Fix a major memset() mistake leaking memory and possibly breaking CA
chains for proxyspecs and struct filtering rules.
Fix wrong memset size.
Fix redundant WUNRES attrib, MALLOC attrib has WUNRES already.
And fix param names.
Now we can specify multiple sites in one struct rule: SNI, CN, Host,
URI, and DstIp destination sites. We create a new rule for each
destination site type specified. Struct rules can be complicated and
long, so this is expected to help with rule reuse.
Error out unit tests if DEBUG_PROXY enabled, because we debug print
line_num if DEBUG_PROXY enabled. We cannot support line_num in expected
debug output, it would make things complicated with very little benefit.
Now all connection oriented proxy options possible to specify
per-proxyspec or globally can be specified in structured filtering rules
to be selectively applied to connections too. One line filtering rules
can specify filter and log actions only.
For example, we can enable/disable user authentication, protocol
validation, server ssl verification, and many other options
per-connection, or configure SSL/TLS connection options per-connection.
So, now we replace the conn_opts struct of a connection's ctx with the
conn_opts struct of the matching structured filtering rule. (One line
filtering rules have a NULL conn_opts, so we first check if the
conn_opts is not NULL.)
Now, all of the 'to' site fields in filtering rules can specify a port,
not just the dstip sites.
Fix the precedence of sites in the same type of rules. For example, if
we find a match with an sni site, we should not stop searching for a
match in cn, because a matching cn site may have a higher precedence
than the matching sni site. We should apply the action of the cn site,
although sni rules have precedence over cn. The same applies to http
host and uri rules too.
Fix the precedence of dstip rules.
Improve and update unit and e2e tests accordingly.
Now, the filter uses B-trees for exact string matching and Aho-Corasick
machines for substring matching. B-trees and AC machines are exported to
linked lists for debug logging only.
Also,
- Separate all_sites and all_ports filters from substring filters. They
are not related with substring filters actually, and ACM keywords cannot
be empty strings anyway. So now they should be handled separately too.
- Improve debug logging of filtering rules.
- Update unit tests accordingly, and improve.
- Fix pxyconn_filter(), keep searching for a match in substring filters
if exact match does not have a matching site rule.
- Increase common names max len and tokens. weather.gov has 73 tokens.
- Rename keyword to desc.
- Update documentation.
- Clean up.
So, for 'to' fields too, we use two separate data structures: binary
search trees (BST) for exact match and linked lists for substring match.
Now all 'from' and 'to' fields in filtering rules use these two data
structures.
To repeat, filtering rules should be written with exact matches instead
of substring matches, as much as possible. Because BST search must be
much faster than substring search over linked lists.
To repeat, we have modifed kbtree to support complex data structures in
from fields.
Also, update the unit tests accordingly.
So, now we use two separate data structures: binary search trees (BST)
for exact match and linked lists for substring match.
Currently, only user, keyword, and ip 'from' fields in filtering rules
use these two data structures. This also means that now we support exact
and substring matches in 'from' fields.
Filtering rules should be written with exact matches instead of
substring matches, as much as possible. Because BST search must be much
faster than substring search over linked lists.
We have modifed kbtree to support complex data structures in from
fields.
Soner Tari