1.5.0
This commit is contained in:
robin
@@ -1,7 +1,7 @@
|
||||
package teaconst
|
||||
|
||||
const (
|
||||
Version = "1.4.9" //1.3.8.2
|
||||
Version = "1.5.0" //1.3.8.2
|
||||
|
||||
ProductName = "Edge Node"
|
||||
ProcessName = "edge-node"
|
||||
|
||||
@@ -1,135 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus && packet
|
||||
|
||||
package networksecurity
|
||||
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
|
||||
teaconst "github.com/TeaOSLab/EdgeNode/internal/const"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/events"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/monitor"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils/goman"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils/netpackets"
|
||||
"github.com/iwind/TeaGo/Tea"
|
||||
"github.com/iwind/TeaGo/maps"
|
||||
"runtime"
|
||||
"time"
|
||||
)
|
||||
|
||||
var SharedManager = NewManager()
|
||||
|
||||
func init() {
|
||||
if !teaconst.IsMain {
|
||||
return
|
||||
}
|
||||
|
||||
events.On(events.EventLoaded, func() {
|
||||
nodeConfig, _ := nodeconfigs.SharedNodeConfig()
|
||||
if nodeConfig != nil {
|
||||
go SharedManager.Apply(nodeConfig.NetworkSecurityPolicy)
|
||||
}
|
||||
})
|
||||
|
||||
events.On(events.EventQuit, func() {
|
||||
go SharedManager.Apply(nil)
|
||||
})
|
||||
|
||||
goman.New(func() {
|
||||
var ticker = time.NewTicker(1 * time.Minute)
|
||||
for range ticker.C {
|
||||
SharedManager.Upload()
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
type Manager struct {
|
||||
listener *netpackets.Listener
|
||||
isRunning bool
|
||||
|
||||
policy *nodeconfigs.NetworkSecurityPolicy
|
||||
|
||||
totalTCPPacketsMinutely uint64
|
||||
totalUDPPacketsMinutely uint64
|
||||
totalICMPPacketsMinutely uint64
|
||||
}
|
||||
|
||||
func NewManager() *Manager {
|
||||
return &Manager{}
|
||||
}
|
||||
|
||||
// Apply 应用配置
|
||||
// 非线程安全
|
||||
func (this *Manager) Apply(policy *nodeconfigs.NetworkSecurityPolicy) {
|
||||
if this.policy != nil && this.policy.IsSame(policy) {
|
||||
return
|
||||
}
|
||||
|
||||
this.policy = policy
|
||||
|
||||
if policy == nil ||
|
||||
policy.Status == nodeconfigs.NetworkSecurityStatusOff ||
|
||||
(policy.Status == nodeconfigs.NetworkSecurityStatusAuto && runtime.NumCPU() < 8) {
|
||||
if this.listener != nil {
|
||||
remotelogs.Println("NETWORK_SECURITY_MANAGER", "stop")
|
||||
this.listener.Stop()
|
||||
}
|
||||
this.isRunning = false
|
||||
return
|
||||
}
|
||||
|
||||
if this.listener == nil {
|
||||
this.listener = netpackets.NewListener()
|
||||
|
||||
// References:
|
||||
// - https://biot.com/capstats/bpf.html
|
||||
// - https://www.ibm.com/docs/en/qsip/7.4?topic=queries-berkeley-packet-filters
|
||||
// - https://www.tcpdump.org/manpages/tcpdump.1.html
|
||||
|
||||
if Tea.IsTesting() || utils.IsDebugEnv() { // dev environment
|
||||
this.listener.SetBPF("(tcp or udp or icmp) and not net 127 and not net ::1")
|
||||
} else {
|
||||
this.listener.SetBPF("(tcp or udp or icmp) and not src net 127 and not src net 192.168 and not src net 172.16 and not src net ::1 and not src net 10")
|
||||
}
|
||||
this.listener.AddFilter(this)
|
||||
}
|
||||
|
||||
if !this.isRunning {
|
||||
this.isRunning = true
|
||||
remotelogs.Println("NETWORK_SECURITY_MANAGER", "start")
|
||||
err := this.listener.Start() // long run function
|
||||
if err != nil {
|
||||
remotelogs.Error("NETWORK_SECURITY_MANAGER", "start listener failed: "+err.Error())
