Vk 2052 add ja5 filter

Makefile

@@ -1,7 +1,7 @@
 #		Tempesta FW
 #
 # Copyright (C) 2014 NatSys Lab. (info@natsys-lab.com).
-# Copyright (C) 2015-2022 Tempesta Technologies, Inc.
+# Copyright (C) 2015-2024 Tempesta Technologies, Inc.
 #
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -158,7 +158,7 @@ ifdef ERROR
 endif
 ifndef AVX2
 	$(warning !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)
-	$(warning WARNING: YOUR PLATFORM IS TOO OLD AND IS NOT UNSUPPORTED)
+	$(warning WARNING: YOUR PLATFORM IS TOO OLD AND IS NOT SUPPORTED)
 	$(warning WARNING: THIS AFFECT PERFORMANCE AND MIGHT AFFECT SECURITY)
 	$(warning WARNING: PLEASE DO NOT USE THE BUILD IN PRODUCTION)
 	$(warning !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)

etc/tempesta_fw.conf

@@ -1421,3 +1421,77 @@
 # Example:
 #   access_log dmesg mmap mmap_host=localhost mmap_log=access.log;
 #
+
+# TAG: ja5t
+#
+# Specifies TLS filtering behaviour: which Ja5t hashes and how to filter.
+#
+# Syntax:
+#   ja5t storage_size=<STORAGE_SIZE> {
+#       hash <HASH_STRING> <CONNECTIONS_PER_SEC> <TLS_RECORDS_PER_SECOND>;
+#       ...
+#       hash <HASH_STRING> <CONNECTIONS_PER_SEC> <TLS_RECORDS_PER_SECOND>;
+#   }
+#
+#
+# STORAGE_SIZE is the size of the storage holding ja5t hashes to be monitored
+# by filtering code. Hashes are evicted by LRU algorithm. The value must be multiple
+# of 2^21. Defalut: 25 * 2^21
+#
+# HASH_STRING is a string value of a ja5t hash calculated from the Client Hello.
+# You can find these values in the access log or in ClickHouse-based 
+# analytics.
+#
+# CONNECTIONS_PER_SEC is a number of allowed connections per second for
+# clients identified by HASH_STRING.
+#
+# TLS_RECORDS_PER_SECOND is a number of allowed TLS records per second for
+# clients identified by HASH_STRING.
+#
+# Examples:
+#   ja5t storage_size=2097152 {
+#       hash deadbeef12345678 10 1000;
+#       ...
+#       hash 1234abcdeeaabbcc 0 0;
+#   }
+#
+# Default:
+#   No TLS filtering applied.
+#
+
+# TAG: ja5h
+#
+# Specifies HTTP filtering behaviour: which Ja5h hashes and how to filter.
+#
+# Syntax:
+#   ja5h storage_size=<STORAGE_SIZE> {
+#       hash <HASH_STRING> <CONNECTIONS_PER_SEC> <HTTP_REQUESTS_PER_SECOND>;
+#       ...
+#       hash <HASH_STRING> <CONNECTIONS_PER_SEC> <HTTP_REQUESTS_PER_SECOND>;
+#   }
+#
+#
+# STORAGE_SIZE is the size of the storage holding ja5h hashes to be monitored
+# by filtering code. Hashes are evicted by LRU algorithm. The value MUST be multiple
+# of 2^21. Defalut: 25 * 2^21
+#
+# HASH_STRING is a string value of a ja5h hash calculated from the HTTP request.
+# You can find these values in the access log or in ClickHouse-based 
+# analytics.
+#
+# CONNECTIONS_PER_SEC is a number of allowed connections per second for
+# clients identified by HASH_STRING.
+#
+# HTTP_REQUESTS_PER_SECOND is a number of allowed HTTP requests per second for
+# the clients identified by HASH_STRING.
+#
+# Examples:
+#   ja5h storage_size=2097152 {
+#       hash deadbeef12345678 10 1000;
+#       ...
+#       hash 1234abcdeeaabbcc 0 0;
+#   }
+#
+# Default:
+#   No HTTP filtering applied.
+#

fw/cfg.c

@@ -1393,6 +1393,16 @@ tfw_cfg_parse_long(const char *s, long *out_long)
 	return kstrtol(s, base, out_long);
 }
 
+int
+tfw_cfg_parse_ulonglong(const char *s, unsigned long long *out_ull)
+{
+	int base = detect_base(&s);
+
+	if (!base)
+		return -EINVAL;
+	return kstrtoull(s, base, out_ull);
+}
+
 int
 tfw_cfg_parse_uint(const char *s, unsigned int *out_uint)
 {

fw/cfg.h

@@ -188,32 +188,77 @@ typedef struct {
 	     (k) = (idx < (e)->attr_n ? (e)->attrs[(idx)].key : NULL), \
 	     (v) = (idx < (e)->attr_n ? (e)->attrs[(idx)].val : NULL))
 
