/src/protocols/dpi_ssl.c b/src/protocols/dpi_ssl.c deleted file mode 100644 index f15a19c..0000000 --- a/src/protocols/dpi_ssl.c +++ /dev/null @@ -1,247 +0,0 @@ -/* - * Copyright (c) 2019 Intel and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include -#include -#include -#include -#include - -#include -#include - -#include "../dpi.h" - -typedef enum -{ - State_Initial = 0, - State_Client_Hello = 1, - State_Server_Hello = 2, - State_Certificate = 3, -} ssl_state; - -enum -{ - MAJOR_TLS = 0x3, -}; - -enum -{ - MINOR_SSL30 = 0, - MINOR_TLS10 = 0x1, - MINOR_TLS11 = 0x2, - MINOR_TLS12 = 0x3, -}; - -typedef enum -{ - change_cipher_spec = 20, - alert = 21, - handshake = 22, - application_data = 23, -} ContentType; - -typedef struct -{ - u8 major; - u8 minor; -} ProtocolVersion; - -typedef struct -{ - u8 type; - ProtocolVersion version; - u16 length; -} __attribute__ ((packed)) ssl_header; - -typedef enum -{ - hello_request = 0, - client_hello = 1, - server_hello = 2, - certificate = 11, - server_key_exchange = 12, - certificate_request = 13, - server_hello_done = 14, - certificate_verify = 15, - client_key_exchange = 16, - finished = 20, -} HandshakeType; - -typedef struct -{ - u8 msg_type; /* handshake type */ - u8 length[3]; /* bytes in message */ -} Handshake_header; - -int dpi_ssl_detect_protocol_from_cert (u8 * payload, u32 payload_len, - dpi_flow_info_t * flow); - -#define dpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) -#define dpi_isalpha(ch) (((ch) >= 'a' && (ch) <= 'z') || ((ch) >= 'A' && (ch) <= 'Z')) -#define dpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') -#define dpi_isspace(ch) (((ch) >= '\t' && (ch) <= '\r') || ((ch) == ' ')) -#define dpi_min(a,b) ((a < b) ? a : b) - -static void -dpi_set_detected_protocol (dpi_flow_info_t * flow, - u32 upper_protocol, u32 lower_protocol) -{ - - if ((upper_protocol == DPI_PROTOCOL_UNKNOWN) - && (lower_protocol != DPI_PROTOCOL_UNKNOWN)) - upper_protocol = lower_protocol; - - if (upper_protocol == lower_protocol) - lower_protocol = DPI_PROTOCOL_UNKNOWN; - - if ((upper_protocol != DPI_PROTOCOL_UNKNOWN) - && (lower_protocol == DPI_PROTOCOL_UNKNOWN)) - { - if ((flow->guessed_host_protocol_id != DPI_PROTOCOL_UNKNOWN) - && (upper_protocol != flow->guessed_host_protocol_id)) - { - lower_protocol = upper_protocol; - upper_protocol = flow->guessed_host_protocol_id; - } - } - - flow->detected_protocol[0] = upper_protocol; - flow->detected_protocol[1] = lower_protocol; -} - -static u32 -dpi_ssl_refine_master_protocol (dpi_flow_info_t * flow, u32 protocol) -{ - - if (flow->l4.tcp.ssl_got_server_cert == 1) - protocol = DPI_PROTOCOL_SSL; - else - protocol = DPI_PROTOCOL_SSL_NO_CERT; - - return protocol; -} - -int -dpi_ssl_detect_protocol_from_cert (u8 * payload, u32 payload_len, - dpi_flow_info_t * flow) -{ - u32 host_protocol = DPI_PROTOCOL_UNKNOWN; - int rv = 0; - - /* Only check SSL handshake packets. - * Check first segment and subsequent segments. */ - if (((payload_len > (sizeof (ssl_header) + sizeof (Handshake_header))) - && (payload[0] == handshake)) || (flow->detect_begin)) - { - if ((flow->detected_protocol[0] == DPI_PROTOCOL_UNKNOWN) - || (flow->detected_protocol[0] == DPI_PROTOCOL_SSL)) - { - rv = dpi_search_host_protocol (flow, (char *) payload, payload_len, - DPI_PROTOCOL_SSL, &host_protocol); - - if (host_protocol != DPI_PROTOCOL_UNKNOWN) - { - dpi_set_detected_protocol (flow, host_protocol, - dpi_ssl_refine_master_protocol (flow, - DPI_PROTOCOL_SSL)); - return rv; - } - } - } - return 0; -} - - -void -dpi_search_tcp_ssl (u8 * payload, u32 payload_len, dpi_flow_info_t * flow) -{ - u32 cur_len = payload_len; - u32 cur_len2; - u8 handshake_type; - - /* Check first segment of SSL Certificate message */ - if ((payload_len > (sizeof (ssl_header) + sizeof (Handshake_header))) - && (payload[0] == handshake)) - { - handshake_type = payload[5]; - - if (handshake_type == client_hello) - { - flow->l4.tcp.ssl_stage = State_Client_Hello; - return; - } - else if (handshake_type == server_hello) - { - cur_len = ntohs (get_u16_t (payload, 3)) + sizeof (ssl_header); - - /* This packet only contains Server Hello message */ - if (cur_len == payload_len) - { - flow->l4.tcp.ssl_stage = State_Server_Hello; - return; - } - - /* This packet contains Server Hello, Certificate and more messages */ - if (payload_len >= cur_len + sizeof (ssl_header) - && payload[cur_len] == handshake - && payload[cur_len + 1] == MAJOR_TLS) - { - cur_len2 = ntohs (get_u16_t (payload, cur_len + 3)) - + sizeof (ssl_header); - if (payload[cur_len + 5] == certificate) - { - flow->l4.tcp.ssl_stage = State_Certificate; - flow->detect_begin = 1; - /* Scan segments of certificate message */ - if (dpi_ssl_detect_protocol_from_cert (&payload[cur_len], - cur_len2, flow) > 0) - return; - } - } - } - else if (handshake_type == certificate) - { - cur_len = ntohs (get_u16_t (payload, 3)) + sizeof (ssl_header); - - /* This packet contains first segment of certificate message */ - if (cur_len == payload_len) - { - flow->l4.tcp.ssl_stage = State_Certificate; - flow->detect_begin = 1; - /* Scan segments of certificate message */ - if (dpi_ssl_detect_protocol_from_cert (payload, cur_len, flow) > - 0) - return; - } - } - else if (flow->detect_begin) - { - /* Check subsequent segments of SSL Certificate message */ - if (dpi_ssl_detect_protocol_from_cert (payload, cur_len, flow) > 0) - return; - } - } - - return; -} - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ -- cgit 1.2.3-korg