Example #1
 /// <summary>
 /// Creates the per-gate state: empty rule, group and variable-definition registries
 /// plus the concurrent, string-keyed map of per-site state.
 /// </summary>
 /// <param name="gate">The gate that owns this state; stored as-is, no null check is made here.</param>
 internal State(NetGate gate)
 {
   // Sizing hints only: the concurrency level scales with the core count and
   // 1024 is just the initial capacity. Neither value caps how many entries
   // the map may hold.
   int concurrencyLevel = System.Environment.ProcessorCount * 8;
   const int INITIAL_CAPACITY = 1024;

   Gate = gate;

   Rules = new OrderedRegistry<Rule>();
   Groups = new OrderedRegistry<Group>();
   VarDefs = new Registry<VarDef>();

   NetState = new ConcurrentDictionary<string, NetSiteState>(concurrencyLevel, INITIAL_CAPACITY);
 }
Example #2
        /// <summary>
        /// Exercises the "newSession" variable under parallel load: the variable is raised for
        /// CNT distinct source addresses from many threads, each address is expected to be denied
        /// by the rule named "Session Flood", and after a fixed wait all per-address state is
        /// expected to be gone and the first flooding address allowed again.
        /// </summary>
        /// <remarks>
        /// The threshold and decay rate come from CONFIG_SESSION, which is not shown here.
        /// The test depends on wall-clock timing (see the notes on the count assertions).
        /// </remarks>
        public void Variables_SessionFlood_Parallel_Create_Decay()
        {
            using(var gate = new NetGate(null))
              {
              gate.Configure( CONFIG_SESSION.AsLaconicConfig() );
              gate.Start();

              Rule rule;

              // Baseline: an address with no recorded activity is allowed and no rule is reported.
              Assert.AreEqual(GateAction.Allow, gate.CheckTraffic( new GeneralTraffic{FromAddress="170.12.14.12"}, out rule) );
              Assert.IsNull(rule);

              // Raise the session counter for one address by 8 in a single call.
              gate.IncreaseVariable(TrafficDirection.Incoming, "5.5.5.5", "newSession", 8);

              // That address alone is now denied, and the matching rule is reported to the caller.
              Assert.AreEqual(GateAction.Deny, gate.CheckTraffic( new GeneralTraffic{FromAddress="5.5.5.5"}, out rule) );
              Assert.IsNotNull(rule);
              Assert.AreEqual("Session Flood", rule.Name);

              const int CNT = 10000;
              // Same scenario from many threads, one distinct key per iteration. The keys
              // ("addr-0", "addr-1", ...) are not IP addresses, so the gate is being used with
              // arbitrary strings as address keys here. A failed assertion inside the loop body
              // reaches the test runner wrapped in an AggregateException.
              System.Threading.Tasks.Parallel.For(0, CNT,
                 (i)=>
                 {
                      var address = "addr-{0}".Args(i);
                      gate.IncreaseVariable(TrafficDirection.Incoming, address, "newSession", 8);

                      Rule lr;
                      Assert.AreEqual(GateAction.Deny, gate.CheckTraffic( new GeneralTraffic{FromAddress=address}, out lr) );
                      Assert.IsNotNull(lr);
                      Assert.AreEqual("Session Flood", lr.Name);
                      // Short random pause to vary thread interleaving - presumably 1..5 ms; confirm against the generator.
                      System.Threading.Thread.Sleep(ExternalRandomGenerator.Instance.NextScaledRandomInteger(1,5));
                 });

              // CNT loop keys plus "5.5.5.5". The expected value implies the earlier check of
              // "170.12.14.12" has left no entry by this point.
              // NOTE(review): this assumes no entry decays before the loop finishes, and it shows
              // the map holding one entry per distinct key with no cap visible here - confirm
              // whether the gate bounds this map.
              Assert.AreEqual(CNT+1,  gate[TrafficDirection.Incoming].NetState.Count);
              // Wait for decay; 12 s is presumably chosen to exceed the configured decay time - confirm against CONFIG_SESSION.
              System.Threading.Thread.Sleep(12000);
              // All per-address entries are expected to have been removed.
              Assert.AreEqual( 0, gate[TrafficDirection.Incoming].NetState.Count);