|
||||
}
|
||||
this.isRunning = false
|
||||
}
|
||||
}
|
||||
|
||||
func (this *Manager) FilterMeta(meta *netpackets.PacketMeta) {
|
||||
switch meta.LayerType {
|
||||
case netpackets.LayerTypeTCP:
|
||||
// 这里不需要试用atomic,因为数据不需要那么精确
|
||||
this.totalTCPPacketsMinutely++
|
||||
case netpackets.LayerTypeUDP:
|
||||
this.totalUDPPacketsMinutely++
|
||||
case netpackets.LayerTypeICMPv4, netpackets.LayerTypeICMPv6:
|
||||
this.totalICMPPacketsMinutely++
|
||||
}
|
||||
}
|
||||
|
||||
func (this *Manager) Upload() {
|
||||
if !this.isRunning {
|
||||
return
|
||||
}
|
||||
|
||||
monitor.SharedValueQueue.Add(nodeconfigs.NodeValueItemNetworkPackets, maps.Map{
|
||||
"tcpInPPS": this.totalTCPPacketsMinutely / 60,
|
||||
"udpInPPS": this.totalUDPPacketsMinutely / 60,
|
||||
"icmpInPPS": this.totalICMPPacketsMinutely / 60,
|
||||
})
|
||||
|
||||
this.totalTCPPacketsMinutely = 0
|
||||
this.totalUDPPacketsMinutely = 0
|
||||
this.totalICMPPacketsMinutely = 0
|
||||
}
|
||||
@@ -1,24 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus && packet
|
||||
|
||||
package networksecurity_test
|
||||
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
|
||||
networksecurity "github.com/TeaOSLab/EdgeNode/internal/network-security"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils/testutils"
|
||||
"os"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestManager_Apply(t *testing.T) {
|
||||
if !testutils.IsSingleTesting() {
|
||||
if os.Getgid() > 0 {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
var manager = networksecurity.NewManager()
|
||||
var policy = nodeconfigs.NewNetworkSecurityPolicy()
|
||||
manager.Apply(policy)
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
sudo go test -v -tags="plus packet" -run '^TestManager_Apply'
|
||||
@@ -9,14 +9,20 @@ import (
|
||||
"net/http"
|
||||
)
|
||||
|
||||
// 执行认证
|
||||
// 鎵ц璁よ瘉
|
||||
func (this *HTTPRequest) doAuth() (shouldStop bool) {
|
||||
if this.web.Auth == nil || !this.web.Auth.IsOn {
|
||||
return
|
||||
}
|
||||
|
||||
for _, ref := range this.web.Auth.PolicyRefs {
|
||||
if !ref.IsOn || ref.AuthPolicy == nil || !ref.AuthPolicy.IsOn {
|
||||
if !ref.IsOn {
|
||||
continue
|
||||
}
|
||||
if ref.AuthPolicy == nil {
|
||||
continue
|
||||
}
|
||||
if !ref.AuthPolicy.IsOn {
|
||||
continue
|
||||
}
|
||||
if !ref.AuthPolicy.MatchRequest(this.RawReq) {
|
||||
@@ -36,7 +42,7 @@ func (this *HTTPRequest) doAuth() (shouldStop bool) {
|
||||
return writer.StatusCode(), nil
|
||||
}, this.Format)
|
||||
if err != nil {
|
||||
this.write50x(err, http.StatusInternalServerError, "Failed to execute the AuthPolicy", "认证策略执行失败", false)
|
||||
this.write50x(err, http.StatusInternalServerError, "Failed to execute the AuthPolicy", "璁よ瘉绛栫暐鎵ц澶辫触", false)
|
||||
return
|
||||
}
|
||||
if ok {
|
||||
@@ -45,28 +51,28 @@ func (this *HTTPRequest) doAuth() (shouldStop bool) {
|
||||
}
|
||||
this.tags = append(this.tags, "auth:"+ref.AuthPolicy.Type)
|
||||
return
|
||||
} else {
|
||||
// Basic Auth比较特殊
|
||||
if ref.AuthPolicy.Type == serverconfigs.HTTPAuthTypeBasicAuth {
|
||||
method, ok := ref.AuthPolicy.Method().(*serverconfigs.HTTPAuthBasicMethod)
|
||||
if ok {
|
||||
var headerValue = "Basic realm=\""
|
||||
if len(method.Realm) > 0 {
|
||||
headerValue += method.Realm
|
||||
} else {
|
||||
headerValue += this.ReqHost
|
||||
}
|
||||
headerValue += "\""
|
||||
if len(method.Charset) > 0 {
|
||||
headerValue += ", charset=\"" + method.Charset + "\""
