Commit Graph

1126 Commits

Author SHA1 Message Date
Soner Tari
39e1d87783 Fix deferred pass filter action in SSL filter
Do not call protopassthrough_engage() twice. If we call it to apply the
deferred pass action and also set the ctx->pass flag, it will be called
again in protossl_setup_src_ssl(). So, just set the flag and leave the
rest to protossl_setup_src_ssl().
2021-09-24 11:31:31 +03:00
Soner Tari
db9974617f Improve documentation
The Include and Define options, the ordering in config options, etc.
2021-09-23 22:03:32 +03:00
Soner Tari
712733b329 Reuse debug print of filter rule
Actually, the PassSite option will be deprecated, but reuse for
correctness.
2021-09-23 20:08:35 +03:00
Soner Tari
17630340d2 Add unit tests for filtering rules
for both the parser and the translator

TODO: Add reject tests
2021-09-23 18:23:50 +03:00
Soner Tari
e4d27bee99 Return 2 to indicate the end of structured proxyspec, not 1
Return value of 1 is for ending macro expansion. Otherwise, it coincided
with closing brace retval, which was wrongly breaking out of the while
loop in load_proxyspec_struct().

TODO: Use enums for return values.
2021-09-23 01:06:53 +03:00
Soner Tari
41dccaff14 Increase max tokens for filter rules to 15
+= master + cert
2021-09-22 23:01:38 +03:00
Soner Tari
f5bb67f581 Error out if struct proxyspec is not complete
The default proto is tcp, so we allow the Proto option to be omitted.
2021-09-22 21:11:06 +03:00
Soner Tari
c7e43f359d Do not allow empty option values except for the closing brace in struct proxyspecs
It is better to error out earlier than to pass the option down to be
rejected by its handler (the handler may fail to reject, as was the case
with a couple of options).
2021-09-22 21:09:28 +03:00
Soner Tari
abb301c418 Fail if struct ProxySpec has no arguments or closing brace 2021-09-22 16:42:38 +03:00
Soner Tari
d877b9a635 Fix and improve get_name_value() and unit tests
Fix possible segfault if name has leading white space
Pass the name param to get_name_value() as char *, so it cannot be
modified ever

Improve unit tests for get_name_value and proxyspec_parse
2021-09-22 15:29:09 +03:00
Soner Tari
ab7674b652 Do not allow Include option within include files, no recursive include files
Prevent infinitely recursive include files
2021-09-22 01:50:48 +03:00
Soner Tari
01ff382267 Do not allow macro within macro, no recursive macro definitions
Prevent infinite macro expansion
2021-09-22 01:23:00 +03:00
Soner Tari
206734e4b6 Return -1 on error from all configuration functions, never exit()
And use all those return values.

Since we support include files now, we should be able to report in which
include file the error has occured. This is not possible if functions
just bail out calling exit(), because the user has to scroll back stderr
lines to find which include file has failed loading (a line starting
with 'Conf: ').

Plus, calling exit() on errors reduces unit testability of functions.

Also, handle all possible out of memory conditions in opts.c.
2021-09-22 00:51:36 +03:00
Soner Tari
c38c065923 Add Include option for loading configuration from an include file 2021-09-21 19:20:43 +03:00
Soner Tari
0f5ed122fb Add Define option for macro definitions and macro expansion to filtering rules
The new Define option can be used for defining macros to be used in
filtering rules. Macro names must begin with a '$' char. Macro values
must be separated with spaces.

Macros are expanded by rewriting the rule with the values of macro.

PassSite rules do not support macros (the PassSite option will be
deprecated in favor of filtering rules in the future).
2021-09-20 00:58:00 +03:00
Soner Tari
446cc29f5f Don't change log action if not specified, and obey the order of filtering rules
Filtering rules can enable/disable or don't change logging. If a rule
does not mention a log action, its logging should not change. So, binary
log action fields were not enough to represent those 3 possibilities,
hence we have increased the size of those fields to 2-bits.

