Merge remote-tracking branch 'origin/topic/johanna/netcontrol-updates'

* origin/topic/johanna/netcontrol-updates: Netcontrol: add rule_added_policy Netcontrol: more logging in catch-and-release Netcontrol: allow supplying explicit name to Debug plugin
2025-10-02 06:38:20 +00:00 · 2024-02-06 11:51:26 +00:00 · 2024-02-06 11:51:26 +00:00 · 160ccda45f
commit 160ccda45f
parent f8a7f3699c 737f828bcb
17 changed files with 494 additions and 33 deletions
--- a/24
+++ b/24
@ -1,3 +1,27 @@
+6.2.0-dev.519 | 2024-02-06 11:51:26 +0000
+
+  * Netcontrol: add rule_added_policy (Johanna Amann, Corelight)
+
+    rule_added_policy allows the modification of rules just after they have
+    been added. This allows the implementation of some more complex features
+    - like changing rule states depending on insertion in other plugins.
+
+  * Netcontrol: more logging in catch-and-release (Johanna Amann, Corelight)
+
+    Catch-and-release logs now include the plugin that is responsible for an
+    action. Furthermore, the catch-and-release log also includes instances
+    where a rule already existed, and where an error occurred during an
+    operation.
+
+  * Netcontrol: allow supplying explicit name to Debug plugin (Johanna Amann, Corelight)
+
+    This change extends the arguments of NetControl::create_debug, and
+    allows the specification of an optional name argument, which can be used
+    instead of the default-generated name.
+
+    This is helpful when one wants to attach several plugins to verify
+    behavior in those cases.
+
 6.2.0-dev.515 | 2024-02-06 11:22:26 +0100

  * Obj: Implement with_location_of() as template (Arne Welzel, Corelight)
--- a/7
+++ b/7
@ -187,6 +187,9 @@ New Functionality

 	hook Intel::seen_policy(s: Intel::Seen, found: bool)

+- A new ``NetControl::rule_added_policy`` hook has been introduced to allow modification
+  of NetControl rules after they have been added.
+
 Changed Functionality
 ---------------------

@ -213,6 +216,10 @@ Changed Functionality
  unbounded MIME message nesting. This limit is configurable with ``MIME::max_depth``.
  A new weird named ``exceeded_mime_max_depth`` is reported when reached.

+- The ``netcontrol_catch_release.log`` now contains a plugin column that shows which
+  plugin took an action. The logs also contain information when errors or existing
+	rules are encountered.
+
 Removed Functionality
 ---------------------

--- a/2
+++ b/2
@ -1 +1 @@
-6.2.0-dev.515
+6.2.0-dev.519
--- a/scripts/base/frameworks/netcontrol/main.zeek
+++ b/scripts/base/frameworks/netcontrol/main.zeek
@ -262,6 +262,20 @@ export {
 	## r: The rule to be added.
 	global NetControl::rule_policy: hook(r: Rule);

+	## Hook that allows the modification of rule states after they are returned from
+	## the plugins and have been added to the rules database. This allows low-level
+	## modification of the handling of rules like, e.g., changing rule expiration depending
+	## on context.
+	##
+	## r: The rule now in place.
+	##
+	## p: The state for the plugin that put it into place.
+	##
+	## exists: If the adding plugin flagged the rule as already existing.
+	##
+	## msg: An optional informational message by the plugin.
+	global NetControl::rule_added_policy: hook(r: Rule, p: PluginState, exists: bool, msg: string);
+
 	##### Plugin functions

