Add git dfprog/++host/::filter stop-processing block prefix

Inspired by OpenBSD syslogd, introduce a double-prefix syntax for block
headers that stops rule evaluation once a matching rule fires,
preventing a message from being logged twice.

  !!prog      -- like !prog  but stops on match
  ++host      -- like +host  but stops on match
  ::filter    -- like :filter but stops on match (sysklogd extension)

Use !*, +*, or :* as usual to reset and resume normal evaluation for
subsequent blocks.

The STOP_FLAG (0x040) is set on all filed entries created within a
double-prefix block.  The logmsg() dispatch loop breaks out of the
SIMPLEQ_FOREACH as soon as it processes a rule carrying that flag,
so no further rules see the message.

Example -- route nftables firewall logs exclusively to their own file:

  ::msg, contains, "[nftables"
  kern.*                    -/var/log/nftables.log
  :*
  *.warn;authpriv.none      -/var/log/syslog

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>

Author: troglobit

man/syslog.conf.5

@@ -63,11 +63,14 @@ single backslash ('\\') character.
 .Pp
 .Bd -literal -offset indent
 PROGRAM  := !IDENT[,IDENT]
+         |= !!IDENT[,IDENT]
          |= !+IDENT[,IDENT]
 	 |= !-IDENT[,IDENT]
 HOSTNAME := +IDENT[,IDENT]
+         |= ++IDENT[,IDENT]
 	 |= -IDENT[,IDENT]
 PROPERTY := :PROP, [PREFIX]OPERATOR, "VALUE"
+         |= ::PROP, [PREFIX]OPERATOR, "VALUE"
 PROP     := hostname
 	 |= msg
          |= msgid
@@ -176,6 +179,16 @@ You can reset the program specification at any time using the
 syntax.  The program specification is also reset for each included .conf
 file.
 .Pp
+The
+.Ql !!prog
+form works like
+.Ql !prog
+but causes evaluation to stop after a matching rule in this block fires,
+ensuring no further rules are applied to that message.
+Use
+.Ql !*
+to cancel the effect and resume normal evaluation for subsequent blocks.
+.Pp
 A
 .Em hostname filter
 specification of the form
@@ -197,14 +210,34 @@ the local hostname will be used.  Similar to program specifications,
 multiple comma-separated values may be specified for hostname
 specifications.
 .Pp
+The
+.Ql ++hostname
+form works like
+.Ql +hostname
+but causes evaluation to stop after a matching rule in this block fires,
+ensuring no further rules are applied to that message.
+Use
+.Ql +*
+to cancel the effect and resume normal evaluation for subsequent blocks.
+.Pp
 A
 .Em property-based filter
 specification is a line beginning with
 .Ql #:
 or
 .Ql :
 and the following blocks will be applied only when filter value matches
-given filter properties value.  See
+given filter properties value.
+The
+.Ql ::
+form works like
+.Ql :
+but causes evaluation to stop after a matching rule in this block fires,
+ensuring no further rules are applied to that message.
+Use
+.Ql :*
+to cancel the effect and resume normal evaluation for subsequent blocks.
+See
 .Sx PROPERTY-BASED FILTERS
 section for more details.  For examples, see
 .Sx EXAMPLES
@@ -844,6 +877,37 @@ These examples show off the substring and regexp matching capabilities.
 :hostname, icase_ereregex, "^server-(dcA|podB|cdn)-rack1[0-9]{2}\..*"
 *.*			     /var/log/racks10-19.log
 .Ed
+.Ss Stop Processing
+In this example, firewall messages tagged with
+.Ql [nftables
+are captured in a dedicated log file and then processing stops,
+preventing the same messages from also appearing in
+.Pa /var/log/syslog .
+Without the
+.Ql ::
+prefix on the property filter, both files would receive the message.
+.Bd -literal -offset indent
+# Capture firewall messages exclusively in their own log file.
+# The :: prefix stops further rule evaluation once a match fires.
+::msg, contains, "[nftables"
+kern.*                       /var/log/nftables.log
+
+# Reset the property filter, then log general kernel/warn messages.
+# Firewall messages never reach this rule.
+:*
+*.warn;\e
+    authpriv.none;cron.none;mail.none;news.none    /var/log/syslog
+.Ed
+.Pp
+The same behaviour is available for program and hostname blocks.
+Here, all messages from
+.Nm spamd
+are routed to their own log and nowhere else:
+.Bd -literal -offset indent
+!!spamd
+daemon.info                  /var/log/spamd
+!*
+.Ed
 .Ss Critical
 This stores all messages of priority
 .Ql crit

