feat(pipeline): per-pipeline packet_length with global fallback

Add optional packet_length config to each pipeline. When set, it
overrides the global server.config.packet_length for that pipeline's
sessions in both RPC chunking (upload/download/pipe) and parser-level
packet size validation. Zero value falls back to global default.

Includes unit tests for Session.GetPacketLength() and
MaleficParser.maxPacketLen() fallback logic.

Author: h3zh1

helper/implanttypes/pipeline.go

@@ -231,10 +231,11 @@ type PipelineParams struct {
 	Tls        *TlsConfig                    `json:"tls,omitempty"`
 	Secure     *SecureConfig                 `json:"secure,omitempty"`
 	// HTTP pipeline specific params
-	Headers    map[string][]string `json:"headers,omitempty"`
-	ErrorPage  string              `json:"error_page,omitempty" gorm:"-"`
-	BodyPrefix string              `json:"body_prefix,omitempty"`
-	BodySuffix string              `json:"body_suffix,omitempty"`
+	Headers      map[string][]string `json:"headers,omitempty"`
+	ErrorPage    string              `json:"error_page,omitempty" gorm:"-"`
+	BodyPrefix   string              `json:"body_prefix,omitempty"`
+	BodySuffix   string              `json:"body_suffix,omitempty"`
+	PacketLength int                 `json:"packet_length,omitempty" yaml:"packet_length,omitempty"`
 }
 
 func (params *PipelineParams) String() string {

server/internal/configs/listener.go

@@ -38,6 +38,7 @@ type TcpPipelineConfig struct {
 	TlsConfig        *TlsConfig                     `config:"tls" yaml:"tls"`
 	EncryptionConfig implanttypes.EncryptionsConfig `config:"encryption" yaml:"encryption"`
 	SecureConfig     *implanttypes.SecureConfig     `config:"secure" yaml:"secure"` // Age 密码学安全配置
+	PacketLength     int                            `config:"packet_length" yaml:"packet_length"`
 }
 
 type AutoBuildConfig struct {
@@ -58,6 +59,7 @@ func (tcp *TcpPipelineConfig) ToProtobuf(lisId string) (*clientpb.Pipeline, erro
 		Enable:     tcp.Enable,
 		Parser:     tcp.Parser,
 		Type:       consts.TCPPipeline,
+		PacketLength: uint32(tcp.PacketLength),
 		Body: &clientpb.Pipeline_Tcp{
 			Tcp: &clientpb.TCPPipeline{
 				Host: tcp.Host,
@@ -75,6 +77,7 @@ type BindPipelineConfig struct {
 	Name             string                         `config:"name" default:"bind" yaml:"name"`
 	TlsConfig        *TlsConfig                     `config:"tls" yaml:"tls"`
 	EncryptionConfig implanttypes.EncryptionsConfig `config:"encryption" yaml:"encryption"`
+	PacketLength     int                            `config:"packet_length" yaml:"packet_length"`
 }
 
 func (pipeline *BindPipelineConfig) ToProtobuf(lisId string) (*clientpb.Pipeline, error) {
@@ -87,6 +90,7 @@ func (pipeline *BindPipelineConfig) ToProtobuf(lisId string) (*clientpb.Pipeline
 		Enable:     pipeline.Enable,
 		ListenerId: lisId,
 		Parser:     consts.ImplantMalefic,
+		PacketLength: uint32(pipeline.PacketLength),
 		Body: &clientpb.Pipeline_Bind{
 			Bind: &clientpb.BindPipeline{},
 		},
@@ -108,6 +112,7 @@ type HttpPipelineConfig struct {
 	ErrorPage        string                         `config:"error_page" yaml:"error_page"`
 	BodyPrefix       string                         `config:"body_prefix" yaml:"body_prefix"`
 	BodySuffix       string                         `config:"body_suffix" yaml:"body_suffix"`
+	PacketLength     int                            `config:"packet_length" yaml:"packet_length"`
 }
 