We should obey the order of rules as they are written in the conf file,
because latter rules should be able to override the log actions of
earlier rules. So, keep the order.
2021-09-19 16:24:35 +03:00
Soner Tari
ac3607a841 Add deferred pass and block actions
We should defer pass and/or block actions as long as possible, because a
higher precedence rule in SSL filter should be able to override (cancel)
deferred pass and block actions taken by a lower precedence rule in Dst
Host filter. And in HTTP filter the same applies to deferred block
actions taken by Dst Host and SSL filters.

Also, thanks to this new deferred actions, now HTTP filter can keep
enabled divert and split modes. In other words, a higher precedence HTTP
filter rule can cancel a deferred block action set by a lower precedence
rule earlier, which was not possible before without deferred actions and
rule precedence.

And other improvements.
2021-09-19 01:35:48 +03:00
Soner Tari
11884271fd Add negation prefix ! to log actions
Now filtering rules can disable log actions too. This is possible thanks
to the newly added precedence field of rules. Log actions of filtering
rules at higher precedence can modify logging now. In other words, more
specific rules can change the log actions of more general rules.
HTTP filtering rules can only disable logging.
2021-09-18 18:18:30 +03:00
Soner Tari
cc7bd4a332 Add precedence to filtering rules
Now we assign precedence to each filtering rule. More specific rules
have higher precedence. So, filtering rules at lower precedence cannot
override the actions applied to a conn by filtering rules at higher
precedence.
The other precedence rules still apply.
2021-09-18 16:58:42 +03:00
Soner Tari
0c9fe83bb5 Update unit tests with master and cert log actions 2021-09-18 01:01:47 +03:00
Soner Tari
8ec97d779f Do not take log actions in HTTP filtering rules
Log actions specified in HTTP filter rules can never enable disabled
logging, because their loggers would not be initialized.

Perhaps we should initialize them in the log submit function, if they
are initialized yet.
2021-09-18 00:43:18 +03:00
Soner Tari
8a57d52f62 Add master and cert log actions
Also, improve documentation
2021-09-17 20:08:04 +03:00
Soner Tari
357e6050db Do not init content logging for the connection if its log action is disabled
So now, we don't create any content log file if that log action is
disabled.
Also, improve documentation.
2021-09-17 14:27:43 +03:00
Soner Tari
f0c2ca6819 Add Match action and connect|content|pcap|mirror log actions in filtering rules
- Match action is added to be used with log actions only, the other
filter actions can specify log actions too
- Log actions do not configure any loggers. Global loggers for
respective log actions should have been configured for those log actions
to have any effect.
- If no filter rules are defined for a proxyspec, all log actions are
enabled. Otherwise, all log actions are disabled, and filtering rules
should enable them specifically.
- Fix max number of tokens in proxyspec and filter parsers
- Fix issues with rejecting unknown args in filter rule parser
- Do not use filter_rules field of proxyspec after config finished, it
is used for filter configuration and freed afterwards
2021-09-16 21:34:23 +03:00
Soner Tari
0787e74bd1 Rename FILTER_ACTION_IGNORE to FILTER_ACTION_MATCH
Match is a better term than ignore, if the other actions are not
returned but there is a matching filter rule. Otherwise, it is up to the
caller to ignore a match or not. Plus, we can implement Match filtering
rule too, e.g. for content logging as in OpenBSD/pf.
2021-09-15 12:13:52 +03:00
Soner Tari
5d84587195 Add -Q test config option
Quits after loading and testing all configuration.
2021-09-15 03:27:01 +03:00
Soner Tari
37f82aa84e Simplify get_name_value() 2021-09-15 03:07:04 +03:00
Soner Tari
42fecffb70 Silence error message issued for Divert option non-yes|no value
If the value for the Divert option is not yes|no, it is assumed to be a
Divert filtering rule. So the parser for filtering rules should issue
any errors.
2021-09-14 18:32:57 +03:00
Soner Tari
e993ccdb5d Add FILTER_ACTION_IGNORE action
Differentiate filter action for site match from no site match. The
search should stop if a match is found, even if the action does not
change anything in effect (divert/split action in divert/split mode,
respectively) or the action is ignored (pass action in passthrough
mode).
2021-09-14 15:45:19 +03:00
Soner Tari
9c8e56d5df Fix unit tests for proxyspec parser caused by tmp global opts change
Pass a non-NULL tmp global opts arg to proxyspec_parse() for its global
split flag accessed in the function.
2021-09-14 13:30:59 +03:00
Soner Tari
b5944cc190 Fix split mode proxy specifications on the command line
Split mode structured proxy specifications were fine.
2021-09-14 13:01:03 +03:00
Soner Tari
c63309c766 Fix the precedence of multiple divert options used in conf file
The Divert option is not equivalent to the command line -n option.
Also, move the global static split var to tmp struct removed after
config is finished.
2021-09-14 12:41:57 +03:00
Soner Tari
9dae032c71 Fix the precedence of split mode set by -n option
Global split mode set by the -n option overrides the divert options of
all proxyspecs.
2021-09-14 00:15:43 +03:00
Soner Tari
5b435515e3 Fix handling of Divert option and Divert filtering rules 2021-09-13 23:44:17 +03:00
Soner Tari
8d752b4d31 Add documentation for filtering rules
Also bump version to 0.8.7
2021-09-13 23:10:41 +03:00
Soner Tari
99c852972e Implement filter actions
- SSL and Dst Host filters can take all of the actions.

