Fix the ordering of sites, ports, and macro values in filtering rules

all_sites and all_ports rules should be at the end of their lists, they should be searched last, because they are the least specific rules in their lists, hence have lower precedences. Also, obey the order of rules in conf files by adding sites, ports, and macro values to their lists in the same order they are in conf files. Update the unit and e2e tests accordingly, and improve.
3 years ago · 14f68457fb
parent c8f09d162a
commit 14f68457fb
3 changed files with 577 additions and 163 deletions
--- a/src/opts.c
+++ b/src/opts.c
@ -707,6 +707,22 @@ opts_append_to_filter_rules(filter_rule_t **list, filter_rule_t *rule)
 		*list = rule;
 }

+static void
+opts_append_to_macro_values(value_t **list, value_t *value)
+{
+	value_t *l = *list;
+	while (l) {
+		if (!l->next)
+			break;
+		l = l->next;
+	}
+
+	if (l)
+		l->next = value;
+	else
+		*list = value;
+}
+
 #ifndef WITHOUT_USERAUTH
 static int WUNRES
 opts_set_user_auth_url(opts_t *opts, const char * argv0, const char *optarg)
@ -879,8 +895,7 @@ clone_global_opts(global_t *global, const char *argv0, tmp_global_opts_t *tmp_gl
 			if (!v->value)
 				return oom_return_null(argv0);

-			v->next = m->value;
-			m->value = v;
+			opts_append_to_macro_values(&m->value, v);

 			value = value->next;
 		}
@ -2896,8 +2911,8 @@ opts_set_macro(opts_t *opts, char *value, int line_num)
 		v->value = strdup(argv[i++]);
 		if (!v->value)
 			return oom_return_na();
-		v->next = macro->value;
-		macro->value = v;
+
+		opts_append_to_macro_values(&macro->value, v);
 	}

 	macro->next = opts->macro;
@ -3514,38 +3529,38 @@ opts_find_port(filter_port_t *port, filter_rule_t *rule)
 	return port;
 }

-static filter_port_t *
-opts_add_port(filter_port_t *port, filter_rule_t *rule)
+static int NONNULL(1,2) WUNRES
+opts_add_port(filter_port_t **port, filter_rule_t *rule)
 {
-	int prepend = 1;
-	if (port && port->all_ports) {
-		// all_ports should be at the beginning of the port list for performance reasons
-		// it effectively disables the rest of the list, but we keep the rest for reporting
-		prepend = 0;
-	}
-
-	filter_port_t *p = opts_find_port(port, rule);
+	filter_port_t *p = opts_find_port(*port, rule);
 	if (!p) {
 		p = malloc(sizeof(filter_port_t));
 		if (!p)
-			return oom_return_na_null();
+			return oom_return_na();
 		memset(p, 0, sizeof(filter_port_t));
 		p->port = strdup(rule->port);
 		if (!p->port)
-			return oom_return_na_null();
+			return oom_return_na();

-		if (prepend) {
-			p->next = port;
-		} else {
-			// Insert the new port after the head
-			// If prepend is 0, port is never NULL
-			p->next = port->next;
-			port->next = p;
+		// all_ports should be at the end of the port list, it has the lowest precedence
+		filter_port_t *prev = NULL;
+		filter_port_t *l = *port;
+		while (l) {
+			if (l->all_ports)
+				break;
+			prev = l;
+			l = l->next;
+		}
+
+		if (prev) {
+			p->next = prev->next;
+			prev->next = p;
+		}
+		else {
+			if (*port)
+				p->next = *port;
+			*port = p;
 		}
-	} else {
-		// If the port exists, we should return the head of the port list
-		// i.e. we have not prepended anything
-		prepend = 0;
 	}

 	// Do not override the specs of port rules at higher precedence
@ -3581,8 +3596,7 @@ opts_add_port(filter_port_t *port, filter_rule_t *rule)

 		p->action.precedence = rule->action.precedence;
 	}
-
-	return prepend ? p : port;
+	return 0;
 }

 static filter_site_t *
@ -3596,38 +3610,38 @@ opts_find_site(filter_site_t *site, filter_rule_t *rule)
 	return site;
 }