              // The address that was denied at the start is allowed again.
              Assert.AreEqual(GateAction.Allow, gate.CheckTraffic( new GeneralTraffic{FromAddress="5.5.5.5"}, out rule) );
              Assert.IsNull(rule);
              }
        }
Example #3
        /// <summary>
        /// Checks that raising "newSession" for one address gets only that address denied by the
        /// rule named "Session Flood", and that it is allowed again after a five-second wait.
        /// Other addresses must stay allowed throughout. Threshold and decay rate come from
        /// CONFIG_SESSION, which is not shown here.
        /// </summary>
        public void Variables_SessionFlood_2()
        {
            const string FLOOD_ADDR   = "5.5.5.5";
            const string OTHER_ADDR_1 = "170.12.14.12";
            const string OTHER_ADDR_2 = "170.1.99.144";

            using (var gate = new NetGate(null))
            {
                gate.Configure(CONFIG_SESSION.AsLaconicConfig());
                gate.Start();

                Rule matched;
                GateAction verdict;

                // Baseline before any variable has been touched.
                verdict = gate.CheckTraffic(new GeneralTraffic { FromAddress = OTHER_ADDR_1 }, out matched);
                Assert.AreEqual(GateAction.Allow, verdict);
                Assert.IsNull(matched);

                gate.IncreaseVariable(TrafficDirection.Incoming, FLOOD_ADDR, "newSession", 5);

                // The counter is tracked per address: unrelated sources are unaffected.
                verdict = gate.CheckTraffic(new GeneralTraffic { FromAddress = OTHER_ADDR_1 }, out matched);
                Assert.AreEqual(GateAction.Allow, verdict);
                Assert.IsNull(matched);

                verdict = gate.CheckTraffic(new GeneralTraffic { FromAddress = OTHER_ADDR_2 }, out matched);
                Assert.AreEqual(GateAction.Allow, verdict);
                Assert.IsNull(matched);

                // The flooding source is denied and the responsible rule is reported.
                verdict = gate.CheckTraffic(new GeneralTraffic { FromAddress = FLOOD_ADDR }, out matched);
                Assert.AreEqual(GateAction.Deny, verdict);
                Assert.IsNotNull(matched);
                Assert.AreEqual("Session Flood", matched.Name);

                // Give the variable time to decay (wall-clock dependent).
                System.Threading.Thread.Sleep(5000);

                verdict = gate.CheckTraffic(new GeneralTraffic { FromAddress = FLOOD_ADDR }, out matched);
                Assert.AreEqual(GateAction.Allow, verdict);
                Assert.IsNull(matched);

                verdict = gate.CheckTraffic(new GeneralTraffic { FromAddress = OTHER_ADDR_2 }, out matched);
                Assert.AreEqual(GateAction.Allow, verdict);
                Assert.IsNull(matched);
            }
        }
Example #4
        /// <summary>
        /// Single-threaded throughput smoke test: performs CNT traffic checks for one address
        /// that the "Workgroups" rule allows and prints the elapsed time and rate. There is no
        /// pass/fail threshold on speed; only the per-call verdict is asserted.
        /// </summary>
        public void SpeedSingleThread()
        {
            const int CNT = 2000000;

            using (var gate = new NetGate(null))
            {
                gate.Configure(CONFIG_DEFAULT_DENY.AsLaconicConfig());
                gate.Start();

                var timer = System.Diagnostics.Stopwatch.StartNew();

                // A fresh traffic object per call, so allocation and the three
                // assertions are part of what is being timed.
                for (var pass = 0; pass < CNT; pass++)
                {
                    Rule matched;
                    var verdict = gate.CheckTraffic(new GeneralTraffic { FromAddress = "45.2.2.75" }, out matched);

                    Assert.AreEqual(GateAction.Allow, verdict);
                    Assert.IsNotNull(matched);
                    Assert.AreEqual("Workgroups", matched.Name);
                }

                var elapsed = timer.ElapsedMilliseconds;
                double seconds = (double)elapsed / 1000;
                double opsPerSecond = CNT / seconds;

