The ReconnectSSL option allows rule developers to write struct filtering
rules using SNI and CN SSL specifications to override the SSL
configuration of a connection.
Otherwise, without this new option, filtering rules cannot change SSL
options using SSL filtering fields to match connections (the SSL config
in the rule would not have any effect on the server side of the matching
connection). Without ReconnectSSL, only DstIP and DstPort fields can be
used to override the SSL config of a connection.
If the ReconnectSSL option in a struct filtering rule is set, we
disconnect and free the server side of the matching SSL connection, and
reconnect it with the SSL options in the matching struct filtering rule.
This enforces the SSL config in the rule.
Do not use the ReconnectSSL option if server disconnect is not desirable
or acceptable in your case.
Now, all of the 'to' site fields in filtering rules can specify a port,
not just the dstip sites.
Fix the precedence of sites in the same type of rules. For example, if
we find a match with an sni site, we should not stop searching for a
match in cn, because a matching cn site may have a higher precedence
than the matching sni site. We should apply the action of the cn site,
although sni rules have precedence over cn. The same applies to http
host and uri rules too.
Fix the precedence of dstip rules.
Improve and update unit and e2e tests accordingly.
Now, the filter uses B-trees for exact string matching and Aho-Corasick
machines for substring matching. B-trees and AC machines are exported to
linked lists for debug logging only.
Also,
- Separate all_sites and all_ports filters from substring filters. They
are not related with substring filters actually, and ACM keywords cannot
be empty strings anyway. So now they should be handled separately too.
- Improve debug logging of filtering rules.
- Update unit tests accordingly, and improve.
- Fix pxyconn_filter(), keep searching for a match in substring filters
if exact match does not have a matching site rule.
- Increase common names max len and tokens. weather.gov has 73 tokens.
- Rename keyword to desc.
- Update documentation.
- Clean up.
So, now we use two separate data structures: binary search trees (BST)
for exact match and linked lists for substring match.
Currently, only user, keyword, and ip 'from' fields in filtering rules
use these two data structures. This also means that now we support exact
and substring matches in 'from' fields.
Filtering rules should be written with exact matches instead of
substring matches, as much as possible. Because BST search must be much
faster than substring search over linked lists.
We have modifed kbtree to support complex data structures in from
fields.
Now the target IP address filters can use port specs too.
Refactor for code reuse, create filter_action struct used by rules,
sites, and ports.
Also, improve code and documentation.
The new Define option can be used for defining macros to be used in
filtering rules. Macro names must begin with a '$' char. Macro values
must be separated with spaces.
Macros are expanded by rewriting the rule with the values of macro.
PassSite rules do not support macros (the PassSite option will be
deprecated in favor of filtering rules in the future).
Now filtering rules can disable log actions too. This is possible thanks
to the newly added precedence field of rules. Log actions of filtering
rules at higher precedence can modify logging now. In other words, more
specific rules can change the log actions of more general rules.
HTTP filtering rules can only disable logging.
- Match action is added to be used with log actions only, the other
filter actions can specify log actions too
- Log actions do not configure any loggers. Global loggers for
respective log actions should have been configured for those log actions
to have any effect.
- If no filter rules are defined for a proxyspec, all log actions are
enabled. Otherwise, all log actions are disabled, and filtering rules
should enable them specifically.
- Fix max number of tokens in proxyspec and filter parsers
- Fix issues with rejecting unknown args in filter rule parser
- Do not use filter_rules field of proxyspec after config finished, it
is used for filter configuration and freed afterwards
The -n command line option enables split mode for all proxyspecs,
effectively making sslproxy behave like sslsplit.
Divert option can be set/unset globally and per-proxyspec.
Add e2e tests for split mode, and update make file for tests
accordingly.
Update documentation accordingly.
Improve code reuse, remove duplicate functions.
This change deserves a release of its own, hence v0.8.4.
These vars are used while configuring proxyspecs, and freed right after
they are used. So they should not be in proxyspec struct.
Refactor accordingly.
Add testproxy e2e tests for POP3 and SMTP protocol validation.
We have detected that POP3 and SMTP protocol validation was broken
thanks to these new testproxy e2e tests. This is yet another example why
e2e tests are important.
Fix segmentation fault upon receiving BEV_EVENT_EOF on the inbound
bufferevent while the outbound bufferevent has not received
BEV_EVENT_CONNECTED yet.
Issue: #124
Patch by: Eun Soo Park
Soner Tari
Daniel Roethlisberger