 	## Function called by plugins once they finished their activation. After all
@ -945,6 +959,8 @@ function rule_added_impl(r: Rule, p: PluginState, exists: bool, msg: string &def
 		# rule was completely added.
 		rule$_added = T;
 		}
+
+	hook NetControl::rule_added_policy(rule, p, exists, msg);
 	}

 function rule_removed_impl(r: Rule, p: PluginState, msg: string &default="") &is_used
--- a/scripts/base/frameworks/netcontrol/plugins/debug.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/debug.zeek
@ -12,7 +12,21 @@ export {
 	##
 	## do_something: If true, the plugin will claim it supports all operations; if
 	##               false, it will indicate it doesn't support any.
-	global create_debug: function(do_something: bool) : PluginState;
+	##
+	## name: Optional name that for the plugin.
+	global create_debug: function(do_something: bool, name: string &default="") : PluginState;
+
+	## Instantiates a debug plugin for the NetControl framework. This variation
+	## of the plugin will return "exists" to any rule operations.
+	##
+	## name: Name of this plugin.
+	global create_debug_exists: function(name: string) : PluginState;
+
+	## Instantiates a debug plugin for the NetControl framework. This variation
+	## of the plugin will return "error" to any rule operations.
+	##
+	## name: Name of this plugin.
+	global create_debug_error: function(name: string) : PluginState;
 }

 function do_something(p: PluginState) : bool
@ -22,7 +36,7 @@ function do_something(p: PluginState) : bool

 function debug_name(p: PluginState) : string
 	{
-	return fmt("Debug-%s", (do_something(p) ? "All" : "None"));
+	return p$config["name"];
 	}

 function debug_log(p: PluginState, msg: string)
@ -55,6 +69,34 @@ function debug_add_rule(p: PluginState, r: Rule) : bool
 	return F;
 	}

+function debug_add_rule_exists(p: PluginState, r: Rule) : bool
+	{
+	local s = fmt("add_rule_exists: %s", r);
+	debug_log(p, s);
+
+	if ( do_something(p) )
+		{
+		event NetControl::rule_exists(r, p);
+		return T;
+		}
+
+	return F;
+	}
+
+function debug_add_rule_error(p: PluginState, r: Rule) : bool
+	{
+	local s = fmt("add_rule_error: %s", r);
+	debug_log(p, s);
+
+	if ( do_something(p) )
+		{
+		event NetControl::rule_error(r, p, "debug error");
+		return T;
+		}
+
+	return F;
+	}
+
 function debug_remove_rule(p: PluginState, r: Rule, reason: string) : bool
 	{
 	local s = fmt("remove_rule (%s): %s", reason, r);
@ -73,13 +115,35 @@ global debug_plugin = Plugin(
 	$remove_rule = debug_remove_rule
 	);

-function create_debug(do_something: bool) : PluginState
+function create_debug(do_something: bool, name: string) : PluginState
 	{
 	local p: PluginState = [$plugin=debug_plugin];

 	# FIXME: Why's the default not working?
 	p$config = table();
 	p$config["all"] = (do_something ? "1" : "0");
+	if ( name == "" )
+		p$config["name"] = fmt("Debug-%s", (do_something ? "All" : "None"));
+	else
+		p$config["name"] = name;

 	return p;
 	}
+
+function create_debug_error(name: string) : PluginState
+	{
+	local p: PluginState = copy([$plugin=debug_plugin]);
+	p$config["name"] = name;
+	p$config["all"] = "1";
+	p$plugin$add_rule = debug_add_rule_error;
+	return p;
+	}
+
+function create_debug_exists(name: string) : PluginState
+	{
+	local p: PluginState = copy([$plugin=debug_plugin]);
+	p$config["name"] = name;
+	p$config["all"] = "1";
+	p$plugin$add_rule = debug_add_rule_exists;
+	return p;
+	}
--- a/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
+++ b/scripts/policy/frameworks/netcontrol/catch-and-release.zeek
@ -73,6 +73,8 @@ export {
 		location: string &log &optional;
 		## Additional informational string by the catch and release framework about this log-line.
 		message: string &log &optional;
+		## Plugin triggering the log entry.
+		plugin: string		&log &optional;
 	};

 	## Stops all packets involving an IP address from being forwarded. This function
@ -270,11 +272,40 @@ event rule_added(r: Rule, p: PluginState, msg: string)
 	local bi = blocks[ip];

 	local log = populate_log_record(ip, bi, DROPPED);
+	log$plugin = p$plugin$name(p);
 	if ( msg != "" )
 		log$message = msg;
 	Log::write(CATCH_RELEASE, log);
 	}