-static filter_site_t *
-opts_add_site(filter_site_t *site, filter_rule_t *rule)
+static int NONNULL(1,2) WUNRES
+opts_add_site(filter_site_t **site, filter_rule_t *rule)
 {
-	int prepend = 1;
-	if (site && site->all_sites) {
-		// all_sites should be at the beginning of the site list for performance reasons
-		// it effectively disables the rest of the list, but we keep the rest for reporting
-		prepend = 0;
-	}
-
-	filter_site_t *s = opts_find_site(site, rule);
+	filter_site_t *s = opts_find_site(*site, rule);
 	if (!s) {
 		s = malloc(sizeof(filter_site_t));
 		if (!s)
-			return oom_return_na_null();
+			return oom_return_na();
 		memset(s, 0, sizeof(filter_site_t));
 		s->site = strdup(rule->site);
 		if (!s->site)
-			return oom_return_na_null();
+			return oom_return_na();

-		if (prepend) {
-			s->next = site;
-		} else {
-			// Insert the new site after the head
-			// If prepend is 0, site is never NULL
-			s->next = site->next;
-			site->next = s;
+		// all_sites should be at the end of the site list, it has the lowest precedence
+		filter_site_t *prev = NULL;
+		filter_site_t *l = *site;
+		while (l) {
+			if (l->all_sites)
+				break;
+			prev = l;
+			l = l->next;
+		}
+
+		if (prev) {
+			s->next = prev->next;
+			prev->next = s;
+		}
+		else {
+			if (*site)
+				s->next = *site;
+			*site = s;
 		}
-	} else {
-		// If the site exists, we should return the head of the site list
-		// i.e. we have not prepended anything
-		prepend = 0;
 	}

 	s->all_sites = rule->all_sites;
@ -3637,7 +3651,8 @@ opts_add_site(filter_site_t *site, filter_rule_t *rule)
 	// Port rule is added as a new port under the same site
 	// hence 'if else', not just 'if'
 	if (rule->port) {
-		s->port = opts_add_port(s->port, rule);
+		if (opts_add_port(&s->port, rule) == -1)
+			return -1;
 	}
 	// Do not override the specs of site rules at higher precedence
 	// precedence can only go up not down
@ -3669,36 +3684,30 @@ opts_add_site(filter_site_t *site, filter_rule_t *rule)

 		s->action.precedence = rule->action.precedence;
 	}
-
-	return prepend ? s : site;
+	return 0;
 }

 static int
 opts_add_to_sitelist(filter_list_t *list, filter_rule_t *rule)
 {
 	if (rule->dstip) {
-		list->ip = opts_add_site(list->ip, rule);
-		if (!list->ip)
+		if (opts_add_site(&list->ip, rule) == -1)
 			return -1;
 	}
 	if (rule->sni) {
-		list->sni = opts_add_site(list->sni, rule);
-		if (!list->sni)
+		if (opts_add_site(&list->sni, rule) == -1)
 			return -1;
 	}
 	if (rule->cn) {
-		list->cn = opts_add_site(list->cn, rule);
-		if (!list->cn)
+		if (opts_add_site(&list->cn, rule) == -1)
 			return -1;
 	}
 	if (rule->host) {
-		list->host = opts_add_site(list->host, rule);
-		if (!list->host)
+		if (opts_add_site(&list->host, rule) == -1)
 			return -1;
 	}
 	if (rule->uri) {
-		list->uri = opts_add_site(list->uri, rule);
-		if (!list->uri)
+		if (opts_add_site(&list->uri, rule) == -1)
 			return -1;
 	}
 	return 0;
--- a/tests/check/filter.t.c
+++ b/tests/check/filter.t.c
@ -1454,8 +1454,7 @@ START_TEST(set_filter_rule_08)
 	fail_unless(rv == 0, "failed to parse rule");
 	free(s);

