Do not take log actions in HTTP filtering rules

Log actions specified in HTTP filter rules can never enable disabled
logging, because their loggers would not be initialized.

Perhaps we should initialize them in the log submit function, if they
are initialized yet.

README.md

@@ -211,7 +211,7 @@ SSLproxy uses the certificate and key from the pemfiles configured by the
 ClientCert and ClientKey options when the destination requests client 
 certificates. These options can be defined globally and/or per-proxyspec.
 
-Alternatively, you can use Pass filter rules to pass through certain 
+Alternatively, you can use Pass filtering rules to pass through certain 
 destinations requesting client certificates.
 
 ### User authentication
@@ -263,7 +263,7 @@ updates, it is deferred until after the user idle time is more than half of
 the timeout period.
 
 If a description text is provided in the DESC field, it can be used with 
-filter rules to treat the user logged in from different locations, i.e. 
+filtering rules to treat the user logged in from different locations, i.e. 
 from different client IP addresses, separately.
 
 If the UserAuth option is enabled, the user owner of the connection is 
@@ -366,7 +366,7 @@ Filtering rules are applied based on certain precedence orders:
 
 - The precedence of filter types is as Dst Host > SSL > HTTP.
 - The precedence of filter actions is as Divert > Split > Pass > Block. This is 
-only for the same type of filter rules.
+only for the same type of filtering rules.
 - The precedence of site fields is as sni > cn for SSL filter and host > uri 
 for HTTP filter.
 
@@ -378,16 +378,16 @@ to the precedence order of site fields.
 
 In terms of possible filter actions,
 
-- Dst Host filter rules can take all of the filter and log actions.
-- SSL filter rules can take all of the filter and log actions.
-- HTTP filter rules can take the match and block filter actions, but not 
-the divert, split, or pass actions. Also, HTTP filter rules cannot take log 
+- Dst Host filtering rules can take all of the filter and log actions.
+- SSL filtering rules can take all of the filter and log actions.
+- HTTP filtering rules take the match and block filter actions, but not the 
+divert, split, or pass actions. Also, HTTP filtering rules do not take log 
 actions.
 
 Log actions do not configure any loggers. Global loggers for respective log 
 actions should have been configured for those log actions to have any effect.
 
-If no filter rules are defined for a proxyspec, all log actions for that 
+If no filtering rules are defined for a proxyspec, all log actions for that 
 proxyspec are enabled. Otherwise, all log actions are disabled, and filtering 
 rules should enable them specifically.
 

src/opts.c

@@ -2813,14 +2813,14 @@ opts_add_site(filter_site_t *site, filter_rule_t *rule)
 	s->all_sites = rule->all_sites;
 	s->exact = rule->exact;
 
-	// Multiple rules can set an action for the same site, hence bit-wise OR
+	// Multiple rules can set an action for the same site, hence the bit-wise OR
 	s->divert |= rule->divert;
 	s->split |= rule->split;
 	s->pass |= rule->pass;
 	s->block |= rule->block;
 	s->match |= rule->match;
 
-	// Multiple log actions can be set for the same site, hence bit-wise OR
+	// Multiple log actions can be set for the same site, hence the bit-wise OR
 	s->log_connect |= rule->log_connect;
 	s->log_master |= rule->log_master;
 	s->log_cert |= rule->log_cert;

src/opts.h

@@ -55,6 +55,13 @@
 #define FILTER_ACTION_PASS   0x10
 #define FILTER_ACTION_BLOCK  0x20
 
+#define FILTER_LOG_CONNECT   0x40
+#define FILTER_LOG_MASTER    0x80
+#define FILTER_LOG_CERT      0x100
+#define FILTER_LOG_CONTENT   0x200
+#define FILTER_LOG_PCAP      0x400
+#define FILTER_LOG_MIRROR    0x800
+
 #ifndef WITHOUT_USERAUTH
 typedef struct userlist {
 	char *user;

src/protohttp.c

@@ -432,7 +432,7 @@ protossl_match_uri(pxy_conn_ctx_t *ctx, filter_site_t *site)
 	return 0;
 }
 
