Reapply dsthost filter after user auth

We have to apply the DstHost filter twice: (1) as early as
pxy_conn_connect(), and (2) after the user owner of the conn is
determined, in the srvdst connected callback functions for tcp and ssl.

Otherwise, we cannot override SSL options of conns if we don't apply it
before SSL establishment (1), and we cannot apply user auth filtering
rules if we don't apply after determining the user owner of conn (2).

This commit actually adds the same calls in the same places as they were
before the structured filtering rules were introduced.

So for example, now we have to apply filters 4x for an HTTPS conn: 2x
dsthost, 1x ssl, and 1x http.
pull/48/head
Soner Tari 3 years ago
parent 05d5412515
commit e8f35ce587

@ -1688,6 +1688,12 @@ protossl_bev_eventcb_connected_srvdst(UNUSED struct bufferevent *bev, pxy_conn_c
}
#endif /* !WITHOUT_USERAUTH */
// Defer any pass or block action until SSL filter application below
if (pxy_conn_apply_filter(ctx, FILTER_ACTION_PASS | FILTER_ACTION_BLOCK)) {
// We never reach here, since we defer pass and block actions
return;
}
// Set src ssl up early to apply SSL filter,
// this is the last moment we can take divert or split action
if (protossl_setup_src_ssl(ctx) != 0) {
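Review bot: The `return` under the `pxy_conn_apply_filter(ctx, FILTER_ACTION_PASS | FILTER_ACTION_BLOCK)` check is commented as unreachable, yet it is the only thing keeping `protossl_setup_src_ssl(ctx)` below from running on a ctx the filter has already acted on; if pxy_conn_apply_filter can return non-zero for anything other than a pass or block (an error path, or the divert/split action the next comment mentions), the comment understates what the guard is for. Suggest rewording it to `// Pass and block are deferred here; a non-zero return means the filter failed or took another action, so skip src SSL setup`, after confirming that this is what a non-zero return means, since the filter body is not in this hunk. protossl_bev_eventcb_connected_srvdst starts and ends outside this hunk.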

@ -520,8 +520,9 @@ prototcp_bev_eventcb_connected_srvdst(UNUSED struct bufferevent *bev, pxy_conn_c
}
#endif /* !WITHOUT_USERAUTH */
// Defer any block action until HTTP filter application or the first src readcb of non-http proto
// We cannot defer pass action from this point on
if (pxy_conn_apply_deferred_pass_action(ctx)) {
if (pxy_conn_apply_filter(ctx, FILTER_ACTION_BLOCK)) {
return;
}

@ -1686,7 +1686,7 @@ pxy_conn_dsthost_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
return NULL;
}
static int NONNULL(1)
int
pxy_conn_apply_filter(pxy_conn_ctx_t *ctx, unsigned int defer_action)
{
int rv = 0;
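Review bot: pxy_conn_apply_filter becomes an external entry point here (the `static int NONNULL(1)` line gives way to plain `int`), but the definition carries no comment describing the defer_action mask or the meaning of the int it returns, and both new callers in the protossl and prototcp hunks above branch on that return. Suggest a comment above the definition along the lines of `/* Apply the filter rules to ctx; defer_action is a FILTER_ACTION_* mask of actions to record for later instead of taking now. Returns non-zero when the caller must stop and not touch ctx further. */`, with the return sentence adjusted to the real contract, which is not visible in this hunk. Note that dropping NONNULL(1) from the definition is fine only because the header declaration carries it. The function body continues beyond the hunk.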
@ -2129,19 +2129,6 @@ pxy_userauth(pxy_conn_ctx_t *ctx)
}
#endif /* !WITHOUT_USERAUTH */
int
pxy_conn_apply_deferred_pass_action(pxy_conn_ctx_t *ctx)
{
if (ctx->deferred_action & FILTER_ACTION_PASS) {
log_fine("Applying deferred pass action");
ctx->deferred_action = FILTER_ACTION_NONE;
protopassthrough_engage(ctx);
ctx->pass = 1;
return 1;
}
return 0;
}
int
pxy_conn_apply_deferred_block_action(pxy_conn_ctx_t *ctx)
{

@ -448,8 +448,8 @@ int pxy_is_listuser(userlist_t *, const char *
void pxy_classify_user(pxy_conn_ctx_t *) NONNULL(1);
void pxy_userauth(pxy_conn_ctx_t *) NONNULL(1);
#endif /* !WITHOUT_USERAUTH */
int pxy_conn_apply_deferred_pass_action(pxy_conn_ctx_t *) NONNULL(1) WUNRES;
int pxy_conn_apply_deferred_block_action(pxy_conn_ctx_t *) NONNULL(1) WUNRES;
int pxy_conn_apply_filter(pxy_conn_ctx_t *, unsigned int) NONNULL(1);
unsigned int pxy_conn_translate_filter_action(pxy_conn_ctx_t *, filter_action_t *);
filter_action_t *pxy_conn_set_filter_action(filter_action_t *, filter_action_t *
#ifdef DEBUG_PROXY
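Review bot: The `pxy_conn_apply_filter` declaration carries `NONNULL(1)` but not `WUNRES`, whereas the neighbouring deferred-action declarations have both; both new call sites return early on a non-zero result, so an ignored result is almost certainly a bug and the attribute would let the compiler catch it. If this is the line added by the hunk (the page has lost the markers), change it to `int pxy_conn_apply_filter(pxy_conn_ctx_t *, unsigned int) NONNULL(1) WUNRES;`. The `pxy_conn_apply_deferred_pass_action` declaration appears to be the removed line, matching the deleted definition in the pxyconn.c hunk above.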
