Untangle friends,

At present, AppCtrl rules are eval'd after the AppList, so if a given application is blocked in the AppList, then the rules for that same application have no effect. So I got to thinkin' and wanted to check if anyone sees merit in having the rules eval'd first. My reasoning is that by evaluating the AppCtrl rules first, it then becomes trivial to apply exceptions to the blocking of all traffic for a given application. So, for example, you want to prohibit Netflix or other streaming services for everyone except 2 or 3 people. Also, I know that this kind of exception is currently possible, but it does require 2 AppCtrl rules and seems a bit more clumsy.

In terms of implementation, one of the following seems sensible:

  1. Have a knob that allows the user to specify if the rules are eval'd before/after the AppList. (preferable)
  2. Make a change that has all AppCtrl rules eval'd first. (least desirable)

Please share your thoughts on this, including any pitfalls with the above suggestion or maybe better/preferable methods to accomplish the same goal, etc.

Thanks.