Don't change log action if not specified, and obey the order of filtering rules

Filtering rules can enable logging, disable it, or leave it unchanged. If a rule
does not mention a log action, its logging should not change. Binary
log action fields were not enough to represent those 3 possibilities,
hence we have increased the size of those fields to 2 bits.

We should obey the order of rules as they are written in the conf file,
because later rules should be able to override the log actions of
earlier rules. So, keep the order.
pull/48/head
Soner Tari 3 years ago
parent ac3607a841
commit 446cc29f5f

@ -631,6 +631,22 @@ opts_proto_dbg_dump(opts_t *opts)
return s;
}
static void
opts_append_to_list(filter_rule_t **list, filter_rule_t *rule)
{
filter_rule_t *l = *list;
while (l) {
if (!l->next)
break;
l = l->next;
}
if (l)
l->next = rule;
else
*list = rule;
}
#ifndef WITHOUT_USERAUTH
static void
opts_set_user_auth_url(opts_t *opts, const char *optarg)
@ -802,8 +818,7 @@ clone_global_opts(global_t *global, const char *argv0, tmp_global_opts_t *tmp_gl
fr->precedence = rule->precedence;
fr->next = opts->filter_rules;
opts->filter_rules = fr;
opts_append_to_list(&opts->filter_rules, fr);
rule = rule->next;
}
@ -1156,9 +1171,11 @@ filter_rule_str(filter_rule_t *rule)
#endif /* !WITHOUT_USERAUTH */
rule->all_sites ? "sites" : "",
rule->divert ? "divert" : "", rule->split ? "split" : "", rule->pass ? "pass" : "", rule->block ? "block" : "", rule->match ? "match" : "",
rule->log_connect ? "connect" : "", rule->log_master ? "master" : "", rule->log_cert ? "cert" : "", rule->log_content ? "content" : "", rule->log_pcap ? "pcap" : "",
rule->log_connect ? (rule->log_connect == 1 ? "!connect" : "connect") : "", rule->log_master ? (rule->log_master == 1 ? "!master" : "master") : "",
rule->log_cert ? (rule->log_cert == 1 ? "!cert" : "cert") : "", rule->log_content ? (rule->log_content == 1 ? "!content" : "content") : "",
rule->log_pcap ? (rule->log_pcap == 1 ? "!pcap" : "pcap") : "",
#ifndef WITHOUT_MIRROR
rule->log_mirror ? "mirror" : "",
rule->log_mirror ? (rule->log_mirror == 1 ? "!mirror" : "mirror") : "",
#endif /* !WITHOUT_MIRROR */
rule->dstip ? "dstip" : "", rule->sni ? "sni" : "", rule->cn ? "cn" : "", rule->host ? "host" : "", rule->uri ? "uri" : "",
rule->precedence) < 0) {
@ -1202,11 +1219,13 @@ filter_sites_str(filter_site_t *site)
", precedence=%d)", STRORNONE(s), count,
site->site, site->all_sites ? "all_sites, " : "", site->exact ? "exact" : "substring",
site->divert ? "divert" : "", site->split ? "split" : "", site->pass ? "pass" : "", site->block ? "block" : "", site->match ? "match" : "",
site->log_connect ? "connect" : "", site->log_master ? "master" : "", site->log_cert ? "cert" : "", site->log_content ? "content" : "", site->log_pcap ? "pcap" : ""
site->log_connect ? (site->log_connect == 1 ? "!connect" : "connect") : "", site->log_master ? (site->log_master == 1 ? "!master" : "master") : "",
site->log_cert ? (site->log_cert == 1 ? "!cert" : "cert") : "", site->log_content ? (site->log_content == 1 ? "!content" : "content") : "",
site->log_pcap ? (site->log_pcap == 1 ? "!pcap" : "pcap") : "",
#ifndef WITHOUT_MIRROR
, site->log_mirror ? "mirror" : ""
site->log_mirror ? (site->log_mirror == 1 ? "!mirror" : "mirror") : "",
#endif /* !WITHOUT_MIRROR */
, site->precedence) < 0) {
site->precedence) < 0) {
goto err;
}
if (s)
@ -2435,8 +2454,8 @@ opts_set_passsite(opts_t *opts, char *value, int line_num)
rule->cn = 1;
rule->pass = 1;
rule->next = opts->filter_rules;
opts->filter_rules = rule;
opts_append_to_list(&opts->filter_rules, rule);
#ifdef DEBUG_OPTS
log_dbg_printf("Filter rule: %s, %s, %s"
#ifndef WITHOUT_USERAUTH
@ -2461,9 +2480,11 @@ opts_set_passsite(opts_t *opts, char *value, int line_num)
#endif /* !WITHOUT_USERAUTH */
rule->all_sites ? "sites" : "",
rule->divert ? "divert" : "", rule->split ? "split" : "", rule->pass ? "pass" : "", rule->block ? "block" : "", rule->match ? "match" : "",
rule->log_connect ? "connect" : "", rule->log_master ? "master" : "", rule->log_cert ? "cert" : "", rule->log_content ? "content" : "", rule->log_pcap ? "pcap" : "",
rule->log_connect ? (rule->log_connect == 1 ? "!connect" : "connect") : "", rule->log_master ? (rule->log_master == 1 ? "!master" : "master") : "",
rule->log_cert ? (rule->log_cert == 1 ? "!cert" : "cert") : "", rule->log_content ? (rule->log_content == 1 ? "!content" : "content") : "",
rule->log_pcap ? (rule->log_pcap == 1 ? "!pcap" : "pcap") : "",
#ifndef WITHOUT_MIRROR
rule->log_mirror ? "mirror" : "",
rule->log_mirror ? (rule->log_mirror == 1 ? "!mirror" : "mirror") : "",
#endif /* !WITHOUT_MIRROR */
rule->dstip ? "dstip" : "", rule->sni ? "sni" : "", rule->cn ? "cn" : "", rule->host ? "host" : "", rule->uri ? "uri" : "",
rule->precedence);
@ -2696,30 +2717,30 @@ filter_rule_parse(opts_t *opts, const char *name, char *value, int line_num)
) {
do {
if (equal(argv[i], "connect"))
rule->log_connect = 1;
rule->log_connect = 2;
else if (equal(argv[i], "master"))
rule->log_master = 1;
rule->log_master = 2;
else if (equal(argv[i], "cert"))
rule->log_cert = 1;
rule->log_cert = 2;
else if (equal(argv[i], "content"))
rule->log_content = 1;
rule->log_content = 2;
else if (equal(argv[i], "pcap"))
rule->log_pcap = 1;
rule->log_pcap = 2;
else if (equal(argv[i], "!connect"))
rule->log_connect = 0;
rule->log_connect = 1;
else if (equal(argv[i], "!master"))
rule->log_master = 0;
rule->log_master = 1;
else if (equal(argv[i], "!cert"))
rule->log_cert = 0;
rule->log_cert = 1;
else if (equal(argv[i], "!content"))
rule->log_content = 0;
rule->log_content = 1;
else if (equal(argv[i], "!pcap"))
rule->log_pcap = 0;
rule->log_pcap = 1;
#ifndef WITHOUT_MIRROR
else if (equal(argv[i], "mirror"))
rule->log_mirror = 1;
rule->log_mirror = 2;
else if (equal(argv[i], "!mirror"))
rule->log_mirror = 0;
rule->log_mirror = 1;
#endif /* !WITHOUT_MIRROR */
if (++i == argc)
@ -2734,6 +2755,18 @@ filter_rule_parse(opts_t *opts, const char *name, char *value, int line_num)
done_log = 1;
}
else if (equal(argv[i], "*")) {
rule->log_connect = 2;
rule->log_master = 2;
rule->log_cert = 2;
rule->log_content = 2;
rule->log_pcap = 2;
#ifndef WITHOUT_MIRROR
rule->log_mirror = 2;
#endif /* !WITHOUT_MIRROR */
i++;
done_log = 1;
}
else if (equal(argv[i], "!*")) {
rule->log_connect = 1;
rule->log_master = 1;
rule->log_cert = 1;
@ -2745,10 +2778,6 @@ filter_rule_parse(opts_t *opts, const char *name, char *value, int line_num)
i++;
done_log = 1;
}
else if (equal(argv[i], "!*")) {
i++;
done_log = 1;
}
else {
fprintf(stderr, "Unknown argument in filter rule at '%s' on line %d\n", argv[i], line_num);
exit(EXIT_FAILURE);
@ -2773,8 +2802,8 @@ filter_rule_parse(opts_t *opts, const char *name, char *value, int line_num)
rule->dstip = 1;
}
rule->next = opts->filter_rules;
opts->filter_rules = rule;
opts_append_to_list(&opts->filter_rules, rule);
#ifdef DEBUG_OPTS
log_dbg_printf("Filter rule: %s, %s, %s"
#ifndef WITHOUT_USERAUTH
@ -2799,9 +2828,11 @@ filter_rule_parse(opts_t *opts, const char *name, char *value, int line_num)
#endif /* !WITHOUT_USERAUTH */
rule->all_sites ? "sites" : "",
rule->divert ? "divert" : "", rule->split ? "split" : "", rule->pass ? "pass" : "", rule->block ? "block" : "", rule->match ? "match" : "",
rule->log_connect ? "connect" : "", rule->log_master ? "master" : "", rule->log_cert ? "cert" : "", rule->log_content ? "content" : "", rule->log_pcap ? "pcap" : "",
rule->log_connect ? (rule->log_connect == 1 ? "!connect" : "connect") : "", rule->log_master ? (rule->log_master == 1 ? "!master" : "master") : "",
rule->log_cert ? (rule->log_cert == 1 ? "!cert" : "cert") : "", rule->log_content ? (rule->log_content == 1 ? "!content" : "content") : "",
rule->log_pcap ? (rule->log_pcap == 1 ? "!pcap" : "pcap") : "",
#ifndef WITHOUT_MIRROR
rule->log_mirror ? "mirror" : "",
rule->log_mirror ? (rule->log_mirror == 1 ? "!mirror" : "mirror") : "",
#endif /* !WITHOUT_MIRROR */
rule->dstip ? "dstip" : "", rule->sni ? "sni" : "", rule->cn ? "cn" : "", rule->host ? "host" : "", rule->uri ? "uri" : "",
rule->precedence);
@ -2865,14 +2896,21 @@ opts_add_site(filter_site_t *site, filter_rule_t *rule)
s->match |= rule->match;
// Multiple log actions can be set for the same site
// Multiple rules can enable/disable a log action for the same site, hence the direct assignment
s->log_connect = rule->log_connect;
s->log_master = rule->log_master;
s->log_cert = rule->log_cert;
s->log_content = rule->log_content;
s->log_pcap = rule->log_pcap;
// Multiple rules can enable/disable or don't change a log action for the same site
// 0: don't change, 1: disable, 2: enable
if (rule->log_connect)
s->log_connect = rule->log_connect;
if (rule->log_master)
s->log_master = rule->log_master;
if (rule->log_cert)
s->log_cert = rule->log_cert;
if (rule->log_content)
s->log_content = rule->log_content;
if (rule->log_pcap)
s->log_pcap = rule->log_pcap;
#ifndef WITHOUT_MIRROR
s->log_mirror = rule->log_mirror;
if (rule->log_mirror)
s->log_mirror = rule->log_mirror;
#endif /* !WITHOUT_MIRROR */
s->precedence = rule->precedence;
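Review bot: opts_append_to_list, added in the first hunk, links `rule` at the tail but never clears `rule->next`, so it relies on every caller passing a node whose `next` is already NULL. The call sites in clone_global_opts, opts_set_passsite and filter_rule_parse appear to drop their own `next` assignment, and the allocation of those nodes is outside the visible hunks, so the invariant cannot be confirmed from here. Setting `rule->next = NULL;` as the first statement of the helper would make it local to the function. The tail walk can also be written as `while (l && l->next) l = l->next;`.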

@ -48,21 +48,28 @@
#define STRORDASH(x) (((x)&&*(x))?(x):"-")
#define STRORNONE(x) (((x)&&*(x))?(x):"")
#define FILTER_ACTION_NONE 0x0
#define FILTER_ACTION_MATCH 0x200
#define FILTER_ACTION_DIVERT 0x400
#define FILTER_ACTION_SPLIT 0x800
#define FILTER_ACTION_PASS 0x1000
#define FILTER_ACTION_BLOCK 0x2000
#define FILTER_LOG_CONNECT 0x4000
#define FILTER_LOG_MASTER 0x8000
#define FILTER_LOG_CERT 0x10000
#define FILTER_LOG_CONTENT 0x20000
#define FILTER_LOG_PCAP 0x40000
#define FILTER_LOG_MIRROR 0x80000
#define FILTER_PRECEDENCE 0x0000FF
#define FILTER_ACTION_NONE 0x00000000U
#define FILTER_ACTION_MATCH 0x00000200U
#define FILTER_ACTION_DIVERT 0x00000400U
#define FILTER_ACTION_SPLIT 0x00000800U
#define FILTER_ACTION_PASS 0x00001000U
#define FILTER_ACTION_BLOCK 0x00002000U
#define FILTER_LOG_CONNECT 0x00004000U
#define FILTER_LOG_MASTER 0x00008000U
#define FILTER_LOG_CERT 0x00010000U
#define FILTER_LOG_CONTENT 0x00020000U
#define FILTER_LOG_PCAP 0x00040000U
#define FILTER_LOG_MIRROR 0x00080000U
#define FILTER_LOG_NOCONNECT 0x00100000U
#define FILTER_LOG_NOMASTER 0x00200000U
#define FILTER_LOG_NOCERT 0x00400000U
#define FILTER_LOG_NOCONTENT 0x00800000U
#define FILTER_LOG_NOPCAP 0x01000000U
#define FILTER_LOG_NOMIRROR 0x02000000U
#define FILTER_PRECEDENCE 0x000000FFU
#ifndef WITHOUT_USERAUTH
typedef struct userlist {
@ -186,14 +193,15 @@ typedef struct filter_rule {
unsigned int block : 1;
unsigned int match : 1;
// Log action
unsigned int log_connect : 1;
unsigned int log_master : 1;
unsigned int log_cert : 1;
unsigned int log_content : 1;
unsigned int log_pcap : 1;
// Log action, two bits
// 0: don't change, 1: disable, 2: enable
unsigned int log_connect : 2;
unsigned int log_master : 2;
unsigned int log_cert : 2;
unsigned int log_content : 2;
unsigned int log_pcap : 2;
#ifndef WITHOUT_MIRROR
unsigned int log_mirror : 1;
unsigned int log_mirror : 2;
#endif /* !WITHOUT_MIRROR */
// Conn field to apply filter to
@ -217,19 +225,22 @@ typedef struct filter_site {
char *site;
unsigned int all_sites : 1;
unsigned int exact : 1;
unsigned int divert : 1;
unsigned int split : 1;
unsigned int pass : 1;
unsigned int block : 1;
unsigned int match : 1;
unsigned int log_connect : 1;
unsigned int log_master : 1;
unsigned int log_cert : 1;
unsigned int log_content : 1;
unsigned int log_pcap : 1;
unsigned int log_connect : 2;
unsigned int log_master : 2;
unsigned int log_cert : 2;
unsigned int log_content : 2;
unsigned int log_pcap : 2;
#ifndef WITHOUT_MIRROR
unsigned int log_mirror : 1;
unsigned int log_mirror : 2;
#endif /* !WITHOUT_MIRROR */
unsigned int precedence;
struct filter_site *next;
} filter_site_t;
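Review bot: The tri-state is encoded as bare 0/1/2 and explained only by the comment in struct filter_rule; the widened fields in struct filter_site carry no comment, and the parser, the string dumpers and pxyconn_set_filter_action all repeat the literals. Named constants next to the FILTER_LOG_* masks would make a swapped value visible in review, for example `enum { LOG_ACTION_UNCHANGED = 0, LOG_ACTION_DISABLE = 1, LOG_ACTION_ENABLE = 2 };` (the names are only a suggestion). At minimum, repeat `// 0: don't change, 1: disable, 2: enable` above the log fields in filter_site. The definition of filter_rule continues outside its hunk.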

@ -556,19 +556,28 @@ protohttp_apply_filter(pxy_conn_ctx_t *ctx)
}
// Note that connect, master, and cert logs have already been written by now
// so disabling those logs here will not have any effect
ctx->log_connect = !!(action & FILTER_LOG_CONNECT);
ctx->log_master = !!(action & FILTER_LOG_MASTER);
ctx->log_cert = !!(action & FILTER_LOG_CERT);
// so enabling or disabling those logs here will not have any effect
if (action & FILTER_LOG_CONNECT)
ctx->log_connect = 1;
else if (action & FILTER_LOG_NOCONNECT)
ctx->log_connect = 0;
if (action & FILTER_LOG_MASTER)
ctx->log_master = 1;
else if (action & FILTER_LOG_NOMASTER)
ctx->log_master = 0;
if (action & FILTER_LOG_CERT)
ctx->log_cert = 1;
else if (action & FILTER_LOG_NOCERT)
ctx->log_cert = 0;
// content, pcap, and mirror logging can be disabled only
// loggers will stop writing further contents
if (!(action & FILTER_LOG_CONTENT))
if (action & FILTER_LOG_NOCONTENT)
ctx->log_content = 0;
if (!(action & FILTER_LOG_PCAP))
if (action & FILTER_LOG_NOPCAP)
ctx->log_pcap = 0;
#ifndef WITHOUT_MIRROR
if (!(action & FILTER_LOG_MIRROR))
if (action & FILTER_LOG_NOMIRROR)
ctx->log_mirror = 0;
#endif /* !WITHOUT_MIRROR */
}
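Review bot: The enable bits FILTER_LOG_CONTENT, FILTER_LOG_PCAP and FILTER_LOG_MIRROR are ignored here without any trace, and by the comment above them the connect, master and cert assignments have no effect in either direction. With the tri-state, a rule evaluated by this function can state an explicit enable, and an operator who expects content or pcap records for a host then gets none and no hint why. Consider one `log_err_level_printf(LOG_INFO, ...)` line when `action` carries an enable bit this function cannot honour, or state in the rule documentation that only disabling content, pcap and mirror logging works at this point. The body of protohttp_apply_filter starts outside the hunk.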

@ -781,13 +781,32 @@ protossl_apply_filter(pxy_conn_ctx_t *ctx)
}
//else { /* FILTER_ACTION_MATCH */ }
ctx->log_connect = !!(action & FILTER_LOG_CONNECT);
ctx->log_master = !!(action & FILTER_LOG_MASTER);
ctx->log_cert = !!(action & FILTER_LOG_CERT);
ctx->log_content = !!(action & FILTER_LOG_CONTENT);
ctx->log_pcap = !!(action & FILTER_LOG_PCAP);
// Filtering rules at higher precedence can enable/disable logging
if (action & FILTER_LOG_CONNECT)
ctx->log_connect = 1;
else if (action & FILTER_LOG_NOCONNECT)
ctx->log_connect = 0;
if (action & FILTER_LOG_MASTER)
ctx->log_master = 1;
else if (action & FILTER_LOG_NOMASTER)
ctx->log_master = 0;
if (action & FILTER_LOG_CERT)
ctx->log_cert = 1;
else if (action & FILTER_LOG_NOCERT)
ctx->log_cert = 0;
if (action & FILTER_LOG_CONTENT)
ctx->log_content = 1;
else if (action & FILTER_LOG_NOCONTENT)
ctx->log_content = 0;
if (action & FILTER_LOG_PCAP)
ctx->log_pcap = 1;
else if (action & FILTER_LOG_NOPCAP)
ctx->log_pcap = 0;
#ifndef WITHOUT_MIRROR
ctx->log_mirror = !!(action & FILTER_LOG_MIRROR);
if (action & FILTER_LOG_MIRROR)
ctx->log_mirror = 1;
else if (action & FILTER_LOG_NOMIRROR)
ctx->log_mirror = 0;
#endif /* !WITHOUT_MIRROR */
}
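Review bot: The six `if`/`else if` pairs added here are repeated verbatim in prototcp_apply_filter, and the connect, master and cert pairs a third time in protohttp_apply_filter. Three copies of the mapping from FILTER_LOG_* and FILTER_LOG_NO* bits to the ctx flags are easy to let drift, and a drift here decides whether traffic is recorded. A single helper taking `ctx` and `action`, declared where the protocol files can reach it, would keep the mapping in one place, while protohttp keeps its disable-only handling for content, pcap and mirror. The body of protossl_apply_filter starts outside the hunk.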

@ -601,17 +601,31 @@ prototcp_apply_filter(pxy_conn_ctx_t *ctx, unsigned int defer_action)
//else { /* FILTER_ACTION_MATCH */ }
// Filtering rules at higher precedence can enable/disable logging
// The presence of a log action enables that logging
// The absence disables it
// hence the direct assignment
// And note the signum function '!!'
ctx->log_connect = !!(action & FILTER_LOG_CONNECT);
ctx->log_master = !!(action & FILTER_LOG_MASTER);
ctx->log_cert = !!(action & FILTER_LOG_CERT);
ctx->log_content = !!(action & FILTER_LOG_CONTENT);
ctx->log_pcap = !!(action & FILTER_LOG_PCAP);
if (action & FILTER_LOG_CONNECT)
ctx->log_connect = 1;
else if (action & FILTER_LOG_NOCONNECT)
ctx->log_connect = 0;
if (action & FILTER_LOG_MASTER)
ctx->log_master = 1;
else if (action & FILTER_LOG_NOMASTER)
ctx->log_master = 0;
if (action & FILTER_LOG_CERT)
ctx->log_cert = 1;
else if (action & FILTER_LOG_NOCERT)
ctx->log_cert = 0;
if (action & FILTER_LOG_CONTENT)
ctx->log_content = 1;
else if (action & FILTER_LOG_NOCONTENT)
ctx->log_content = 0;
if (action & FILTER_LOG_PCAP)
ctx->log_pcap = 1;
else if (action & FILTER_LOG_NOPCAP)
ctx->log_pcap = 0;
#ifndef WITHOUT_MIRROR
ctx->log_mirror = !!(action & FILTER_LOG_MIRROR);
if (action & FILTER_LOG_MIRROR)
ctx->log_mirror = 1;
else if (action & FILTER_LOG_NOMIRROR)
ctx->log_mirror = 0;
#endif /* !WITHOUT_MIRROR */
}
return rv;
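Review bot: In each pair the enable bit is tested first, so if `action` ever carries both FILTER_LOG_CONTENT and FILTER_LOG_NOCONTENT the result is logging on, whatever the rule order was. pxyconn_set_filter_action sets only one bit of a pair per site, but how `action` is combined with `defer_action` is outside this hunk, so it is worth confirming that both bits cannot meet here. If they can, testing the disable bit first, or rejecting the combination, keeps a `!content` or `!pcap` rule from being silently overridden. A one-line comment such as `// Neither bit set: keep the current ctx value` would also replace the explanation this hunk removes. The same ordering applies in protossl_apply_filter, and the function body starts outside this hunk.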

@ -2048,30 +2048,31 @@ pxyconn_set_filter_action(pxy_conn_ctx_t *ctx, filter_site_t *site)
}
// Multiple log actions can be defined, hence no 'else'
log_err_level_printf(LOG_INFO, "Site filter %s connect log for %s, precedence %d\n", site->log_connect ? "enable" : "disable", site->site, site->precedence);
// 0: don't change, 1: disable, 2: enable
if (site->log_connect) {
action |= FILTER_LOG_CONNECT;
log_err_level_printf(LOG_INFO, "Site filter %s connect log for %s, precedence %d\n", site->log_connect % 2 ? "disable" : "enable", site->site, site->precedence);
action |= (site->log_connect % 2) ? FILTER_LOG_NOCONNECT : FILTER_LOG_CONNECT;
}
log_err_level_printf(LOG_INFO, "Site filter %s master log for %s, precedence %d\n", site->log_master ? "enable" : "disable", site->site, site->precedence);
if (site->log_master) {
action |= FILTER_LOG_MASTER;
log_err_level_printf(LOG_INFO, "Site filter %s master log for %s, precedence %d\n", site->log_master % 2 ? "disable" : "enable", site->site, site->precedence);
action |= (site->log_master % 2) ? FILTER_LOG_NOMASTER : FILTER_LOG_MASTER;
}
log_err_level_printf(LOG_INFO, "Site filter %s cert log for %s, precedence %d\n", site->log_cert ? "enable" : "disable", site->site, site->precedence);
if (site->log_cert) {
action |= FILTER_LOG_CERT;
log_err_level_printf(LOG_INFO, "Site filter %s cert log for %s, precedence %d\n", site->log_cert % 2 ? "disable" : "enable", site->site, site->precedence);
action |= (site->log_cert % 2) ? FILTER_LOG_NOCERT : FILTER_LOG_CERT;
}
log_err_level_printf(LOG_INFO, "Site filter %s content log for %s, precedence %d\n", site->log_content ? "enable" : "disable", site->site, site->precedence);
if (site->log_content) {
action |= FILTER_LOG_CONTENT;
log_err_level_printf(LOG_INFO, "Site filter %s content log for %s, precedence %d\n", site->log_content % 2 ? "disable" : "enable", site->site, site->precedence);
action |= (site->log_content % 2) ? FILTER_LOG_NOCONTENT : FILTER_LOG_CONTENT;
}
log_err_level_printf(LOG_INFO, "Site filter %s pcap log for %s, precedence %d\n", site->log_pcap ? "enable" : "disable", site->site, site->precedence);
if (site->log_pcap) {
action |= FILTER_LOG_PCAP;
log_err_level_printf(LOG_INFO, "Site filter %s pcap log for %s, precedence %d\n", site->log_pcap % 2 ? "disable" : "enable", site->site, site->precedence);
action |= (site->log_pcap % 2) ? FILTER_LOG_NOPCAP : FILTER_LOG_PCAP;
}
#ifndef WITHOUT_MIRROR
log_err_level_printf(LOG_INFO, "Site filter %s mirror log for %s, precedence %d\n", site->log_mirror ? "enable" : "disable", site->site, site->precedence);
if (site->log_mirror) {
action |= FILTER_LOG_MIRROR;
log_err_level_printf(LOG_INFO, "Site filter %s mirror log for %s, precedence %d\n", site->log_mirror % 2 ? "disable" : "enable", site->site, site->precedence);
action |= (site->log_mirror % 2) ? FILTER_LOG_NOMIRROR : FILTER_LOG_MIRROR;
}
#endif /* !WITHOUT_MIRROR */
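Review bot: `site->log_connect % 2` treats the value 3, which the two-bit field can hold, as disable, while filter_rule_str and filter_sites_str print everything other than 1 as enable. No visible code assigns 3, but the two readings should agree, and comparing with the documented value is clearer: `action |= (site->log_connect == 1) ? FILTER_LOG_NOCONNECT : FILTER_LOG_CONNECT;`. The same applies to the log message and to master, cert, content, pcap and mirror. pxyconn_set_filter_action starts and ends outside the hunk.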

@ -323,7 +323,7 @@ struct pxy_conn_ctx {
// Enable logging of conn for specific logger types
// Global logging options should be configured for these to write logs
// Default to all logging if no filter rules defined in proxyspec
// Otherwise, logging is disabled, so filter rules should enable each log action specifically
// Otherwise, logging is disabled, so filter rules should enable/disable each log action specifically
unsigned int log_connect : 1;
unsigned int log_master : 1;
unsigned int log_cert : 1;

@ -842,17 +842,17 @@ START_TEST(opts_set_passsite_05)
fail_unless(opts->filter_rules->next->next->next, "next->next->next not set");
fail_unless(opts->filter_rules->next->next->next->next, "next->next->next->next not set");
fail_unless(!opts->filter_rules->next->next->next->next->next, "next->next->next->next->next set");
fail_unless(!strcmp(ps, "filter rule 0: site=*.google.com, exact, ip=, user=, keyword=android, all=|users|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=3\n"
"filter rule 1: site=example.com, exact, ip=, user=root, keyword=, all=||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=3\n"
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=, user=, keyword=, all=conns||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1\n"
"filter rule 1: site=example.com, exact, ip=, user=, keyword=, all=|users|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2\n"
"filter rule 2: site=example.com, exact, ip=192.168.0.1, user=, keyword=, all=||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2\n"
"filter rule 3: site=example.com, exact, ip=, user=, keyword=, all=|users|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2\n"
"filter rule 4: site=example.com, exact, ip=, user=, keyword=, all=conns||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1"),
"filter rule 3: site=example.com, exact, ip=, user=root, keyword=, all=||, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=3\n"
"filter rule 4: site=*.google.com, exact, ip=, user=, keyword=android, all=|users|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=3"),
"failed parsing multiple passites: %s", ps);
#else /* WITHOUT_USERAUTH */
fail_unless(!opts->filter_rules->next->next->next, "next->next->next set");
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=192.168.0.1, all=|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2\n"
fail_unless(!strcmp(ps, "filter rule 0: site=example.com, exact, ip=, all=conns|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1\n"
"filter rule 1: site=example.com, exact, ip=, all=conns|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1\n"
"filter rule 2: site=example.com, exact, ip=, all=conns|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=1"),
"filter rule 2: site=example.com, exact, ip=192.168.0.1, all=|, action=||pass||, log=|||||, apply to=|sni|cn||, precedence=2"),
"failed parsing multiple passites: %s", ps);
#endif /* WITHOUT_USERAUTH */
free(ps);
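Review bot: The updated expectations cover the new rule order only; every rule in them still prints `log=|||||`, so nothing in this hunk exercises the tri-state log actions. A case that parses a rule with `!connect` followed by a later rule for the same site that omits connect, and checks that the site keeps the disabled state, would pin the behaviour the commit message describes. Other test files may already cover this; they are not visible here. The test body starts outside the hunk.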
