Добавлена отправка rst при первом обращении к блокированному ip адрес…

…у из списка hosts
max197616 · Sep 10, 2019 · a7320b2 · a7320b2
1 parent 4bf0a85
commit a7320b2
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 21 deletions.
diff --git a/configure.ac b/configure.ac
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.69])
-AC_INIT(extFilter, 0.99.1, max1976@mail.ru)
+AC_INIT(extFilter, 0.99.2, max1976@mail.ru)
 
 DPDK_HOME=
 DPDK_TARGET=

diff --git a/include/sender.h b/include/sender.h
@@ -205,7 +205,7 @@ class ESender : public BSender
 		return size;
 	}
 
-	inline int makeSwapPacketIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh, struct rte_mbuf *m, bool to_server = false)
+	inline int makeSwapPacketIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, uint8_t f_reset, bool f_psh, struct rte_mbuf *m, bool to_server = false)
 	{
 		int pkt_len;
 		const uint8_t *pkt = pkt_infos->pkt;
@@ -279,8 +279,15 @@ class ESender : public BSender
 		tcph->psh = f_psh;
 		if(f_reset)
 		{
-			tcph->ack = 0;
-			tcph->ack_seq = 0;
+			if(f_reset & 2)
+			{
+				tcph->ack = 1;
+				tcph->ack_seq = seqnum;
+			} else {
+				tcph->ack = 0;
+				tcph->ack_seq = 0;
+			}
+
 			tcph->fin = 0;
 			tcph->window = 0;
 		} else {
@@ -299,7 +306,7 @@ class ESender : public BSender
 		return pkt_len;
 	}
 
-	inline int makeSwapPacketIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh, struct rte_mbuf *m, bool to_server = false)
+	inline int makeSwapPacketIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, uint8_t f_reset, bool f_psh, struct rte_mbuf *m, bool to_server = false)
 	{
 		int pkt_len;
 
@@ -372,8 +379,14 @@ class ESender : public BSender
 		tcph->window = tcph_orig->window;
 		if(f_reset)
 		{
-			tcph->ack = 0;
-			tcph->ack_seq = 0;
+			if(f_reset & 2)
+			{
+				tcph->ack = 1;
+				tcph->ack_seq = seqnum;
+			} else {
+				tcph->ack = 0;
+				tcph->ack_seq = 0;
+			}
 			tcph->fin = 0;
 		} else {
 			tcph->ack_seq = seqnum;
@@ -387,14 +400,14 @@ class ESender : public BSender
 		return pkt_len;
 	}
 
-	void sendPacketIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh, bool to_server = false);
-	void SendRSTIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum);
+	void sendPacketIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, uint8_t f_reset, bool f_psh, bool to_server = false);
+	void SendRSTIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, bool use_ack = false);
 	void HTTPRedirectIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, bool f_psh, const char *redir_url, size_t r_len);
 	void HTTPForbiddenIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, bool f_psh);
 
-	void sendPacketIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh, bool to_server = false);
+	void sendPacketIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, uint8_t f_reset, bool f_psh, bool to_server = false);
 	void HTTPRedirectIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, bool f_psh, const char *redir_url, size_t r_len);
-	void SendRSTIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum);
+	void SendRSTIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, bool use_ack = false);
 	void HTTPForbiddenIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, bool f_psh);
 private:
 	uint8_t _port;

diff --git a/src/acl.cpp b/src/acl.cpp
@@ -138,7 +138,7 @@ int ACL::initACL(std::map<std::string, int> &fns, int _numa_on, std::set<struct
 		std::string file_name=entry.first;
 		if(!file_name.empty())
 		{
-			_logger.debug("Building ACL from file %s", file_name);
+			_logger.information("Building ACL from file %s", file_name);
 			Poco::FileInputStream hf(file_name);
 			if(hf.good())
 			{

diff --git a/src/sender.cpp b/src/sender.cpp
@@ -264,7 +264,7 @@ void ESender::sendPacket(void *ip_from, void *ip_to, int ip_ver, int port_from,
 }
 