 func (http *HttpPipelineConfig) ToProtobuf(lisId string) (*clientpb.Pipeline, error) {
@@ -139,6 +144,7 @@ func (http *HttpPipelineConfig) ToProtobuf(lisId string) (*clientpb.Pipeline, er
 		Enable:     http.Enable,
 		Parser:     http.Parser,
 		Type:       consts.HTTPPipeline,
+		PacketLength: uint32(http.PacketLength),
 		Body: &clientpb.Pipeline_Http{
 			Http: &clientpb.HTTPPipeline{
 				Host:   http.Host,

server/internal/core/pipeline.go

@@ -64,6 +64,7 @@ func FromPipeline(pipeline *clientpb.Pipeline) *PipelineConfig {
 		TLSConfig:    implanttypes.FromTls(pipeline.Tls),
 		Encryption:   implanttypes.FromEncryptions(pipeline.GetEncryption()),
 		SecureConfig: implanttypes.FromSecure(pipeline.Secure),
+		PacketLength: int(pipeline.PacketLength),
 	}
 }
 
@@ -73,6 +74,7 @@ type PipelineConfig struct {
 	TLSConfig    *implanttypes.TlsConfig
 	Encryption   implanttypes.EncryptionsConfig
 	SecureConfig *implanttypes.SecureConfig
+	PacketLength int
 }
 
 func (p *PipelineConfig) WrapConn(conn io.ReadWriteCloser) (*cryptostream.Conn, error) {
@@ -83,7 +85,7 @@ func (p *PipelineConfig) WrapConn(conn io.ReadWriteCloser) (*cryptostream.Conn,
 	if err != nil {
 		return nil, err
 	}
-	return cryptostream.WrapPeekConn(conn, crys, p.Parser)
+	return cryptostream.WrapPeekConn(conn, crys, p.Parser, uint32(p.PacketLength))
 }
 
 // WrapBindConn wraps a connection for bind mode without pre-reading
@@ -96,7 +98,7 @@ func (p *PipelineConfig) WrapBindConn(conn io.ReadWriteCloser) (*cryptostream.Co
 	if err != nil {
 		return nil, err
 	}
-	return cryptostream.WrapBindConn(conn, crys)
+	return cryptostream.WrapBindConn(conn, crys, uint32(p.PacketLength))
 }
 
 //

server/internal/core/session.go

@@ -625,6 +625,15 @@ func (s *Session) GetPipelineEncryptionKey() string {
 	return encryptions[0].Key
 }
 
+// GetPacketLength returns the per-pipeline packet length or falls back to global config.
+func (s *Session) GetPacketLength() int {
+	pipeline, ok := Listeners.Find(s.PipelineID)
+	if ok && pipeline != nil && pipeline.PacketLength > 0 {
+		return int(pipeline.PacketLength)
+	}
+	return config.Int(consts.ConfigMaxPacketLength)
+}
+
 func (s *Session) Update(req *clientpb.RegisterSession) {
 	s.Name = req.RegisterData.Name
 	s.PipelineID = req.PipelineId