-	// The order of sites does not match the order of rules, it is the reverse 
-	// But all_sites should always be the first element
+	// all_sites should always be the last element
 	s = strdup("from ip 192.168.0.2 to ip *");
 	rv = opts_set_filter_rule(opts, "Match", s, 0);
 	fail_unless(rv == 0, "failed to parse rule");
@ -1503,18 +1502,18 @@ START_TEST(set_filter_rule_08)
 "ip_filter->\n"
 "  ip 0 192.168.0.2= \n"
 "    ip: \n"
-"      0:  (all_sites, substring, action=||||match, log=|||||, precedence=1)\n"
-"      1: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=1)\n"
-"      2: 192.168.0. (substring, action=||||match, log=|||||, precedence=1)\n"
-"      3: 192.168.0.1 (exact, action=||||match, log=|||||, precedence=1)\n"
+"      0: 192.168.0.1 (exact, action=||||match, log=|||||, precedence=1)\n"
+"      1: 192.168.0. (substring, action=||||match, log=|||||, precedence=1)\n"
+"      2: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=1)\n"
+"      3:  (all_sites, substring, action=||||match, log=|||||, precedence=1)\n"
 "    sni: \n"
 "    cn: \n"
 "    host: \n"
 "    uri: \n"
 "  ip 1 192.168.0.1= \n"
 "    ip: \n"
-"      0: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=1)\n"
-"      1: 192.168.0.2 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=2)\n"
+"      0: 192.168.0.2 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=2)\n"
+"      1: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=1)\n"
 "    sni: \n"
 "    cn: \n"
 "    host: \n"
@ -1582,8 +1581,7 @@ START_TEST(set_filter_rule_09)
 	fail_unless(rv == 0, "failed to parse rule");
 	free(s);

-	// The order of sites does not match the order of rules, it is the reverse 
-	// But all_sites should always be the first element
+	// all_sites should always be the last element
 	s = strdup("from ip 192.168.0.2 to ip 192.168.0.1 port *");
 	rv = opts_set_filter_rule(opts, "Match", s, 0);
 	fail_unless(rv == 0, "failed to parse rule");
@ -1628,22 +1626,22 @@ START_TEST(set_filter_rule_09)
 "    ip: \n"
 "      0: 192.168.0.1 (exact, action=||||, log=|||||, precedence=0)\n"
 "        port:\n"
-"          0:  (all_ports, substring, action=||||match, log=|||||, precedence=2)\n"
+"          0: 443 (exact, action=||||match, log=|||||, precedence=2)\n"
 "          1: 80 (substring, action=||||match, log=|||||, precedence=2)\n"
-"          2: 443 (exact, action=||||match, log=|||||, precedence=2)\n"
+"          2:  (all_ports, substring, action=||||match, log=|||||, precedence=2)\n"
 "    sni: \n"
 "    cn: \n"
 "    host: \n"
 "    uri: \n"
 "  ip 1 192.168.0.1= \n"
 "    ip: \n"
-"      0: 192.168.0.3 (exact, action=||||match, log=|||||!mirror, precedence=2)\n"
-"        port:\n"
-"          0: 80 (exact, action=||||match, log=|||||, precedence=2)\n"
-"          1: 443 (exact, action=||||match, log=|||||, precedence=2)\n"
-"      1: 192.168.0.2 (exact, action=||||, log=|||||, precedence=0)\n"
+"      0: 192.168.0.2 (exact, action=||||, log=|||||, precedence=0)\n"
 "        port:\n"
 "          0: 443 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=3)\n"
+"      1: 192.168.0.3 (exact, action=||||match, log=|||||!mirror, precedence=2)\n"
+"        port:\n"
+"          0: 443 (exact, action=||||match, log=|||||, precedence=2)\n"
+"          1: 80 (exact, action=||||match, log=|||||, precedence=2)\n"
 "    sni: \n"
 "    cn: \n"
 "    host: \n"
@ -1701,8 +1699,7 @@ START_TEST(set_filter_rule_10)
 	fail_unless(rv == 0, "failed to parse rule");
 	free(s);

