{"expand":"renderedFields,names,schema,operations,editmeta,changelog,versionedRepresentations","id":"46671","self":"https://jira.geedge.net/rest/api/2/issue/46671","key":"OMPUB-1506","fields":{"issuetype":{"self":"https://jira.geedge.net/rest/api/2/issuetype/10004","id":"10004","description":"","iconUrl":"https://jira.geedge.net/secure/viewavatar?size=xsmall&avatarId=10303&avatarType=issuetype","name":"Fault","subtask":false,"avatarId":10303},"components":[],"timespent":null,"timeoriginalestimate":null,"description":"When testing the DNS Redirect feature, the UI shows hit logs but there is no actual effect; sysinfo.log shows no sent-packet count, and a packet capture on the tsg-os management interface does not capture any redirect packets either.\r\n\r\nStatus: Resolved\r\nRoot cause: By default, DNS packets are only sent after a response packet is seen. Because all of the Quanzhou Unicom traffic is request-side traffic, the test had no effect\r\nSolution: Use a hotfix to change the default configuration of FIREWALL PACKET_RESPONSE_MODE in tsgconf/main.conf\r\ncrudini --inplace --set /opt/tsg/sapp/tsgconf/main.conf FIREWALL PACKET_RESPONSE_MODE \"hijack\"\r\n","project":{"self":"https://jira.geedge.net/rest/api/2/project/10206","id":"10206","key":"OMPUB","name":"Operation and Maintenance","projectTypeKey":"business","avatarUrls":{"48x48":"https://jira.geedge.net/secure/projectavatar?pid=10206&avatarId=10715","24x24":"https://jira.geedge.net/secure/projectavatar?size=small&pid=10206&avatarId=10715","16x16":"https://jira.geedge.net/secure/projectavatar?size=xsmall&pid=10206&avatarId=10715","32x32":"https://jira.geedge.net/secure/projectavatar?size=medium&pid=10206&avatarId=10715"},"projectCategory":{"self":"https://jira.geedge.net/rest/api/2/projectCategory/10002","id":"10002","description":"System operations and maintenance","name":"MaintenanceDev"}},"fixVersions":[],"aggregatetimespent":null,"resolution":{"self":"https://jira.geedge.net/rest/api/2/resolution/10000","id":"10000","description":"The workflow for this issue has been completed.","name":"Done"},"timetracking":{},"customfield_10401":null,"customfield_10104":null,"customfield_10402":null,"customfield_10105":"0|i062is:","customfield_10403":null,"customfield_10404":null,"attachment":[],"aggregatetimeestimate":null,"resolutiondate":"2024-10-18T18:16:23.079+0800","workratio":-1,"summary":"Fujian project: when testing the DNS 
Redirect feature, the UI shows hit logs but there is no actual effect","lastViewed":"2024-10-21T10:05:46.930+0800","watches":{"self":"https://jira.geedge.net/rest/api/2/issue/OMPUB-1506/watchers","watchCount":3,"isWatching":false},"creator":{"self":"https://jira.geedge.net/rest/api/2/user?username=zhangzhihan","name":"zhangzhihan","key":"JIRAUSER10111","emailAddress":"zhangzhihan@geedgenetworks.com","avatarUrls":{"48x48":"https://jira.geedge.net/secure/useravatar?ownerId=JIRAUSER10111&avatarId=12001","24x24":"https://jira.geedge.net/secure/useravatar?size=small&ownerId=JIRAUSER10111&avatarId=12001","16x16":"https://jira.geedge.net/secure/useravatar?size=xsmall&ownerId=JIRAUSER10111&avatarId=12001","32x32":"https://jira.geedge.net/secure/useravatar?size=medium&ownerId=JIRAUSER10111&avatarId=12001"},"displayName":"张智涵","active":true,"timeZone":"Asia/Shanghai"},"subtasks":[],"created":"2024-10-18T18:16:11.478+0800","reporter":{"self":"https://jira.geedge.net/rest/api/2/user?username=zhangzhihan","name":"zhangzhihan","key":"JIRAUSER10111","emailAddress":"zhangzhihan@geedgenetworks.com","avatarUrls":{"48x48":"https://jira.geedge.net/secure/useravatar?ownerId=JIRAUSER10111&avatarId=12