This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch avx-45480
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit d4b5faebacf518c6a221a0c0fe4de1f53a69efde
Author: Susan Hinrichs <shinri...@aviatrix.com>
AuthorDate: Tue Jul 9 22:51:56 2024 +0000

    AVX-45480: update plugin to support non-http/non-tls traffic
---
 aviatrix/10_0_0.0001/configs/records.yaml          |  2 +-
 .../plugins/avx_policy_driver/policy_driver.cc     | 64 ++++++++++++++++++++--
 2 files changed, 61 insertions(+), 5 deletions(-)

diff --git a/aviatrix/10_0_0.0001/configs/records.yaml 
b/aviatrix/10_0_0.0001/configs/records.yaml
index 9bb22a8a5f..4283faa171 100644
--- a/aviatrix/10_0_0.0001/configs/records.yaml
+++ b/aviatrix/10_0_0.0001/configs/records.yaml
@@ -126,7 +126,7 @@ ts:
 # Specify server addresses and ports to bind for HTTP and HTTPS. Docs:
 #    
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.yaml.en.html#proxy.config.http.server_ports
 ##############################################################################
-    server_ports: 8443:ssl:tr-full:allow-plain
+    server_ports: 8443:ssl:tr-full:allow-plain:tr-pass
 
     server_session_sharing:
       match: none
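Review bot: Adding `tr-pass` to a port that already carries `allow-plain` means client bytes that are neither TLS nor parseable HTTP are, if I read the option correctly, blind-tunneled to the origin instead of being rejected, so the plugin's tunnel-start hook becomes the only policy point for that traffic. The comment block above still describes the port as serving HTTP and HTTPS only, and nothing here records that the setting is safe only while the policy plugin is loaded. Add a line next to the setting such as `# tr-pass: non-TLS/non-HTTP bytes are tunneled; policy for them is enforced only by avx_policy_driver's tunnel-start hook` so the dependency is visible to whoever next edits this file.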
diff --git a/aviatrix/plugins/avx_policy_driver/policy_driver.cc 
b/aviatrix/plugins/avx_policy_driver/policy_driver.cc
index dbf878cefb..0acabbfa7e 100644
--- a/aviatrix/plugins/avx_policy_driver/policy_driver.cc
+++ b/aviatrix/plugins/avx_policy_driver/policy_driver.cc
@@ -148,8 +148,8 @@ policy_sni(TSCont cont, TSEvent event, void *edata)
   case POLICY_DROP:
   default:
     Dbg(dbg_ctl, "Filter drop");
-    // int ssl_fd = TSVConnFdGet(ssl_vc);
-    //  close(ssl_fd);
+    int ssl_fd = TSVConnFdGet(ssl_vc);
+    close(ssl_fd);
     //  One might think that the TSVConnClose would be more appropriate
     //  than just closing the file descriptor.  But calling TSVConnClose
     //  with or without the reenable just causes a core dump.  Presume it is a 
problem
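Review bot: `close(ssl_fd)` on the new line is issued without checking that TSVConnFdGet returned a usable descriptor, and it closes a socket the NetVConnection still believes it owns; once the kernel hands that fd number to a newly accepted connection, any later read, write or close the VConn performs on its stored fd lands on a different client's connection. At minimum guard the call, `if (ssl_fd >= 0) { close(ssl_fd); }`, and state the hazard next to the existing explanation: `// Raw close: TSVConnClose crashes here (see below); the VConn keeps the stale fd number, so this races fd reuse by later accepts`. policy_sni continues outside the hunk, so I cannot see whether the drop path still reenables the VConn afterwards, which would compound the problem.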
@@ -202,6 +202,60 @@ transaction_start(TSCont cont, TSEvent event, void *edata)
   return TS_SUCCESS;
 }
 
+static int
+tunnel_start(TSCont cont, TSEvent event, void *edata)
+{
+  TSHttpTxn txnp = reinterpret_cast<TSHttpTxn>(edata);
+  // Need to determine and skip if we entered this tunnel as the result of the 
first pass of policy evaluation
+  TSTxnType retval = TSHttpTxnTypeGet(txnp);
+  Dbg(dbg_ctl, "Tunnel Start event=%d type=%d", event, retval);
+  if (retval != TS_TXN_TYPE_TR_PASS_TUNNEL) {
+    Dbg(dbg_ctl, "No more policy for this tunnel");
+    TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
+    return TS_SUCCESS;
+  }
+  Dbg(dbg_ctl, "TR PASS Tunnel");
+
+  // Is a policy loaded?
+  if (!IsPolicyLoaded()) {
+    // Big error if not
+    TSError("[%s] Policy not loaded at tunnel start", PLUGIN_NAME);
+    TSHttpTxnReenable(txnp, TS_EVENT_HTTP_ERROR);
+    return TS_ERROR;
+  }
+
+  // Is there more policy to interpret
+  uint64_t policy_offset = get_l7_policy_offset(txnp);
+  Dbg(dbg_ctl, "Tunnel Policy Offset=0x%" PRIX64, policy_offset);
+  auto result = EvaluatePolicyTxn(txnp, &policy_offset);
+  switch (result) {
+  case POLICY_PERMIT:
+    Dbg(dbg_ctl, "No IDS policy, permit the tunnel and move on");
+    TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
+    break;
+  case POLICY_IDS:
+    Dbg(dbg_ctl, "Tunnel IDS policy, continue");
+    TSUserArgSet(txnp, IDSPolicyTxnIndex, reinterpret_cast<void 
*>(static_cast<intptr_t>(1)));
+    // Continue processing
+    TSHttpTxnReenable(txnp, TS_EVENT_HTTP_CONTINUE);
+    break;
+  case POLICY_DROP:
+  default:
+    Dbg(dbg_ctl, "tunnel drop");
+    int fd = -1;
+    TSHttpTxnClientFdGet(txnp, &fd);
+    close(fd);
+    // TODO, I assume continuing with ERROR will cause the transaction to fail
+    // This will end up returning a 50x status code, we could replace this 
with a 401
+    // unauthorized or something configurable to the customer's pleasing.  We 
would need to
+    // set a hook on the send client response to adjust the status code and 
message.
+    TSHttpTxnReenable(txnp, TS_EVENT_HTTP_ERROR);
+    return TS_ERROR;
+    break;
+  }
+  return TS_SUCCESS;
+}
+
 static int
 connection_start(TSCont cont, TSEvent event, void *edata)
 {
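Review bot: In the POLICY_DROP branch of tunnel_start the return of TSHttpTxnClientFdGet is ignored, so on failure `fd` stays -1 and `close(-1)` merely sets EBADF, while on success the raw close detaches the socket from a transaction that is immediately reenabled with TS_EVENT_HTTP_ERROR and will still try to write an error response on a descriptor number that may already belong to another connection. Guard the close, `if (TSHttpTxnClientFdGet(txnp, &fd) == TS_SUCCESS && fd >= 0) { close(fd); }`, and keep either the raw close or the ERROR reenable so the transaction is torn down by exactly one mechanism. The early `retval != TS_TXN_TYPE_TR_PASS_TUNNEL` branch permits every other tunnel type without consulting policy on the assumption that it was already evaluated in an earlier hook; that assumption is not visible here and deserves a comment naming which hooks cover those types, since any tunnel type that bypasses them would be a policy bypass. The `break;` after `return TS_ERROR;` is unreachable and can be dropped.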
@@ -264,11 +318,13 @@ TSPluginInit(int argc, const char *argv[])
     if (stats_timeout <= 0) {
       stats_timeout = 60;
     }
-    TSCont start_contp     = TSContCreate(connection_start, NULL);
-    TSCont start_txn_contp = TSContCreate(transaction_start, NULL);
+    TSCont start_contp        = TSContCreate(connection_start, NULL);
+    TSCont start_txn_contp    = TSContCreate(transaction_start, NULL);
+    TSCont start_tunnel_contp = TSContCreate(tunnel_start, NULL);
     // Trigger on connection start, apply hooks on txn start as necssary
     TSHttpHookAdd(TS_VCONN_START_HOOK, start_contp);
     TSHttpHookAdd(TS_HTTP_READ_REQUEST_HDR_HOOK, start_txn_contp);
+    TSHttpHookAdd(TS_HTTP_TUNNEL_START_HOOK, start_tunnel_contp);
     // Set up next hook
     TSCont cb_sni = TSContCreate(policy_sni, nullptr);
     TSHttpHookAdd(TS_SSL_CERT_HOOK, cb_sni);
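Review bot: The new continuation is created with `NULL` while `cb_sni` a few lines later uses `nullptr`; the file is C++ (tunnel_start uses `reinterpret_cast`), so write `TSCont start_tunnel_contp = TSContCreate(tunnel_start, nullptr);` and bring the two neighbouring lines in line with it rather than extending the mix. None of the TSContCreate results are checked before being passed to TSHttpHookAdd, which is pre-existing style but worth noting while the block is being touched. TSPluginInit begins outside the hunk.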
