- This topic has 0 replies, 1 voice, and was last updated 17 years, 2 months ago by
.
Viewing 1 post (of 1 total)
-
Posts
-
hi,
can anybody help me to increase the speed of my function, because it is too slow…some packets will be queued from the driver…and therefore i have some managment problems
the function should decide if the packet will be passed or dany
int CPkgTunnel::isAllowed(INTERMEDIATE_BUFFER *Buffer, unsigned char AdapterNr) { // returns the rule id / is the packet allowed the function return -1
bool failed=0;
int ret=0;
ether_header* pEthHeader = (ether_header*)Buffer->m_IBuffer;
iphdr* pIpHeader = (iphdr*)&Buffer->m_IBuffer[sizeof(ether_header)]; ;
tcphdr* pTcpHeader = (tcphdr*)&Buffer->m_IBuffer[sizeof(ether_header)+sizeof(DWORD)*pIpHeader->ip_hl+4];;
if(pEthHeader->h_proto==htons(ETH_P_ARP))
return RULE_ARP_PACKET;
else if(pEthHeader->h_proto==htons(ETH_P_RARP))
return RULE_RARP_PACKET;
else if(pEthHeader->h_proto==htons(ETH_P_IP))
;
else
return RULE_NO_COMMON_PACKET;
// Generally Security Level
if(Spec_Adapter_Rule[AdapterNr].SecurityLevel == SECURITY_LEVEL_BLOCK_ALL) return RULE_BLOCK_ALL;
if(Spec_Adapter_Rule[AdapterNr].SecurityLevel == SECURITY_LEVEL_ALLOW_ALL) return RULE_ALLOW_ALL;
if(Spec_Adapter_Rule[AdapterNr].SecurityLevel == SECURITY_LEVEL_ONLY_LOKAL) {
if(isLocalIp((S_un_b*)&pIpHeader->ip_src.S_un.S_un_b) && isLocalIp((S_un_b*)&pIpHeader->ip_dst.S_un.S_un_b) )
return RULE_ONLY_LOKAL;
else
return -1*RULE_ONLY_LOKAL;
}
// ICMP Security Rules
if(pIpHeader->ip_p==IPPROTO_ICMP) {
if(!(ret=isICMPAllow(Buffer, AdapterNr)))
return -1*ret;
else
return ret;
}
// User defined Security Rules
for(unsigned int i=0; i
// allways continue if there is any rule which doesn`t agree
// Enabled ?
if(!SecurityRules.status) continue;
// right Adapter ?
if(SecurityRules.interface_index != ANY_INTERFACE) // any
if(SecurityRules.interface_index!=AdapterNr) continue;
// right Direction?
if(SecurityRules.direction != ANY_DIRECTION) // any
if(Buffer->m_dwDeviceFlags!=SecurityRules.direction) continue;
// right Protocol?
if(SecurityRules.protocol != ANY_PROTOCOL) // any
if(SecurityRules.protocol!=pIpHeader->ip_p) continue;
// right ip?
failed=0;
if(SecurityRules.direction != ANY_DIRECTION) {
if(SecurityRules.src_ip_addr != ANY_IP)
if(!memcmp(SecurityRules.src_ip_addr,&pIpHeader->ip_src.S_un.S_un_b,sizeof(S_un_b))) continue;
if(SecurityRules.dest_ip_addr!=ANY_IP)
if(!memcmp(SecurityRules.dest_ip_addr,&pIpHeader->ip_dst.S_un.S_un_b,sizeof(S_un_b))) continue;
} else { // check both direction
if(SecurityRules.src_ip_addr != ANY_IP)
if(!memcmp(SecurityRules.src_ip_addr,&pIpHeader->ip_src.S_un.S_un_b,sizeof(S_un_b))) failed=1;
if(SecurityRules.dest_ip_addr!=ANY_IP)
if(!memcmp(SecurityRules.dest_ip_addr,&pIpHeader->ip_dst.S_un.S_un_b,sizeof(S_un_b))) failed=1;
if(failed) {
failed=0;
if(SecurityRules.src_ip_addr != ANY_IP)
if(!memcmp(SecurityRules.src_ip_addr,&pIpHeader->ip_dst.S_un.S_un_b,sizeof(S_un_b))) failed=1;
if(SecurityRules.dest_ip_addr!=ANY_IP)
if(!memcmp(SecurityRules.dest_ip_addr,&pIpHeader->ip_src.S_un.S_un_b,sizeof(S_un_b))) failed=1;
if(failed) continue;
}
}
//right Ports?
failed=0;
if(SecurityRules.direction != ANY_DIRECTION) {
if(SecurityRules.src_port_from != ANY_PORT)
if(SecurityRules.src_port_from > ntohs(pTcpHeader->th_sport) ||
SecurityRules.src_port_to < ntohs(pTcpHeader->th_sport)) continue;
if(SecurityRules.dest_port_from != ANY_PORT)
if(SecurityRules.dest_port_from > ntohs(pTcpHeader->th_dport) ||
SecurityRules.dest_port_to < ntohs(pTcpHeader->th_dport)) continue;
} else { // check both directions
if(SecurityRules.src_port_from != ANY_PORT)
if(SecurityRules.src_port_from > ntohs(pTcpHeader->th_sport) ||
SecurityRules.src_port_to < ntohs(pTcpHeader->th_sport)) failed=1;
if(SecurityRules.dest_port_from != ANY_PORT)
if(SecurityRules.dest_port_from > ntohs(pTcpHeader->th_dport) ||
SecurityRules.dest_port_to < ntohs(pTcpHeader->th_dport)) failed=1;
if(failed) {
failed=0;
if(SecurityRules.src_port_from != ANY_PORT)
if(SecurityRules.src_port_from > ntohs(pTcpHeader->th_dport) ||
SecurityRules.src_port_to < ntohs(pTcpHeader->th_dport)) failed=1;
if(SecurityRules.dest_port_from != ANY_PORT)
if(SecurityRules.dest_port_from > ntohs(pTcpHeader->th_sport) ||
SecurityRules.dest_port_to < ntohs(pTcpHeader->th_sport)) failed=1;
if(failed) continue;
}
}
unsigned short localPort = Buffer->m_dwDeviceFlags==RULE_INCOMING ? ntohs(pTcpHeader->th_dport) : ntohs(pTcpHeader->th_sport);
if(strcmp(SecurityRules.hash,ANY_HASH) != 0)
if(!TDI->isAssociatedProcessCertificated((_PROTOCOL)pIpHeader->ip_p,(unsigned int)localPort))
continue;
// allow or dany
if(!SecurityRules.ruleType)
return -1*(SecurityRules.id); // forbidden
else
return SecurityRules.id; // allow
}
if(Spec_Adapter_Rule[AdapterNr].SecurityLevel == SECURITY_LEVEL_GENERALY_BLOCK)
return RULE_GENERALY_BLOCK;
return ret;
}
is it possible to compare the rule and the packet with creating an hash and compare this?? would it be faster?
how would you do it??
THANKS
ulli
Viewing 1 post (of 1 total)
- You must be logged in to reply to this topic.