Fix the ordering of sites, ports, and macro values in filtering rules

all_sites and all_ports rules should be at the end of their lists so that
they are searched last: they are the least specific rules in their lists
and hence have lower precedence.

Also, obey the order of rules in conf files by adding sites, ports, and
macro values to their lists in the same order they are in conf files.

Update the unit and e2e tests accordingly, and improve.
Soner Tari 3 years ago
parent c8f09d162a
commit 14f68457fb

@ -707,6 +707,22 @@ opts_append_to_filter_rules(filter_rule_t **list, filter_rule_t *rule)
*list = rule;
}
static void
opts_append_to_macro_values(value_t **list, value_t *value)
{
value_t *l = *list;
while (l) {
if (!l->next)
break;
l = l->next;
}
if (l)
l->next = value;
else
*list = value;
}
#ifndef WITHOUT_USERAUTH
static int WUNRES
opts_set_user_auth_url(opts_t *opts, const char * argv0, const char *optarg)
@ -879,8 +895,7 @@ clone_global_opts(global_t *global, const char *argv0, tmp_global_opts_t *tmp_gl
if (!v->value)
return oom_return_null(argv0);
v->next = m->value;
m->value = v;
opts_append_to_macro_values(&m->value, v);
value = value->next;
}
@ -2896,8 +2911,8 @@ opts_set_macro(opts_t *opts, char *value, int line_num)
v->value = strdup(argv[i++]);
if (!v->value)
return oom_return_na();
v->next = macro->value;
macro->value = v;
opts_append_to_macro_values(&macro->value, v);
}
macro->next = opts->macro;
@ -3514,38 +3529,38 @@ opts_find_port(filter_port_t *port, filter_rule_t *rule)
return port;
}
static filter_port_t *
opts_add_port(filter_port_t *port, filter_rule_t *rule)
static int NONNULL(1,2) WUNRES
opts_add_port(filter_port_t **port, filter_rule_t *rule)
{
int prepend = 1;
if (port && port->all_ports) {
// all_ports should be at the beginning of the port list for performance reasons
// it effectively disables the rest of the list, but we keep the rest for reporting
prepend = 0;
}
filter_port_t *p = opts_find_port(port, rule);
filter_port_t *p = opts_find_port(*port, rule);
if (!p) {
p = malloc(sizeof(filter_port_t));
if (!p)
return oom_return_na_null();
return oom_return_na();
memset(p, 0, sizeof(filter_port_t));
p->port = strdup(rule->port);
if (!p->port)
return oom_return_na_null();
return oom_return_na();
if (prepend) {
p->next = port;
} else {
// Insert the new port after the head
// If prepend is 0, port is never NULL
p->next = port->next;
port->next = p;
// all_ports should be at the end of the port list, it has the lowest precedence
filter_port_t *prev = NULL;
filter_port_t *l = *port;
while (l) {
if (l->all_ports)
break;
prev = l;
l = l->next;
}
if (prev) {
p->next = prev->next;
prev->next = p;
}
else {
if (*port)
p->next = *port;
*port = p;
}
} else {
// If the port exists, we should return the head of the port list
// i.e. we have not prepended anything
prepend = 0;
}
// Do not override the specs of port rules at higher precedence
@ -3581,8 +3596,7 @@ opts_add_port(filter_port_t *port, filter_rule_t *rule)
p->action.precedence = rule->action.precedence;
}
return prepend ? p : port;
return 0;
}
static filter_site_t *
@ -3596,38 +3610,38 @@ opts_find_site(filter_site_t *site, filter_rule_t *rule)
return site;
}
static filter_site_t *
opts_add_site(filter_site_t *site, filter_rule_t *rule)
static int NONNULL(1,2) WUNRES
opts_add_site(filter_site_t **site, filter_rule_t *rule)
{
int prepend = 1;
if (site && site->all_sites) {
// all_sites should be at the beginning of the site list for performance reasons
// it effectively disables the rest of the list, but we keep the rest for reporting
prepend = 0;
}
filter_site_t *s = opts_find_site(site, rule);
filter_site_t *s = opts_find_site(*site, rule);
if (!s) {
s = malloc(sizeof(filter_site_t));
if (!s)
return oom_return_na_null();
return oom_return_na();
memset(s, 0, sizeof(filter_site_t));
s->site = strdup(rule->site);
if (!s->site)
return oom_return_na_null();
return oom_return_na();
if (prepend) {
s->next = site;
} else {
// Insert the new site after the head
// If prepend is 0, site is never NULL
s->next = site->next;
site->next = s;
// all_sites should be at the end of the site list, it has the lowest precedence
filter_site_t *prev = NULL;
filter_site_t *l = *site;
while (l) {
if (l->all_sites)
break;
prev = l;
l = l->next;
}
if (prev) {
s->next = prev->next;
prev->next = s;
}
else {
if (*site)
s->next = *site;
*site = s;
}
} else {
// If the site exists, we should return the head of the site list
// i.e. we have not prepended anything
prepend = 0;
}
s->all_sites = rule->all_sites;
@ -3637,7 +3651,8 @@ opts_add_site(filter_site_t *site, filter_rule_t *rule)
// Port rule is added as a new port under the same site
// hence 'if else', not just 'if'
if (rule->port) {
s->port = opts_add_port(s->port, rule);
if (opts_add_port(&s->port, rule) == -1)
return -1;
}
// Do not override the specs of site rules at higher precedence
// precedence can only go up not down
@ -3669,36 +3684,30 @@ opts_add_site(filter_site_t *site, filter_rule_t *rule)
s->action.precedence = rule->action.precedence;
}
return prepend ? s : site;
return 0;
}
static int
opts_add_to_sitelist(filter_list_t *list, filter_rule_t *rule)
{
if (rule->dstip) {
list->ip = opts_add_site(list->ip, rule);
if (!list->ip)
if (opts_add_site(&list->ip, rule) == -1)
return -1;
}
if (rule->sni) {
list->sni = opts_add_site(list->sni, rule);
if (!list->sni)
if (opts_add_site(&list->sni, rule) == -1)
return -1;
}
if (rule->cn) {
list->cn = opts_add_site(list->cn, rule);
if (!list->cn)
if (opts_add_site(&list->cn, rule) == -1)
return -1;
}
if (rule->host) {
list->host = opts_add_site(list->host, rule);
if (!list->host)
if (opts_add_site(&list->host, rule) == -1)
return -1;
}
if (rule->uri) {
list->uri = opts_add_site(list->uri, rule);
if (!list->uri)
if (opts_add_site(&list->uri, rule) == -1)
return -1;
}
return 0;
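Review bot: In opts_add_port, when `strdup(rule->port)` fails, the freshly malloc'ed `p` has not been linked into the list and is not freed before `return oom_return_na();`, so the node leaks on that error path. opts_add_site has the same pattern with `s` and `strdup(rule->site)`. Both functions now report failure through an int result and leave the caller's list head intact, so a caller can keep running after the error, which makes the leak worth closing: `if (!p->port) { free(p); return oom_return_na(); }` and likewise `if (!s->site) { free(s); return oom_return_na(); }`. Both function bodies continue outside the hunks shown.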

@ -1454,8 +1454,7 @@ START_TEST(set_filter_rule_08)
fail_unless(rv == 0, "failed to parse rule");
free(s);
// The order of sites does not match the order of rules, it is the reverse
// But all_sites should always be the first element
// all_sites should always be the last element
s = strdup("from ip 192.168.0.2 to ip *");
rv = opts_set_filter_rule(opts, "Match", s, 0);
fail_unless(rv == 0, "failed to parse rule");
@ -1503,18 +1502,18 @@ START_TEST(set_filter_rule_08)
"ip_filter->\n"
" ip 0 192.168.0.2= \n"
" ip: \n"
" 0: (all_sites, substring, action=||||match, log=|||||, precedence=1)\n"
" 1: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=1)\n"
" 2: 192.168.0. (substring, action=||||match, log=|||||, precedence=1)\n"
" 3: 192.168.0.1 (exact, action=||||match, log=|||||, precedence=1)\n"
" 0: 192.168.0.1 (exact, action=||||match, log=|||||, precedence=1)\n"
" 1: 192.168.0. (substring, action=||||match, log=|||||, precedence=1)\n"
" 2: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=1)\n"
" 3: (all_sites, substring, action=||||match, log=|||||, precedence=1)\n"
" sni: \n"
" cn: \n"
" host: \n"
" uri: \n"
" ip 1 192.168.0.1= \n"
" ip: \n"
" 0: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=1)\n"
" 1: 192.168.0.2 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=2)\n"
" 0: 192.168.0.2 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=2)\n"
" 1: 192.168.0.3 (exact, action=||||match, log=|||||, precedence=1)\n"
" sni: \n"
" cn: \n"
" host: \n"
@ -1582,8 +1581,7 @@ START_TEST(set_filter_rule_09)
fail_unless(rv == 0, "failed to parse rule");
free(s);
// The order of sites does not match the order of rules, it is the reverse
// But all_sites should always be the first element
// all_sites should always be the last element
s = strdup("from ip 192.168.0.2 to ip 192.168.0.1 port *");
rv = opts_set_filter_rule(opts, "Match", s, 0);
fail_unless(rv == 0, "failed to parse rule");
@ -1628,22 +1626,22 @@ START_TEST(set_filter_rule_09)
" ip: \n"
" 0: 192.168.0.1 (exact, action=||||, log=|||||, precedence=0)\n"
" port:\n"
" 0: (all_ports, substring, action=||||match, log=|||||, precedence=2)\n"
" 0: 443 (exact, action=||||match, log=|||||, precedence=2)\n"
" 1: 80 (substring, action=||||match, log=|||||, precedence=2)\n"
" 2: 443 (exact, action=||||match, log=|||||, precedence=2)\n"
" 2: (all_ports, substring, action=||||match, log=|||||, precedence=2)\n"
" sni: \n"
" cn: \n"
" host: \n"
" uri: \n"
" ip 1 192.168.0.1= \n"
" ip: \n"
" 0: 192.168.0.3 (exact, action=||||match, log=|||||!mirror, precedence=2)\n"
" port:\n"
" 0: 80 (exact, action=||||match, log=|||||, precedence=2)\n"
" 1: 443 (exact, action=||||match, log=|||||, precedence=2)\n"
" 1: 192.168.0.2 (exact, action=||||, log=|||||, precedence=0)\n"
" 0: 192.168.0.2 (exact, action=||||, log=|||||, precedence=0)\n"
" port:\n"
" 0: 443 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=3)\n"
" 1: 192.168.0.3 (exact, action=||||match, log=|||||!mirror, precedence=2)\n"
" port:\n"
" 0: 443 (exact, action=||||match, log=|||||, precedence=2)\n"
" 1: 80 (exact, action=||||match, log=|||||, precedence=2)\n"
" sni: \n"
" cn: \n"
" host: \n"
@ -1701,8 +1699,7 @@ START_TEST(set_filter_rule_10)
fail_unless(rv == 0, "failed to parse rule");
free(s);
// The order of sites does not match the order of rules, it is the reverse
// But all_sites should always be the first element
// all_sites should always be the last element
s = strdup("from user daemon to sni *");
rv = opts_set_filter_rule(opts, "Match", s, 0);
fail_unless(rv == 0, "failed to parse rule");
@ -1743,18 +1740,18 @@ START_TEST(set_filter_rule_10)
" user 0 daemon= \n"
" ip: \n"
" sni: \n"
" 0: (all_sites, substring, action=||||match, log=|||||, precedence=3)\n"
" 1: example3.com (exact, action=||||match, log=|||||, precedence=3)\n"
" 2: .example.com (substring, action=||||match, log=|||||, precedence=3)\n"
" 3: example.com (exact, action=||||match, log=|||||, precedence=3)\n"
" 0: example.com (exact, action=||||match, log=|||||, precedence=3)\n"
" 1: .example.com (substring, action=||||match, log=|||||, precedence=3)\n"
" 2: example3.com (exact, action=||||match, log=|||||, precedence=3)\n"
" 3: (all_sites, substring, action=||||match, log=|||||, precedence=3)\n"
" cn: \n"
" host: \n"
" uri: \n"
" user 1 root= \n"
" ip: \n"
" sni: \n"
" 0: example2.com (exact, action=||||match, log=|||||, precedence=3)\n"
" 1: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=4)\n"
" 0: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=4)\n"
" 1: example2.com (exact, action=||||match, log=|||||, precedence=3)\n"
" cn: \n"
" host: \n"
" uri: \n"
@ -1819,8 +1816,7 @@ START_TEST(set_filter_rule_11)
fail_unless(rv == 0, "failed to parse rule");
free(s);
// The order of sites does not match the order of rules, it is the reverse
// But all_sites should always be the first element
// all_sites should always be the last element
s = strdup("from user daemon desc desc to cn *");
rv = opts_set_filter_rule(opts, "Match", s, 0);
fail_unless(rv == 0, "failed to parse rule");
@ -1897,10 +1893,10 @@ START_TEST(set_filter_rule_11)
" ip: \n"
" sni: \n"
" cn: \n"
" 0: (all_sites, substring, action=||||match, log=|||||, precedence=4)\n"
" 1: example3.com (exact, action=||||match, log=|||||, precedence=4)\n"
" 2: .example.com (substring, action=||||match, log=|||||, precedence=4)\n"
" 3: example.com (exact, action=||||match, log=|||||, precedence=4)\n"
" 0: example.com (exact, action=||||match, log=|||||, precedence=4)\n"
" 1: .example.com (substring, action=||||match, log=|||||, precedence=4)\n"
" 2: example3.com (exact, action=||||match, log=|||||, precedence=4)\n"
" 3: (all_sites, substring, action=||||match, log=|||||, precedence=4)\n"
" host: \n"
" uri: \n"
" user 1 root=\n"
@ -1908,8 +1904,8 @@ START_TEST(set_filter_rule_11)
" ip: \n"
" sni: \n"
" cn: \n"
" 0: example2.com (exact, action=||||match, log=|||||, precedence=4)\n"
" 1: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=5)\n"
" 0: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=5)\n"
" 1: example2.com (exact, action=||||match, log=|||||, precedence=4)\n"
" host: \n"
" uri: \n"
"user_filter->\n"
@ -1981,22 +1977,22 @@ START_TEST(set_filter_rule_12)
s = filter_rule_str(opts->filter_rules);
fail_unless(!strcmp(s,
"filter rule 0: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 1: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 2: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 3: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 4: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 5: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 6: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 7: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 8: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 9: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 10: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 11: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 12: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 13: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 14: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 15: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3"),
"filter rule 0: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 1: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 2: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 3: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 4: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 5: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 6: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 7: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.1, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 8: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 9: site=192.168.0.3, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 10: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 11: site=192.168.0.3, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 12: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 13: site=192.168.0.4, exact, port=80, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3\n"
"filter rule 14: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=|!master||||, apply to=dstip||||, precedence=3\n"
"filter rule 15: site=192.168.0.4, exact, port=443, exact_port, ip=192.168.0.2, user=, keyword=, all=|||, action=||||match, log=||||!pcap|, apply to=dstip||||, precedence=3"),
"failed to parse rule: %s", s);
free(s);
@ -2014,7 +2010,7 @@ START_TEST(set_filter_rule_12)
" host: \n"
" uri: \n"
"ip_filter->\n"
" ip 0 192.168.0.1= \n"
" ip 0 192.168.0.2= \n"
" ip: \n"
" 0: 192.168.0.3 (exact, action=||||, log=|||||, precedence=0)\n"
" port:\n"
@ -2028,7 +2024,7 @@ START_TEST(set_filter_rule_12)
" cn: \n"
" host: \n"
" uri: \n"
" ip 1 192.168.0.2= \n"
" ip 1 192.168.0.1= \n"
" ip: \n"
" 0: 192.168.0.3 (exact, action=||||, log=|||||, precedence=0)\n"
" port:\n"
@ -2092,30 +2088,30 @@ START_TEST(set_filter_rule_13)
s = filter_rule_str(opts->filter_rules);
fail_unless(!strcmp(s,
"filter rule 0: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 1: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 2: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 3: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 4: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 5: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 6: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 7: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 8: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 9: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 10: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 11: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 12: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 13: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 14: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 15: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 16: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 17: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 18: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 19: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 20: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 21: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 22: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 23: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5"),
"filter rule 0: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 1: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 2: site=site1, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 3: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 4: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 5: site=site2, exact, port=, , ip=, user=root, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 6: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 7: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 8: site=site1, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 9: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 10: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 11: site=site2, exact, port=, , ip=, user=root, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 12: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 13: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 14: site=site1, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 15: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 16: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 17: site=site2, exact, port=, , ip=, user=daemon, keyword=desc1, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 18: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 19: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 20: site=site1, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5\n"
"filter rule 21: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=connect|||||, apply to=|sni|||, precedence=5\n"
"filter rule 22: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||content||, apply to=|sni|||, precedence=5\n"
"filter rule 23: site=site2, exact, port=, , ip=, user=daemon, keyword=desc2, all=|||, action=||||match, log=|||||mirror, apply to=|sni|||, precedence=5"),
"failed to parse rule: %s", s);
free(s);
@ -2124,8 +2120,8 @@ START_TEST(set_filter_rule_13)
s = filter_str(opts->filter);
fail_unless(!strcmp(s, "filter=>\n"
"userkeyword_filter->\n"
" user 0 root=\n"
" keyword 0 desc1= \n"
" user 0 daemon=\n"
" keyword 0 desc2= \n"
" ip: \n"
" sni: \n"
" 0: site1 (exact, action=||||match, log=connect|||content||mirror, precedence=5)\n"
@ -2133,7 +2129,7 @@ START_TEST(set_filter_rule_13)
" cn: \n"
" host: \n"
" uri: \n"
" keyword 1 desc2= \n"
" keyword 1 desc1= \n"
" ip: \n"
" sni: \n"
" 0: site1 (exact, action=||||match, log=connect|||content||mirror, precedence=5)\n"
@ -2141,8 +2137,8 @@ START_TEST(set_filter_rule_13)
" cn: \n"
" host: \n"
" uri: \n"
" user 1 daemon=\n"
" keyword 0 desc1= \n"
" user 1 root=\n"
" keyword 0 desc2= \n"
" ip: \n"
" sni: \n"
" 0: site1 (exact, action=||||match, log=connect|||content||mirror, precedence=5)\n"
@ -2150,7 +2146,7 @@ START_TEST(set_filter_rule_13)
" cn: \n"
" host: \n"
" uri: \n"
" keyword 1 desc2= \n"
" keyword 1 desc1= \n"
" ip: \n"
" sni: \n"
" 0: site1 (exact, action=||||match, log=connect|||content||mirror, precedence=5)\n"

@ -335,10 +335,61 @@ ProxySpec {
TargetAddr 127.0.0.1
TargetPort 9191
Divert no
# Match rules should not change filter action
Match from ip 127.0.0.1 to ip 127.0.0.1
Divert from ip 127.0.0.1 to ip 127.0.0.1
# Unrelated rules should not have any effect
Block from ip 127.0.0.0
Block from ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.0
Block from ip 127.0.0.1 to ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190 log connect
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect
# Lower precedence actions should not change filter action
# Less specific rules should not change filter action
Match *
Block *
Pass *
Split *
Match from *
Block from *
Pass from *
Split from *
Match from ip *
Block from ip *
Pass from ip *
Split from ip *
Match from ip 127.0.0.1
Block from ip 127.0.0.1
Pass from ip 127.0.0.1
Split from ip 127.0.0.1
Match from ip 127.0.0.1 to ip *
Block from ip 127.0.0.1 to ip *
Pass from ip 127.0.0.1 to ip *
Split from ip 127.0.0.1 to ip *
Match from ip 127.0.0.1 to ip 127.0.0.1
Block from ip 127.0.0.1 to ip 127.0.0.1
Pass from ip 127.0.0.1 to ip 127.0.0.1
Split from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9191
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9191
Split from ip 127.0.0.1 to ip 127.0.0.1 port 9191
# The most specific and the highest precedence action
Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9191
}
ProxySpec {
Proto https
@ -348,9 +399,61 @@ ProxySpec {
TargetAddr 127.0.0.1
TargetPort 9192
Divert no
# Unrelated rules should not have any effect
Block from ip 127.0.0.0
Block from ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.0
Block from ip 127.0.0.1 to ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191 log connect
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect
# Lower precedence actions should not change filter action
# Less specific rules should not change filter action
Match *
Block *
Pass *
Split *
Match from *
Block from *
Pass from *
Split from *
Match from ip *
Block from ip *
Pass from ip *
Split from ip *
Match from ip 127.0.0.1
Block from ip 127.0.0.1
Pass from ip 127.0.0.1
Split from ip 127.0.0.1
Match from ip 127.0.0.1 to ip *
Block from ip 127.0.0.1 to ip *
Pass from ip 127.0.0.1 to ip *
Split from ip 127.0.0.1 to ip *
Match from ip 127.0.0.1 to ip 127.0.0.1
Divert from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1
Block from ip 127.0.0.1 to ip 127.0.0.1
Pass from ip 127.0.0.1 to ip 127.0.0.1
Split from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9192
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9192
Split from ip 127.0.0.1 to ip 127.0.0.1 port 9192
# The most specific and the highest precedence action
Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9192
}
# Tests for Split filtering rules
@ -362,9 +465,61 @@ ProxySpec {
TargetAddr 127.0.0.1
TargetPort 9193
Divert yes
# Unrelated rules should not have any effect
Block from ip 127.0.0.0
Block from ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.0
Block from ip 127.0.0.1 to ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect
# Lower precedence actions should not change filter action
# Less specific rules should not change filter action
Match *
Block *
Pass *
Divert *
Match from *
Block from *
Pass from *
Divert from *
Match from ip *
Block from ip *
Pass from ip *
Divert from ip *
Match from ip 127.0.0.1
Block from ip 127.0.0.1
Pass from ip 127.0.0.1
Divert from ip 127.0.0.1
Match from ip 127.0.0.1 to ip *
Block from ip 127.0.0.1 to ip *
Pass from ip 127.0.0.1 to ip *
Divert from ip 127.0.0.1 to ip *
Match from ip 127.0.0.1 to ip 127.0.0.1
Split from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1
Block from ip 127.0.0.1 to ip 127.0.0.1
Pass from ip 127.0.0.1 to ip 127.0.0.1
Divert from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9193
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9193
# No Divert, because Divert's precedence is higher than Split's
# The most specific and the highest precedence action
Split from ip 127.0.0.1 to ip 127.0.0.1 port 9193
}
ProxySpec {
Proto https
@ -374,9 +529,61 @@ ProxySpec {
TargetAddr 127.0.0.1
TargetPort 9194
Divert yes
# Unrelated rules should not have any effect
Block from ip 127.0.0.0
Block from ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.0
Block from ip 127.0.0.1 to ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect
# Lower precedence actions should not change filter action
# Less specific rules should not change filter action
Match *
Block *
Pass *
Divert *
Match from *
Block from *
Pass from *
Divert from *
Match from ip *
Block from ip *
Pass from ip *
Divert from ip *
Match from ip 127.0.0.1
Block from ip 127.0.0.1
Pass from ip 127.0.0.1
Divert from ip 127.0.0.1
Match from ip 127.0.0.1 to ip *
Block from ip 127.0.0.1 to ip *
Pass from ip 127.0.0.1 to ip *
Divert from ip 127.0.0.1 to ip *
Match from ip 127.0.0.1 to ip 127.0.0.1
Split from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1
Block from ip 127.0.0.1 to ip 127.0.0.1
Pass from ip 127.0.0.1 to ip 127.0.0.1
Divert from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9194
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9194
# No Divert, because Divert's precedence is higher than Split's
# The most specific and the highest precedence action
Split from ip 127.0.0.1 to ip 127.0.0.1 port 9194
}
# Tests for Pass filtering rules
@ -388,9 +595,60 @@ ProxySpec {
TargetAddr 127.0.0.1
TargetPort 9195
Divert yes
# Unrelated rules should not have any effect
Block from ip 127.0.0.0
Block from ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.0
Block from ip 127.0.0.1 to ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect
# Lower precedence actions should not change filter action
# Less specific rules should not change filter action
Match *
Block *
Split *
Divert *
Match from *
Block from *
Split from *
Divert from *
Match from ip *
Block from ip *
Split from ip *
Divert from ip *
Match from ip 127.0.0.1
Block from ip 127.0.0.1
Split from ip 127.0.0.1
Divert from ip 127.0.0.1
Match from ip 127.0.0.1 to ip *
Block from ip 127.0.0.1 to ip *
Split from ip 127.0.0.1 to ip *
Divert from ip 127.0.0.1 to ip *
Match from ip 127.0.0.1 to ip 127.0.0.1
Pass from ip 127.0.0.1 to ip 127.0.0.1 log connect
Match from ip 127.0.0.1 to ip 127.0.0.1
Block from ip 127.0.0.1 to ip 127.0.0.1
Split from ip 127.0.0.1 to ip 127.0.0.1
Divert from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9195
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
# No Divert or Split, because their precedence is higher than Pass's
# The most specific and the highest precedence action
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9195
}
ProxySpec {
Proto https
@ -400,9 +658,60 @@ ProxySpec {
TargetAddr 127.0.0.1
TargetPort 9196
Divert yes
# Unrelated rules should not have any effect
Block from ip 127.0.0.0
Block from ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.0
Block from ip 127.0.0.1 to ip 127.0.0.2
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect
# Lower precedence actions should not change filter action
# Less specific rules should not change filter action
Match *
Block *
Split *
Divert *
Match from *
Block from *
Split from *
Divert from *
Match from ip *
Block from ip *
Split from ip *
Divert from ip *
Match from ip 127.0.0.1
Block from ip 127.0.0.1
Split from ip 127.0.0.1
Divert from ip 127.0.0.1
Match from ip 127.0.0.1 to ip *
Block from ip 127.0.0.1 to ip *
Split from ip 127.0.0.1 to ip *
Divert from ip 127.0.0.1 to ip *
Match from ip 127.0.0.1 to ip 127.0.0.1
Pass from ip 127.0.0.1 to ip 127.0.0.1 log connect
Match from ip 127.0.0.1 to ip 127.0.0.1
Block from ip 127.0.0.1 to ip 127.0.0.1
Split from ip 127.0.0.1 to ip 127.0.0.1
Divert from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9196
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196
# No Divert or Split, because their precedence is higher than Pass's
# The most specific and the highest precedence action
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196
}
# Tests for Block filtering rules
@ -414,9 +723,59 @@ ProxySpec {
TargetAddr 127.0.0.1
TargetPort 9197
Divert yes
# Unrelated rules should not have any effect
Pass from ip 127.0.0.0
Pass from ip 127.0.0.2
Pass from ip 127.0.0.1 to ip 127.0.0.0
Pass from ip 127.0.0.1 to ip 127.0.0.2
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198 log connect
# Lower precedence actions should not change filter action
# Less specific rules should not change filter action
Match *
Pass *
Split *
Divert *
Match from *
Pass from *
Split from *
Divert from *
Match from ip *
Pass from ip *
Split from ip *
Divert from ip *
Match from ip 127.0.0.1
Pass from ip 127.0.0.1
Split from ip 127.0.0.1
Divert from ip 127.0.0.1
Match from ip 127.0.0.1 to ip *
Pass from ip 127.0.0.1 to ip *
Split from ip 127.0.0.1 to ip *
Divert from ip 127.0.0.1 to ip *
Match from ip 127.0.0.1 to ip 127.0.0.1
Block from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1
Pass from ip 127.0.0.1 to ip 127.0.0.1
Split from ip 127.0.0.1 to ip 127.0.0.1
Divert from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9197
# No Divert, Split, or Pass, because their precedence is higher than Block's
# The most specific and the highest precedence action
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197
}
ProxySpec {
Proto https
@ -426,7 +785,57 @@ ProxySpec {
TargetAddr 127.0.0.1
TargetPort 9198
Divert yes
# Unrelated rules should not have any effect
Pass from ip 127.0.0.0
Pass from ip 127.0.0.2
Pass from ip 127.0.0.1 to ip 127.0.0.0
Pass from ip 127.0.0.1 to ip 127.0.0.2
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199 log connect
# Lower precedence actions should not change filter action
# Less specific rules should not change filter action
Match *
Pass *
Split *
Divert *
Match from *
Pass from *
Split from *
Divert from *
Match from ip *
Pass from ip *
Split from ip *
Divert from ip *
Match from ip 127.0.0.1
Pass from ip 127.0.0.1
Split from ip 127.0.0.1
Divert from ip 127.0.0.1
Match from ip 127.0.0.1 to ip *
Pass from ip 127.0.0.1 to ip *
Split from ip 127.0.0.1 to ip *
Divert from ip 127.0.0.1 to ip *
Match from ip 127.0.0.1 to ip 127.0.0.1
Block from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1
Pass from ip 127.0.0.1 to ip 127.0.0.1
Split from ip 127.0.0.1 to ip 127.0.0.1
Divert from ip 127.0.0.1 to ip 127.0.0.1
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9198
# No Divert, Split, or Pass, because their precedence is higher than Block's
# The most specific and the highest precedence action
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9198
}
