Commit Graph

189 Commits

Author SHA1 Message Date
Soner Tari
feb673e8fa Add unit tests for struct proxyspecs 2021-11-02 03:40:39 +03:00
Soner Tari
eccd46dc0e Add support for multiple log actions on Log lines
But we don't support $macros within multi valued Log lines, i.e. cannot
mix log actions with $macros, use either log actions concat with spaces
or just a $macro, and no point trying to support it either.
2021-11-01 21:31:00 +03:00
Soner Tari
9708225bb1 Rename LogAction to Log 2021-11-01 20:48:24 +03:00
Soner Tari
a3c89fc931 Set conn_opts only if struct filtering rule specifies any conn option
Otherwise, we use the global or proxyspec conn options, so we should not
waste memory for duplicate conn_opts structs.
2021-11-01 18:44:36 +03:00
Soner Tari
8e00f94ccd Fix user/desc precedence in struct filtering rules
Don't forget tot increment precedence if only Desc is used.
But do not increment precedence twice for both User and Desc.
Note that the ordering of User and Desc in the rule is not known.
2021-11-01 18:20:23 +03:00
Soner Tari
775ae774ea Set conn term flag only, do not free conn in eventcb
Rename reconnected_ssl flag to reconnected
Improve e2e tests
2021-10-30 19:37:06 +03:00
Soner Tari
8f63ec7f82 Add ReconnectSSL option to enforce SSL options in struct filtering rules
The ReconnectSSL option allows rule developers to write struct filtering
rules using SNI and CN SSL specifications to override the SSL
configuration of a connection.

Otherwise, without this new option, filtering rules cannot change SSL
options using SSL filtering fields to match connections (the SSL config
in the rule would not have any effect on the server side of the matching
connection). Without ReconnectSSL, only DstIP and DstPort fields can be
used to override the SSL config of a connection.

If the ReconnectSSL option in a struct filtering rule is set, we
disconnect and free the server side of the matching SSL connection, and
reconnect it with the SSL options in the matching struct filtering rule.
This enforces the SSL config in the rule.

Do not use the ReconnectSSL option if server disconnect is not desirable
or acceptable in your case.
2021-10-30 16:27:13 +03:00
Soner Tari
e8f35ce587 Reapply dsthost filter after user auth
We have to apply the DstHost filter both (1) as early as in
pxy_conn_connect() and also (2) after user owner of the conn is
determined in srvdst connected callback functions for tcp and ssl.

Otherwise, we cannot override SSL options of conns if we don't apply it
before SSL establishment (1), and we cannot apply user auth filtering
rules if we don't apply after determining the user owner of conn (2).

This commit actually adds the same calls in the same places as they were
before the structured filtering rules were introduced.

So for example, now we have to apply filters 4x for an HTTPS conn: 2x
dsthost, 1x ssl, and 1x http.
2021-10-30 01:16:24 +03:00
Soner Tari
05d5412515 Fix warning for unused ctx debug param in pxy_conn_set_filter_action() 2021-10-29 22:56:24 +03:00
Soner Tari
98d9a05eac Add documentation for structured filtering rules 2021-10-29 22:49:18 +03:00
Soner Tari
6c586bb4a4 Add e2e tests for struct filtering rules, and add -B EnableSSLProto option
The EnableSSLProto option is useful with structured proxyspecs and
filtering rules.
2021-10-29 21:21:19 +03:00
Soner Tari
1485fa1dfb Fix copying of SSL options in tmp_opts
And clean up whitspace
2021-10-29 18:46:38 +03:00
Soner Tari
a3222ee2c1 Increment rule precedence only once for multiple LogAction specs
We allow for multiple LogAction lines in the same structured filtering
rule.
2021-10-29 02:00:28 +03:00
Soner Tari
18fb6f4dd7 Apply dstip filter before ssl server conn setup
So that we can replace the SSL/TLS configuration of the conn with the
one in the matching filtering rule. Otherwise, once the server conn is
established, we cannot change the SSL config, or would risk confusing
the SSL routines.
2021-10-29 01:18:09 +03:00
Soner Tari
6c988b0f4a Add structured filtering rules to specify conn options
Now all connection oriented proxy options possible to specify
per-proxyspec or globally can be specified in structured filtering rules
to be selectively applied to connections too. One line filtering rules
can specify filter and log actions only.