- HTTP filter can only take block action, not divert, split, or pass.
Because, we cannot tear a conn down and reconnect its src, after the
processing of HTTP request header is complete, e.g. SSLproxy line has
already been added to its dst buffer. Also, any change in child conns
would affect listening programs too.

- The precedence of filters is as Dst Host > SSL > HTTP.

- The precedence of actions is as Divert > Split > Pass > Block. This is
only for the same type of filter.

- The precedence of match sites is as sni > cn for ssl filter and host >
uri for http filter.

For example, pass action of dst host filter is taken before split action
of ssl filter, due to the precedence order of filters.

For example, pass action of sni site is taken before split action of cn,
due to the precedence order of sites.

We now create src ssl before enabling src to be able to take divert or
split actions of SSL filter. Otherwise, we wouldn't be able to switch
between divert and split while enabling src, only pass or block action
could be taken at that stage.

Also, refactor and clean up.
2021-09-13 15:11:22 +03:00
Soner Tari
475a7ebcda Add Divert|Split|Pass|Block filtering rules
(Divert|Split|Pass|Block)
  ([from (
        user (username|*) [desc keyword]|
        ip (clientaddr|*)|
        *)]
    [to (
        sni (servername[*]|*)|
        cn (commonname[*]|*)|
        host (host[*]|*)|
        uri (uri[*]|*)|
        ip (serveraddr|*)|
        *)]
  |*)

Also, fix a couple of issues with filter rule handling
Clean up
2021-09-12 15:08:59 +03:00
Soner Tari
eb60fc9c1f Enclose equal macro in parentheses
Otherwise, we cannot and/or multiple equal macros or with certain other
conditions
2021-09-12 14:38:05 +03:00
Soner Tari
ff3bcab3f1 Add exact bit, do not add slashes around sites, avoid unnecessary strdups
Limit site len to 200
2021-09-11 11:53:32 +03:00
Soner Tari
85fb1bd214 Add new data structure for general filtering rules
Now PassSite rules are considered as pass rule and added to the new data
structure. PassSite option will be deprecated in the future.
2021-09-10 22:53:08 +03:00
Soner Tari
6a4a70bb06 Avoid strdup() and simplify passsite search
Also, improve code, tests, and documentation
2021-09-08 00:21:52 +03:00
Soner Tari
982880ccfe Restructure passsite filter data structure
Now we don't go over all of the passsite rules in a linked list trying
to apply passsite to the sni or common names of a conn. Instead, we now
have user+keyword, keyword, ip, and all lists. For example, if we find
the conn user in the user+keyword list and a passsite in that list
matches, we don't look into other lists.

This change is expected to improve the performance of passsite
processing considerably, because in the earlier implementation we had to
go over all of the passsite rules trying to match passsite.

And this solution uses a correct data structure, even if not the best.
For example, each user or keyword in passsite rules is strdup()'ed only
once.

Note that a better solution could use, say, a hash table for users,
instead of a linked list. But hash tables are not suitable for keywords
or sites, because we search for substring matches with them, not exact
matches.