server/internal/core/session_packet_length_test.go

@@ -0,0 +1,73 @@
+package core
+
+import (
+	"testing"
+
+	"github.com/chainreactors/IoM-go/consts"
+	"github.com/chainreactors/IoM-go/proto/client/clientpb"
+	"github.com/gookit/config/v2"
+)
+
+func TestGetPacketLengthWithPipelineConfig(t *testing.T) {
+	withIsolatedListeners(t)
+	withIsolatedBroker(t)
+
+	config.Set(consts.ConfigMaxPacketLength, 10485760)
+	t.Cleanup(func() { config.Set(consts.ConfigMaxPacketLength, 0) })
+
+	listener := NewListener("test-lis", "10.0.0.1")
+	Listeners.Add(listener)
+	listener.AddPipeline(&clientpb.Pipeline{
+		Name:         "pipe-custom",
+		ListenerId:   "test-lis",
+		PacketLength: 2048,
+	})
+
+	sess := newTestSession("pkt-test")
+	sess.PipelineID = "pipe-custom"
+
+	got := sess.GetPacketLength()
+	if got != 2048 {
+		t.Fatalf("GetPacketLength() = %d, want 2048", got)
+	}
+}
+
+func TestGetPacketLengthFallsBackToGlobal(t *testing.T) {
+	withIsolatedListeners(t)
+	withIsolatedBroker(t)
+
+	config.Set(consts.ConfigMaxPacketLength, 10485760)
+	t.Cleanup(func() { config.Set(consts.ConfigMaxPacketLength, 0) })
+
+	listener := NewListener("test-lis2", "10.0.0.1")
+	Listeners.Add(listener)
+	listener.AddPipeline(&clientpb.Pipeline{
+		Name:       "pipe-default",
+		ListenerId: "test-lis2",
+		// PacketLength is 0 (unset)
+	})
+
+	sess := newTestSession("pkt-fallback")
+	sess.PipelineID = "pipe-default"
+
+	got := sess.GetPacketLength()
+	if got != 10485760 {
+		t.Fatalf("GetPacketLength() = %d, want 10485760 (global default)", got)
+	}
+}
+
+func TestGetPacketLengthNoPipeline(t *testing.T) {
+	withIsolatedListeners(t)
+	withIsolatedBroker(t)
+
+	config.Set(consts.ConfigMaxPacketLength, 10485760)
+	t.Cleanup(func() { config.Set(consts.ConfigMaxPacketLength, 0) })
+
+	sess := newTestSession("pkt-nopipe")
+	sess.PipelineID = "nonexistent"
+
+	got := sess.GetPacketLength()
+	if got != 10485760 {
+		t.Fatalf("GetPacketLength() = %d, want 10485760 (global default)", got)
+	}
+}

server/internal/db/models/pipeline.go

@@ -31,10 +31,11 @@ type Pipeline struct {
 
 func pipelineParamsFromProto(pipeline *clientpb.Pipeline) *implanttypes.PipelineParams {
 	return &implanttypes.PipelineParams{
-		Parser:     pipeline.Parser,
-		Tls:        implanttypes.FromTls(pipeline.Tls),
-		Encryption: implanttypes.FromEncryptions(pipeline.Encryption),
-		Secure:     implanttypes.FromSecure(pipeline.Secure),
+		Parser:       pipeline.Parser,
+		Tls:          implanttypes.FromTls(pipeline.Tls),
+		Encryption:   implanttypes.FromEncryptions(pipeline.Encryption),
+		Secure:       implanttypes.FromSecure(pipeline.Secure),
+		PacketLength: int(pipeline.PacketLength),
 	}
 }
 
