Commit Graph

92 Commits

Author SHA1 Message Date
Soner Tari
07c3f08584 Release v0.9.0 2021-10-21 14:10:19 +03:00
Soner Tari
42d84629f3 Add support for inline comments with #
Just trim the char # onwards from the start of value. So values cannot
have the char # in them.
2021-10-11 19:27:01 +03:00
Soner Tari
f056f699c1 Add port option to all site specs, fix precedences in filtering rules
Now, all of the 'to' site fields in filtering rules can specify a port,
not just the dstip sites.

Fix the precedence of sites in the same type of rules. For example, if
we find a match with an sni site, we should not stop searching for a
match in cn, because a matching cn site may have a higher precedence
than the matching sni site. We should apply the action of the cn site,
although sni rules have precedence over cn. The same applies to http
host and uri rules too.

Fix the precedence of dstip rules.

Improve and update unit and e2e tests accordingly.
2021-10-07 22:22:23 +03:00
Soner Tari
017f0f8631 Improve and clean up code and documentation 2021-10-06 19:41:00 +03:00
Soner Tari
9d2e523cd0 Use Aho-Corasick machines for substring matching
Now, the filter uses B-trees for exact string matching and Aho-Corasick
machines for substring matching. B-trees and AC machines are exported to
linked lists for debug logging only.

Also,
- Separate all_sites and all_ports filters from substring filters. They
are not related with substring filters actually, and ACM keywords cannot
be empty strings anyway. So now they should be handled separately too.
- Improve debug logging of filtering rules.
- Update unit tests accordingly, and improve.
- Fix pxyconn_filter(), keep searching for a match in substring filters
if exact match does not have a matching site rule.
- Increase common names max len and tokens. weather.gov has 73 tokens.
- Rename keyword to desc.
- Update documentation.
- Clean up.
2021-10-05 23:00:17 +03:00
Soner Tari
97117d4e50 Fix and update documentation
We use B-tree not BST
2021-10-04 02:18:44 +03:00
Soner Tari
e654ca4e2c Fix memory leaks in filter
Add attributes
Update documentation
2021-10-03 13:08:27 +03:00
Soner Tari
f44f12456c Fix unit tests with WITHOUT_USERAUTH
And update documentation
2021-10-03 00:56:45 +03:00
Soner Tari
15991dfb93 Use kbtree BST for exact match in user, keyword, and ip 'from' fields
So, now we use two separate data structures: binary search trees (BST)
for exact match and linked lists for substring match.

Currently, only user, keyword, and ip 'from' fields in filtering rules
use these two data structures. This also means that now we support exact
and substring matches in 'from' fields.

Filtering rules should be written with exact matches instead of
substring matches, as much as possible. Because BST search must be much
faster than substring search over linked lists.

We have modifed kbtree to support complex data structures in from
fields.
2021-10-02 12:20:28 +03:00
Soner Tari
ec816e7db6 Fix documentation of user desc keyword exact search 2021-09-29 12:01:18 +03:00
Soner Tari
2b4cbd27fd Increase max tokens for filter rules to 17
+= port + serverport

And improve documentation
2021-09-27 19:31:53 +03:00
Soner Tari
c8f09d162a Add port field to Dst Host filter rules, and refactor for code reuse
Now the target IP address filters can use port specs too.
Refactor for code reuse, create filter_action struct used by rules,
sites, and ports.
Also, improve code and documentation.
2021-09-26 13:50:14 +03:00
Soner Tari
db9974617f Improve documentation
The Include and Define options, the ordering in config options, etc.
2021-09-23 22:03:32 +03:00
Soner Tari
c38c065923 Add Include option for loading configuration from an include file 2021-09-21 19:20:43 +03:00
Soner Tari
0f5ed122fb Add Define option for macro definitions and macro expansion to filtering rules
The new Define option can be used for defining macros to be used in
filtering rules. Macro names must begin with a '$' char. Macro values
must be separated with spaces.

Macros are expanded by rewriting the rule with the values of macro.

PassSite rules do not support macros (the PassSite option will be
deprecated in favor of filtering rules in the future).
2021-09-20 00:58:00 +03:00
Soner Tari
ac3607a841 Add deferred pass and block actions
We should defer pass and/or block actions as long as possible, because a
higher precedence rule in SSL filter should be able to override (cancel)
deferred pass and block actions taken by a lower precedence rule in Dst
Host filter. And in HTTP filter the same applies to deferred block
actions taken by Dst Host and SSL filters.

Also, thanks to this new deferred actions, now HTTP filter can keep
enabled divert and split modes. In other words, a higher precedence HTTP
filter rule can cancel a deferred block action set by a lower precedence
rule earlier, which was not possible before without deferred actions and
rule precedence.

And other improvements.
2021-09-19 01:35:48 +03:00
Soner Tari
11884271fd Add negation prefix ! to log actions
Now filtering rules can disable log actions too. This is possible thanks
to the newly added precedence field of rules. Log actions of filtering
rules at higher precedence can modify logging now. In other words, more
specific rules can change the log actions of more general rules.
HTTP filtering rules can only disable logging.
2021-09-18 18:18:30 +03:00
Soner Tari
cc7bd4a332 Add precedence to filtering rules
Now we assign precedence to each filtering rule. More specific rules
have higher precedence. So, filtering rules at lower precedence cannot
override the actions applied to a conn by filtering rules at higher
precedence.
The other precedence rules still apply.
2021-09-18 16:58:42 +03:00
Soner Tari
8ec97d779f Do not take log actions in HTTP filtering rules
Log actions specified in HTTP filter rules can never enable disabled
logging, because their loggers would not be initialized.