+event rule_exists(r: Rule, p: PluginState, msg: string)
+	{
+	if ( !cr_check_rule(r) )
+		return;
+
+	local ip = subnet_to_addr(r$entity$ip);
+	local bi = blocks[ip];
+
+	local log = populate_log_record(ip, bi, INFO);
+	log$plugin = p$plugin$name(p);
+	local infomsg = "Existing rule encountered while inserting rule";
+	log$message = msg + infomsg;
+	Log::write(CATCH_RELEASE, log);
+	}
+
+event rule_error(r: Rule, p: PluginState, msg: string)
+	{
+	if ( !cr_check_rule(r) )
+		return;
+
+	local ip = subnet_to_addr(r$entity$ip);
+	local bi = blocks[ip];
+
+	local log = populate_log_record(ip, bi, INFO);
+	log$plugin = p$plugin$name(p);
+	log$message = "Error occurred during rule operation: " + msg;
+	Log::write(CATCH_RELEASE, log);
+	}

 event rule_timeout(r: Rule, i: FlowInfo, p: PluginState)
 	{
@ -285,6 +316,7 @@ event rule_timeout(r: Rule, i: FlowInfo, p: PluginState)
 	local bi = blocks[ip];

 	local log = populate_log_record(ip, bi, UNBLOCK);
+	log$plugin = p$plugin$name(p);
 	if ( bi?$block_until )
 		{
 		local difference: interval = network_time() - bi$block_until;
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.rule-added-hook-2/netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.rule-added-hook-2/netcontrol.log
@ -0,0 +1,25 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	plugin-1
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	plugin-1
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	plugin-2
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	plugin-2
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-2
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-2
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-2
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-2
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-2
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.rule-added-hook/netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.rule-added-hook/netcontrol.log
@ -0,0 +1,22 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	rule_id	category	cmd	state	action	target	entity_type	entity	mod	msg	priority	expire	location	plugin
+#types	time	string	enum	string	enum	string	enum	string	string	string	string	int	interval	string	string
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	plugin-1
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	plugin-1
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	plugin-2
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	plugin-2
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-2
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-2
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	EXPIRE	NetControl::TIMEOUT	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	REMOVE	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	REMOVE	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	1.000000	-	plugin-1
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-2/netcontrol_catch_release.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-2/netcontrol_catch_release.log
@ -5,12 +5,12 @@
 #unset_field	-
 #path	netcontrol_catch_release
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message
-#types	time	string	addr	enum	interval	interval	time	time	count	string	string
-XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::ADDED	600.000000	3600.000000	-	XXXXXXXXXX.XXXXXX	1	test drop	Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic.
-XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	-	XXXXXXXXXX.XXXXXX	1	test drop	-
-XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::SEEN_AGAIN	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	test drop	-
-XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::DROPPED	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	test drop	-
-XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::SEEN_AGAIN	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	test drop	-
-XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::DROPPED	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	test drop	-
+#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message	plugin
+#types	time	string	addr	enum	interval	interval	time	time	count	string	string	string
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::ADDED	600.000000	3600.000000	-	XXXXXXXXXX.XXXXXX	1	test drop	Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic.	-
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	-	XXXXXXXXXX.XXXXXX	1	test drop	-	Debug-All
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::SEEN_AGAIN	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	test drop	-	-
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::DROPPED	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	test drop	-	Debug-All
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::SEEN_AGAIN	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	test drop	-	-
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::DROPPED	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	test drop	-	Debug-All
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-forgotten/netcontrol_catch_release.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-forgotten/netcontrol_catch_release.log
@ -5,10 +5,10 @@
 #unset_field	-
 #path	netcontrol_catch_release
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message
-#types	time	string	addr	enum	interval	interval	time	time	count	string	string
-XXXXXXXXXX.XXXXXX	2	10.0.0.1	NetControl::DROP_REQUESTED	1.000000	2.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-
-XXXXXXXXXX.XXXXXX	2	10.0.0.1	NetControl::DROPPED	1.000000	2.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-
-XXXXXXXXXX.XXXXXX	2	10.0.0.1	NetControl::UNBLOCK	1.000000	2.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-