@@ -80,16 +81,21 @@ func (pipeline *Pipeline) ToProtobuf() *clientpb.Pipeline {
 	if pipeline == nil {
 		return nil
 	}
+	var packetLength uint32
+	if pipeline.PipelineParams != nil {
+		packetLength = uint32(pipeline.PipelineParams.PacketLength)
+	}
 	switch pipeline.Type {
 	case consts.TCPPipeline:
 		return &clientpb.Pipeline{
-			Name:       pipeline.Name,
-			ListenerId: pipeline.ListenerId,
-			Enable:     pipeline.Enable,
-			Parser:     pipeline.Parser,
-			Ip:         pipeline.IP,
-			Type:       consts.TCPPipeline,
-			CertName:   pipeline.CertName,
+			Name:         pipeline.Name,
+			ListenerId:   pipeline.ListenerId,
+			Enable:       pipeline.Enable,
+			Parser:       pipeline.Parser,
+			Ip:           pipeline.IP,
+			Type:         consts.TCPPipeline,
+			CertName:     pipeline.CertName,
+			PacketLength: packetLength,
 			Body: &clientpb.Pipeline_Tcp{
 				Tcp: &clientpb.TCPPipeline{
 					Name:       pipeline.Name,
@@ -104,13 +110,14 @@ func (pipeline *Pipeline) ToProtobuf() *clientpb.Pipeline {
 		}
 	case consts.HTTPPipeline:
 		return &clientpb.Pipeline{
-			Name:       pipeline.Name,
-			ListenerId: pipeline.ListenerId,
-			Enable:     pipeline.Enable,
-			Parser:     pipeline.Parser,
-			Ip:         pipeline.IP,
-			Type:       consts.HTTPPipeline,
-			CertName:   pipeline.CertName,
+			Name:         pipeline.Name,
+			ListenerId:   pipeline.ListenerId,
+			Enable:       pipeline.Enable,
+			Parser:       pipeline.Parser,
+			Ip:           pipeline.IP,
+			Type:         consts.HTTPPipeline,
+			CertName:     pipeline.CertName,
+			PacketLength: packetLength,
 			Body: &clientpb.Pipeline_Http{
 				Http: &clientpb.HTTPPipeline{
 					Name:       pipeline.Name,
@@ -126,13 +133,14 @@ func (pipeline *Pipeline) ToProtobuf() *clientpb.Pipeline {
 		}
 	case consts.BindPipeline:
 		return &clientpb.Pipeline{
-			Name:       pipeline.Name,
-			ListenerId: pipeline.ListenerId,
-			Enable:     pipeline.Enable,
-			Parser:     pipeline.Parser,
-			Ip:         pipeline.IP,
-			CertName:   pipeline.CertName,
-			Type:       consts.BindPipeline,
+			Name:         pipeline.Name,
+			ListenerId:   pipeline.ListenerId,
+			Enable:       pipeline.Enable,
+			Parser:       pipeline.Parser,
+			Ip:           pipeline.IP,
+			CertName:     pipeline.CertName,
+			Type:         consts.BindPipeline,
+			PacketLength: packetLength,
 			Body: &clientpb.Pipeline_Bind{
 				Bind: &clientpb.BindPipeline{
 					Name:       pipeline.Name,
@@ -145,13 +153,14 @@ func (pipeline *Pipeline) ToProtobuf() *clientpb.Pipeline {
 		}
 	case consts.WebsitePipeline:
 		return &clientpb.Pipeline{
-			Name:       pipeline.Name,
-			ListenerId: pipeline.ListenerId,
-			Ip:         pipeline.IP,
-			Enable:     pipeline.Enable,
-			Parser:     pipeline.Parser,
-			CertName:   pipeline.CertName,
-			Type:       consts.WebsitePipeline,
+			Name:         pipeline.Name,
+			ListenerId:   pipeline.ListenerId,
+			Ip:           pipeline.IP,
+			Enable:       pipeline.Enable,
+			Parser:       pipeline.Parser,
+			CertName:     pipeline.CertName,
+			Type:         consts.WebsitePipeline,
+			PacketLength: packetLength,
 			Body: &clientpb.Pipeline_Web{
 				Web: &clientpb.Website{
 					Name:       pipeline.Name,
@@ -167,13 +176,14 @@ func (pipeline *Pipeline) ToProtobuf() *clientpb.Pipeline {
 		}
 	case consts.RemPipeline:
 		return &clientpb.Pipeline{
-			Name:       pipeline.Name,
-			ListenerId: pipeline.ListenerId,
-			Enable:     pipeline.Enable,
-			Parser:     pipeline.Parser,
-			Type:       consts.RemPipeline,
-			Ip:         pipeline.IP,
-			CertName:   pipeline.CertName,
+			Name:         pipeline.Name,
+			ListenerId:   pipeline.ListenerId,
+			Enable:       pipeline.Enable,
+			Parser:       pipeline.Parser,
+			Type:         consts.RemPipeline,
+			Ip:           pipeline.IP,
+			CertName:     pipeline.CertName,
+			PacketLength: packetLength,
 			Body: &clientpb.Pipeline_Rem{
 				Rem: &clientpb.REM{
 					Name:      pipeline.Name,
@@ -197,13 +207,14 @@ func (pipeline *Pipeline) ToProtobuf() *clientpb.Pipeline {
 			params = string(data)
 		}
 		return &clientpb.Pipeline{
-			Name:       pipeline.Name,
-			ListenerId: pipeline.ListenerId,
-			Enable:     pipeline.Enable,
-			Parser:     pipeline.Parser,
-			Ip:         pipeline.IP,
-			Type:       pipeline.Type,
-			CertName:   pipeline.CertName,
+			Name:         pipeline.Name,
+			ListenerId:   pipeline.ListenerId,
+			Enable:       pipeline.Enable,
+			Parser:       pipeline.Parser,
+			Ip:           pipeline.IP,
+			Type:         pipeline.Type,
+			CertName:     pipeline.CertName,
+			PacketLength: packetLength,
 			Body: &clientpb.Pipeline_Custom{
 				Custom: &clientpb.CustomPipeline{
 					Name:       pipeline.Name,