|
||||
}
|
||||
this.writer.Header()["WWW-Authenticate"] = []string{headerValue}
|
||||
}
|
||||
}
|
||||
this.writer.WriteHeader(http.StatusUnauthorized)
|
||||
this.tags = append(this.tags, "auth:"+ref.AuthPolicy.Type)
|
||||
return true
|
||||
}
|
||||
|
||||
// Basic Auth 姣旇緝鐗规畩
|
||||
if ref.AuthPolicy.Type == serverconfigs.HTTPAuthTypeBasicAuth {
|
||||
method, ok := ref.AuthPolicy.Method().(*serverconfigs.HTTPAuthBasicMethod)
|
||||
if ok {
|
||||
var headerValue = "Basic realm=\""
|
||||
if len(method.Realm) > 0 {
|
||||
headerValue += method.Realm
|
||||
} else {
|
||||
headerValue += this.ReqHost
|
||||
}
|
||||
headerValue += "\""
|
||||
if len(method.Charset) > 0 {
|
||||
headerValue += ", charset=\"" + method.Charset + "\""
|
||||
}
|
||||
this.writer.Header()["WWW-Authenticate"] = []string{headerValue}
|
||||
}
|
||||
}
|
||||
this.writer.WriteHeader(http.StatusUnauthorized)
|
||||
this.tags = append(this.tags, "auth:"+ref.AuthPolicy.Type)
|
||||
return true
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
@@ -1,35 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus && packet
|
||||
|
||||
package nodes
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
|
||||
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
|
||||
networksecurity "github.com/TeaOSLab/EdgeNode/internal/network-security"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/rpc"
|
||||
)
|
||||
|
||||
func (this *Node) execNetworkSecurityPolicyChangedTask(rpcClient *rpc.RPCClient) error {
|
||||
remotelogs.Println("NODE", "updating network security policy ...")
|
||||
resp, err := rpcClient.NodeRPC.FindNodeNetworkSecurityPolicy(rpcClient.Context(), &pb.FindNodeNetworkSecurityPolicyRequest{})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var policy = nodeconfigs.NewNetworkSecurityPolicy()
|
||||
if len(resp.NetworkSecurityPolicyJSON) > 0 {
|
||||
err = json.Unmarshal(resp.NetworkSecurityPolicyJSON, policy)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
sharedNodeConfig.NetworkSecurityPolicy = policy
|
||||
|
||||
go networksecurity.SharedManager.Apply(policy)
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -1,5 +1,5 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus && !packet
|
||||
//go:build plus
|
||||
|
||||
package nodes
|
||||
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus && packet
|
||||
|
||||
package netpackets
|
||||
|
||||
type FilterInterface interface {
|
||||
FilterMeta(meta *PacketMeta)
|
||||
}
|
||||
@@ -1,92 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus
|
||||
|
||||
package netpackets
|
||||
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils/linkedlist"
|
||||
"sync"
|
||||
)
|
||||
|
||||
type IgnoredIPList struct {
|
||||
mu sync.RWMutex
|
||||
|
||||
itemMap map[string]*linkedlist.Item[string] // linked => item
|
||||
list *linkedlist.List[string]
|
||||
|
||||
capacity int
|
||||
lastIP string
|
||||
}
|
||||
|
||||
func NewIgnoredIPList(capacity int) *IgnoredIPList {
|
||||
return &IgnoredIPList{
|
||||
itemMap: map[string]*linkedlist.Item[string]{},
|
||||
list: linkedlist.NewList[string](),
|
||||
capacity: capacity,
|
||||
}
|
||||
}
|
||||
|
||||
func (this *IgnoredIPList) Add(ip string) {
|
||||
this.mu.Lock()
|
||||
defer this.mu.Unlock()
|
||||
|
||||
if this.lastIP == ip {
|
||||
return
|
||||
}
|
||||
this.lastIP = ip
|
||||
|
||||
item, ok := this.itemMap[ip]
|
||||
if !ok {
|
||||
