优化应用识别性能,解决高版本内核应用识别导致死机问题
This commit is contained in:
destan19@126.com
parent
ed07f06293
commit
7d109b53f8
@ -11,6 +11,7 @@
|
||||
#include <net/tcp.h>
|
||||
#include <linux/netfilter.h>
|
||||
#include <net/netfilter/nf_conntrack.h>
|
||||
#include <net/netfilter/nf_conntrack_acct.h>
|
||||
#include <linux/skbuff.h>
|
||||
#include <net/ip.h>
|
||||
#include <linux/types.h>
|
||||
@ -36,7 +37,8 @@ DEFINE_RWLOCK(af_feature_lock);
|
||||
#define feature_list_read_unlock() read_unlock_bh(&af_feature_lock);
|
||||
#define feature_list_write_lock() write_lock_bh(&af_feature_lock);
|
||||
#define feature_list_write_unlock() write_unlock_bh(&af_feature_lock);
|
||||
|
||||
// ×¢ÒâÓÐÖØ´«±¨ÎÄ
|
||||
#define MAX_PARSE_PKT_NUM 16
|
||||
#define MIN_HTTP_DATA_LEN 16
|
||||
#define MAX_APP_NAME_LEN 64
|
||||
#define MAX_FEATURE_NUM_PER_APP 16
|
||||
@ -519,7 +521,7 @@ void parse_http_proto(flow_info_t *flow)
|
||||
}
|
||||
if (flow->sport != 80 && flow->dport != 80)
|
||||
return;
|
||||
for (i = 0; i < data_len - 4; i++) {
|
||||
for (i = 0; i < data_len; i++) {
|
||||
if (data[i] == 0x0d && data[i + 1] == 0x0a){
|
||||
if (0 == memcmp(&data[start], "POST ", 5)) {
|
||||
flow->http.match = AF_TRUE;
|
||||
@ -535,7 +537,7 @@ void parse_http_proto(flow_info_t *flow)
|
||||
flow->http.url_len = i - start - 4;
|
||||
//dump_str("post request", flow->http.url_pos, flow->http.url_len);
|
||||
}
|
||||
else if (0 == memcmp(&data[start], "Host: ", 6) ){
|
||||
else if (0 == memcmp(&data[start], "Host:", 5) ){
|
||||
flow->http.host_pos = data + start + 6;
|
||||
flow->http.host_len = i - start - 6;
|
||||
//dump_str("host ", flow->http.host_pos, flow->http.host_len);
|
||||
@ -771,6 +773,7 @@ int app_filter_match(flow_info_t *flow)
|
||||
return AF_FALSE;
|
||||
}
|
||||
|
||||
#define APP_FILTER_DROP_BITS 0xf0000000
|
||||
|
||||
/* ÔÚnetfilter¿ò¼Ü×¢²áµÄ¹³×Ó */
|
||||
|
||||
@ -786,6 +789,8 @@ static u_int32_t app_filter_hook(unsigned int hook,
|
||||
const struct net_device *out,
|
||||
int (*okfn)(struct sk_buff *)){
|
||||
#endif
|
||||
unsigned long long total_packets = 0;
|
||||
flow_info_t flow;
|
||||
// 4.10-->4.11 nfct-->_nfct
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,11,0)
|
||||
struct nf_conn *ct = (struct nf_conn *)skb->_nfct;
|
||||
@ -796,14 +801,54 @@ static u_int32_t app_filter_hook(unsigned int hook,
|
||||
//AF_ERROR("ct is null\n");
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
flow_info_t flow;
|
||||
|
||||
if (!nf_ct_is_confirmed(ct)){
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
|
||||
#if defined(CONFIG_NF_CONNTRACK_MARK)
|
||||
if (ct->mark != 0)
|
||||
if (APP_FILTER_DROP_BITS == (ct->mark & APP_FILTER_DROP_BITS)){
|
||||
return NF_DROP;
|
||||
}
|
||||
#endif
|
||||
|
||||
// 3.12.74-->3.13-rc1
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,13,0)
|
||||
struct nf_conn_acct *acct;
|
||||
acct = nf_conn_acct_find(ct);
|
||||
if (!acct)
|
||||
return NF_ACCEPT;
|
||||
total_packets = (unsigned long long)atomic64_read(&acct->counter[IP_CT_DIR_ORIGINAL].packets)
|
||||
+ (unsigned long long)atomic64_read(&acct->counter[IP_CT_DIR_REPLY].packets);
|
||||
#else
|
||||
|
||||
struct nf_conn_counter *counter;
|
||||
counter = nf_conn_acct_find(ct);
|
||||
|
||||
if (!counter)
|
||||
return NF_ACCEPT;
|
||||
|
||||
total_packets = (unsigned long long)atomic64_read(&counter[IP_CT_DIR_ORIGINAL].packets)
|
||||
+ (unsigned long long)atomic64_read(&counter[IP_CT_DIR_REPLY].packets);
|
||||
|
||||
#endif
|
||||
if (total_packets > MAX_PARSE_PKT_NUM){
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
|
||||
memset((char *)&flow, 0x0, sizeof(flow_info_t));
|
||||
parse_flow_base(skb, &flow);
|
||||
parse_http_proto(&flow);
|
||||
parse_https_proto(&flow);
|
||||
//dump_flow_info(&flow);
|
||||
if (app_filter_match(&flow))
|
||||
if (app_filter_match(&flow)){
|
||||
|
||||
#if defined(CONFIG_NF_CONNTRACK_MARK)
|
||||
ct->mark |= APP_FILTER_DROP_BITS;
|
||||
#endif
|
||||
return NF_DROP;
|
||||
}
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user