                Console.WriteLine("{0} in {1}ms at {2} ops/sec".Args(CNT, elapsed, opsPerSecond));
            }
        }
Example #5
        /// <summary>
        /// Verifies the default-deny policy loaded from CONFIG_DEFAULT_DENY (not shown here).
        /// Addresses covered by an allow rule are allowed and the rule is reported by name.
        /// Every other address is denied with no rule reported. Several cases sit next to
        /// each other (14.2.1.18 vs 14.2.2.18, 3.118.2.14 vs 3.118.2.15), so an allow rule that
        /// matches more broadly than intended would fail here.
        /// </summary>
        public void DefaultDeny()
        {
            // { source address, expected rule name }; a null name means "denied, no rule reported".
            var expectations = new string[][]
            {
                new string[] { "170.12.14.12", "AdminAccess" },
                new string[] { "170.12.14.13", "AdminAccess" },
                new string[] { "14.2.1.12",    "Workgroups"  },
                new string[] { "14.2.1.46",    "Workgroups"  },
                new string[] { "14.2.1.18",    "Workgroups"  },
                new string[] { "14.2.2.18",    null          },
                new string[] { "3.118.2.12",   "Workgroups"  },
                new string[] { "3.118.2.13",   "Workgroups"  },
                new string[] { "3.118.2.14",   "Workgroups"  },
                new string[] { "3.118.2.15",   null          },
                new string[] { "77.123.1.14",  "Workgroups"  },
                new string[] { "45.2.2.12",    "Workgroups"  },
                new string[] { "45.2.2.75",    "Workgroups"  },
            };

            using (var gate = new NetGate(null))
            {
                gate.Configure(CONFIG_DEFAULT_DENY.AsLaconicConfig());
                gate.Start();

                // The overload without the out parameter: only the verdict is checked.
                Assert.AreEqual(GateAction.Deny, gate.CheckTraffic(new GeneralTraffic { FromAddress = "123.0.0.1" }));

                foreach (var expectation in expectations)
                {
                    var address = expectation[0];
                    var expectedRule = expectation[1];

                    Rule rule;
                    var verdict = gate.CheckTraffic(new GeneralTraffic { FromAddress = address }, out rule);

                    if (expectedRule == null)
                    {
                        Assert.AreEqual(GateAction.Deny, verdict);
                        Assert.IsNull(rule);
                    }
                    else
                    {
                        Assert.AreEqual(GateAction.Allow, verdict);
                        Assert.IsNotNull(rule);
                        Assert.AreEqual(expectedRule, rule.Name);
                    }
                }
            }
        }
Example #6
    /// <summary>
    /// Checks whether the rule is satisfied, i.e. every condition configured on it is met.
    /// The conditions are conjunctive: the first one that fails ends the check with false.
    /// Addresses are resolved to groups lazily, only when a group condition needs it.
    /// </summary>
    /// <param name="state">Gate state used for group lookup and per-site state lookup.</param>
    /// <param name="traffic">The traffic being evaluated.</param>
    /// <param name="fromGroup">
    /// Group of the source address. If null on entry and a from-group condition exists, it is
    /// resolved here and written back. It is also passed by reference to the site-state lookup.
    /// </param>
    /// <param name="toGroup">Group of the destination address; handled the same way as <paramref name="fromGroup"/>.</param>
    /// <returns>True when all conditions hold; false as soon as one does not.</returns>
    public virtual bool Check(NetGate.State state, ITraffic traffic, ref Group fromGroup, ref Group toGroup)
    {
      // Field checks first, in the same short-circuit order as before:
      // none of them needs a lookup in the gate state.
      if (!Check_FromAddrs(traffic.FromAddress)) return false;
      if (!Check_ToAddrs(traffic.ToAddress)) return false;
      if (!Check_Methods(traffic.Method)) return false;
      if (!Check_Services(traffic.Service)) return false;
      if (!Check_URLFragments(traffic.RequestURL)) return false;

      // Group conditions: an address that resolves to no group cannot satisfy them.
      if (m_FromGroups!=null)
      {
        if (fromGroup==null)
          fromGroup = state.FindGroupForAddress(traffic.FromAddress);

        if (fromGroup==null || !Check_FromGroups(fromGroup.Name)) return false;
      }

      if (m_ToGroups!=null)
      {
        if (toGroup==null)
          toGroup = state.FindGroupForAddress(traffic.ToAddress);

        if (toGroup==null || !Check_ToGroups(toGroup.Name)) return false;
      }

      // Expression conditions are evaluated against the per-site state of each end.
      if (m_FromExpression!=null)
      {
        var fromSiteState = state.FindNetSiteStateForAddress(traffic.FromAddress, ref fromGroup);
        if (!invokeEvaluator(fromSiteState, m_FromExpression)) return false;
      }

      if (m_ToExpression==null) return true;

      var toSiteState = state.FindNetSiteStateForAddress(traffic.ToAddress, ref toGroup);
      return invokeEvaluator(toSiteState, m_ToExpression);
    }