-	// The order of sites does not match the order of rules, it is the reverse 
-	// But all_sites should always be the first element
+	// all_sites should always be the last element
 	s = strdup("from user daemon to sni *");
 	rv = opts_set_filter_rule(opts, "Match", s, 0);
 	fail_unless(rv == 0, "failed to parse rule");
@ -1743,18 +1740,18 @@ START_TEST(set_filter_rule_10)
 "  user 0 daemon= \n"
 "    ip: \n"
 "    sni: \n"
-"      0:  (all_sites, substring, action=||||match, log=|||||, precedence=3)\n"
-"      1: example3.com (exact, action=||||match, log=|||||, precedence=3)\n"
-"      2: .example.com (substring, action=||||match, log=|||||, precedence=3)\n"
-"      3: example.com (exact, action=||||match, log=|||||, precedence=3)\n"
+"      0: example.com (exact, action=||||match, log=|||||, precedence=3)\n"
+"      1: .example.com (substring, action=||||match, log=|||||, precedence=3)\n"
+"      2: example3.com (exact, action=||||match, log=|||||, precedence=3)\n"
+"      3:  (all_sites, substring, action=||||match, log=|||||, precedence=3)\n"
 "    cn: \n"
 "    host: \n"
 "    uri: \n"
 "  user 1 root= \n"
 "    ip: \n"
 "    sni: \n"
-"      0: example2.com (exact, action=||||match, log=|||||, precedence=3)\n"
-"      1: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=4)\n"
+"      0: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=4)\n"
+"      1: example2.com (exact, action=||||match, log=|||||, precedence=3)\n"
 "    cn: \n"
 "    host: \n"
 "    uri: \n"
@ -1819,8 +1816,7 @@ START_TEST(set_filter_rule_11)
 	fail_unless(rv == 0, "failed to parse rule");
 	free(s);

-	// The order of sites does not match the order of rules, it is the reverse 
-	// But all_sites should always be the first element
+	// all_sites should always be the last element
 	s = strdup("from user daemon desc desc to cn *");
 	rv = opts_set_filter_rule(opts, "Match", s, 0);
 	fail_unless(rv == 0, "failed to parse rule");
@ -1897,10 +1893,10 @@ START_TEST(set_filter_rule_11)
 "    ip: \n"
 "    sni: \n"
 "    cn: \n"
-"      0:  (all_sites, substring, action=||||match, log=|||||, precedence=4)\n"
-"      1: example3.com (exact, action=||||match, log=|||||, precedence=4)\n"
-"      2: .example.com (substring, action=||||match, log=|||||, precedence=4)\n"
-"      3: example.com (exact, action=||||match, log=|||||, precedence=4)\n"
+"      0: example.com (exact, action=||||match, log=|||||, precedence=4)\n"
+"      1: .example.com (substring, action=||||match, log=|||||, precedence=4)\n"
+"      2: example3.com (exact, action=||||match, log=|||||, precedence=4)\n"
+"      3:  (all_sites, substring, action=||||match, log=|||||, precedence=4)\n"
 "    host: \n"
 "    uri: \n"
 " user 1 root=\n"
@ -1908,8 +1904,8 @@ START_TEST(set_filter_rule_11)
 "    ip: \n"
 "    sni: \n"
 "    cn: \n"
-"      0: example2.com (exact, action=||||match, log=|||||, precedence=4)\n"
-"      1: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=5)\n"
+"      0: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=5)\n"
+"      1: example2.com (exact, action=||||match, log=|||||, precedence=4)\n"
 "    host: \n"
 "    uri: \n"
 "user_filter->\n"
@ -1981,22 +1977,22 @@ START_TEST(set_filter_rule_12)

 	s = filter_rule_str(opts->filter_rules);
 	fail_unless(!strcmp(s,
-		"filter rule 0: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
-		"filter rule 1: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
-		"filter rule 2: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
-		"filter rule 3: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
-		"filter rule 4: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
-		"filter rule 5: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
-		"filter rule 6: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
-		"filter rule 7: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
-		"filter rule 8: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
-		"filter rule 9: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
-		"filter rule 10: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
-		"filter rule 11: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
-		"filter rule 12: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
-		"filter rule 13: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
-		"filter rule 14: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
-		"filter rule 15: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3"),
+		"filter rule 0: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
+		"filter rule 1: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
+		"filter rule 2: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
+		"filter rule 3: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
+		"filter rule 4: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
+		"filter rule 5: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
+		"filter rule 6: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
+		"filter rule 7: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
+		"filter rule 8: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
+		"filter rule 9: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
+		"filter rule 10: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
+		"filter rule 11: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
+		"filter rule 12: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
+		"filter rule 13: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
+		"filter rule 14: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
+		"filter rule 15: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3"),
 		"failed to parse rule: %s", s);	
 	free(s);