-static unsigned char NONNULL(1,2)
+static unsigned int NONNULL(1,2)
 protohttp_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
 {
 	protohttp_ctx_t *http_ctx = ctx->protoctx->arg;
@@ -502,18 +502,27 @@ protohttp_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
 static int
 protohttp_apply_filter(pxy_conn_ctx_t *ctx)
 {
-	unsigned char action;
+	int rv = 0;
+	unsigned int action;
 	if ((action = pxyconn_filter(ctx, protohttp_filter))) {
 		if (action & FILTER_ACTION_BLOCK) {
 			pxy_conn_term(ctx, 1);
-			return 1;
+			rv = 1;
 		}
 		else if (action & (FILTER_ACTION_DIVERT | FILTER_ACTION_SPLIT | FILTER_ACTION_PASS)) {
-			log_err_level_printf(LOG_WARNING, "HTTP filter cannot take divert, split, or pass action\n");
+			log_err_level_printf(LOG_WARNING, "HTTP filter cannot take divert, split, or pass actions, any log actions are ignored too\n");
 		}
 		//else { /* FILTER_ACTION_MATCH */ }
+
+		if (action & (FILTER_LOG_CONNECT | FILTER_LOG_MASTER | FILTER_LOG_CERT | FILTER_LOG_CONTENT | FILTER_LOG_PCAP
+#ifndef WITHOUT_MIRROR
+				| FILTER_LOG_MIRROR
+#endif /* !WITHOUT_MIRROR */
+				)) {
+			log_err_level_printf(LOG_WARNING, "HTTP filter cannot take log actions\n");
+		}
 	}
-	return 0;
+	return rv;
 }
 
 static void NONNULL(1,2,3,5)

src/protossl.c

@@ -676,7 +676,7 @@ protossl_match_cn(pxy_conn_ctx_t *ctx, filter_site_t *site)
 	return 0;
 }
 
-static unsigned char NONNULL(1,2)
+static unsigned int NONNULL(1,2)
 protossl_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
 {
 	if (ctx->sslctx->sni) {
@@ -744,7 +744,8 @@ protossl_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
 static int
 protossl_apply_filter(pxy_conn_ctx_t *ctx)
 {
-	unsigned char action;
+	int rv = 0;
+	unsigned int action;
 	if ((action = pxyconn_filter(ctx, protossl_filter))) {
 		if (action & FILTER_ACTION_DIVERT) {
 			ctx->divert = 1;
@@ -754,15 +755,24 @@ protossl_apply_filter(pxy_conn_ctx_t *ctx)
 		}
 		else if (action & FILTER_ACTION_PASS) {
 			ctx->pass = 1;
-			return 1;
+			rv = 1;
 		}
 		else if (action & FILTER_ACTION_BLOCK) {
 			pxy_conn_term(ctx, 1);
-			return 1;
+			rv = 1;
 		}
 		//else { /* FILTER_ACTION_MATCH */ }
+
+		ctx->log_connect |= !!(action & FILTER_LOG_CONNECT);
+		ctx->log_master |= !!(action & FILTER_LOG_MASTER);
+		ctx->log_cert |= !!(action & FILTER_LOG_CERT);
+		ctx->log_content |= !!(action & FILTER_LOG_CONTENT);
+		ctx->log_pcap |= !!(action & FILTER_LOG_PCAP);
+#ifndef WITHOUT_MIRROR
+		ctx->log_mirror |= !!(action & FILTER_LOG_MIRROR);
+#endif /* !WITHOUT_MIRROR */
 	}
-	return 0;
+	return rv;
 }
 
 /*

src/prototcp.c

@@ -526,7 +526,7 @@ prototcp_filter_match(pxy_conn_ctx_t *ctx, filter_site_t *site)
 	return 0;
 }
 