For example, we can enable/disable user authentication, protocol
validation, server ssl verification, and many other options
per-connection, or configure SSL/TLS connection options per-connection.

So, now we replace the conn_opts struct of a connection's ctx with the
conn_opts struct of the matching structured filtering rule. (One line
filtering rules have a NULL conn_opts, so we first check if the
conn_opts is not NULL.)
2021-10-28 23:33:53 +03:00
Soner Tari
14c8d417c9 Move connection oriented options to a new conn_opts struct 2021-10-26 19:08:00 +03:00
Soner Tari
396db70a87 Rename parent/child dst/src addrs to divert and return addrs 2021-10-26 14:46:10 +03:00
Soner Tari
07c3f08584 Release v0.9.0 2021-10-21 14:10:19 +03:00
Soner Tari
efc9f3175d Update version to 0.9.0 2021-10-16 20:49:53 +03:00
Soner Tari
b3aa278be2 Add missing documentation for MinSSLProto and MaxSSLProto options 2021-10-16 19:42:17 +03:00
Soner Tari
64640d7574 Fix build with LibreSSL 3.4.1 on OpenBSD 7.0 2021-10-14 23:34:53 +03:00
Soner Tari
42d84629f3 Add support for inline comments with #
Just trim the char # onwards from the start of value. So values cannot
have the char # in them.
2021-10-11 19:27:01 +03:00
Soner Tari
dff3f90c62 Add DEBUG_PROXY around debug func params 2021-10-08 01:17:50 +03:00
Soner Tari
f056f699c1 Add port option to all site specs, fix precedences in filtering rules
Now, all of the 'to' site fields in filtering rules can specify a port,
not just the dstip sites.

Fix the precedence of sites in the same type of rules. For example, if
we find a match with an sni site, we should not stop searching for a
match in cn, because a matching cn site may have a higher precedence
than the matching sni site. We should apply the action of the cn site,
although sni rules have precedence over cn. The same applies to http
host and uri rules too.

Fix the precedence of dstip rules.

Improve and update unit and e2e tests accordingly.
2021-10-07 22:22:23 +03:00
Soner Tari
114f01fa19 Fix missing all desc rules without user spec
If no user specified in an all desc (desc *) rule, we should set
all_user, otherwise the rule cannot be translated to data structs, they
go missing.
2021-10-07 12:22:36 +03:00
Soner Tari
7ed1396366 Add do {} while(0) around macros for semicolon termination 2021-10-07 01:20:03 +03:00
Soner Tari
017f0f8631 Improve and clean up code and documentation 2021-10-06 19:41:00 +03:00
Soner Tari
4602d0109b Update third-party licenses and documentation
aho_corasick_template*.h library is licensed under GPLv3. The developer
has been contacted for a license change to the LGPL.
2021-10-06 12:56:27 +03:00
Soner Tari
9d2e523cd0 Use Aho-Corasick machines for substring matching
Now, the filter uses B-trees for exact string matching and Aho-Corasick
machines for substring matching. B-trees and AC machines are exported to
linked lists for debug logging only.