@ -2014,7 +2010,7 @@ START_TEST(set_filter_rule_12)
 "    host: \n"
 "    uri: \n"
 "ip_filter->\n"
-"  ip 0 192.168.0.1= \n"
+"  ip 0 192.168.0.2= \n"
 "    ip: \n"
 "      0: 192.168.0.3 (exact, action=||||, log=|||||, precedence=0)\n"
 "        port:\n"
@ -2028,7 +2024,7 @@ START_TEST(set_filter_rule_12)
 "    cn: \n"
 "    host: \n"
 "    uri: \n"
-"  ip 1 192.168.0.2= \n"
+"  ip 1 192.168.0.1= \n"
 "    ip: \n"
 "      0: 192.168.0.3 (exact, action=||||, log=|||||, precedence=0)\n"
 "        port:\n"
@ -2092,30 +2088,30 @@ START_TEST(set_filter_rule_13)

 	s = filter_rule_str(opts->filter_rules);
 	fail_unless(!strcmp(s,
-		"filter rule 0: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
-		"filter rule 1: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
-		"filter rule 2: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
-		"filter rule 3: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
-		"filter rule 4: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
-		"filter rule 5: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
-		"filter rule 6: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
-		"filter rule 7: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
-		"filter rule 8: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
-		"filter rule 9: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
-		"filter rule 10: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
-		"filter rule 11: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
-		"filter rule 12: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
-		"filter rule 13: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
-		"filter rule 14: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
-		"filter rule 15: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
-		"filter rule 16: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
-		"filter rule 17: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
-		"filter rule 18: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
-		"filter rule 19: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
-		"filter rule 20: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
-		"filter rule 21: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
-		"filter rule 22: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
-		"filter rule 23: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5"),
+		"filter rule 0: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
+		"filter rule 1: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
+		"filter rule 2: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
+		"filter rule 3: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
+		"filter rule 4: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
+		"filter rule 5: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
+		"filter rule 6: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
+		"filter rule 7: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
+		"filter rule 8: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
+		"filter rule 9: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
+		"filter rule 10: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
+		"filter rule 11: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
+		"filter rule 12: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
+		"filter rule 13: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
+		"filter rule 14: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
+		"filter rule 15: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
+		"filter rule 16: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
+		"filter rule 17: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
+		"filter rule 18: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
+		"filter rule 19: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
+		"filter rule 20: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
+		"filter rule 21: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
+		"filter rule 22: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
+		"filter rule 23: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5"),
 		"failed to parse rule: %s", s);	
 	free(s);