-static unsigned char NONNULL(1,2)
+static unsigned int NONNULL(1,2)
 prototcp_dsthost_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
 {
 	if (ctx->dsthost_str) {
@@ -548,7 +548,8 @@ prototcp_dsthost_filter(pxy_conn_ctx_t *ctx, filter_list_t *list)
 int
 prototcp_apply_filter(pxy_conn_ctx_t *ctx)
 {
-	unsigned char action;
+	int rv = 0;
+	unsigned int action;
 	if ((action = pxyconn_filter(ctx, prototcp_dsthost_filter))) {
 		if (action & FILTER_ACTION_DIVERT) {
 			ctx->divert = 1;
@@ -559,15 +560,28 @@ prototcp_apply_filter(pxy_conn_ctx_t *ctx)
 		else if (action & FILTER_ACTION_PASS) {
 			protopassthrough_engage(ctx);
 			ctx->pass = 1;
-			return 1;
+			rv = 1;
 		}
 		else if (action & FILTER_ACTION_BLOCK) {
 			pxy_conn_term(ctx, 1);
-			return 1;
+			rv = 1;
 		}
 		//else { /* FILTER_ACTION_MATCH */ }
-	}
-	return 0;
+
+		// The presence of a log action enables that logging
+		// The absence does nothing
+		// hence the bit-wise OR
+		// And note the signum function '!!'
+		ctx->log_connect |= !!(action & FILTER_LOG_CONNECT);
+		ctx->log_master |= !!(action & FILTER_LOG_MASTER);
+		ctx->log_cert |= !!(action & FILTER_LOG_CERT);
+		ctx->log_content |= !!(action & FILTER_LOG_CONTENT);
+		ctx->log_pcap |= !!(action & FILTER_LOG_PCAP);
+#ifndef WITHOUT_MIRROR
+		ctx->log_mirror |= !!(action & FILTER_LOG_MIRROR);
+#endif /* !WITHOUT_MIRROR */
+	}
+	return rv;
 }
 
 static void NONNULL(1,2)

src/pxyconn.c

@@ -1996,10 +1996,10 @@ pxy_userauth(pxy_conn_ctx_t *ctx)
 }
 #endif /* !WITHOUT_USERAUTH */
 
-unsigned char
+unsigned int
 pxyconn_set_filter_action(pxy_conn_ctx_t *ctx, filter_site_t *site)
 {
-	unsigned char action = FILTER_ACTION_NONE;
+	unsigned int action = FILTER_ACTION_NONE;
 	if (site->divert) {
 		log_err_level_printf(LOG_INFO, "Site filter divert action for %s\n", site->site);
 		action = FILTER_ACTION_DIVERT;
@@ -2025,40 +2025,39 @@ pxyconn_set_filter_action(pxy_conn_ctx_t *ctx, filter_site_t *site)
 	}
 
 	// Multiple log actions can be defined, hence no 'else'
-	// Log actions can only enable logging not disable, hence set to 1
 	if (site->log_connect) {
 		log_err_level_printf(LOG_INFO, "Site filter connect log for %s\n", site->site);
-		ctx->log_connect = 1;
+		action |= FILTER_LOG_CONNECT;
 	}
 	if (site->log_master) {
 		log_err_level_printf(LOG_INFO, "Site filter master log for %s\n", site->site);
-		ctx->log_master = 1;
+		action |= FILTER_LOG_MASTER;
 	}
 	if (site->log_cert) {
 		log_err_level_printf(LOG_INFO, "Site filter cert log for %s\n", site->site);
-		ctx->log_cert = 1;
+		action |= FILTER_LOG_CERT;
 	}
 	if (site->log_content) {
 		log_err_level_printf(LOG_INFO, "Site filter content log for %s\n", site->site);
-		ctx->log_content = 1;
+		action |= FILTER_LOG_CONTENT;
 	}
 	if (site->log_pcap) {
 		log_err_level_printf(LOG_INFO, "Site filter pcap log for %s\n", site->site);
-		ctx->log_pcap = 1;
+		action |= FILTER_LOG_PCAP;
 	}
 #ifndef WITHOUT_MIRROR
 	if (site->log_mirror) {
 		log_err_level_printf(LOG_INFO, "Site filter mirror log for %s\n", site->site);
-		ctx->log_mirror = 1;
+		action |= FILTER_LOG_MIRROR;
 	}
 #endif /* !WITHOUT_MIRROR */
 	return action;
 }
 
