|
|
|
@ -38,6 +38,14 @@
|
|
|
|
|
#define MAX_SSL_PROTO "tls12"
|
|
|
|
|
#endif /* !HAVE_TLSV13 */
|
|
|
|
|
|
|
|
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
|
|
|
|
|
#define SSL_PROTO_CONFIG ">=tls10<="MAX_SSL_PROTO
|
|
|
|
|
#define SSL_PROTO_CONFIG_FILTERRULE "tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO
|
|
|
|
|
#else
|
|
|
|
|
#define SSL_PROTO_CONFIG ""
|
|
|
|
|
#define SSL_PROTO_CONFIG_FILTERRULE "tls11 -"MAX_SSL_PROTO"|no_"MAX_SSL_PROTO
|
|
|
|
|
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
|
|
|
|
|
|
|
|
|
|
START_TEST(set_filter_struct_01)
|
|
|
|
|
{
|
|
|
|
|
char *s;
|
|
|
|
@ -2431,25 +2439,25 @@ START_TEST(set_filter_struct_07)
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
|
|
fail_unless(!strcmp(strstr(s, "filter rule 7: "),
|
|
|
|
|
"filter rule 7: dstip=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 7: sni=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 7: cn=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 7: host=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 7: uri=, dstport=, srcip=, user=root, desc=, exact=|||user|, all=||sites|, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 8: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 8: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 8: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 8: host=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 8: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=divert||||, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 9: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||||match, log=connect|master|cert|content|pcap|mirror, precedence=1\n"
|
|
|
|
|
"filter rule 9: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||||match, log=connect|master|cert|content|pcap|mirror, precedence=1\n"
|
|
|
|
|
"filter rule 9: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||||match, log=connect|master|cert|content|pcap|mirror, precedence=1\n"
|
|
|
|
@ -2464,25 +2472,25 @@ START_TEST(set_filter_struct_07)
|
|
|
|
|
|
|
|
|
|
fail_unless(!strcmp(strstr(s, "filter rule 5: "),
|
|
|
|
|
"filter rule 5: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 5: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 5: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 5: host=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 5: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=||||match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: dstip=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: sni=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: cn=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: host=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: uri=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
),
|
|
|
|
|
"failed to parse rule: %s", strstr(s, "filter rule 5: "));
|
|
|
|
|
|
|
|
|
@ -2508,15 +2516,15 @@ START_TEST(set_filter_struct_07)
|
|
|
|
|
"filter rule 2: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=||pass||, log=|||||, precedence=0\n"
|
|
|
|
|
"filter rule 3: dstip=192.168.0.1, dstport=, srcip=, user=, desc=, exact=site||||, all=conns|||, action=|||block|, log=|||||, precedence=1\n"
|
|
|
|
|
"filter rule 4: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 4: sni=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 4: cn=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 4: host=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 4: uri=, dstport=, srcip=, user=, desc=, exact=||||, all=|users|sites|, action=|||block|, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
),
|
|
|
|
|
"failed to parse rule: %s", s);
|
|
|
|
|
free(s);
|
|
|
|
@ -2530,19 +2538,19 @@ START_TEST(set_filter_struct_07)
|
|
|
|
|
"user_filter_all->\n"
|
|
|
|
|
" ip all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" sni all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" cn all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" host all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" uri all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=divert|||block|match, log=|||||, precedence=1\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"ip_filter_exact->\n"
|
|
|
|
|
"ip_filter_substring->\n"
|
|
|
|
|
"filter_all->\n"
|
|
|
|
@ -2571,37 +2579,37 @@ START_TEST(set_filter_struct_07)
|
|
|
|
|
" user 0 root (exact)=\n"
|
|
|
|
|
" ip all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" sni all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" cn all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" host all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" uri all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||pass||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"user_filter_substring->\n"
|
|
|
|
|
"desc_filter_exact->\n"
|
|
|
|
|
" desc 0 desc (exact)=\n"
|
|
|
|
|
" ip all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" sni all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" cn all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" host all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" uri all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=|split|||, log=|||||, precedence=2\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"desc_filter_substring->\n"
|
|
|
|
|
), "failed to translate rule head: %s", s);
|
|
|
|
|
|
|
|
|
@ -3118,27 +3126,27 @@ START_TEST(set_filter_struct_10)
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
|
|
fail_unless(!strcmp(s,
|
|
|
|
|
"filter rule 0: sni=example.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=divert||||, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 1: sni=example.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 2: sni=example.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=||pass||, log=!connect||!cert||!pcap|, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 3: sni=example.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=|||block|, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 4: sni=example2.com, dstport=, srcip=, user=root, desc=, exact=site|||user|, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 5: sni=example.com, dstport=, srcip=, user=daemon, desc=, exact=site|||user|, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: sni=, dstport=, srcip=, user=daemon, desc=, exact=|||user|, all=||sites|, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 7: sni=.example.com, dstport=, srcip=, user=daemon, desc=, exact=|||user|, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 8: sni=example3.com, dstport=, srcip=, user=daemon, desc=, exact=site|||user|, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 9: sni=example4.com, dstport=, srcip=, user=admin1, desc=, exact=site||||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 10: sni=example5.com, dstport=, srcip=, user=admin2, desc=, exact=site||||, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
"failed to parse rule: %s", s);
|
|
|
|
|
free(s);
|
|
|
|
|
|
|
|
|
@ -3152,30 +3160,30 @@ START_TEST(set_filter_struct_10)
|
|
|
|
|
" user 0 daemon (exact)=\n"
|
|
|
|
|
" sni exact:\n"
|
|
|
|
|
" 0: example.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" 1: example3.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" sni substring:\n"
|
|
|
|
|
" 0: .example.com (substring, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" sni all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" user 1 root (exact)=\n"
|
|
|
|
|
" sni exact:\n"
|
|
|
|
|
" 0: example.com (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" 1: example2.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"user_filter_substring->\n"
|
|
|
|
|
" user 0 admin1 (substring)=\n"
|
|
|
|
|
" sni exact:\n"
|
|
|
|
|
" 0: example4.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" user 1 admin2 (substring)=\n"
|
|
|
|
|
" sni exact:\n"
|
|
|
|
|
" 0: example5.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"desc_filter_exact->\n"
|
|
|
|
|
"desc_filter_substring->\n"
|
|
|
|
|
"user_filter_all->\n"
|
|
|
|
@ -3297,19 +3305,19 @@ START_TEST(set_filter_struct_11)
|
|
|
|
|
|
|
|
|
|
fail_unless(!strcmp(strstr(s, "filter rule 7: "),
|
|
|
|
|
"filter rule 7: cn=example.com, dstport=, srcip=, user=daemon, desc=, exact=site|||user|, all=|||ports, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 8: cn=, dstport=, srcip=, user=daemon, desc=, exact=|||user|, all=||sites|ports, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 9: cn=.example.com, dstport=443, srcip=, user=daemon, desc=, exact=|port||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 10: cn=.example.com, dstport=443, srcip=, user=daemon, desc=, exact=|||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 11: cn=example3.com, dstport=443, srcip=, user=daemon, desc=, exact=site|port||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 12: cn=example4.com, dstport=443, srcip=, user=admin1, desc=, exact=site|port|||, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 13: cn=example5.com, dstport=443, srcip=, user=admin2, desc=, exact=site|port|||, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
"failed to parse rule tail: %s", strstr(s, "filter rule 7: "));
|
|
|
|
|
|
|
|
|
|
// Trim the tail
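Review bot: The tail check at the top of this hunk, `fail_unless(!strcmp(strstr(s, "filter rule 7: "),`, passes the `strstr()` result straight into `strcmp()`, so if the rendered rule list ever lacks that rule the test dereferences NULL and aborts instead of reporting a failure; the same possibly-NULL pointer is then fed to `%s` in the failure message. Bind it first and check it: `const char *tail = strstr(s, "filter rule 7: "); fail_unless(tail != NULL, "rule 7 missing in: %s", s);` and then compare and print `tail`. This is pre-existing context the commit leaves as is, but it decides whether a regression in the newly macro-driven expectation shows up as a readable diff or as a crash. The enclosing START_TEST(set_filter_struct_11) begins before this hunk.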
|
|
|
|
@ -3318,19 +3326,19 @@ START_TEST(set_filter_struct_11)
|
|
|
|
|
|
|
|
|
|
fail_unless(!strcmp(s,
|
|
|
|
|
"filter rule 0: cn=example.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=divert||||, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 1: cn=example.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 2: cn=example.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=||pass||, log=!connect||!cert||!pcap|, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 3: cn=example.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=|||block|, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 4: cn=example2.com, dstport=443, srcip=, user=root, desc=, exact=site|port||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 5: cn=example.com, dstport=443, srcip=, user=daemon, desc=, exact=site|port||user|, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: cn=, dstport=443, srcip=, user=daemon, desc=, exact=|port||user|, all=||sites|, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
"failed to parse rule head: %s", s);
|
|
|
|
|
free(s);
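Review bot: Every `" conn opts: negotiate"SSL_PROTO_CONFIG"` expectation in this hunk now depends on a macro defined outside it, and nothing in the test records what the assertion still guarantees when that macro is empty, which a build-dependent protocol-range macro suggests it can be. If on some TLS library versions the printed options carry no `>=tls10<=…` range, this head comparison no longer pins any TLS floor there, and a reader cannot tell from the test whether that is only a display difference or a real absence of the minimum-version restriction. Add a comment above the `fail_unless(!strcmp(s,` call such as `/* NOTE: SSL_PROTO_CONFIG is build-dependent; where it expands to "" this assertion does not verify any TLS version bounds. */` so the weaker guarantee is explicit rather than implied. The enclosing START_TEST(set_filter_struct_11) begins before this hunk.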
|
|
|
|
|
|
|
|
|
@ -3345,13 +3353,13 @@ START_TEST(set_filter_struct_11)
|
|
|
|
|
" 0: example4.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" user 1 admin2 (substring)=\n"
|
|
|
|
|
" cn exact:\n"
|
|
|
|
|
" 0: example5.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"desc_filter_exact->\n"
|
|
|
|
|
"desc_filter_substring->\n"
|
|
|
|
|
"user_filter_all->\n"
|
|
|
|
@ -3372,40 +3380,40 @@ START_TEST(set_filter_struct_11)
|
|
|
|
|
" 0: example.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" 1: example3.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" cn substring:\n"
|
|
|
|
|
" 0: .example.com (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 443 (substring, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" cn all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" user 1 root (exact)=\n"
|
|
|
|
|
" cn exact:\n"
|
|
|
|
|
" 0: example.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=divert|split|pass||, log=!connect|master|!cert|content|!pcap|mirror, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" 1: example2.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
), "failed to translate rule head: %s", s);
|
|
|
|
|
|
|
|
|
|
free(s);
|
|
|
|
@ -3545,21 +3553,21 @@ START_TEST(set_filter_struct_12)
|
|
|
|
|
|
|
|
|
|
fail_unless(!strcmp(strstr(s, "filter rule 9: "),
|
|
|
|
|
"filter rule 9: host=example4.com, dstport=, srcip=, user=admin1, desc=desc1, exact=site||||, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 10: host=example5.com, dstport=, srcip=, user=admin2, desc=desc2, exact=site||||, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 11: host=example6.com, dstport=, srcip=, user=daemon, desc=desc2, exact=site|||user|desc, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 12: host=example7.com, dstport=, srcip=, user=, desc=desc, exact=site||||desc, all=|users||, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 13: sni=, dstport=, srcip=, user=, desc=desc, exact=||||desc, all=|users|sites|, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 14: uri=example8.com, dstport=, srcip=, user=, desc=desc3, exact=site||||desc, all=|||, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 15: host=example9.com, dstport=, srcip=, user=, desc=desc4, exact=site||||, all=|users||, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 16: host=example10.com, dstport=443, srcip=, user=admin, desc=desc5, exact=||||, all=|||, action=||||match, log=|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
"failed to parse rule tail: %s", strstr(s, "filter rule 9: "));
|
|
|
|
|
|
|
|
|
|
// Trim the tail
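Review bot: Here too the tail check `fail_unless(!strcmp(strstr(s, "filter rule 9: "),` dereferences the `strstr()` result without checking it, so a missing rule 9 crashes the test rather than failing it, and the failure message passes the same possibly-NULL pointer to `%s`. Use `const char *tail = strstr(s, "filter rule 9: "); fail_unless(tail != NULL, "rule 9 missing in: %s", s);` and compare `tail`. This is unchanged context that the commit does not address. The enclosing START_TEST(set_filter_struct_12) begins before this hunk.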
|
|
|
|
@ -3568,23 +3576,23 @@ START_TEST(set_filter_struct_12)
|
|
|
|
|
|
|
|
|
|
fail_unless(!strcmp(s,
|
|
|
|
|
"filter rule 0: host=example.com, dstport=, srcip=, user=root, desc=desc, exact=site|||user|desc, all=|||, action=divert||||, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 1: host=example.com, dstport=443, srcip=, user=root, desc=desc, exact=site|port||user|desc, all=|||, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 2: host=example.com, dstport=, srcip=, user=root, desc=desc, exact=site|||user|desc, all=|||, action=||pass||, log=!connect||!cert||!pcap|, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 3: host=example.com, dstport=, srcip=, user=root, desc=desc, exact=site|||user|desc, all=|||, action=|||block|, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 4: host=example2.com, dstport=443, srcip=, user=root, desc=desc, exact=site|port||user|desc, all=|||, action=||||match, log=|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 5: host=example.com, dstport=, srcip=, user=daemon, desc=desc, exact=site|||user|desc, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: host=, dstport=443, srcip=, user=daemon, desc=desc, exact=|port||user|desc, all=||sites|, action=||||match, log=|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 7: host=.example.com, dstport=, srcip=, user=daemon, desc=desc, exact=|||user|desc, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 8: host=example3.com, dstport=, srcip=, user=daemon, desc=desc, exact=site|||user|desc, all=|||, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
"failed to parse rule head: %s", s);
|
|
|
|
|
|
|
|
|
|
free(s);
|
|
|
|
@ -3602,38 +3610,38 @@ START_TEST(set_filter_struct_12)
|
|
|
|
|
" 0: example10.com (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 443 (substring, action=||||match, log=|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" user 1 admin1 (substring)=\n"
|
|
|
|
|
" desc substring:\n"
|
|
|
|
|
" desc 0 desc1 (substring)=\n"
|
|
|
|
|
" host exact:\n"
|
|
|
|
|
" 0: example4.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" user 2 admin2 (substring)=\n"
|
|
|
|
|
" desc substring:\n"
|
|
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
|
|
" host exact:\n"
|
|
|
|
|
" 0: example5.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"user_filter_exact->\n"
|
|
|
|
|
"user_filter_substring->\n"
|
|
|
|
|
"desc_filter_exact->\n"
|
|
|
|
|
" desc 0 desc (exact)=\n"
|
|
|
|
|
" sni all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" host exact:\n"
|
|
|
|
|
" 0: example7.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" desc 1 desc3 (exact)=\n"
|
|
|
|
|
" uri exact:\n"
|
|
|
|
|
" 0: example8.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"desc_filter_substring->\n"
|
|
|
|
|
" desc 0 desc4 (substring)=\n"
|
|
|
|
|
" host exact:\n"
|
|
|
|
|
" 0: example9.com (exact, action=||||match, log=|||||, precedence=3\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"user_filter_all->\n"
|
|
|
|
|
"ip_filter_exact->\n"
|
|
|
|
|
"ip_filter_substring->\n"
|
|
|
|
@ -3650,34 +3658,34 @@ START_TEST(set_filter_struct_12)
|
|
|
|
|
" desc 0 desc (exact)=\n"
|
|
|
|
|
" host exact:\n"
|
|
|
|
|
" 0: example.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" 1: example3.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" host substring:\n"
|
|
|
|
|
" 0: .example.com (substring, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" host all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" desc 1 desc2 (exact)=\n"
|
|
|
|
|
" host exact:\n"
|
|
|
|
|
" 0: example6.com (exact, action=||||match, log=|||||, precedence=4\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" user 1 root (exact)=\n"
|
|
|
|
|
" desc exact:\n"
|
|
|
|
|
" desc 0 desc (exact)=\n"
|
|
|
|
|
" host exact:\n"
|
|
|
|
|
" 0: example.com (exact, action=divert||pass||, log=!connect||!cert||!pcap|, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" 1: example2.com (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port exact:\n"
|
|
|
|
|
" 0: 443 (exact, action=||||match, log=|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
), "failed to translate rule head: %s", s);
|
|
|
|
|
|
|
|
|
|
free(s);
|
|
|
|
@ -3900,21 +3908,21 @@ START_TEST(set_filter_struct_14)
|
|
|
|
|
|
|
|
|
|
fail_unless(!strcmp(strstr(s, "filter rule 8: "),
|
|
|
|
|
"filter rule 8: sni=site1, dstport=, srcip=, user=admin, desc=desc1, exact=site||||desc, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 9: sni=site1, dstport=, srcip=, user=admin, desc=desc1, exact=site||||desc, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 10: sni=site2, dstport=, srcip=, user=admin, desc=desc1, exact=||||desc, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 11: sni=site2, dstport=, srcip=, user=admin, desc=desc1, exact=||||desc, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 12: sni=site1, dstport=, srcip=, user=admin, desc=desc2, exact=site||||, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 13: sni=site1, dstport=, srcip=, user=admin, desc=desc2, exact=site||||, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 14: sni=site2, dstport=, srcip=, user=admin, desc=desc2, exact=||||, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 15: sni=site2, dstport=, srcip=, user=admin, desc=desc2, exact=||||, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
"failed to parse rule tail: %s", strstr(s, "filter rule 8: "));
|
|
|
|
|
|
|
|
|
|
// Trim the tail
|
|
|
|
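Review bot: The expectation fragment `" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"` is pasted verbatim eight times in this hunk and again, in the same or the `")\n"`-terminated form, throughout the hunks at @ -3923, @ -3952, @ -4052, @ -4075, @ -4107 and @ -4159. This commit had to touch every one of those copies just to swap the protocol-range fragment, which is the cost of inlining the default conn-opts rendering into each assertion. A file-level macro defined beside SSL_PROTO_CONFIG, e.g. `#define DEFAULT_CONN_OPTS " conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192"`, with `"\n"` or `")\n"` appended at the use site, would make the next output-format change a one-line edit and leave the per-rule lines as the only thing a reader has to compare. The fail_unless() call here starts and ends inside the hunk, but set_filter_struct_14 itself starts outside it.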
@ -3923,21 +3931,21 @@ START_TEST(set_filter_struct_14)
|
|
|
|
|
|
|
|
|
|
fail_unless(!strcmp(s,
|
|
|
|
|
"filter rule 0: sni=site1, dstport=, srcip=, user=root, desc=desc1, exact=site|||user|desc, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 1: sni=site1, dstport=, srcip=, user=root, desc=desc1, exact=site|||user|desc, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 2: sni=site2, dstport=, srcip=, user=root, desc=desc1, exact=|||user|desc, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 3: sni=site2, dstport=, srcip=, user=root, desc=desc1, exact=|||user|desc, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 4: sni=site1, dstport=, srcip=, user=root, desc=desc2, exact=site|||user|, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 5: sni=site1, dstport=, srcip=, user=root, desc=desc2, exact=site|||user|, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: sni=site2, dstport=, srcip=, user=root, desc=desc2, exact=|||user|, all=|||, action=||||match, log=connect|||||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 7: sni=site2, dstport=, srcip=, user=root, desc=desc2, exact=|||user|, all=|||, action=||||match, log=|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
"failed to parse rule head: %s", s);
|
|
|
|
|
|
|
|
|
|
free(s);
|
|
|
|
@ -3952,36 +3960,36 @@ START_TEST(set_filter_struct_14)
|
|
|
|
|
" desc 0 desc1 (exact)=\n"
|
|
|
|
|
" sni exact:\n"
|
|
|
|
|
" 0: site1 (exact, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" sni substring:\n"
|
|
|
|
|
" 0: site2 (substring, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" desc substring:\n"
|
|
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
|
|
" sni exact:\n"
|
|
|
|
|
" 0: site1 (exact, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" sni substring:\n"
|
|
|
|
|
" 0: site2 (substring, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"userdesc_filter_substring->\n"
|
|
|
|
|
" user 0 admin (substring)=\n"
|
|
|
|
|
" desc exact:\n"
|
|
|
|
|
" desc 0 desc1 (exact)=\n"
|
|
|
|
|
" sni exact:\n"
|
|
|
|
|
" 0: site1 (exact, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" sni substring:\n"
|
|
|
|
|
" 0: site2 (substring, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" desc substring:\n"
|
|
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
|
|
" sni exact:\n"
|
|
|
|
|
" 0: site1 (exact, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" sni substring:\n"
|
|
|
|
|
" 0: site2 (substring, action=||||match, log=connect|||content||, precedence=5\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"user_filter_exact->\n"
|
|
|
|
|
"user_filter_substring->\n"
|
|
|
|
|
"desc_filter_exact->\n"
|
|
|
|
@ -4052,21 +4060,21 @@ START_TEST(set_filter_struct_15)
|
|
|
|
|
|
|
|
|
|
fail_unless(!strcmp(strstr(s, "filter rule 8: "),
|
|
|
|
|
"filter rule 8: cn=site1, dstport=80, srcip=, user=admin, desc=desc1, exact=||||desc, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 9: cn=site1, dstport=, srcip=, user=admin, desc=desc1, exact=||||desc, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 10: cn=site2, dstport=80, srcip=, user=admin, desc=desc1, exact=site||||desc, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 11: cn=site2, dstport=, srcip=, user=admin, desc=desc1, exact=site||||desc, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 12: cn=site1, dstport=80, srcip=, user=admin, desc=desc2, exact=||||, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 13: cn=site1, dstport=, srcip=, user=admin, desc=desc2, exact=||||, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 14: cn=site2, dstport=80, srcip=, user=admin, desc=desc2, exact=site||||, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 15: cn=site2, dstport=, srcip=, user=admin, desc=desc2, exact=site||||, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
"failed to parse rule tail: %s", strstr(s, "filter rule 8: "));
|
|
|
|
|
|
|
|
|
|
// Trim the tail
|
|
|
|
@ -4075,21 +4083,21 @@ START_TEST(set_filter_struct_15)
|
|
|
|
|
|
|
|
|
|
fail_unless(!strcmp(s,
|
|
|
|
|
"filter rule 0: cn=site1, dstport=80, srcip=, user=root, desc=desc1, exact=|||user|desc, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 1: cn=site1, dstport=, srcip=, user=root, desc=desc1, exact=|||user|desc, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 2: cn=site2, dstport=80, srcip=, user=root, desc=desc1, exact=site|||user|desc, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 3: cn=site2, dstport=, srcip=, user=root, desc=desc1, exact=site|||user|desc, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 4: cn=site1, dstport=80, srcip=, user=root, desc=desc2, exact=|||user|, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 5: cn=site1, dstport=, srcip=, user=root, desc=desc2, exact=|||user|, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 6: cn=site2, dstport=80, srcip=, user=root, desc=desc2, exact=site|||user|, all=|||, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"
|
|
|
|
|
"filter rule 7: cn=site2, dstport=, srcip=, user=root, desc=desc2, exact=site|||user|, all=|||ports, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192\n"),
|
|
|
|
|
"failed to parse rule head: %s", s);
|
|
|
|
|
|
|
|
|
|
free(s);
|
|
|
|
@ -4107,36 +4115,36 @@ START_TEST(set_filter_struct_15)
|
|
|
|
|
" 0: site2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" cn substring:\n"
|
|
|
|
|
" 0: site1 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" desc substring:\n"
|
|
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
|
|
" cn exact:\n"
|
|
|
|
|
" 0: site2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" cn substring:\n"
|
|
|
|
|
" 0: site1 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
"user_filter_exact->\n"
|
|
|
|
|
"user_filter_substring->\n"
|
|
|
|
|
"desc_filter_exact->\n"
|
|
|
|
@ -4159,36 +4167,36 @@ START_TEST(set_filter_struct_15)
|
|
|
|
|
" 0: site2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" cn substring:\n"
|
|
|
|
|
" 0: site1 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" desc substring:\n"
|
|
|
|
|
" desc 0 desc2 (substring)=\n"
|
|
|
|
|
" cn exact:\n"
|
|
|
|
|
" 0: site2 (exact, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" cn substring:\n"
|
|
|
|
|
" 0: site1 (substring, action=||||, log=|||||, precedence=0)\n"
|
|
|
|
|
" port substring:\n"
|
|
|
|
|
" 0: 80 (substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" port all:\n"
|
|
|
|
|
" 0: (all_ports, substring, action=||||match, log=||||pcap|, precedence=6\n"
|
|
|
|
|
" conn opts: negotiate>=tls10<="MAX_SSL_PROTO"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
" conn opts: negotiate"SSL_PROTO_CONFIG"|no ciphers|no ciphersuites|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|user_auth|no user_auth_url|300|8192)\n"
|
|
|
|
|
), "failed to translate rule head: %s", s);
|
|
|
|
|
|
|
|
|
|
free(s);
|
|
|
|
@ -4232,8 +4240,10 @@ START_TEST(set_filter_struct_16)
|
|
|
|
|
"ForceSSLProto tls11\n"
|
|
|
|
|
"DisableSSLProto "MAX_SSL_PROTO"\n"
|
|
|
|
|
"EnableSSLProto tls1\n"
|
|
|
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
|
|
|
|
|
"MinSSLProto tls10\n"
|
|
|
|
|
"MaxSSLProto tls11\n"
|
|
|
|
|
#endif
|
|
|
|
|
"Ciphers LOW\n"
|
|
|
|
|
"CipherSuites TLS_AES_128_CCM_SHA256\n"
|
|
|
|
|
"RemoveHTTPAcceptEncoding no\n"
|
|
|
|
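Review bot: The added `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)` around the `MinSSLProto tls10` / `MaxSSLProto tls11` config lines repeats, character for character, the condition that selects SSL_PROTO_CONFIG and SSL_PROTO_CONFIG_FILTERRULE at the top of the file. The test is only coherent while both copies agree — the config must be dropped exactly when the expectations in the hunks at @ -4257, @ -4283 and @ -4292 drop the `>=tls10<=tls11` fragment — so the condition belongs in one feature macro defined beside those two (something like `HAVE_SSL_PROTO_MINMAX`, name illustrative), with this site reduced to `#ifdef` on it. Whichever form is kept, the guard should say what it tracks; the version thresholds suggest availability of SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version(), so a one-line comment such as `/* Min/MaxSSLProto are only parsed when the library supports min/max proto version setting */` would spare the next reader the lookup, and the expected output should carry the same comment. set_filter_struct_16 and the string-literal argument this `#if` splits both start outside the hunk.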
@ -4257,12 +4267,12 @@ START_TEST(set_filter_struct_16)
|
|
|
|
|
#ifndef WITHOUT_USERAUTH
|
|
|
|
|
fail_unless(!strcmp(s,
|
|
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"),
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"),
|
|
|
|
|
"failed to parse rule: %s", s);
|
|
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
|
|
fail_unless(!strcmp(s,
|
|
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, exact=site||ip, all=||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|reconnect_ssl|2048\n"),
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|reconnect_ssl|2048\n"),
|
|
|
|
|
"failed to parse rule: %s", s);
|
|
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
|
|
free(s);
|
|
|
|
@ -4283,7 +4293,7 @@ START_TEST(set_filter_struct_16)
|
|
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
|
|
" ip exact:\n"
|
|
|
|
|
" 0: 192.168.0.2 (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
"ip_filter_substring->\n"
|
|
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
|
|
#else /* WITHOUT_USERAUTH */
|
|
|
|
@ -4292,7 +4302,7 @@ START_TEST(set_filter_struct_16)
|
|
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
|
|
" ip exact:\n"
|
|
|
|
|
" 0: 192.168.0.2 (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|reconnect_ssl|2048)\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|reconnect_ssl|2048)\n"
|
|
|
|
|
"ip_filter_substring->\n"
|
|
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
|
|
#endif /* WITHOUT_USERAUTH */
|
|
|
|
@ -4349,8 +4359,10 @@ START_TEST(set_filter_struct_17)
|
|
|
|
|
"ForceSSLProto tls11\n"
|
|
|
|
|
"DisableSSLProto "MAX_SSL_PROTO"\n"
|
|
|
|
|
"EnableSSLProto tls1\n"
|
|
|
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20702000L)
|
|
|
|
|
"MinSSLProto tls10\n"
|
|
|
|
|
"MaxSSLProto tls11\n"
|
|
|
|
|
#endif
|
|
|
|
|
"Ciphers LOW\n"
|
|
|
|
|
"CipherSuites TLS_AES_128_CCM_SHA256\n"
|
|
|
|
|
"RemoveHTTPAcceptEncoding no\n"
|
|
|
|
@ -4371,25 +4383,25 @@ START_TEST(set_filter_struct_17)
|
|
|
|
|
s = filter_rule_str(opts->filter_rules);
|
|
|
|
|
fail_unless(!strcmp(s,
|
|
|
|
|
"filter rule 0: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
"filter rule 0: sni=example.com, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
"filter rule 0: cn=example.com, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
"filter rule 0: host=site1, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
"filter rule 0: uri=, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=||sites|, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
"filter rule 1: dstip=192.168.0.2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
"filter rule 1: sni=example.com, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
"filter rule 1: cn=example.com, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
"filter rule 1: host=site2, dstport=, srcip=192.168.0.1, user=, desc=, exact=site||ip||, all=|||, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"
|
|
|
|
|
"filter rule 1: uri=, dstport=, srcip=192.168.0.1, user=, desc=, exact=||ip||, all=||sites|, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"),
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|http://example1.com/example1.crl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048\n"),
|
|
|
|
|
"failed to parse rule: %s", s);
|
|
|
|
|
free(s);
|
|
|
|
|
|
|
|
|
@ -4408,22 +4420,22 @@ START_TEST(set_filter_struct_17)
|
|
|
|
|
" ip 0 192.168.0.1 (exact)=\n"
|
|
|
|
|
" ip exact:\n"
|
|
|
|
|
" 0: 192.168.0.2 (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" sni exact:\n"
|
|
|
|
|
" 0: example.com (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" cn substring:\n"
|
|
|
|
|
" 0: example.com (substring, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" host exact:\n"
|
|
|
|
|
" 0: site2 (exact, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" host substring:\n"
|
|
|
|
|
" 0: site1 (substring, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" uri all:\n"
|
|
|
|
|
" 0: (all_sites, substring, action=||||match, log=connect|||||, precedence=3\n"
|
|
|
|
|
" conn opts: tls11 -"MAX_SSL_PROTO">=tls10<=tls11|no_"MAX_SSL_PROTO"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
" conn opts: "SSL_PROTO_CONFIG_FILTERRULE"|passthrough|LOW|TLS_AES_128_CCM_SHA256|prime192v1|no leafcrlurl|allow_wrong_host|https://192.168.0.12/userdblogin1.php|1200|reconnect_ssl|2048)\n"
|
|
|
|
|
"ip_filter_substring->\n"
|
|
|
|
|
"filter_all->\n"), "failed to translate rule: %s", s);
|
|
|
|
|
free(s);
|
|
|
|
|