@ -2124,8 +2120,8 @@ START_TEST(set_filter_rule_13)
 	s = filter_str(opts->filter);
 	fail_unless(!strcmp(s, "filter=>\n"
 "userkeyword_filter->\n"
-" user 0 root=\n"
-"  keyword 0 desc1= \n"
+" user 0 daemon=\n"
+"  keyword 0 desc2= \n"
 "    ip: \n"
 "    sni: \n"
 "      0: site1 (exact, action=||||match, log=connect|||content||mirror, precedence=5)\n"
@ -2133,7 +2129,7 @@ START_TEST(set_filter_rule_13)
 "    cn: \n"
 "    host: \n"
 "    uri: \n"
-"  keyword 1 desc2= \n"
+"  keyword 1 desc1= \n"
 "    ip: \n"
 "    sni: \n"
 "      0: site1 (exact, action=||||match, log=connect|||content||mirror, precedence=5)\n"
@ -2141,8 +2137,8 @@ START_TEST(set_filter_rule_13)
 "    cn: \n"
 "    host: \n"
 "    uri: \n"
-" user 1 daemon=\n"
-"  keyword 0 desc1= \n"
+" user 1 root=\n"
+"  keyword 0 desc2= \n"
 "    ip: \n"
 "    sni: \n"
 "      0: site1 (exact, action=||||match, log=connect|||content||mirror, precedence=5)\n"
@ -2150,7 +2146,7 @@ START_TEST(set_filter_rule_13)
 "    cn: \n"
 "    host: \n"
 "    uri: \n"
-"  keyword 1 desc2= \n"
+"  keyword 1 desc1= \n"
 "    ip: \n"
 "    sni: \n"
 "      0: site1 (exact, action=||||match, log=connect|||content||mirror, precedence=5)\n"
--- a/tests/testproxy/sslproxy.conf
+++ b/tests/testproxy/sslproxy.conf
@ -335,10 +335,61 @@ ProxySpec {
 	TargetAddr 127.0.0.1
 	TargetPort 9191
 	Divert no
-	# Match rules should not change filter action
-	Match from ip 127.0.0.1 to ip 127.0.0.1
-	Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+	# Unrelated rules should not have any effect
+	Block from ip 127.0.0.0
+	Block from ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.0
+	Block from ip 127.0.0.1 to ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190 log connect
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect
+
+	# Lower precedence actions should not change filter action
+	# Less specific rules should not change filter action
+	Match *
+	Block *
+	Pass *
+	Split *
+
+	Match from *
+	Block from *
+	Pass from *
+	Split from *
+
+	Match from ip *
+	Block from ip *
+	Pass from ip *
+	Split from ip *
+
+	Match from ip 127.0.0.1
+	Block from ip 127.0.0.1
+	Pass from ip 127.0.0.1
+	Split from ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip *
+	Block from ip 127.0.0.1 to ip *
+	Pass from ip 127.0.0.1 to ip *
+	Split from ip 127.0.0.1 to ip *
+
 	Match from ip 127.0.0.1 to ip 127.0.0.1
+	Block from ip 127.0.0.1 to ip 127.0.0.1
+	Pass from ip 127.0.0.1 to ip 127.0.0.1
+	Split from ip 127.0.0.1 to ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+
+	# The most specific and the highest precedence action
+	Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9191
 }
 ProxySpec {
 	Proto https
@ -348,9 +399,61 @@ ProxySpec {
 	TargetAddr 127.0.0.1
 	TargetPort 9192
 	Divert no
+
+	# Unrelated rules should not have any effect
+	Block from ip 127.0.0.0
+	Block from ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.0
+	Block from ip 127.0.0.1 to ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191 log connect
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect
+
+	# Lower precedence actions should not change filter action
+	# Less specific rules should not change filter action
+	Match *
+	Block *
+	Pass *
+	Split *
+
+	Match from *
+	Block from *
+	Pass from *
+	Split from *
+
+	Match from ip *
+	Block from ip *
+	Pass from ip *
+	Split from ip *
+
+	Match from ip 127.0.0.1
+	Block from ip 127.0.0.1
+	Pass from ip 127.0.0.1
+	Split from ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip *
+	Block from ip 127.0.0.1 to ip *
+	Pass from ip 127.0.0.1 to ip *
+	Split from ip 127.0.0.1 to ip *
+
 	Match from ip 127.0.0.1 to ip 127.0.0.1
-	Divert from ip 127.0.0.1 to ip 127.0.0.1
-	Match from ip 127.0.0.1 to ip 127.0.0.1
+	Block from ip 127.0.0.1 to ip 127.0.0.1
+	Pass from ip 127.0.0.1 to ip 127.0.0.1
+	Split from ip 127.0.0.1 to ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+
+	# The most specific and the highest precedence action
+	Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9192
 }