-unsigned char
+unsigned int
 pxyconn_filter(pxy_conn_ctx_t *ctx, proto_filter_func_t filtercb)
 {
-	unsigned char action = FILTER_ACTION_NONE;
+	unsigned int action = FILTER_ACTION_NONE;
 
 	filter_t *filter = ctx->spec->opts->filter;
 	if (filter) {

src/pxyconn.h

@@ -78,7 +78,7 @@ typedef void (*proto_classify_user_func_t)(pxy_conn_ctx_t *);
 typedef void (*child_connect_func_t)(pxy_conn_child_ctx_t *);
 typedef void (*child_proto_free_func_t)(pxy_conn_child_ctx_t *);
 
-typedef unsigned char (*proto_filter_func_t)(pxy_conn_ctx_t *, filter_list_t *);
+typedef unsigned int (*proto_filter_func_t)(pxy_conn_ctx_t *, filter_list_t *);
 
 /*
  * Proxy connection context state, describes a proxy connection
@@ -437,8 +437,8 @@ int pxy_is_listuser(userlist_t *, const char *
 void pxy_classify_user(pxy_conn_ctx_t *) NONNULL(1);
 void pxy_userauth(pxy_conn_ctx_t *) NONNULL(1);
 #endif /* !WITHOUT_USERAUTH */
-unsigned char pxyconn_set_filter_action(pxy_conn_ctx_t *, filter_site_t *) NONNULL(1,2);
-unsigned char pxyconn_filter(pxy_conn_ctx_t *, proto_filter_func_t) NONNULL(1);
+unsigned int pxyconn_set_filter_action(pxy_conn_ctx_t *, filter_site_t *) NONNULL(1,2);
+unsigned int pxyconn_filter(pxy_conn_ctx_t *, proto_filter_func_t) NONNULL(1);
 void pxy_conn_setup(evutil_socket_t, struct sockaddr *, int,
                     pxy_thrmgr_ctx_t *, proxyspec_t *, global_t *,
 					evutil_socket_t)

src/sslproxy.1

@@ -227,7 +227,7 @@ SSLproxy uses the certificate and key from the pemfiles configured by the
 ClientCert and ClientKey options when the destination requests client 
 certificates. These options can be defined globally and/or per-proxyspec.
 .LP
-Alternatively, you can use Pass filter rules to pass through certain 
+Alternatively, you can use Pass filtering rules to pass through certain 
 destinations requesting client certificates.
 .SH User authentication
 If the UserAuth option is enabled, SSLproxy requires network users to log in 
@@ -277,7 +277,7 @@ updates, it is deferred until after the user idle time is more than half of
 the timeout period.
 .LP
 If a description text is provided in the DESC field, it can be used with 
-filter rules to treat the user logged in from different locations, i.e. 
+filtering rules to treat the user logged in from different locations, i.e. 
 from different client IP addresses, separately.
 .LP
 If the UserAuth option is enabled, the user owner of the connection is 
@@ -379,7 +379,7 @@ Filtering rules are applied based on certain precedence orders:
 .LP
  - The precedence of filter types is as Dst Host > SSL > HTTP.
  - The precedence of filter actions is as Divert > Split > Pass > Block. This is 
-only for the same type of filter rules.
+only for the same type of filtering rules.
  - The precedence of site fields is as sni > cn for SSL filter and host > uri 
 for HTTP filter.
 .LP
@@ -391,16 +391,16 @@ to the precedence order of site fields.
 .LP
 In terms of possible filter actions,
 .LP
- - Dst Host filter rules can take all of the filter and log actions.
- - SSL filter rules can take all of the filter and log actions.
- - HTTP filter rules can take the match and block filter actions, but not 
-the divert, split, or pass actions. Also, HTTP filter rules cannot take log 
+ - Dst Host filtering rules can take all of the filter and log actions.
+ - SSL filtering rules can take all of the filter and log actions.
+ - HTTP filtering rules take the match and block filter actions, but not the 
+divert, split, or pass actions. Also, HTTP filtering rules do not take log 
 actions.
 .LP
 Log actions do not configure any loggers. Global loggers for respective log 
 actions should have been configured for those log actions to have any effect.
 .LP
-If no filter rules are defined for a proxyspec, all log actions for that 
+If no filtering rules are defined for a proxyspec, all log actions for that 
 proxyspec are enabled. Otherwise, all log actions are disabled, and filtering 
 rules should enable them specifically.
 .LP