-#define TFW_CFG_ENTRY_FOR_EACH_VAL(e, idx, v)	\
-	for ((idx) = 0, (v) = (e)->vals[0];	\
-	     (idx) < (e)->val_n;		\
-	     (idx)++,				\
+#define TFW_CFG_ENTRY_FOR_EACH_VAL(e, idx, v)			\
+	for ((idx) = 0, (v) = (e)->vals[0];			\
+	     (idx) < (e)->val_n;				\
+	     (idx)++,						\
 	     (v) = (idx < (e)->val_n ? (e)->vals[(idx)] : NULL))
 
-#define TFW_CFG_CHECK_NO_ATTRS(spec, entry)				\
-	if ((entry)->attr_n) {						\
-		T_ERR_NL("%s: Arguments may not have the '=' sign\n",	\
-			 (spec)->name);					\
-		return -EINVAL;						\
-	}
-
-#define TFW_CFG_CHECK_VAL_N(op, req, spec, entry)			\
-	if (! ((entry)->val_n op (req)) ) {				\
-		T_ERR_NL("%s: Invalid number of arguments: %zu, must "	\
-			 "be %s %d\n", (spec)->name, (entry)->val_n,	\
-			 #op, (req));					\
-		return -EINVAL;						\
-	}
-
-#define TFW_CFG_CHECK_VAL_DUP(name, val_was_set, code)		        \
-	if (val_was_set) {						\
-		T_ERR_NL("Duplicate argument: '%s'\n", name);		\
-		code;							\
-	}								\
+#define TFW_CFG_CHECK_NO_ATTRS(spec, entry)			\
+	do {							\
+		if ((entry)->attr_n) {				\
+			T_ERR_NL("%s: Arguments may not have "	\
+				"the '=' sign\n", (spec)->name);\
+			return -EINVAL;				\
+		}						\
+	} while (0)
+
+#define TFW_CFG_CHECK_ATTR_N(op, req, spec, entry)		\
+do {								\
+	if (!((entry)->attr_n op (req))) {			\
+		T_ERR_NL("%s: Invalid number of attributes: "	\
+			"%zu, must be %s %d\n",			\
+			(spec)->name, (entry)->attr_n,		\
+			#op, (req));				\
+		return -EINVAL;					\
+	}							\
+} while (0)
+
+#define TFW_CFG_CHECK_ATTR_EQ_N(req, spec, entry)		\
+do {								\
+	if (!((entry)->attr_n == (req))) {			\
+		T_ERR_NL("%s: Invalid number of attributes: "	\
+			"%zu, must be queal %d\n",		\
+			(spec)->name, (entry)->attr_n, (req));	\
+		return -EINVAL;					\
+	}							\
+} while (0)
+
+#define TFW_CFG_CHECK_ATTR_LE_N(req, spec, entry)		\
+do {								\
+	if (!((entry)->attr_n <= (req))) {			\
+		T_ERR_NL("%s: Invalid number of attributes: "	\
+		"%zu, must be less or equal %d\n",		\
+		(spec)->name, (entry)->attr_n, (req));		\
+		return -EINVAL;					\
+	}							\
+} while (0)
+
+#define TFW_CFG_CHECK_VAL_N(op, req, spec, entry)		\
+do {								\
+	if (!((entry)->val_n op (req))) {			\
+		T_ERR_NL("%s: Invalid number of arguments: "	\
+		"%zu, must be %s %d\n",				\
+		(spec)->name, (entry)->val_n, #op, (req));	\
+		return -EINVAL;					\
+	}							\
+} while (0)
+
+#define TFW_CFG_CHECK_VAL_EQ_N(req, spec, entry)		\
+do {								\
+	if (!((entry)->val_n == (req))) {			\
+		T_ERR_NL("%s: Invalid number of arguments: "	\
+		"%zu, must be equal %d\n",			\
+		(spec)->name, (entry)->val_n, (req));		\
+		return -EINVAL;					\
+	}							\
+} while (0)
+
+#define TFW_CFG_CHECK_VAL_DUP(name, val_was_set, code)		\
+	if (val_was_set) {					\
+		T_ERR_NL("Duplicate argument: '%s'\n", name);	\
+		code;						\
+	}							\
 	val_was_set = true;
 
 /**
@@ -451,6 +496,7 @@ int tfw_cfg_check_val_n(const TfwCfgEntry *e, int val_n);
 int tfw_cfg_check_single_val(const TfwCfgEntry *e);
 int tfw_cfg_parse_int(const char *s, int *out_int);
 int tfw_cfg_parse_long(const char *s, long *out_long);
+int tfw_cfg_parse_ulonglong(const char *s, unsigned long long *out_ull);
 int tfw_cfg_parse_uint(const char *s, unsigned int *out_uint);
 int tfw_cfg_parse_bool(const char *in_str, bool *out_bool);
 int tfw_cfg_parse_intvl(const char *s, unsigned long *i0, unsigned long *i1);