 # Tests for Split filtering rules
@ -362,9 +465,61 @@ ProxySpec {
 	TargetAddr 127.0.0.1
 	TargetPort 9193
 	Divert yes
+
+	# Unrelated rules should not have any effect
+	Block from ip 127.0.0.0
+	Block from ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.0
+	Block from ip 127.0.0.1 to ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect
+
+	# Lower precedence actions should not change filter action
+	# Less specific rules should not change filter action
+	Match *
+	Block *
+	Pass *
+	Divert *
+
+	Match from *
+	Block from *
+	Pass from *
+	Divert from *
+
+	Match from ip *
+	Block from ip *
+	Pass from ip *
+	Divert from ip *
+
+	Match from ip 127.0.0.1
+	Block from ip 127.0.0.1
+	Pass from ip 127.0.0.1
+	Divert from ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip *
+	Block from ip 127.0.0.1 to ip *
+	Pass from ip 127.0.0.1 to ip *
+	Divert from ip 127.0.0.1 to ip *
+
 	Match from ip 127.0.0.1 to ip 127.0.0.1
-	Split from ip 127.0.0.1 to ip 127.0.0.1
-	Match from ip 127.0.0.1 to ip 127.0.0.1
+	Block from ip 127.0.0.1 to ip 127.0.0.1
+	Pass from ip 127.0.0.1 to ip 127.0.0.1
+	Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+	# No Divert, because Divert's precedence is higher than Split's
+
+	# The most specific and the highest precedence action
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port 9193
 }
 ProxySpec {
 	Proto https
@ -374,9 +529,61 @@ ProxySpec {
 	TargetAddr 127.0.0.1
 	TargetPort 9194
 	Divert yes
+
+	# Unrelated rules should not have any effect
+	Block from ip 127.0.0.0
+	Block from ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.0
+	Block from ip 127.0.0.1 to ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect
+
+	# Lower precedence actions should not change filter action
+	# Less specific rules should not change filter action
+	Match *
+	Block *
+	Pass *
+	Divert *
+
+	Match from *
+	Block from *
+	Pass from *
+	Divert from *
+
+	Match from ip *
+	Block from ip *
+	Pass from ip *
+	Divert from ip *
+
+	Match from ip 127.0.0.1
+	Block from ip 127.0.0.1
+	Pass from ip 127.0.0.1
+	Divert from ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip *
+	Block from ip 127.0.0.1 to ip *
+	Pass from ip 127.0.0.1 to ip *
+	Divert from ip 127.0.0.1 to ip *
+
 	Match from ip 127.0.0.1 to ip 127.0.0.1
-	Split from ip 127.0.0.1 to ip 127.0.0.1
-	Match from ip 127.0.0.1 to ip 127.0.0.1
+	Block from ip 127.0.0.1 to ip 127.0.0.1
+	Pass from ip 127.0.0.1 to ip 127.0.0.1
+	Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+	# No Divert, because Divert's precedence is higher than Split's
+
+	# The most specific and the highest precedence action
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port 9194
 }

 # Tests for Pass filtering rules
@ -388,9 +595,60 @@ ProxySpec {
 	TargetAddr 127.0.0.1
 	TargetPort 9195
 	Divert yes
+
+	# Unrelated rules should not have any effect
+	Block from ip 127.0.0.0
+	Block from ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.0
+	Block from ip 127.0.0.1 to ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect
+
+	# Lower precedence actions should not change filter action
+	# Less specific rules should not change filter action
+	Match *
+	Block *
+	Split *
+	Divert *
+
+	Match from *
+	Block from *
+	Split from *
+	Divert from *
+
+	Match from ip *
+	Block from ip *
+	Split from ip *
+	Divert from ip *
+
+	Match from ip 127.0.0.1
+	Block from ip 127.0.0.1
+	Split from ip 127.0.0.1
+	Divert from ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip *
+	Block from ip 127.0.0.1 to ip *
+	Split from ip 127.0.0.1 to ip *
+	Divert from ip 127.0.0.1 to ip *
+
 	Match from ip 127.0.0.1 to ip 127.0.0.1
-	Pass from ip 127.0.0.1 to ip 127.0.0.1 log connect
-	Match from ip 127.0.0.1 to ip 127.0.0.1
+	Block from ip 127.0.0.1 to ip 127.0.0.1
+	Split from ip 127.0.0.1 to ip 127.0.0.1
+	Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port 9195
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
+	# No Divert or Split, because their precedence is higher than Pass's
+
+	# The most specific and the highest precedence action
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9195
 }
 ProxySpec {
 	Proto https
@ -400,9 +658,60 @@ ProxySpec {
 	TargetAddr 127.0.0.1
 	TargetPort 9196
 	Divert yes
+
+	# Unrelated rules should not have any effect
+	Block from ip 127.0.0.0
+	Block from ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.0
+	Block from ip 127.0.0.1 to ip 127.0.0.2
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect
+
+	# Lower precedence actions should not change filter action
+	# Less specific rules should not change filter action
+	Match *
+	Block *
+	Split *
+	Divert *
+
+	Match from *
+	Block from *
+	Split from *
+	Divert from *
+
+	Match from ip *
+	Block from ip *
+	Split from ip *
+	Divert from ip *
+
+	Match from ip 127.0.0.1
+	Block from ip 127.0.0.1
+	Split from ip 127.0.0.1
+	Divert from ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip *
+	Block from ip 127.0.0.1 to ip *
+	Split from ip 127.0.0.1 to ip *
+	Divert from ip 127.0.0.1 to ip *
+
 	Match from ip 127.0.0.1 to ip 127.0.0.1
-	Pass from ip 127.0.0.1 to ip 127.0.0.1 log connect
-	Match from ip 127.0.0.1 to ip 127.0.0.1
+	Block from ip 127.0.0.1 to ip 127.0.0.1
+	Split from ip 127.0.0.1 to ip 127.0.0.1
+	Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port 9196
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196
+	# No Divert or Split, because their precedence is higher than Pass's
+
+	# The most specific and the highest precedence action
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196
 }