if this.capacity > 0 && len(this.itemMap) == this.capacity {
|
||||
var firstItem = this.list.Shift()
|
||||
if firstItem != nil {
|
||||
delete(this.itemMap, firstItem.Value)
|
||||
}
|
||||
}
|
||||
|
||||
item = linkedlist.NewItem[string](ip)
|
||||
this.itemMap[ip] = item
|
||||
}
|
||||
this.list.Push(item)
|
||||
}
|
||||
|
||||
func (this *IgnoredIPList) Remove(ip string) {
|
||||
this.mu.Lock()
|
||||
defer this.mu.Unlock()
|
||||
|
||||
item, ok := this.itemMap[ip]
|
||||
if ok {
|
||||
delete(this.itemMap, ip)
|
||||
this.list.Remove(item)
|
||||
}
|
||||
}
|
||||
|
||||
func (this *IgnoredIPList) Contains(ip string) bool {
|
||||
this.mu.RLock()
|
||||
defer this.mu.RUnlock()
|
||||
_, ok := this.itemMap[ip]
|
||||
return ok
|
||||
}
|
||||
|
||||
func (this *IgnoredIPList) List(size int) (ipList []string) {
|
||||
if size <= 0 {
|
||||
return
|
||||
}
|
||||
|
||||
this.mu.RLock()
|
||||
defer this.mu.RUnlock()
|
||||
|
||||
this.list.RangeReverse(func(item *linkedlist.Item[string]) (goNext bool) {
|
||||
ipList = append(ipList, item.Value)
|
||||
size--
|
||||
return size > 0
|
||||
})
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (this *IgnoredIPList) Len() int {
|
||||
this.mu.RLock()
|
||||
defer this.mu.RUnlock()
|
||||
return len(this.itemMap)
|
||||
}
|
||||
@@ -1,71 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus
|
||||
|
||||
package netpackets_test
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils/netpackets"
|
||||
"github.com/iwind/TeaGo/assert"
|
||||
"github.com/iwind/TeaGo/rands"
|
||||
"runtime"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestIgnoredIPList_Add(t *testing.T) {
|
||||
var a = assert.NewAssertion(t)
|
||||
|
||||
var list = netpackets.NewIgnoredIPList(10)
|
||||
list.Add("192.168.2.1")
|
||||
list.Add("192.168.2.2")
|
||||
list.Add("192.168.2.3")
|
||||
|
||||
a.IsTrue(list.Contains("192.168.2.1"))
|
||||
a.IsFalse(list.Contains("192.168.2.0"))
|
||||
|
||||
t.Log(list.List(0))
|
||||
t.Log(list.List(2))
|
||||
t.Log(list.List(4))
|
||||
}
|
||||
|
||||
func TestIgnoredIPList_Add_Capacity(t *testing.T) {
|
||||
var list = netpackets.NewIgnoredIPList(4)
|
||||
list.Add("192.168.2.1")
|
||||
list.Add("192.168.2.2")
|
||||
list.Add("192.168.2.3")
|
||||
list.Add("192.168.2.4")
|
||||
list.Add("192.168.2.5")
|
||||
list.Add("192.168.2.6")
|
||||
list.Add("192.168.2.7")
|
||||
t.Log(list.List(10))
|
||||
t.Log(list.Len(), "items")
|
||||
}
|
||||
|
||||
func TestIgnoredIPList_Remove(t *testing.T) {
|
||||
var list = netpackets.NewIgnoredIPList(10)
|
||||
list.Add("192.168.2.1")
|
||||
list.Add("192.168.2.2")
|
||||
list.Add("192.168.2.3")
|
||||
list.Remove("192.168.2.2")
|
||||
t.Log(list.List(4))
|
||||
}
|
||||
|
||||
func BenchmarkIgnoredIPList_Add(b *testing.B) {
|
||||
runtime.GOMAXPROCS(1)
|
||||
|
||||
var genIPFunc = func() string {
|
||||
return fmt.Sprintf("%d.%d.%d.%d", rands.Int(0, 255), rands.Int(0, 255), rands.Int(0, 255), rands.Int(0, 255))
|
||||
}
|
||||
|
||||
var list = netpackets.NewIgnoredIPList(65535)
|
||||
b.RunParallel(func(pb *testing.PB) {
|
||||
for pb.Next() {
|
||||
list.Add(genIPFunc())
|
||||
list.Remove(genIPFunc())
|
||||
list.Contains(genIPFunc())
|
||||
if rands.Int(0, 100) == 0 {
|
||||
list.List(1000)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus && packet
|
||||
|
||||
package netpackets
|
||||
|
||||
import (
|
||||
"github.com/google/gopacket"
|
||||
"github.com/google/gopacket/layers"
|
||||
)
|
||||
|