Perhaps we should initialize them in the log submit function, if they
are initialized yet.
2021-09-18 00:43:18 +03:00
Soner Tari
8a57d52f62 Add master and cert log actions
Also, improve documentation
2021-09-17 20:08:04 +03:00
Soner Tari
357e6050db Do not init content logging for the connection if its log action is disabled
So now, we don't create any content log file if that log action is
disabled.
Also, improve documentation.
2021-09-17 14:27:43 +03:00
Soner Tari
f0c2ca6819 Add Match action and connect|content|pcap|mirror log actions in filtering rules
- Match action is added to be used with log actions only, the other
filter actions can specify log actions too
- Log actions do not configure any loggers. Global loggers for
respective log actions should have been configured for those log actions
to have any effect.
- If no filter rules are defined for a proxyspec, all log actions are
enabled. Otherwise, all log actions are disabled, and filtering rules
should enable them specifically.
- Fix max number of tokens in proxyspec and filter parsers
- Fix issues with rejecting unknown args in filter rule parser
- Do not use filter_rules field of proxyspec after config finished, it
is used for filter configuration and freed afterwards
2021-09-16 21:34:23 +03:00
Soner Tari
8d752b4d31 Add documentation for filtering rules
Also bump version to 0.8.7
2021-09-13 23:10:41 +03:00
Soner Tari
f2d4ef61c9 Add support for passsite substring match
Now the site field in PassSite option can have an '*' suffix to search
for a match anywhere in sni or common names. Note that this is not a
regex or wildcard search.

Previously, we only supported exact matches in sni and between slashes
in common names. This change makes it possible to cover multiple sites
in one PassSite option. In fact, without this change, certain sites
could not be added as passsite, because it was impossible to know their
subdomain names beforehand, for example *.fbcdn.net, which may have many
subdomain names in place of asterisk.

So to use substring match, append an '*' to a site name in PassSite
option (the asterisk is removed before substring search). For example,
use ".fbcdn.net*" to match all subdomains of fbcdn.net, notice the
asterisk at the end.

We also add a warning log starting with "Closing on ssl error without
passsite match" to report sites that can be added as passsite, which is
expected to help in writing PassSite rules.

Also, we now set dstaddr_str earlier in conn handling, so we can print
it in debug logs. This also helps in IDLE and EXPIRED conn logs.
2021-09-05 00:48:37 +03:00
Soner Tari
69753b250c Add split mode of operation similar to SSLsplit
The -n command line option enables split mode for all proxyspecs,
effectively making sslproxy behave like sslsplit.
Divert option can be set/unset globally and per-proxyspec.
Add e2e tests for split mode, and update make file for tests
accordingly.
Update documentation accordingly.
Improve code reuse, remove duplicate functions.

This change deserves a release of its own, hence v0.8.4.
2021-08-29 17:31:05 +03:00
Soner Tari
1bb5bd2398 Improve UserAuth documentation 2021-06-22 11:49:41 +03:00
Soner Tari
2b9cb937fd Improve documentation 2021-05-08 11:17:27 +03:00
Soner Tari
596aebb2f3 Update version to 0.8.3 and copyright year to 2021 2021-02-11 00:25:09 +03:00
Soner Tari
66dddf2cdb Add info on IPv4-only features 2020-12-24 17:19:51 +03:00
Soner Tari
9c76563cee Fix mistake: return address -> divert address 2020-12-23 11:01:31 +03:00
Soner Tari
177f6a3b52 Improve overview 2020-12-22 00:56:34 +03:00
Soner Tari
def65e195c Update man page with README
Improve README
2020-12-20 18:04:43 +03:00
Soner Tari
f1e9de7386 Improve documentation 2020-12-20 15:40:28 +03:00
Soner Tari
f254ac1586 Add info on DivertUsers and PassUsers options 2020-12-18 00:04:23 +03:00
Soner Tari
6c0b981831 Update version to 0.8.1
Update TLS 1.3 documentation.
2020-09-08 14:33:25 +03:00
Soner Tari
05654e3bee Avoid possible crashes caused by passing NULL pointers to str*() functions 2020-04-18 11:28:55 +03:00
Soner Tari
ea57aebf15 Fix mailto 2020-04-17 14:19:03 +03:00
Soner Tari
2b702495b0 Remove comixwall.org 2020-04-16 15:33:50 +03:00
Soner Tari
a0d74baa43 Update copyright year to 2020 2020-04-14 18:12:16 +03:00
Soner Tari
009fe9f6ad Merge sslsplit develop changes 2019-08-08 12:23:04 +03:00
Soner Tari
3c124966e4 Update documentation 2019-07-22 11:24:53 +03:00
Soner Tari
c3abe74776 Add client filtering to PassSite option, per site filters can be defined using client IP addresses, users, and description keywords 2019-04-21 01:00:46 +03:00
Soner Tari
07a6c32e93 Update documentation with PassSite option 2019-04-20 01:13:06 +03:00
Soner Tari
0eaf475193 Update documentation with the new user info in SSLproxy line 2019-03-28 17:06:07 +03:00
Soner Tari
dcaaa49f90 Improve documentation and use better names 2019-03-15 15:39:15 +03:00
Soner Tari
362a87ac6d Update documentation 2019-03-15 02:38:08 +03:00
Soner Tari
0d49ba56db Enable user auth support on Linux 2019-03-09 18:17:05 +03:00
Soner Tari
b6f2203495 Validate proxyspec protocols http, pop3, and smtp 2019-03-07 23:14:53 +03:00
Soner Tari
f3e7a359a6 Update documentation with user auth feature 2019-03-06 22:43:43 +03:00
Soner Tari
588122b512 Explain support for remote listening programs in README 2019-01-07 01:05:48 +03:00