Also,
- Separate all_sites and all_ports filters from substring filters. They
are not related with substring filters actually, and ACM keywords cannot
be empty strings anyway. So now they should be handled separately too.
- Improve debug logging of filtering rules.
- Update unit tests accordingly, and improve.
- Fix pxyconn_filter(), keep searching for a match in substring filters
if exact match does not have a matching site rule.
- Increase common names max len and tokens. weather.gov has 73 tokens.
- Rename keyword to desc.
- Update documentation.
- Clean up.
2021-10-05 23:00:17 +03:00
Soner Tari
97117d4e50 Fix and update documentation
We use B-tree not BST
2021-10-04 02:18:44 +03:00
Soner Tari
96ba8557d6 Add unit tests for substring 'from' fields in filtering rules
Also, improve code
2021-10-03 23:50:41 +03:00
Soner Tari
640558863c Add NLORNONE macro 2021-10-03 21:37:58 +03:00
Soner Tari
f6e6b25221 Never pass NULL as rule param to filter_set() 2021-10-03 20:54:29 +03:00
Soner Tari
477bb239a0 Do not tokenize ssl_names if there is no rule to match exact common names 2021-10-03 15:18:36 +03:00
Soner Tari
9959bb48e9 Fix argc inc in cn token loop 2021-10-03 15:06:48 +03:00
Soner Tari
765c0dac05 Fix site precedence handling, and use all_sites and all_ports
Actually, no need to check all_sites or all_ports, because strstr(3) on
OpenBSD reads that "If little is an empty string, big is returned", and
if all_sites or all_ports is set, site or port (little/needle) is empty.
But using all_sites and all_ports should improve performance by avoiding
the strstr() call.
2021-10-03 14:35:02 +03:00
Soner Tari
e654ca4e2c Fix memory leaks in filter
Add attributes
Update documentation
2021-10-03 13:08:27 +03:00
Soner Tari
f44f12456c Fix unit tests with WITHOUT_USERAUTH
And update documentation
2021-10-03 00:56:45 +03:00
Soner Tari
2ff0f728e5 Use template macros for code reuse, and append to linked lists
Add to the end of linked lists for correct list ordering, but btrees
cannot obey this ordering.
Also, update the unit tests accordingly.
And fix compile with WITHOUT_USERAUTH.
2021-10-02 23:13:56 +03:00
Soner Tari
4f36a21c78 Use kbtree BST for exact match in site and port 'to' fields
So, for 'to' fields too, we use two separate data structures: binary
search trees (BST) for exact match and linked lists for substring match.

Now all 'from' and 'to' fields in filtering rules use these two data
structures.

To repeat, filtering rules should be written with exact matches instead
of substring matches, as much as possible. Because BST search must be
much faster than substring search over linked lists.

To repeat, we have modifed kbtree to support complex data structures in
from fields.

Also, update the unit tests accordingly.
2021-10-02 21:21:24 +03:00
Soner Tari
15991dfb93 Use kbtree BST for exact match in user, keyword, and ip 'from' fields
So, now we use two separate data structures: binary search trees (BST)
for exact match and linked lists for substring match.

Currently, only user, keyword, and ip 'from' fields in filtering rules
use these two data structures. This also means that now we support exact
and substring matches in 'from' fields.

Filtering rules should be written with exact matches instead of
substring matches, as much as possible. Because BST search must be much
faster than substring search over linked lists.

We have modifed kbtree to support complex data structures in from
fields.
2021-10-02 12:20:28 +03:00
Soner Tari
95dd3bb9f8 Update khash, fixes typos 2021-09-29 12:02:27 +03:00
Soner Tari
2b4cbd27fd Increase max tokens for filter rules to 17
+= port + serverport

And improve documentation
2021-09-27 19:31:53 +03:00
Soner Tari
e844f30886 Convert warning and info logs in filtering rules to fine debug logs 2021-09-27 17:23:09 +03:00
Soner Tari
66f7a88374 Move DivertUsers/PassUsers options to filter.c
The DivertUsers and PassUsers options will be deprecated in favor of
filtering rules in the future.
2021-09-27 16:03:32 +03:00
Soner Tari
21fed37a92 Rename tmp_global_opts to global_tmp_opts 2021-09-27 14:35:16 +03:00
Soner Tari
fd6c852355 Move filtering rules to filter.c/h
Also, fix certain and possible memory leaks in debug printing
And improve code
2021-09-27 14:17:25 +03:00
Soner Tari
14f68457fb Fix the ordering of sites, ports, and macro values in filtering rules
all_sites and all_ports rules should be at the end of their lists, they
should be searched last, because they are the least specific rules in
their lists, hence have lower precedences.

Also, obey the order of rules in conf files by adding sites, ports, and
macro values to their lists in the same order they are in conf files.

Update the unit and e2e tests accordingly, and improve.
2021-09-26 21:11:48 +03:00
Soner Tari
c8f09d162a Add port field to Dst Host filter rules, and refactor for code reuse
Now the target IP address filters can use port specs too.
Refactor for code reuse, create filter_action struct used by rules,
sites, and ports.
Also, improve code and documentation.
2021-09-26 13:50:14 +03:00
Soner Tari
39e1d87783 Fix deferred pass filter action in SSL filter
Do not call protopassthrough_engage() twice. If we call it to apply the
deferred pass action and also set the ctx->pass flag, it will be called
again in protossl_setup_src_ssl(). So, just set the flag and leave the
rest to protossl_setup_src_ssl().
2021-09-24 11:31:31 +03:00