src/syslogd.c

@@ -2526,6 +2526,9 @@ static void logmsg(struct buf_msg *buffer)
 #endif
 			fprintlog_first(f, buffer);
 		}
+
+		if (f->f_flags & STOP_FLAG)
+			break;
 	}
 
 	sigprocmask(SIG_UNBLOCK, &mask, NULL);
@@ -4146,9 +4149,9 @@ static void init(void)
 			}
 
 			if (f->f_program)
-				printf(" (%s)", f->f_program);
+				printf(" (%s%s)", (f->f_flags & STOP_FLAG) ? "!!" : "", f->f_program);
 			if (f->f_host)
-				printf(" [%s]", f->f_host);
+				printf(" [%s%s]", (f->f_flags & STOP_FLAG) ? "++" : "", f->f_host);
 
 			if (f->f_flags & RFC5424)
 				printf("\t;RFC5424");
@@ -4891,6 +4894,7 @@ static int cfparse(FILE *fp, struct files *newf)
 	char host[LINE_MAX] = "*";
 	char prog[LINE_MAX] = "*";
 	char cbuf[LINE_MAX];
+	int stop_block = 0;
 	struct filed *f;
 	char *cline;
 	char *p;
@@ -4923,11 +4927,20 @@ static int cfparse(FILE *fp, struct files *newf)
 		if (*p == '+' || *p == '-') {
 			host[i++] = *p++;
 
+			/* ++ means final block (like OpenBSD), - never final */
+			if (*p == '+') {
+				stop_block = 1;
+				p++;
+			} else {
+				stop_block = 0;
+			}
+
 			while (isblank(*p))
 				p++;
 
 			if (*p == '*') {
 				(void)strlcpy(host, "*", sizeof(host));
+				stop_block = 0;
 				continue;
 			}
 
@@ -4949,11 +4962,21 @@ static int cfparse(FILE *fp, struct files *newf)
 
 		if (*p == '!') {
 			p++;
+
+			/* !! means final block, matching OpenBSD syslogd */
+			if (*p == '!') {
+				stop_block = 1;
+				p++;
+			} else {
+				stop_block = 0;
+			}
+
 			while (isblank(*p))
 				p++;
 
 			if (*p == '\0' || *p == '*') {
 				(void)strlcpy(prog, "*", sizeof(prog));
+				stop_block = 0;
 				continue;
 			}
 
@@ -4968,10 +4991,20 @@ static int cfparse(FILE *fp, struct files *newf)
 
 		if (*p == ':') {
 			p++;
+
+			/* :: means final block, analogous to !! for programs */
+			if (*p == ':') {
+				stop_block = 1;
+				p++;
+			} else {
+				stop_block = 0;
+			}
+
 			while (isblank(*p))
 				p++;
 			if (!*p || *p == '*') {
 				strlcpy(pfilter, "*", sizeof(pfilter));
+				stop_block = 0;
 				continue;
 			}
 			strlcpy(pfilter, p, sizeof(pfilter));
@@ -5034,6 +5067,9 @@ static int cfparse(FILE *fp, struct files *newf)
 		if (!f)
 			continue;
 
+		if (stop_block)
+			f->f_flags |= STOP_FLAG;
+
 		SIMPLEQ_INSERT_TAIL(newf, f, f_link);
 	}
 

src/syslogd.h

@@ -191,6 +191,7 @@
 #define MARK      0x008  /* this message is a mark */
 #define RFC3164   0x010  /* format log message according to RFC 3164 */
 #define RFC5424   0x020  /* format log message according to RFC 5424 */
+#define STOP_FLAG 0x040 /* stop processing further rules after match */
 
 /* Syslog timestamp formats. */
 #define	BSDFMT_DATELEN	0