001","24x24":"https://jira.geedge.net/secure/useravatar?size=small&ownerId=JIRAUSER10111&avatarId=12001","16x16":"https://jira.geedge.net/secure/useravatar?size=xsmall&ownerId=JIRAUSER10111&avatarId=12001","32x32":"https://jira.geedge.net/secure/useravatar?size=medium&ownerId=JIRAUSER10111&avatarId=12001"},"displayName":"张智涵","active":true,"timeZone":"Asia/Shanghai"},"customfield_10000":"{summaryBean=com.atlassian.jira.plugin.devstatus.rest.SummaryBean@6ebaf3ee[summary={pullrequest=com.atlassian.jira.plugin.devstatus.rest.SummaryItemBean@2821bccc[overall=PullRequestOverallBean{stateCount=0, state='OPEN', details=PullRequestOverallDetails{openCount=0, mergedCount=0, declinedCount=0}},byInstanceType={}], 
build=com.atlassian.jira.plugin.devstatus.rest.SummaryItemBean@2cf2504e[overall=com.atlassian.jira.plugin.devstatus.summary.beans.BuildOverallBean@9104ec0[failedBuildCount=0,successfulBuildCount=0,unknownBuildCount=0,count=0,lastUpdated=<null>,lastUpdatedTimestamp=<null>],byInstanceType={}], review=com.atlassian.jira.plugin.devstatus.rest.SummaryItemBean@5bb7cc7e[overall=com.atlassian.jira.plugin.devstatus.summary.beans.ReviewsOverallBean@399f8992[stateCount=0,state=<null>,dueDate=<null>,overDue=false,count=0,lastUpdated=<null>,lastUpdatedTimestamp=<null>],byInstanceType={}], deployment-environment=com.atlassian.jira.plugin.devstatus.rest.SummaryItemBean@751decf[overall=com.atlassian.jira.plugin.devstatus.summary.beans.DeploymentOverallBean@cbce6ab[topEnvironments=[],showProjects=false,successfulCount=0,count=0,lastUpdated=<null>,lastUpdatedTimestamp=<null>],byInstanceType={}], repository=com.atlassian.jira.plugin.devstatus.rest.SummaryItemBean@698d0f7e[overall=com.atlassian.jira.plugin.devstatus.summary.beans.CommitOverallBean@2c9bd8c4[count=0,lastUpdated=<null>,lastUpdatedTimestamp=<null>],byInstanceType={}], branch=com.atlassian.jira.plugin.devstatus.rest.SummaryItemBean@2535dc3e[overall=com.atlassian.jira.plugin.devstatus.summary.beans.BranchOverallBean@4e57ef8d[count=0,lastUpdated=<null>,lastUpdatedTimestamp=<null>],byInstanceType={}]},errors=[],configErrors=[]], 
devSummaryJson={\"cachedValue\":{\"errors\":[],\"configErrors\":[],\"summary\":{\"pullrequest\":{\"overall\":{\"count\":0,\"lastUpdated\":null,\"stateCount\":0,\"state\":\"OPEN\",\"details\":{\"openCount\":0,\"mergedCount\":0,\"declinedCount\":0,\"total\":0},\"open\":true},\"byInstanceType\":{}},\"build\":{\"overall\":{\"count\":0,\"lastUpdated\":null,\"failedBuildCount\":0,\"successfulBuildCount\":0,\"unknownBuildCount\":0},\"byInstanceType\":{}},\"review\":{\"overall\":{\"count\":0,\"lastUpdated\":null,\"stateCount\":0,\"state\":null,\"dueDate\":null,\"overDue\":false,\"completed\":false},\"byInstanceType\":{}},\"deployment-environment\":{\"overall\":{\"count\":0,\"lastUpdated\":null,\"topEnvironments\":[],\"showProjects\":false,\"successfulCount\":0},\"byInstanceType\":{}},\"repository\":{\"overall\":{\"count\":0,\"lastUpdated\":null},\"byInstanceType\":{}},\"branch\":{\"overall\":{\"count\":0,\"lastUpdated\":null},\"byInstanceType\":{}}}},\"isStale\":false}}","aggregateprogress":{"progress":0,"total":0},"customfield_10100":null,"priority":{"self":"https://jira.geedge.net/rest/api/2/priority/3","iconUrl":"https://jira.geedge.net/images/icons/priorities/medium.svg","name":"Medium","id":"3"},"customfield_10200":null,"customfield_10400":null,"labels":["FUJIAN"],"environment":null,"timeestimate":null,"aggregatetimeoriginalestimate":null,"versions":[],"duedate":null,"progress":{"progress":0,"total":0},"issuelinks":[],"comment":{"comments":[{"self":"https://jira.geedge.net/rest/api/2/issue/46671/comment/86592","id":"86592","author":{"self":"https://jira.geedge.net/rest/api/2/user?username=yangwei","name":"yangwei","key":"JIRAUSER10103","emailAddress":"yangwei@geedgenetworks.com","avatarUrls":{"48x48":"https://jira.geedge.net/secure/useravatar?ownerId=JIRAUSER10103&avatarId=10708","24x24":"https://jira.geedge.net/secure/useravatar?size=small&ownerId=JIRAUSER10103&avatarId=10708","16x16":"https://jira.geedge.net/secure/useravatar?size=xsmall&ownerId=JIRAUSER10103&avatarI