||||
type LayerType = gopacket.LayerType
|
||||
|
||||
var (
|
||||
LayerTypeTCP = layers.LayerTypeTCP
|
||||
LayerTypeUDP = layers.LayerTypeUDP
|
||||
LayerTypeICMPv4 = layers.LayerTypeICMPv4
|
||||
LayerTypeICMPv6 = layers.LayerTypeICMPv6
|
||||
)
|
||||
@@ -1,293 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus && packet
|
||||
|
||||
package netpackets
|
||||
|
||||
import (
|
||||
"encoding/binary"
|
||||
"fmt"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/remotelogs"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils"
|
||||
"github.com/google/gopacket"
|
||||
"github.com/google/gopacket/layers"
|
||||
"github.com/google/gopacket/pcap"
|
||||
"sort"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
const defaultBPFFilter = "(tcp or udp or icmp) and not net 127.0.0.1"
|
||||
|
||||
type Listener struct {
|
||||
filters []FilterInterface
|
||||
incomingHandle *pcap.Handle
|
||||
bpfFilter string
|
||||
|
||||
decodeDstIP bool
|
||||
|
||||
isClosed bool
|
||||
|
||||
outgoingIPList *IgnoredIPList
|
||||
outgoingHandle *pcap.Handle
|
||||
|
||||
filterTicker *time.Ticker
|
||||
}
|
||||
|
||||
func NewListener() *Listener {
|
||||
return &Listener{
|
||||
isClosed: true,
|
||||
outgoingIPList: NewIgnoredIPList(65535),
|
||||
}
|
||||
}
|
||||
|
||||
func (this *Listener) Start() error {
|
||||
if !this.isClosed {
|
||||
return nil
|
||||
}
|
||||
|
||||
this.isClosed = false
|
||||
|
||||
go func() {
|
||||
startErr := this.loopOutgoing()
|
||||
if startErr != nil {
|
||||
remotelogs.Error("NET_PACKET", "start outgoing packet listener failed: "+startErr.Error())
|
||||
}
|
||||
}()
|
||||
|
||||
go func() {
|
||||
this.loopUpdateFilter()
|
||||
}()
|
||||
|
||||
for { // 无限 for 是为了防止意外退出
|
||||
err := this.loopIncoming()
|
||||
if err != nil {
|
||||
if this.isClosed {
|
||||
return nil
|
||||
}
|
||||
|
||||
return fmt.Errorf("start packet listener failed: %w", err)
|
||||
}
|
||||
|
||||
if this.isClosed {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (this *Listener) AddFilter(filter FilterInterface) {
|
||||
this.filters = append(this.filters, filter)
|
||||
}
|
||||
|
||||
func (this *Listener) SetBPF(bpfFilter string) {
|
||||
this.bpfFilter = bpfFilter
|
||||
}
|
||||
|
||||
func (this *Listener) DecodeDstIP() {
|
||||
this.decodeDstIP = true
|
||||
}
|
||||
|
||||
func (this *Listener) Stop() {
|
||||
this.isClosed = true
|
||||
this.incomingHandle.Close()
|
||||
this.outgoingHandle.Close()
|
||||
}
|
||||
|
||||
func (this *Listener) IsRunning() bool {
|
||||
return this.incomingHandle != nil && !this.isClosed
|
||||
}
|
||||
|
||||
func (this *Listener) loopIncoming() error {
|
||||
const device = "any"
|
||||
var err error
|
||||
this.incomingHandle, err = pcap.OpenLive(device, 128, false /** ignore collision domain **/, pcap.BlockForever)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
defer func() {
|
||||
this.incomingHandle.Close()
|
||||
}()
|
||||
|
||||
err = this.incomingHandle.SetDirection(pcap.DirectionIn)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if len(this.bpfFilter) > 0 {
|
||||
err = this.incomingHandle.SetBPFFilter(this.bpfFilter)
|
||||
} else {
|
||||
this.bpfFilter = defaultBPFFilter
|
||||
err = this.incomingHandle.SetBPFFilter(defaultBPFFilter)
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var meta = &PacketMeta{}
|
||||
|
||||
var packetSource = gopacket.NewPacketSource(this.incomingHandle, this.incomingHandle.LinkType())