server/internal/parser/malefic/parser.go

@@ -34,10 +34,19 @@ func NewMaleficParser() *MaleficParser {
 }
 
 type MaleficParser struct {
-	StartDelimiter byte
-	EndDelimiter   byte
-	keyPair        *clientpb.KeyPair // Age 密钥对，用于加解密
-	privateKeys    []string
+	StartDelimiter   byte
+	EndDelimiter     byte
+	MaxPacketLength  uint32
+	keyPair          *clientpb.KeyPair // Age 密钥对，用于加解密
+	privateKeys      []string
+}
+
+// maxPacketLen returns the per-pipeline limit or falls back to global config.
+func (parser *MaleficParser) maxPacketLen() uint32 {
+	if parser.MaxPacketLength > 0 {
+		return parser.MaxPacketLength
+	}
+	return uint32(config.Uint(consts.ConfigMaxPacketLength))
 }
 
 // WithSecure 设置 Age 密钥对用于加解密，返回新的 parser 实例
@@ -92,8 +101,8 @@ func (parser *MaleficParser) readHeader(conn io.ReadWriteCloser) (uint32, uint32
 	}
 	sessionId := ParseSid(header)
 	length := binary.LittleEndian.Uint32(header[MsgSessionEnd:])
-	if length > uint32(config.Uint(consts.ConfigMaxPacketLength))+consts.KB*16 {
-		return 0, 0, fmt.Errorf("%w,expect: %d, recv: %d", types.ErrPacketTooLarge, config.Int(consts.ConfigMaxPacketLength), length)
+	if length > parser.maxPacketLen()+consts.KB*16 {
+		return 0, 0, fmt.Errorf("%w,expect: %d, recv: %d", types.ErrPacketTooLarge, parser.maxPacketLen(), length)
 	}
 
 	return sessionId, length + 1, nil
@@ -105,8 +114,8 @@ func (parser *MaleficParser) ReadHeader(conn io.ReadWriteCloser) (uint32, uint32
 		return 0, 0, err
 	}
 	//logs.Log.Debugf("%v read packet from %s , %d bytes", sid, conn.RemoteAddr(), length)
-	if length > uint32(config.Uint(consts.ConfigMaxPacketLength))+consts.KB*16+1 {
-		return 0, 0, fmt.Errorf("%w,expect: %d, recv: %d", types.ErrPacketTooLarge, config.Int(consts.ConfigMaxPacketLength), length)
+	if length > parser.maxPacketLen()+consts.KB*16+1 {
+		return 0, 0, fmt.Errorf("%w,expect: %d, recv: %d", types.ErrPacketTooLarge, parser.maxPacketLen(), length)
 	}
 	return sid, length, nil
 }