 # Tests for Block filtering rules
@ -414,9 +723,59 @@ ProxySpec {
 	TargetAddr 127.0.0.1
 	TargetPort 9197
 	Divert yes
+
+	# Unrelated rules should not have any effect
+	Pass from ip 127.0.0.0
+	Pass from ip 127.0.0.2
+	Pass from ip 127.0.0.1 to ip 127.0.0.0
+	Pass from ip 127.0.0.1 to ip 127.0.0.2
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198 log connect
+
+	# Lower precedence actions should not change filter action
+	# Less specific rules should not change filter action
+	Match *
+	Pass *
+	Split *
+	Divert *
+
+	Match from *
+	Pass from *
+	Split from *
+	Divert from *
+
+	Match from ip *
+	Pass from ip *
+	Split from ip *
+	Divert from ip *
+
+	Match from ip 127.0.0.1
+	Pass from ip 127.0.0.1
+	Split from ip 127.0.0.1
+	Divert from ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip *
+	Pass from ip 127.0.0.1 to ip *
+	Split from ip 127.0.0.1 to ip *
+	Divert from ip 127.0.0.1 to ip *
+
 	Match from ip 127.0.0.1 to ip 127.0.0.1
-	Block from ip 127.0.0.1 to ip 127.0.0.1
-	Match from ip 127.0.0.1 to ip 127.0.0.1
+	Pass from ip 127.0.0.1 to ip 127.0.0.1
+	Split from ip 127.0.0.1 to ip 127.0.0.1
+	Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port 9197
+	# No Divert, Split, or Pass, because their precedence is higher than Block's
+
+	# The most specific and the highest precedence action
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197
 }
 ProxySpec {
 	Proto https
@ -426,7 +785,57 @@ ProxySpec {
 	TargetAddr 127.0.0.1
 	TargetPort 9198
 	Divert yes
+
+	# Unrelated rules should not have any effect
+	Pass from ip 127.0.0.0
+	Pass from ip 127.0.0.2
+	Pass from ip 127.0.0.1 to ip 127.0.0.0
+	Pass from ip 127.0.0.1 to ip 127.0.0.2
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199 log connect
+
+	# Lower precedence actions should not change filter action
+	# Less specific rules should not change filter action
+	Match *
+	Pass *
+	Split *
+	Divert *
+
+	Match from *
+	Pass from *
+	Split from *
+	Divert from *
+
+	Match from ip *
+	Pass from ip *
+	Split from ip *
+	Divert from ip *
+
+	Match from ip 127.0.0.1
+	Pass from ip 127.0.0.1
+	Split from ip 127.0.0.1
+	Divert from ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip *
+	Pass from ip 127.0.0.1 to ip *
+	Split from ip 127.0.0.1 to ip *
+	Divert from ip 127.0.0.1 to ip *
+
 	Match from ip 127.0.0.1 to ip 127.0.0.1
-	Block from ip 127.0.0.1 to ip 127.0.0.1
-	Match from ip 127.0.0.1 to ip 127.0.0.1
+	Pass from ip 127.0.0.1 to ip 127.0.0.1
+	Split from ip 127.0.0.1 to ip 127.0.0.1
+	Divert from ip 127.0.0.1 to ip 127.0.0.1
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Split from ip 127.0.0.1 to ip 127.0.0.1 port *
+	Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
+
+	Match from ip 127.0.0.1 to ip 127.0.0.1 port 9198
+	# No Divert, Split, or Pass, because their precedence is higher than Block's
+
+	# The most specific and the highest precedence action
+	Block from ip 127.0.0.1 to ip 127.0.0.1 port 9198
 }