|
||||
packetSource.NoCopy = true
|
||||
packetSource.Lazy = true
|
||||
|
||||
var filters = this.filters
|
||||
var countFilters = len(filters)
|
||||
|
||||
for packet := range packetSource.Packets() {
|
||||
var networkLayer = packet.NetworkLayer()
|
||||
if networkLayer == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
var networkFlow = networkLayer.NetworkFlow()
|
||||
|
||||
var src = networkFlow.Src()
|
||||
|
||||
meta.SrcIP = src.String()
|
||||
|
||||
// ignore outgoing ip
|
||||
if this.outgoingIPList.Contains(meta.SrcIP) {
|
||||
continue
|
||||
}
|
||||
|
||||
if this.decodeDstIP {
|
||||
meta.DstIP = networkFlow.Dst().String()
|
||||
}
|
||||
meta.Length = packet.Metadata().Length
|
||||
|
||||
var transportLayer = packet.TransportLayer()
|
||||
if transportLayer == nil {
|
||||
meta.SrcPort = 0
|
||||
meta.DstPort = 0
|
||||
|
||||
switch x := networkLayer.(type) {
|
||||
case *layers.IPv4:
|
||||
meta.LayerType = x.NextLayerType()
|
||||
case *layers.IPv6:
|
||||
meta.LayerType = x.NextLayerType()
|
||||
}
|
||||
|
||||
// call filters
|
||||
if countFilters == 1 {
|
||||
filters[0].FilterMeta(meta)
|
||||
} else {
|
||||
for _, filter := range filters {
|
||||
filter.FilterMeta(meta)
|
||||
}
|
||||
}
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
var transportFlow = transportLayer.TransportFlow()
|
||||
meta.SrcPort = int(binary.BigEndian.Uint16(transportFlow.Src().Raw()))
|
||||
meta.LayerType = transportLayer.LayerType()
|
||||
meta.DstPort = int(binary.BigEndian.Uint16(transportFlow.Dst().Raw()))
|
||||
|
||||
// call filters
|
||||
if countFilters == 1 {
|
||||
filters[0].FilterMeta(meta)
|
||||
} else {
|
||||
for _, filter := range filters {
|
||||
filter.FilterMeta(meta)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (this *Listener) loopOutgoing() error {
|
||||
const device = "any"
|
||||
var err error
|
||||
this.outgoingHandle, err = pcap.OpenLive(device, 128, true /** ignore collision domain **/, pcap.BlockForever)
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
defer func() {
|
||||
this.outgoingHandle.Close()
|
||||
}()
|
||||
|
||||
err = this.outgoingHandle.SetDirection(pcap.DirectionOut)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = this.outgoingHandle.SetBPFFilter("tcp and tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) = 0")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
var packetSource = gopacket.NewPacketSource(this.outgoingHandle, this.outgoingHandle.LinkType())
|
||||
packetSource.NoCopy = true
|
||||
packetSource.Lazy = true
|
||||
|
||||
for packet := range packetSource.Packets() {
|
||||
var networkLayer = packet.NetworkLayer()
|
||||
if networkLayer == nil {
|
||||
continue
|
||||
}
|
||||
|
||||
var networkFlow = networkLayer.NetworkFlow()
|
||||
var dstIP = networkFlow.Dst().String()
|
||||
this.outgoingIPList.Add(dstIP)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (this *Listener) loopUpdateFilter() {
|
||||
if this.filterTicker != nil {
|
||||
return
|
||||
}
|
||||
|
||||
this.filterTicker = time.NewTicker(1 * time.Second)
|
||||
var lastIPList []string
|
||||
for range this.filterTicker.C {
|
||||
if this.isClosed {
|
||||
continue
|
||||
}
|
||||
|
||||
var ipList = this.outgoingIPList.List(512) // 基于bfp长度的限制,这里数量不能太多
|
||||
sort.Strings(ipList)
|
||||
if this.equalStrings(lastIPList, ipList) {
|
||||
continue
|
||||
}
|
||||
|
||||
lastIPList = ipList
|
||||
|
||||
// apply
|
||||
