From e844f30886b4cc4f4f8003196d4826c7ad5e8e1c Mon Sep 17 00:00:00 2001
From: Soner Tari
Date: Mon, 27 Sep 2021 17:23:09 +0300
Subject: [PATCH] Convert warning and info logs in filtering rules to fine debug logs
---
 src/protohttp.c | 38 +++++++++++++++++---------------------
 src/protossl.c | 26 ++++++++++++--------------
 src/prototcp.c | 4 ++--
 src/pxyconn.c | 24 ++++++++++++------------
 src/pxyconn.h | 2 +-
 5 files changed, 44 insertions(+), 50 deletions(-)
diff --git a/src/protohttp.c b/src/protohttp.c
index 733a878..8b8082d 100644
--- a/src/protohttp.c
+++ b/src/protohttp.c
@@ -451,17 +451,15 @@ protohttp_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
 filter_site_t *site = list->host;
 while (site) {
 if (protohttp_filter_match_host(ctx, site)) {
- // Do not print the surrounding slashes
- log_err_level_printf(LOG_INFO, "Found site: %s for %s:%s, %s:%s"
 #ifndef WITHOUT_USERAUTH
- ", %s, %s"
-#endif /* !WITHOUT_USERAUTH */
- ", %s\n", site->site,
+ log_fine_va("Found site: %s for %s:%s, %s:%s, %s, %s, %s", site->site,
+ STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str),
+ STRORDASH(ctx->user), STRORDASH(ctx->desc), STRORDASH(http_ctx->http_host));
+#else /* WITHOUT_USERAUTH */
+ log_fine_va("Found site: %s for %s:%s, %s:%s, %s", site->site,
 STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str),
-#ifndef WITHOUT_USERAUTH
- STRORDASH(ctx->user), STRORDASH(ctx->desc),
-#endif /* !WITHOUT_USERAUTH */
 STRORDASH(http_ctx->http_host));
+#endif /* WITHOUT_USERAUTH */
 return pxyconn_set_filter_action(ctx, site->action, site->site);
 }
 site = site->next;
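Review bot: No record of which filtering rule matched a connection is left at a normally enabled log level once the `Found site` message in the `list->host` loop goes through `log_fine_va`. The definition of `log_fine_va` is not in this patch, but the `UNUSED` marker the same commit adds to `site` in `pxyconn_set_filter_action` suggests it compiles to nothing in some builds, and in those builds an operator cannot reconstruct from the logs why a connection was diverted, passed or blocked. The same applies to the `Found site` and `Found port` messages in the `list->uri`, `list->sni` and `list->cn` loops and in `prototcp_filter_match_ip`. If that is intended, state it at the call, for example `// Rule matches are traced at fine debug level only; other builds keep no record of the match`. The body of protohttp_filter starts and ends outside the hunk.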
@@ -481,17 +479,15 @@ protohttp_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
 filter_site_t *site = list->uri;
 while (site) {
 if (protohttp_filter_match_uri(ctx, site)) {
- // Do not print the surrounding slashes
- log_err_level_printf(LOG_INFO, "Found site: %s for %s:%s, %s:%s"
 #ifndef WITHOUT_USERAUTH
- ", %s, %s"
-#endif /* !WITHOUT_USERAUTH */
- ", %s\n", site->site,
+ log_fine_va("Found site: %s for %s:%s, %s:%s, %s, %s, %s", site->site,
+ STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str),
+ STRORDASH(ctx->user), STRORDASH(ctx->desc), STRORDASH(http_ctx->http_uri));
+#else /* WITHOUT_USERAUTH */
+ log_fine_va("Found site: %s for %s:%s, %s:%s, %s", site->site,
 STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str),
-#ifndef WITHOUT_USERAUTH
- STRORDASH(ctx->user), STRORDASH(ctx->desc),
-#endif /* !WITHOUT_USERAUTH */
 STRORDASH(http_ctx->http_uri));
+#endif /* WITHOUT_USERAUTH */
 return pxyconn_set_filter_action(ctx, site->action, site->site);
 }
 site = site->next;
@@ -522,7 +518,7 @@ protohttp_apply_filter(pxy_conn_ctx_t *ctx)
 // Override any deferred block action, if already in divert mode (keep divert mode)
 ctx->deferred_action = FILTER_ACTION_NONE;
 } else {
- log_err_level_printf(LOG_WARNING, "HTTP filter cannot enable divert mode\n");
+ log_fine("HTTP filter cannot enable divert mode");
 }
 }
 else if (action & FILTER_ACTION_SPLIT) {
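Review bot: `http_ctx->http_uri` is client-supplied and is still written into the `Found site` line as received, in both the `#ifndef WITHOUT_USERAUTH` and the `#else` branch. Request URIs can carry session tokens or other secrets in the query string, and whether `log_fine_va` escapes control bytes before writing is not visible in this patch. I would either log only the matched rule (`site->site`) here or add a comment on the call such as `// http_uri comes from the client and is logged as received; keep this message at debug level`. The enclosing loop in protohttp_filter starts and ends outside the hunk.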
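Review bot: A filter action that cannot be applied becomes invisible at normal log levels: the `else` branch under `FILTER_ACTION_DIVERT` now reports `HTTP filter cannot enable divert mode` only through `log_fine`. Going by the message text, the connection then continues in a mode the matching rule did not ask for, which is a policy-not-applied condition rather than per-match chatter, and how `log_fine` is gated is not shown in this patch. The same holds for the split, pass and content/pcap/mirror messages in the following two hunks of `protohttp_apply_filter`. I would keep these at warning level, i.e. retain `log_err_level_printf(LOG_WARNING, "HTTP filter cannot enable divert mode\n");`, and rate-limit it if log volume was the motivation. The function body starts and ends outside the hunk.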
@@ -530,11 +526,11 @@ protohttp_apply_filter(pxy_conn_ctx_t *ctx) // Override any deferred block action, if already in split mode (keep split mode) ctx->deferred_action = FILTER_ACTION_NONE; } else { - log_err_level_printf(LOG_WARNING, "HTTP filter cannot enable split mode\n"); + log_fine("HTTP filter cannot enable split mode"); } } else if (action & FILTER_ACTION_PASS) { - log_err_level_printf(LOG_WARNING, "HTTP filter cannot take pass action\n"); + log_fine("HTTP filter cannot take pass action"); } else if (action & FILTER_ACTION_BLOCK) { ctx->deferred_action = FILTER_ACTION_NONE; @@ -549,9 +545,9 @@ protohttp_apply_filter(pxy_conn_ctx_t *ctx) #endif /* !WITHOUT_MIRROR */ )) { #ifndef WITHOUT_MIRROR - log_err_level_printf(LOG_WARNING, "HTTP filter cannot enable content, pcap, or mirror logging\n"); + log_fine("HTTP filter cannot enable content, pcap, or mirror logging"); #else /* !WITHOUT_MIRROR */ - log_err_level_printf(LOG_WARNING, "HTTP filter cannot enable content or pcap logging\n"); + log_fine("HTTP filter cannot enable content or pcap logging"); #endif /* WITHOUT_MIRROR */ } diff --git a/src/protossl.c b/src/protossl.c index 8f13431..79b238f 100644 --- a/src/protossl.c +++ b/src/protossl.c 
@@ -693,16 +693,15 @@ protossl_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
 filter_site_t *site = list->sni;
 while (site) {
 if (protossl_filter_match_sni(ctx, site)) {
- log_err_level_printf(LOG_INFO, "Found site: %s for %s:%s, %s:%s"
 #ifndef WITHOUT_USERAUTH
- ", %s, %s"
-#endif /* !WITHOUT_USERAUTH */
- ", %s\n", site->site,
+ log_fine_va("Found site: %s for %s:%s, %s:%s, %s, %s, %s", site->site,
+ STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str),
+ STRORDASH(ctx->user), STRORDASH(ctx->desc), STRORDASH(ctx->sslctx->sni));
+#else /* WITHOUT_USERAUTH */
+ log_fine_va("Found site: %s for %s:%s, %s:%s, %s", site->site,
 STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str),
-#ifndef WITHOUT_USERAUTH
- STRORDASH(ctx->user), STRORDASH(ctx->desc),
-#endif /* !WITHOUT_USERAUTH */
 STRORDASH(ctx->sslctx->sni));
+#endif /* WITHOUT_USERAUTH */
 return pxyconn_set_filter_action(ctx, site->action, site->site);
 }
 site = site->next;
@@ -722,16 +721,15 @@ protossl_filter(pxy_conn_ctx_t *ctx, filter_list_t *list) filter_site_t *site = list->cn; while (site) { if (protossl_filter_match_cn(ctx, site)) { - log_err_level_printf(LOG_INFO, "Found site: %s for %s:%s, %s:%s" #ifndef WITHOUT_USERAUTH - ", %s, %s" -#endif /* !WITHOUT_USERAUTH */ - ", %s\n", site->site, + log_fine_va("Found site: %s for %s:%s, %s:%s, %s, %s, %s", site->site, + STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str), + STRORDASH(ctx->user), STRORDASH(ctx->desc), STRORDASH(ctx->sslctx->ssl_names)); +#else /* WITHOUT_USERAUTH */ + log_fine_va("Found site: %s for %s:%s, %s:%s, %s", site->site, STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str), -#ifndef WITHOUT_USERAUTH - STRORDASH(ctx->user), STRORDASH(ctx->desc), -#endif /* !WITHOUT_USERAUTH */ STRORDASH(ctx->sslctx->ssl_names)); +#endif /* WITHOUT_USERAUTH */ return pxyconn_set_filter_action(ctx, site->action, site->site); } site = site->next; diff --git a/src/prototcp.c b/src/prototcp.c index e2372f1..338f369 100644 --- a/src/prototcp.c +++ b/src/prototcp.c @@ -564,14 +564,14 @@ prototcp_filter_match_ip(pxy_conn_ctx_t *ctx, filter_site_t *site) } if (action) { - log_err_level_printf(LOG_INFO, "Found site: %s for %s:%s, %s:%s\n", site->site, + log_fine_va("Found site: %s for %s:%s, %s:%s", site->site, STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str)); if (site->port) { filter_port_t *port = site->port; while (port) { if (prototcp_filter_match_port(ctx, port)) { - log_err_level_printf(LOG_INFO, "Found port: %s for %s:%s, %s:%s\n", port->port, + log_fine_va("Found port: %s for %s:%s, %s:%s", port->port, STRORDASH(ctx->srchost_str), STRORDASH(ctx->srcport_str), STRORDASH(ctx->dsthost_str), STRORDASH(ctx->dstport_str)); return &port->action; } 
diff --git a/src/pxyconn.c b/src/pxyconn.c
index 747c277..fec7e80 100644
--- a/src/pxyconn.c
+++ b/src/pxyconn.c
@@ -2007,58 +2007,58 @@ pxyconn_apply_deferred_block_action(pxy_conn_ctx_t *ctx) } unsigned int -pxyconn_set_filter_action(pxy_conn_ctx_t *ctx, filter_action_t a, char *site) +pxyconn_set_filter_action(pxy_conn_ctx_t *ctx, filter_action_t a, UNUSED char *site) { unsigned int action = FILTER_ACTION_NONE; if (a.divert) { - log_err_level_printf(LOG_INFO, "Filter divert action for %s, precedence %d\n", site, a.precedence); + log_fine_va("Filter divert action for %s, precedence %d", site, a.precedence); action = FILTER_ACTION_DIVERT; } else if (a.split) { - log_err_level_printf(LOG_INFO, "Filter split action for %s, precedence %d\n", site, a.precedence); + log_fine_va("Filter split action for %s, precedence %d", site, a.precedence); action = FILTER_ACTION_SPLIT; } else if (a.pass) { // Ignore pass action if already in passthrough mode if (!ctx->pass) { - log_err_level_printf(LOG_INFO, "Filter pass action for %s, precedence %d\n", site, a.precedence); + log_fine_va("Filter pass action for %s, precedence %d", site, a.precedence); action = FILTER_ACTION_PASS; } } else if (a.block) { - log_err_level_printf(LOG_INFO, "Filter block action for %s, precedence %d\n", site, a.precedence); + log_fine_va("Filter block action for %s, precedence %d", site, a.precedence); action = FILTER_ACTION_BLOCK; } else if (a.match) { - log_err_level_printf(LOG_INFO, "Filter match action for %s, precedence %d\n", site, a.precedence); + log_fine_va("Filter match action for %s, precedence %d", site, a.precedence); action = FILTER_ACTION_MATCH; } // Multiple log actions can be defined, hence no 'else' // 0: don't change, 1: disable, 2: enable if (a.log_connect) { - log_err_level_printf(LOG_INFO, "Filter %s connect log for %s, precedence %d\n", a.log_connect % 2 ? "disable" : "enable", site, a.precedence); + log_fine_va("Filter %s connect log for %s, precedence %d", a.log_connect % 2 ? "disable" : "enable", site, a.precedence); action |= (a.log_connect % 2) ? 
FILTER_LOG_NOCONNECT : FILTER_LOG_CONNECT; } if (a.log_master) { - log_err_level_printf(LOG_INFO, "Filter %s master log for %s, precedence %d\n", a.log_master % 2 ? "disable" : "enable", site, a.precedence); + log_fine_va("Filter %s master log for %s, precedence %d", a.log_master % 2 ? "disable" : "enable", site, a.precedence); action |= (a.log_master % 2) ? FILTER_LOG_NOMASTER : FILTER_LOG_MASTER; } if (a.log_cert) { - log_err_level_printf(LOG_INFO, "Filter %s cert log for %s, precedence %d\n", a.log_cert % 2 ? "disable" : "enable", site, a.precedence); + log_fine_va("Filter %s cert log for %s, precedence %d", a.log_cert % 2 ? "disable" : "enable", site, a.precedence); action |= (a.log_cert % 2) ? FILTER_LOG_NOCERT : FILTER_LOG_CERT; } if (a.log_content) { - log_err_level_printf(LOG_INFO, "Filter %s content log for %s, precedence %d\n", a.log_content % 2 ? "disable" : "enable", site, a.precedence); + log_fine_va("Filter %s content log for %s, precedence %d", a.log_content % 2 ? "disable" : "enable", site, a.precedence); action |= (a.log_content % 2) ? FILTER_LOG_NOCONTENT : FILTER_LOG_CONTENT; } if (a.log_pcap) { - log_err_level_printf(LOG_INFO, "Filter %s pcap log for %s, precedence %d\n", a.log_pcap % 2 ? "disable" : "enable", site, a.precedence); + log_fine_va("Filter %s pcap log for %s, precedence %d", a.log_pcap % 2 ? "disable" : "enable", site, a.precedence); action |= (a.log_pcap % 2) ? FILTER_LOG_NOPCAP : FILTER_LOG_PCAP; } #ifndef WITHOUT_MIRROR if (a.log_mirror) { - log_err_level_printf(LOG_INFO, "Filter %s mirror log for %s, precedence %d\n", a.log_mirror % 2 ? "disable" : "enable", site, a.precedence); + log_fine_va("Filter %s mirror log for %s, precedence %d", a.log_mirror % 2 ? "disable" : "enable", site, a.precedence); action |= (a.log_mirror % 2) ? FILTER_LOG_NOMIRROR : FILTER_LOG_MIRROR; } #endif /* !WITHOUT_MIRROR */ diff --git a/src/pxyconn.h b/src/pxyconn.h index 05d25d9..bad09e8 100644 --- a/src/pxyconn.h +++ b/src/pxyconn.h 
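Review bot: `site` is marked `UNUSED` in `pxyconn_set_filter_action` while every `log_fine_va` call in the body still passes it, and nothing tells the reader in which builds it is actually unused. A short comment above the definition would make the intent explicit, e.g. `// site is referenced only by the fine debug logs; it is unused when they are compiled out`, assuming that is how `log_fine_va` behaves (its definition is not in this patch). The prototype in src/pxyconn.h keeps `NONNULL(1,3)`, so callers must still pass a non-null `site` even where it is ignored, and the `UNUSED` on the unnamed prototype parameter there looks unnecessary and could be dropped. The function body continues past the end of the hunk.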
@@ -446,7 +446,7 @@ void pxy_classify_user(pxy_conn_ctx_t *) NONNULL(1); void pxy_userauth(pxy_conn_ctx_t *) NONNULL(1); #endif /* !WITHOUT_USERAUTH */ int pxyconn_apply_deferred_block_action(pxy_conn_ctx_t *) NONNULL(1) WUNRES; -unsigned int pxyconn_set_filter_action(pxy_conn_ctx_t *, filter_action_t, char *) NONNULL(1,3) WUNRES; +unsigned int pxyconn_set_filter_action(pxy_conn_ctx_t *, filter_action_t, UNUSED char *) NONNULL(1,3) WUNRES; unsigned int pxyconn_filter(pxy_conn_ctx_t *, proto_filter_func_t) NONNULL(1) WUNRES; void pxy_conn_setup(evutil_socket_t, struct sockaddr *, int, pxy_thrmgr_ctx_t *, proxyspec_t *, global_t *,