Also, this fixes passsite rules without any filters defined, i.e. to be
applied to all connections.

Also, now e2e tests error exit if WITHOUT_USERAUTH is enabled. E2e tests
require UserAuth enabled.
2021-09-07 18:52:52 +03:00
Soner Tari
56237558cd Refactor protossl_pass_site() to reduce and decouple code for substring and exact search 2021-09-05 21:40:24 +03:00
Soner Tari
f2d4ef61c9 Add support for passsite substring match
Now the site field in PassSite option can have an '*' suffix to search
for a match anywhere in sni or common names. Note that this is not a
regex or wildcard search.

Previously, we only supported exact matches in sni and between slashes
in common names. This change makes it possible to cover multiple sites
in one PassSite option. In fact, without this change, certain sites
could not be added as passsite, because it was impossible to know their
subdomain names beforehand, for example *.fbcdn.net, which may have many
subdomain names in place of asterisk.

So to use substring match, append an '*' to a site name in PassSite
option (the asterisk is removed before substring search). For example,
use ".fbcdn.net*" to match all subdomains of fbcdn.net, notice the
asterisk at the end.

We also add a warning log starting with "Closing on ssl error without
passsite match" to report sites that can be added as passsite, which is
expected to help in writing PassSite rules.

Also, we now set dstaddr_str earlier in conn handling, so we can print
it in debug logs. This also helps in IDLE and EXPIRED conn logs.
2021-09-05 00:48:37 +03:00
Soner Tari
9a7e2c35f3 Avoid multithreading issues by duping the site arg as a local var
If more than one thread enters protossl_pass_site() with the same
proxyspec, they all use spec->opts->passsites->site. Since
protossl_pass_site() modifies the site arg, spec->opts->passsites->site
may be broken. For example, /example.org/ may become /example.or//,
which really happened.
2021-09-04 15:48:45 +03:00
Soner Tari
d26c3fd079 Fix passsite in split mode
We should identify conn user before setting dst up in split mode.
Because in split mode dst setup also sets src up too, which tries to
apply passsite rules and switch to passthrough mode. But since user
identification has not run yet, we don't know the user owner of the
conn, which fails passsite rules.
2021-09-04 13:07:22 +03:00
Soner Tari
45b34678de Prepend sslproxy line using evbuffer_add_printf() in non-debug mode for non-http protos
This prevents unnecessary malloc and memmove calls in non-debug mode.
This change is for correctness not for speed, because it improves
conn handling only of the first packet and for non-http protos.
2021-09-03 22:21:40 +03:00
Soner Tari
74cf3800f2 Fix passthrough in split mode 2021-09-02 22:12:48 +03:00
Soner Tari
9123732739 Fix possible segfaults with srvdst_xferred, autossl and passthrough
- Fix segfault introduced in previous commit to prevent extra eof event.
We should NULL srvdst.bev after terminating child dst xferred from
srvdst of parent, so that we don't try to access srvdst.bev. This
happens if child conn with dst xferred from parent srvdst is terminated
before parent conn.

- Fix autossl crash trying to engage passthrough mode. We cannot engage
passthrough mode in autossl, because src is already enabled. But we
shouldn't crash either. These changes are expected to fix other possible
segfaults if passthrough is engaged on eventcb of a child conn.
2021-09-02 17:55:42 +03:00
Soner Tari
de9c85f65e Fix signal 11/10 crash due to a second eof event for srvdst in split mode
We reuse srvdst as dst or child dst, so srvdst == dst or child_dst.
But if we don't NULL the callbacks of srvdst in split mode,
we randomly but rarely get a second eof event for srvdst during conn
termination (especially on arm64), which crashes us with signal 11 or
10, because the first eof event for dst frees the ctx.
Note that we don't free anything here, but just disable callbacks and
events.
This does not seem to happen with srvdst_xferred, but just to be safe we
do the same for it too.
This seems to be an issue with libevent.

TODO: Why does libevent raise the same event again for an already
disabled and freed conn end? Note again that srvdst == dst or child_dst
here.
2021-08-31 17:51:43 +03:00