var incomingHandle = this.incomingHandle
|
||||
if incomingHandle != nil {
|
||||
var rules = []string{}
|
||||
for _, ip := range ipList {
|
||||
rules = append(rules, "not src host "+ip)
|
||||
}
|
||||
var newBPFFilter = this.bpfFilter + " and " + strings.Join(rules, " and ")
|
||||
if utils.IsDebugEnv() {
|
||||
remotelogs.Debug("NET_PACKET", "set new BPF filter: "+newBPFFilter)
|
||||
}
|
||||
err := incomingHandle.SetBPFFilter(newBPFFilter)
|
||||
if err != nil {
|
||||
remotelogs.Error("NET_PACKET", "set new BPF filter failed: "+err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (this *Listener) equalStrings(s1 []string, s2 []string) bool {
|
||||
var l = len(s1)
|
||||
if len(s2) != l {
|
||||
return false
|
||||
}
|
||||
if l == 0 {
|
||||
return true
|
||||
}
|
||||
for i := 0; i < l; i++ {
|
||||
if s1[i] != s2[i] {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
@@ -1,105 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus && packet
|
||||
|
||||
package netpackets_test
|
||||
|
||||
import (
|
||||
"encoding/binary"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils/netpackets"
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils/testutils"
|
||||
"github.com/google/gopacket"
|
||||
"github.com/google/gopacket/layers"
|
||||
"github.com/iwind/TeaGo/types"
|
||||
"log"
|
||||
"os"
|
||||
"testing"
|
||||
"time"
|
||||
)
|
||||
|
||||
type testFilter struct {
|
||||
}
|
||||
|
||||
func (this *testFilter) FilterMeta(meta *netpackets.PacketMeta) {
|
||||
log.Println(meta.LayerType.String() + " " + meta.SrcIP + ":" + types.String(meta.SrcPort) + " => " + meta.DstIP + ":" + types.String(meta.DstPort) + " " + types.String(meta.Length) + "bytes")
|
||||
}
|
||||
|
||||
func TestListener_Start(t *testing.T) {
|
||||
if !testutils.IsSingleTesting() {
|
||||
if os.Getgid() > 0 {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
var listener = netpackets.NewListener()
|
||||
listener.AddFilter(&testFilter{})
|
||||
|
||||
go func() {
|
||||
time.Sleep(10 * time.Second)
|
||||
t.Log("stopping ...")
|
||||
listener.Stop()
|
||||
}()
|
||||
|
||||
t.Log("starting ...")
|
||||
err := listener.Start()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestListener_DecodePacket_UDP(t *testing.T) {
|
||||
var packetData = []byte{69, 0, 0, 134, 140, 133, 0, 0, 118, 17, 16, 79, 223, 5, 5, 5, 192, 168, 2, 224, 0, 53, 232, 163, 0, 114, 0, 0, 69, 42, 129, 128, 0, 1, 0, 3, 0, 0, 0, 0, 6, 115, 116, 97, 116, 105, 99, 7, 111, 115, 99, 104, 105, 110, 97, 3, 110, 101, 116, 0, 0, 1, 0, 1, 192, 12, 0, 5, 0, 1, 0, 0, 0, 1, 0, 25, 10, 115, 116, 97, 116, 105, 99, 45, 111, 115, 99, 2, 98, 48, 5, 97, 105, 99, 100, 110, 3, 99, 111, 109, 0, 192, 48, 0, 5, 0, 1, 0, 0, 0, 1, 0, 5, 2, 118, 109, 192, 62, 192, 85, 0, 1, 0, 1, 0, 0, 0, 1, 0, 4, 218, 28, 104, 157}
|
||||
|
||||
var packet = gopacket.NewPacket(packetData, layers.LayerTypeIPv4, gopacket.DecodeOptions{})
|
||||
var networkFlow = packet.NetworkLayer().NetworkFlow()
|
||||
|
||||
t.Log(networkFlow)
|
||||
|
||||
t.Log(packet.Metadata().Length)
|
||||
t.Log(packet.TransportLayer().TransportFlow())
|
||||
}
|
||||
|
||||
func TestListener_DecodePacket_TCP(t *testing.T) {
|
||||
var packetData = []byte{69, 8, 0, 64, 6, 51, 64, 0, 52, 6, 188, 222, 74, 91, 117, 187, 192, 168, 2, 224, 1, 187, 225, 226, 137, 198, 251, 25, 221, 137, 133, 93, 176, 16, 1, 245, 224, 6, 0, 0, 1, 1, 8, 10, 30, 187, 162, 175, 35, 215, 100, 174, 1, 1, 5, 10, 221, 137, 133, 68, 221, 137, 133, 93}