d=10708","32x32":"https://jira.geedge.net/secure/useravatar?size=medium&ownerId=JIRAUSER10103&avatarId=10708"},"displayName":"杨威","active":true,"timeZone":"Asia/Shanghai"},"body":"Background\r\n * For the DNS Redirect action, the feature side supports two modes, hijack and replace. The default mode is replace, meaning that after a hit only the DNS response is modified\r\n * replace mode only takes effect with inline deployment, and can avoid the impact of DNS Flood or DNS probing on the Firewall\r\n\r\nCause\r\n * Fujian uses mirror deployment, and the traffic-splitting device only mirrors C2S traffic, so in the default replace mode the policy is hit but the DNS Redirect action is not executed (the feature side needs to adjust the rule hits counting logic, i.e. count only after the action has been executed)\r\n\r\nProblem\r\n * The hijack and replace modes on the feature side are not visible to the user and are tied to the deployment mode, which easily leads to the situation in this issue: after the deployment mode changes, the policy is hit but Deny has no effect\r\n\r\nAdjustment plan\r\n * The feature side no longer implicitly contains the hijack and replace modes; instead, through policy conditions, the user decides whether Redirect is executed on the DNS request or the response\r\n * When only QNAME is selected, it takes effect in both directions by default, i.e. both hijack and replace modes are supported at the same time, with the following behavior:\r\n ** inline deployment\r\n *** On receiving a DNS request, construct and send a DNS response and drop the current request packet, equivalent to hijack mode;\r\n *** On receiving a DNS response, construct a DNS response and drop the current response packet, equivalent to replace mode;\r\n ** mirror deployment\r\n *** Same logic as above: on receiving a DNS request, hijack mode is effective\r\n *** On receiving a DNS response, replace mode has no effect\r\n * Add a policy condition to specify whether it takes effect on the request or the response; the options are as follows: \r\n ** Option A: specify the effective direction by selecting session_flags->c2s/s2c\r\n ** Option B: add QR (Query/Response) Flags to the DNS Filter, 0 for request, 1 for response\r\n\r\nSummary: the problems corresponding to this issue are as follows:\r\n # The rule hits count on the feature side is inaccurate; hits are still counted when the conditions for sending a DNS Redirect are not met\r\n # The implicit DNS Redirect execution mode (strongly tied to the deployment mode) is unfriendly to deployment and implementation. Consider explicitly adding the conditions under which DNS Redirect takes effect to the policy conditions\r\n\r\n * \r\n ** Side issue: with mirror deployment, the user needs to be advised to add a condition to the DNS policy specifying that it takes effect on the DNS Request side; otherwise in this mode, when a DNS 
