diff --git a/oaf/src/app_filter.c b/oaf/src/app_filter.c index b4587c8..868a361 100755 --- a/oaf/src/app_filter.c +++ b/oaf/src/app_filter.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -36,7 +37,8 @@ DEFINE_RWLOCK(af_feature_lock); #define feature_list_read_unlock() read_unlock_bh(&af_feature_lock); #define feature_list_write_lock() write_lock_bh(&af_feature_lock); #define feature_list_write_unlock() write_unlock_bh(&af_feature_lock); - +// 注意有重传报文 +#define MAX_PARSE_PKT_NUM 16 #define MIN_HTTP_DATA_LEN 16 #define MAX_APP_NAME_LEN 64 #define MAX_FEATURE_NUM_PER_APP 16 @@ -519,7 +521,7 @@ void parse_http_proto(flow_info_t *flow) } if (flow->sport != 80 && flow->dport != 80) return; - for (i = 0; i < data_len - 4; i++) { + for (i = 0; i < data_len; i++) { if (data[i] == 0x0d && data[i + 1] == 0x0a){ if (0 == memcmp(&data[start], "POST ", 5)) { flow->http.match = AF_TRUE; @@ -535,7 +537,7 @@ void parse_http_proto(flow_info_t *flow) flow->http.url_len = i - start - 4; //dump_str("post request", flow->http.url_pos, flow->http.url_len); } - else if (0 == memcmp(&data[start], "Host: ", 6) ){ + else if (0 == memcmp(&data[start], "Host:", 5) ){ flow->http.host_pos = data + start + 6; flow->http.host_len = i - start - 6; //dump_str("host ", flow->http.host_pos, flow->http.host_len); @@ -771,6 +773,7 @@ int app_filter_match(flow_info_t *flow) return AF_FALSE; } +#define APP_FILTER_DROP_BITS 0xf0000000 /* 在netfilter框架注册的钩子 */ @@ -786,6 +789,8 @@ static u_int32_t app_filter_hook(unsigned int hook, const struct net_device *out, int (*okfn)(struct sk_buff *)){ #endif + unsigned long long total_packets = 0; + flow_info_t flow; // 4.10-->4.11 nfct-->_nfct #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,11,0) struct nf_conn *ct = (struct nf_conn *)skb->_nfct; @@ -796,14 +801,54 @@ static u_int32_t app_filter_hook(unsigned int hook, //AF_ERROR("ct is null\n"); return NF_ACCEPT; } - flow_info_t flow; + + if (!nf_ct_is_confirmed(ct)){ + return NF_ACCEPT; + } + +#if defined(CONFIG_NF_CONNTRACK_MARK) + if (ct->mark != 0) + if (APP_FILTER_DROP_BITS == (ct->mark & APP_FILTER_DROP_BITS)){ + return NF_DROP; + } +#endif + +// 3.12.74-->3.13-rc1 +#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,13,0) + struct nf_conn_acct *acct; + acct = nf_conn_acct_find(ct); + if (!acct) + return NF_ACCEPT; + total_packets = (unsigned long long)atomic64_read(&acct->counter[IP_CT_DIR_ORIGINAL].packets) + + (unsigned long long)atomic64_read(&acct->counter[IP_CT_DIR_REPLY].packets); +#else + + struct nf_conn_counter *counter; + counter = nf_conn_acct_find(ct); + + if (!counter) + return NF_ACCEPT; + + total_packets = (unsigned long long)atomic64_read(&counter[IP_CT_DIR_ORIGINAL].packets) + + (unsigned long long)atomic64_read(&counter[IP_CT_DIR_REPLY].packets); + +#endif + if (total_packets > MAX_PARSE_PKT_NUM){ + return NF_ACCEPT; + } + memset((char *)&flow, 0x0, sizeof(flow_info_t)); parse_flow_base(skb, &flow); parse_http_proto(&flow); parse_https_proto(&flow); //dump_flow_info(&flow); - if (app_filter_match(&flow)) + if (app_filter_match(&flow)){ + +#if defined(CONFIG_NF_CONNTRACK_MARK) + ct->mark |= APP_FILTER_DROP_BITS; +#endif return NF_DROP; + } return NF_ACCEPT; }