|
||||
|
||||
var packet = gopacket.NewPacket(packetData, layers.LayerTypeIPv4, gopacket.DecodeOptions{})
|
||||
var networkFlow = packet.NetworkLayer().NetworkFlow()
|
||||
t.Log(networkFlow.Src().Raw(), len(networkFlow.Src().Raw()))
|
||||
|
||||
t.Log(networkFlow)
|
||||
|
||||
t.Log(packet.Metadata().Length)
|
||||
t.Log(packet.TransportLayer().TransportFlow())
|
||||
}
|
||||
|
||||
func BenchmarkListener_DecodePacket(b *testing.B) {
|
||||
var packetData = []byte{69, 0, 0, 134, 140, 133, 0, 0, 118, 17, 16, 79, 223, 5, 5, 5, 192, 168, 2, 224, 0, 53, 232, 163, 0, 114, 0, 0, 69, 42, 129, 128, 0, 1, 0, 3, 0, 0, 0, 0, 6, 115, 116, 97, 116, 105, 99, 7, 111, 115, 99, 104, 105, 110, 97, 3, 110, 101, 116, 0, 0, 1, 0, 1, 192, 12, 0, 5, 0, 1, 0, 0, 0, 1, 0, 25, 10, 115, 116, 97, 116, 105, 99, 45, 111, 115, 99, 2, 98, 48, 5, 97, 105, 99, 100, 110, 3, 99, 111, 109, 0, 192, 48, 0, 5, 0, 1, 0, 0, 0, 1, 0, 5, 2, 118, 109, 192, 62, 192, 85, 0, 1, 0, 1, 0, 0, 0, 1, 0, 4, 218, 28, 104, 157}
|
||||
|
||||
var decodeOptions = gopacket.DecodeOptions{
|
||||
Lazy: true,
|
||||
NoCopy: true,
|
||||
//SkipDecodeRecovery: true,
|
||||
}
|
||||
|
||||
for i := 0; i < b.N; i++ {
|
||||
var packet = gopacket.NewPacket(packetData, layers.LayerTypeIPv4, decodeOptions)
|
||||
|
||||
var networkFlow = packet.NetworkLayer().NetworkFlow()
|
||||
var src = networkFlow.Src()
|
||||
var dest = networkFlow.Dst()
|
||||
|
||||
_ = netpackets.IsLocalRawIPv4(src.Raw())
|
||||
_ = netpackets.IsLocalRawIPv4(dest.Raw())
|
||||
|
||||
_ = src.String()
|
||||
_ = dest.String()
|
||||
|
||||
_ = packet.Metadata().Length
|
||||
|
||||
var transportFlow = packet.TransportLayer().TransportFlow()
|
||||
//_ = transportFlow.Src().String()
|
||||
//_ = transportFlow.Dst().String()
|
||||
|
||||
_ = int(binary.BigEndian.Uint16(transportFlow.Src().Raw()))
|
||||
_ = int(binary.BigEndian.Uint16(transportFlow.Dst().Raw()))
|
||||
}
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
//go:build plus && packet
|
||||
|
||||
package netpackets
|
||||
|
||||
type PacketMeta struct {
|
||||
LayerType LayerType
|
||||
SrcIP string
|
||||
SrcPort int
|
||||
DstIP string
|
||||
DstPort int
|
||||
Length int
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
|
||||
package netpackets
|
||||
|
||||
// IsLocalRawIPv4 使用原始IP数据判断是否为本地IPv4
|
||||
func IsLocalRawIPv4(ip []byte) bool {
|
||||
if len(ip) != 4 {
|
||||
return false
|
||||
}
|
||||
if ip[0] == 127 ||
|
||||
ip[0] == 10 ||
|
||||
(ip[0] == 172 && ip[1]&0xf0 == 16) ||
|
||||
(ip[0] == 192 && ip[1] == 168) {
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
@@ -1,21 +0,0 @@
|
||||
// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
|
||||
|
||||
package netpackets_test
|
||||
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeNode/internal/utils/netpackets"
|
||||
"github.com/iwind/TeaGo/assert"
|
||||
"net"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestIsLocalRawIPv4(t *testing.T) {
|
||||
var a = assert.NewAssertion(t)
|
||||
|
||||
a.IsTrue(netpackets.IsLocalRawIPv4(net.ParseIP("192.168.2.100").To4()))
|
||||
a.IsTrue(netpackets.IsLocalRawIPv4(net.ParseIP("127.0.0.1").To4()))
|
||||
a.IsTrue(netpackets.IsLocalRawIPv4(net.ParseIP("172.16.0.1").To4()))
|
||||
a.IsTrue(netpackets.IsLocalRawIPv4(net.ParseIP("10.0.0.1").To4()))
|
||||
|
||||
a.IsFalse(netpackets.IsLocalRawIPv4(net.ParseIP("1.2.3.4").To4()))
|
||||
}
|
||||
Reference in New Issue
Block a user