Closed elico closed 3 years ago
The top score wins. This takes precedence over the ordering of the rules. But you can disable this behavior by setting the default action of the sslbypass category to acl, so that it will be treated more like an ACL: it's just on or off, and the score doesn't matter then, as long as it's greater than 0.
@andybalholm I have not verified all scenarios, but it answered my question. Thanks!
I have the following acls.conf:
and I have a couple of categories with an ignore action.
When I create a whitelist category, the connection is bumped despite the fact that it also matches the sslbypass category. The following is when ssl-bump is bypassed:
2021-05-20 01:36:45.753516,10.200.191.171,allow,//www.mizrahi-tefahot.co.il,CONNECT,0,,0,,/(^|.*\.)mizrahi\-tefahot\.co\.il$/h 1,sslbypass 500,connect sslbypass,,,,,,,,
while the following is when I enable the whitelist category with an ignore action:
2021-05-20 01:28:44.257310,10.200.191.171,ssl-bump,//www.mizrahi-tefahot.co.il,CONNECT,0,,0,,/(^|.*\.)mizrahi\-tefahot\.co\.il$/h 1,"z999-whitelist 1500, sslbypass 500",localnet,,,,,,,,
So I tried lowering the default score to below 500 and got the following log line:
2021-05-20 01:43:47.272874,10.200.191.171,allow,//www.mizrahi-tefahot.co.il,CONNECT,0,,0,,/(^|.*\.)mizrahi\-tefahot\.co\.il$/h 1,"sslbypass 500, z999-whitelist 499",connect sslbypass,,,,,,,,
I assumed that since the rule
allow connect sslbypass
is the first rule, it would match and the CONNECT would be bypassed; however, it is being bumped. I am pretty sure it's a bug, but I was wondering whether this is the expected result?
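The three log lines quoted above can be replayed against the scoring rule andybalholm describes (highest category score wins, or sslbypass treated as a plain on/off ACL once its default action is set to acl). The script below is an added example written for this thread, not Redwood's own code: it parses the quoted lines with a CSV reader, reads the category scores out of them, and applies a simplified model of the CONNECT decision. The field positions (action in column 2, category scores in column 10) are inferred from the posted lines, and the decision function only models what the reply states (a winning sslbypass category means the CONNECT is tunneled, anything else means it is bumped); both are assumptions, not a description of Redwood's internals.

```python
import csv

# Constructed sample input: the three Redwood log lines quoted in the issue body.
SAMPLE_LOG_LINES = [
    r"2021-05-20 01:36:45.753516,10.200.191.171,allow,//www.mizrahi-tefahot.co.il,CONNECT,0,,0,,/(^|.*\.)mizrahi\-tefahot\.co\.il$/h 1,sslbypass 500,connect sslbypass,,,,,,,,",
    r'2021-05-20 01:28:44.257310,10.200.191.171,ssl-bump,//www.mizrahi-tefahot.co.il,CONNECT,0,,0,,/(^|.*\.)mizrahi\-tefahot\.co\.il$/h 1,"z999-whitelist 1500, sslbypass 500",localnet,,,,,,,,',
    r'2021-05-20 01:43:47.272874,10.200.191.171,allow,//www.mizrahi-tefahot.co.il,CONNECT,0,,0,,/(^|.*\.)mizrahi\-tefahot\.co\.il$/h 1,"sslbypass 500, z999-whitelist 499",connect sslbypass,,,,,,,,',
]

# Column positions assumed from the quoted lines (not taken from Redwood documentation).
COL_TIME, COL_CLIENT, COL_ACTION, COL_URL, COL_METHOD, COL_SCORES = 0, 1, 2, 3, 4, 10


def parse_scores(field):
    """Turn 'z999-whitelist 1500, sslbypass 500' into {'z999-whitelist': 1500, 'sslbypass': 500}."""
    scores = {}
    for part in field.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.rpartition(" ")
        scores[name] = int(value)
    return scores


def parse_log_line(line):
    """Parse one Redwood log line; the scores column is quoted when it holds several categories."""
    row = next(csv.reader([line]))
    return {
        "time": row[COL_TIME],
        "client": row[COL_CLIENT],
        "action": row[COL_ACTION],
        "url": row[COL_URL],
        "method": row[COL_METHOD],
        "scores": parse_scores(row[COL_SCORES]),
    }


def decide_connect(scores, sslbypass_mode="score"):
    """Simplified model of the CONNECT decision described in the thread.

    sslbypass_mode="score": the category with the highest score wins; only a winning
    sslbypass category keeps the CONNECT unbumped ("allow").
    sslbypass_mode="acl": sslbypass is on/off; any positive score bypasses bumping.
    Ties in score mode go to whichever category was listed first (an assumption).
    """
    if sslbypass_mode == "acl":
        return "allow" if scores.get("sslbypass", 0) > 0 else "ssl-bump"
    if not scores:
        return "ssl-bump"
    winner = max(scores, key=scores.get)
    return "allow" if winner == "sslbypass" else "ssl-bump"


def replay(lines, sslbypass_mode="score"):
    """Return (time, logged action, modelled action) for each line so the two can be compared."""
    results = []
    for line in lines:
        entry = parse_log_line(line)
        predicted = decide_connect(entry["scores"], sslbypass_mode)
        results.append((entry["time"], entry["action"], predicted))
    return results


if __name__ == "__main__":
    for time, logged, predicted in replay(SAMPLE_LOG_LINES):
        print(f"{time}  logged={logged:9} score-mode={predicted}")
    for time, logged, predicted in replay(SAMPLE_LOG_LINES, "acl"):
        print(f"{time}  logged={logged:9} acl-mode={predicted}")
```

Run in score mode, the model reproduces all three logged actions: the 1500-point whitelist outranks sslbypass 500 and the CONNECT is bumped, while at 499 sslbypass wins again. Run in acl mode, the second line flips to allow, which is the effect of setting the sslbypass category's default action to acl.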