response is received, the Firewall will also send an invalid DNS response packet","updateAuthor":{"self":"https://jira.geedge.net/rest/api/2/user?username=yangwei","name":"yangwei","key":"JIRAUSER10103","emailAddress":"yangwei@geedgenetworks.com","avatarUrls":{"48x48":"https://jira.geedge.net/secure/useravatar?ownerId=JIRAUSER10103&avatarId=10708","24x24":"https://jira.geedge.net/secure/useravatar?size=small&ownerId=JIRAUSER10103&avatarId=10708","16x16":"https://jira.geedge.net/secure/useravatar?size=xsmall&ownerId=JIRAUSER10103&avatarId=10708","32x32":"https://jira.geedge.net/secure/useravatar?size=medium&ownerId=JIRAUSER10103&avatarId=10708"},"displayName":"杨威","active":true,"timeZone":"Asia/Shanghai"},"created":"2024-10-21T09:48:04.952+0800","updated":"2024-10-21T09:53:44.605+0800"},{"self":"https://jira.geedge.net/rest/api/2/issue/46671/comment/86631","id":"86631","author":{"self":"https://jira.geedge.net/rest/api/2/user?username=yangwei","name":"yangwei","key":"JIRAUSER10103","emailAddress":"yangwei@geedgenetworks.com","avatarUrls":{"48x48":"https://jira.geedge.net/secure/useravatar?ownerId=JIRAUSER10103&avatarId=10708","24x24":"https://jira.geedge.net/secure/useravatar?size=small&ownerId=JIRAUSER10103&avatarId=10708","16x16":"https://jira.geedge.net/secure/useravatar?size=xsmall&ownerId=JIRAUSER10103&avatarId=10708","32x32":"https://jira.geedge.net/secure/useravatar?size=medium&ownerId=JIRAUSER10103&avatarId=10708"},"displayName":"杨威","active":true,"timeZone":"Asia/Shanghai"},"body":"Solution: Firewall supports DNS QR as a policy condition\r\n\r\nNote: in mirror deployment environments, users are advised to add DNS 
Request to the DNS policy conditions, to prevent the Firewall from constructing redirect packets for both DNS requests and responses (mirror deployment cannot drop the original request)","updateAuthor":{"self":"https://jira.geedge.net/rest/api/2/user?username=yangwei","name":"yangwei","key":"JIRAUSER10103","emailAddress":"yangwei@geedgenetworks.com","avatarUrls":{"48x48":"https://jira.geedge.net/secure/useravatar?ownerId=JIRAUSER10103&avatarId=10708","24x24":"https://jira.geedge.net/secure/useravatar?size=small&ownerId=JIRAUSER10103&avatarId=10708","16x16":"https://jira.geedge.net/secure/useravatar?size=xsmall&ownerId=JIRAUSER10103&avatarId=10708","32x32":"https://jira.geedge.net/secure/useravatar?size=medium&ownerId=JIRAUSER10103&avatarId=10708"},"displayName":"杨威","active":true,"timeZone":"Asia/Shanghai"},"created":"2024-10-22T10:30:59.877+0800","updated":"2024-10-22T10:31:52.361+0800"}],"maxResults":2,"total":2,"startAt":0},"votes":{"self":"https://jira.geedge.net/rest/api/2/issue/OMPUB-1506/votes","votes":0,"hasVoted":false},"worklog":{"startAt":0,"maxResults":20,"total":0,"worklogs":[]},"assignee":{"self":"https://jira.geedge.net/rest/api/2/user?username=yangwei","name":"yangwei","key":"JIRAUSER10103","emailAddress":"yangwei@geedgenetworks.com","avatarUrls":{"48x48":"https://jira.geedge.net/secure/useravatar?ownerId=JIRAUSER10103&avatarId=10708","24x24":"https://jira.geedge.net/secure/useravatar?size=small&ownerId=JIRAUSER10103&avatarId=10708","16x16":"https://jira.geedge.net/secure/useravatar?size=xsmall&ownerId=JIRAUSER10103&avatarId=10708","32x32":"https://jira.geedge.net/secure/useravatar?size=medium&ownerId=JIRAUSER10103&avatarId=10708"},"displayName":"杨威","active":true,"timeZone":"Asia/Shanghai"},"updated":"2024-10-22T10:31:52.363+0800","status":{"self":"https://jira.geedge.net/rest/api/2/status/10103","description":"This issue is considered finished, and the resolution is correct. Closed issues can be reopened.","iconUrl":"https://jira.geedge.net/images/icons/statuses/generic.png","name":"Closed","id":"10103","statusCategory":{"self":"https://jira.geedge.net/rest/api/2/statuscategory/3","id":3,"key":"done","colorName":"green","name":"Done"}}}}