tlshd: Parse filter definitions

Administrators can define filters which specify a filter type (e.g.,
which x.509 field is to be checked) and filter arguments (e.g., what
content is to be matched).

A subsequent patch will add the ability to specify the tags which
are added to a TLS session based on filter matches.

Signed-off-by: Chuck Lever <[email protected]>

Author: chucklever

man/man7/tls-session-tags.7

@@ -221,6 +221,24 @@ derived SHA256 fingerrint.
 .B x509.derived.selfSigned
 Filters of this type match when an incoming x.509 certificate's
 issuer and subject distinguished names are exactly equal.
+.SS Filters
+The definition of each filter is YAML mapping that specifies
+the unique name of the filter,
+its filter type,
+and
+zero or more specific match arguments to be used.
+For example:
+
+  filters:
+    ...
+    monsters-university:
+      type: "x509.tbs.issuer"
+      pattern: "*,O=Monsters University,*"
+    ...
+
+This blurb defines a filter named "monsters-university".
+It uses a wildcard match that looks for "O=Monsters University"
+in the "issuer" field of each incoming x.509 certificate.
 .SH STANDARDS
 x.509
 .BR