 
-void ESender::sendPacketIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh, bool to_server)
+void ESender::sendPacketIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, uint8_t f_reset, bool f_psh, bool to_server)
 {
 	struct rte_mbuf *pkt = rte_pktmbuf_alloc(_mp);
 	if(unlikely(pkt == nullptr))
@@ -305,7 +305,7 @@ void ESender::sendPacketIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32
 	return;
 }
 
-void ESender::sendPacketIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, bool f_reset, bool f_psh, bool to_server)
+void ESender::sendPacketIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, const char *dt_buf, size_t dt_len, uint8_t f_reset, bool f_psh, bool to_server)
 {
 	struct rte_mbuf *pkt = rte_pktmbuf_alloc(_mp);
 	if(unlikely(pkt == nullptr))
@@ -403,19 +403,19 @@ void ESender::HTTPForbiddenIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uin
 }
 
 
-void ESender::SendRSTIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum)
+void ESender::SendRSTIPv4(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, bool use_ack)
 {
 	// send rst to the client
-	sendPacketIPv4(pkt_infos, acknum, seqnum, nullptr, 0, true, false);
+	sendPacketIPv4(pkt_infos, acknum, seqnum, nullptr, 0, use_ack ? 3 : 1, false);
 	// send rst to the server
 	if(_parameters.send_rst_to_server)
 		sendPacketIPv4(pkt_infos, seqnum, acknum, nullptr, 0, true, false, true);
 }
 
-void ESender::SendRSTIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum)
+void ESender::SendRSTIPv6(dpi_pkt_infos_t *pkt_infos, uint32_t acknum, uint32_t seqnum, bool use_ack)
 {
 	// send rst to the client
-	sendPacketIPv6(pkt_infos, acknum, seqnum, nullptr, 0, true, false);
+	sendPacketIPv6(pkt_infos, acknum, seqnum, nullptr, 0, use_ack ? 3 : 1, false);
 	// send rst to the server
 	if(_parameters.send_rst_to_server)
 		sendPacketIPv6(pkt_infos, seqnum, acknum, nullptr, 0, true, false, true);

diff --git a/src/worker.cpp b/src/worker.cpp
@@ -615,20 +615,20 @@ bool WorkerThread::analyzePacket(struct rte_mbuf* m, uint64_t timestamp)
 	m_ThreadStats.analyzed_packets++;
 
 
-	if(unlikely(payload_len > 0 && acl_action == ACL::ACL_DROP))
+	if(unlikely(((tcph->syn == 1 && tcph->ack == 0) || payload_len > 0) && acl_action == ACL::ACL_DROP))
 	{
 		m_ThreadStats.matched_ip_port++;
 		dpi_pkt_infos_t pkt_infos;
 		pkt_infos.pkt = l3;
 		pkt_infos.l2_pkt = rte_pktmbuf_mtod(m, const uint8_t *);
 		if(ip_version == 4)
 		{
-			_snd->SendRSTIPv4(&pkt_infos, /*acknum*/ tcph->ack_seq, /*seqnum*/ tcph->seq);
+			_snd->SendRSTIPv4(&pkt_infos, /*acknum*/ tcph->ack_seq, /*seqnum*/ rte_cpu_to_be_32(rte_be_to_cpu_32(tcph->seq) + 1), (tcph->syn == 1 && tcph->ack == 0) ? true : false);
 			m_ThreadStats.sended_rst_ipv4++;
 		}
 		else
 		{
-			_snd->SendRSTIPv6(&pkt_infos, /*acknum*/ tcph->ack_seq, /*seqnum*/ tcph->seq);
+			_snd->SendRSTIPv6(&pkt_infos, /*acknum*/ tcph->ack_seq, /*seqnum*/ rte_cpu_to_be_32(rte_be_to_cpu_32(tcph->seq) + 1), (tcph->syn == 1 && tcph->ack == 0) ? true : false);
 			m_ThreadStats.sended_rst_ipv6++;
 		}
 		return true;