-XXXXXXXXXX.XXXXXX	2	10.0.0.1	NetControl::FORGOTTEN	1.000000	2.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-
+#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message	plugin
+#types	time	string	addr	enum	interval	interval	time	time	count	string	string	string
+XXXXXXXXXX.XXXXXX	2	10.0.0.1	NetControl::DROP_REQUESTED	1.000000	2.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	-
+XXXXXXXXXX.XXXXXX	2	10.0.0.1	NetControl::DROPPED	1.000000	2.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	Debug-All
+XXXXXXXXXX.XXXXXX	2	10.0.0.1	NetControl::UNBLOCK	1.000000	2.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	Debug-All
+XXXXXXXXXX.XXXXXX	2	10.0.0.1	NetControl::FORGOTTEN	1.000000	2.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-two-plugins-2/netcontrol.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-two-plugins-2/netcontrol.log
@ -0,0 +1,49 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	exists
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	exists
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	error
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	error
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	plugin-1
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	plugin-1
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	exists
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	error
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	exists
+XXXXXXXXXX.XXXXXX	2	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	debug error	0	600.000000	-	error
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	600.000000	-	-
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	3	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	debug error	0	3600.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	3600.000000	Re-drop by catch-and-release: 	-
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	4	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	debug error	0	86400.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	86400.000000	Re-drop by catch-and-release: 	-
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	5	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	debug error	0	604800.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	604800.000000	Re-drop by catch-and-release: 	-
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	6	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	debug error	0	604800.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	604800.000000	Re-drop by catch-and-release: 	-
+XXXXXXXXXX.XXXXXX	7	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	7	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	7	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	7	NetControl::RULE	ADD	NetControl::EXISTS	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	exists
+XXXXXXXXXX.XXXXXX	7	NetControl::ERROR	-	-	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	debug error	0	604800.000000	Re-drop by catch-and-release: 	error
+XXXXXXXXXX.XXXXXX	7	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
--- a/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-two-plugins-2/netcontrol_catch_release.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-two-plugins-2/netcontrol_catch_release.log
@ -0,0 +1,35 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol_catch_release
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message	plugin
+#types	time	string	addr	enum	interval	interval	time	time	count	string	string	string
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROP_REQUESTED	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	-
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	Already blocked using catch-and-release - ignoring duplicate	-
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	Existing rule encountered while inserting rule	exists
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	Error occurred during rule operation: debug error	error
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::SEEN_AGAIN	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	-	-
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::INFO	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	Existing rule encountered while inserting rule	exists
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::INFO	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	Error occurred during rule operation: debug error	error
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::DROPPED	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::SEEN_AGAIN	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	-	-
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::INFO	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	Existing rule encountered while inserting rule	exists
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::INFO	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	Error occurred during rule operation: debug error	error
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::DROPPED	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	-	-
+XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::INFO	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	Existing rule encountered while inserting rule	exists
+XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::INFO	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	Error occurred during rule operation: debug error	error
+XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	-	-
+XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::INFO	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	Existing rule encountered while inserting rule	exists
+XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::INFO	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	Error occurred during rule operation: debug error	error
+XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	-	-
+XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::INFO	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	Existing rule encountered while inserting rule	exists
+XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::INFO	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	Error occurred during rule operation: debug error	error
+XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	-	plugin-1
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-two-plugins/netcontrol.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-two-plugins/netcontrol.log
@ -0,0 +1,35 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	plugin-1
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	plugin-1
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activating plugin with priority 0	-	-	-	plugin-2
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	activation finished	-	-	-	plugin-2
+0.000000	-	NetControl::MESSAGE	-	-	-	-	-	-	-	plugin initialization done	-	-	-	-
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	plugin-2
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	600.000000	-	plugin-2
+XXXXXXXXXX.XXXXXX	2	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	600.000000	-	-
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	plugin-2
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	3600.000000	Re-drop by catch-and-release: 	plugin-2
+XXXXXXXXXX.XXXXXX	3	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	3600.000000	Re-drop by catch-and-release: 	-
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	plugin-2
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	86400.000000	Re-drop by catch-and-release: 	plugin-2
+XXXXXXXXXX.XXXXXX	4	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	86400.000000	Re-drop by catch-and-release: 	-
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-2
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-2
+XXXXXXXXXX.XXXXXX	5	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	604800.000000	Re-drop by catch-and-release: 	-
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-2
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-2
+XXXXXXXXXX.XXXXXX	6	NetControl::RULE	-	NetControl::REMOVED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	delete_rule: testing	0	604800.000000	Re-drop by catch-and-release: 	-
+XXXXXXXXXX.XXXXXX	7	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	7	NetControl::RULE	ADD	NetControl::REQUESTED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-2
+XXXXXXXXXX.XXXXXX	7	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-1
+XXXXXXXXXX.XXXXXX	7	NetControl::RULE	ADD	NetControl::SUCCEEDED	NetControl::DROP	NetControl::FORWARD	NetControl::ADDRESS	192.168.18.50/32	-	-	0	604800.000000	Re-drop by catch-and-release: 	plugin-2
--- a/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-two-plugins/netcontrol_catch_release.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release-two-plugins/netcontrol_catch_release.log
@ -0,0 +1,29 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	netcontrol_catch_release
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message	plugin
+#types	time	string	addr	enum	interval	interval	time	time	count	string	string	string
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROP_REQUESTED	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	-
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	Already blocked using catch-and-release - ignoring duplicate	-
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	plugin-2
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::SEEN_AGAIN	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	-	-
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::DROPPED	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::DROPPED	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	-	plugin-2
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::SEEN_AGAIN	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	-	-
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::DROPPED	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::DROPPED	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	-	plugin-2
+XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	-	-
+XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	-	plugin-2
+XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	-	-
+XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	-	plugin-2
+XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	-	-
+XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	-	plugin-1
+XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	-	plugin-2
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release/netcontrol_catch_release.log
+++ b/testing/btest/Baseline/scripts.policy.frameworks.netcontrol.catch-and-release/netcontrol_catch_release.log
@ -5,19 +5,19 @@
 #unset_field	-
 #path	netcontrol_catch_release
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message
-#types	time	string	addr	enum	interval	interval	time	time	count	string	string
-XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROP_REQUESTED	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-
-XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	Already blocked using catch-and-release - ignoring duplicate
-XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-
-XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::SEEN_AGAIN	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	-
-XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::DROPPED	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	-
-XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::SEEN_AGAIN	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	-
-XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::DROPPED	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	-
-XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	-
-XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	-
-XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	-
-XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	-
-XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	-
-XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	-
+#fields	ts	rule_id	ip	action	block_interval	watch_interval	blocked_until	watched_until	num_blocked	location	message	plugin
+#types	time	string	addr	enum	interval	interval	time	time	count	string	string	string
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROP_REQUESTED	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	-
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::INFO	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	Already blocked using catch-and-release - ignoring duplicate	-
+XXXXXXXXXX.XXXXXX	2	192.168.18.50	NetControl::DROPPED	600.000000	3600.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	1	-	-	Debug-All
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::SEEN_AGAIN	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	-	-
+XXXXXXXXXX.XXXXXX	3	192.168.18.50	NetControl::DROPPED	3600.000000	86400.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	2	-	-	Debug-All
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::SEEN_AGAIN	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	-	-
+XXXXXXXXXX.XXXXXX	4	192.168.18.50	NetControl::DROPPED	86400.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	3	-	-	Debug-All
+XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	-	-
+XXXXXXXXXX.XXXXXX	5	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	4	-	-	Debug-All
+XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	-	-
+XXXXXXXXXX.XXXXXX	6	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	5	-	-	Debug-All
+XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::SEEN_AGAIN	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	-	-
+XXXXXXXXXX.XXXXXX	7	192.168.18.50	NetControl::DROPPED	604800.000000	604800.000000	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	6	-	-	Debug-All
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/scripts/base/frameworks/netcontrol/rule-added-hook.zeek
+++ b/testing/btest/scripts/base/frameworks/netcontrol/rule-added-hook.zeek
@ -0,0 +1,46 @@
+# @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: btest-diff netcontrol.log
+
+@load base/frameworks/netcontrol
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T, "plugin-1");
+	local netcontrol_debug_exists = NetControl::create_debug_exists("plugin-2");
+	NetControl::activate(netcontrol_debug, 0);
+	NetControl::activate(netcontrol_debug_exists, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::drop_address(id$orig_h, 1sec);
+	}
+
+@TEST-START-NEXT
+
+@load base/frameworks/netcontrol
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T, "plugin-1");
+	local netcontrol_debug_exists = NetControl::create_debug_exists("plugin-2");
+	NetControl::activate(netcontrol_debug, 0);
+	NetControl::activate(netcontrol_debug_exists, 0);
+	}
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::drop_address(id$orig_h, 1sec);
+	}
+
+hook NetControl::rule_added_policy(r: NetControl::Rule, p: NetControl::PluginState, exists: bool, msg: string)
+	{
+	if ( exists )
+		# force expiration, even if rule exists
+		if ( p$_id in r$_no_expire_plugins )
+			delete r$_no_expire_plugins[p$_id];
+	}
+
+
--- a/testing/btest/scripts/policy/frameworks/netcontrol/catch-and-release-two-plugins.zeek
+++ b/testing/btest/scripts/policy/frameworks/netcontrol/catch-and-release-two-plugins.zeek
@ -0,0 +1,77 @@
+# @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log
+# @TEST-EXEC: btest-diff netcontrol_catch_release.log
+
+@load base/frameworks/netcontrol
+@load policy/frameworks/netcontrol/catch-and-release
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T, "plugin-1");
+	local netcontrol_debug_two = NetControl::create_debug(T, "plugin-2");
+	NetControl::activate(netcontrol_debug, 0);
+	NetControl::activate(netcontrol_debug_two, 0);
+	}
+
+global i: count = 0;
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::drop_address_catch_release(id$orig_h);
+	# second one should be ignored because duplicate
+	NetControl::drop_address_catch_release(id$orig_h);
+	}
+
+event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	if ( p$plugin$name(p) == "plugin-1" )
+		return;
+
+	if ( ++i >= 6 )
+		return;
+
+	# delete directly, without notifying anything.
+	NetControl::delete_rule(r$id, "testing");
+	NetControl::catch_release_seen(subnet_to_addr(r$entity$ip));
+	}
+
+
+@TEST-START-NEXT
+
+@load base/frameworks/netcontrol
+@load policy/frameworks/netcontrol/catch-and-release
+
+event NetControl::init()
+	{
+	local netcontrol_debug = NetControl::create_debug(T, "plugin-1");
+	local netcontrol_debug_two = NetControl::create_debug_exists("exists");
+	local netcontrol_debug_error = NetControl::create_debug_error("error");
+	NetControl::activate(netcontrol_debug_two, 0);
+	NetControl::activate(netcontrol_debug_error, 0);
+	NetControl::activate(netcontrol_debug, 0);
+	}
+
+global i: count = 0;
+
+event connection_established(c: connection)
+	{
+	local id = c$id;
+	NetControl::drop_address_catch_release(id$orig_h);
+	# second one should be ignored because duplicate
+	NetControl::drop_address_catch_release(id$orig_h);
+	}
+
+event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
+	{
+	if ( p$plugin$name(p) != "plugin-1" )
+		return;
+
+	if ( ++i >= 6 )
+		return;
+
+	# delete directly, without notifying anything.
+	NetControl::delete_rule(r$id, "testing");
+	NetControl::catch_release_seen(subnet_to_addr(r$entity$ip));
+	}
+