- Fix segfault introduced in previous commit to prevent extra eof event.
We should NULL srvdst.bev after terminating child dst xferred from
srvdst of parent, so that we don't try to access srvdst.bev. This
happens if child conn with dst xferred from parent srvdst is terminated
before parent conn.
- Fix autossl crash trying to engage passthrough mode. We cannot engage
passthrough mode in autossl, because src is already enabled. But we
shouldn't crash either. These changes are expected to fix other possible
segfaults if passthrough is engaged on eventcb of a child conn.
We reuse srvdst as dst or child dst, so srvdst == dst or child_dst.
But if we don't NULL the callbacks of srvdst in split mode,
we randomly but rarely get a second eof event for srvdst during conn
termination (especially on arm64), which crashes us with signal 11 or
10, because the first eof event for dst frees the ctx.
Note that we don't free anything here, but just disable callbacks and
events.
This does not seem to happen with srvdst_xferred, but just to be safe we
do the same for it too.
This seems to be an issue with libevent.
TODO: Why does libevent raise the same event again for an already
disabled and freed conn end? Note again that srvdst == dst or child_dst
here.
Currently, an autossl conn writes 3x CONN lines in connection logs,
when:
1. tcp srvdst connects (before ssl upgrade)
2. ssl dst connects (src ssl is not complete yet)
3. ssl src connects
This causes misleading connection statistics, as in UTMFW.
TODO: We should write CONN logs at conn termination times, for all
protos not just autossl, not tcp or ssl connect times, so that we don't
write multiple CONN logs for a single conn.
The -n command line option enables split mode for all proxyspecs,
effectively making sslproxy behave like sslsplit.
Divert option can be set/unset globally and per-proxyspec.
Add e2e tests for split mode, and update make file for tests
accordingly.
Update documentation accordingly.
Improve code reuse, remove duplicate functions.
This change deserves a release of its own, hence v0.8.4.
readcb fires before connect eventcb, so we enable it in readcb now. But
perhaps lp should behave like sslproxy and not enable readcb until after
connect eventcb.
Note that there is no problem with sslproxy, it's just lp.
Allow omitting the -T option, indicating the target is irrelevant.
The use case is an IDS sensor listening on a dummy interface for the
packets sslsplit produces. The IDS will listen in promisc mode, so the
target is irrelevant.
Copied from sslsplit.
Otherwise, we cannot classify user if we need to issue identify_user
events, in case database is busy or locked. We should call classify_user
callback right after the user is identified.
So we introduce classify_user callback to achieve that, which fixes the
classify_user behavior for autssl proto too.
Return void in pxy_userauth
Fix typo in clasify
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning:
‘__builtin_strncpy’ output truncated before terminating nul copying as
many bytes from a string as its length [-Wstringop-truncation]
logpkt.c:351:3: warning: converting a packed ‘ip4_hdr_t’ {aka ‘struct
<anonymous>’} pointer (alignment 1) to a ‘uint16_t’ {aka ‘short unsigned
int’} pointer (alignment 2) may result in an unaligned pointer value
[-Waddress-of-packed-member]
