This is an automated email from the ASF dual-hosted git repository. sorber pushed a commit to branch 6.2.x in repository https://git-dual.apache.org/repos/asf/trafficserver.git
commit 2a000a764ae0ab2e011f9f6679500b7c23399e05 Author: Susan Hinrichs <shinr...@ieee.org> AuthorDate: Wed May 4 01:49:30 2016 +0000 TS-3485: Support ip_allow config for HTTP2. This closes #614. (cherry picked from commit 5ce103e889ef2eec9216ec06ae681916cb6e2298) --- iocore/net/I_SessionAccept.h | 6 +++++ iocore/net/Makefile.am | 1 + iocore/net/{I_SessionAccept.h => SessionAccept.cc} | 27 +++++++++++----------- proxy/http/HttpSessionAccept.cc | 19 +++++++-------- proxy/http2/Http2ClientSession.cc | 12 ---------- proxy/http2/Http2SessionAccept.cc | 13 ++++++++--- 6 files changed, 40 insertions(+), 38 deletions(-)
diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h
index 3d25b3d..1a8d6a2 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/I_SessionAccept.h
@@ -27,6 +27,8 @@
 #include "I_Net.h"
 #include "I_VConnection.h"
+class AclRecord;
+
 class SessionAccept : public Continuation
 {
 public:
@@ -34,6 +36,10 @@ public:
 ~SessionAccept() {}
 virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
+ /* Returns NULL if the specified client_ip is not allowed by ip_allow
+ * Returns a pointer to the relevant IP policy for later processing otherwise */
+ static const AclRecord *testIpAllowPolicy(sockaddr const *client_ip);
+
 private:
 virtual int mainEvent(int event, void *netvc) = 0;
 };
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index 888d3c2..45d3ee9 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -60,6 +60,7 @@ libinknet_a_SOURCES = \
 I_UDPPacket.h \
 Inline.cc \
 I_SessionAccept.h \
+ SessionAccept.cc \
 Net.cc \
 NetVConnection.cc \
 P_CompletionUtil.h \
diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/SessionAccept.cc
similarity index 68%
copy from iocore/net/I_SessionAccept.h
copy to iocore/net/SessionAccept.cc
index 3d25b3d..9d0ff03 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/SessionAccept.cc
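Review bot: The new comment on `testIpAllowPolicy` in the second I_SessionAccept.h hunk documents the NULL case but not the lifetime of the non-NULL result, which is the part callers get wrong: the pointer is into the active IpAllow configuration, the `IpAllow::scoped_config` that obtained it is a local of the new SessionAccept.cc function and is released on return, and Http2SessionAccept stores the pointer on the session for later use. The comment should say that the returned record is not kept alive by this call and that a caller holding it across an ip_allow reload does so at its own risk (whether the old config is retained after a reload is not visible here, so that is the caveat to confirm). The comment also should state the second NULL condition that the implementation adds: no ip_allow configuration loaded at all, not only an explicit deny. The same two-line comment block could read `/* Returns NULL if no ip_allow configuration is loaded or client_ip is denied by it; otherwise a pointer into the active IpAllow config — not retained by this call, so do not hold it across a config reload. */`.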
@@ -21,21 +21,20 @@ limitations under the License.
 */
-#ifndef I_SessionAccept_H_
-#define I_SessionAccept_H_
-
 #include "I_Net.h"
 #include "I_VConnection.h"
+#include "../../proxy/IPAllow.h"
-class SessionAccept : public Continuation
+const AclRecord *
+SessionAccept::testIpAllowPolicy(sockaddr const *client_ip)
 {
-public:
- SessionAccept(ProxyMutex *amutex) : Continuation(amutex) { SET_HANDLER(&SessionAccept::mainEvent); }
- ~SessionAccept() {}
- virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
-
-private:
- virtual int mainEvent(int event, void *netvc) = 0;
-};
-
-#endif /* I_SessionAccept_H_ */
+ IpAllow::scoped_config ipallow;
+ const AclRecord *acl_record = NULL;
+ if (ipallow) {
+ acl_record = ipallow->match(client_ip);
+ if (acl_record && acl_record->isEmpty()) {
+ acl_record = NULL;
+ }
+ }
+ return acl_record;
+}
diff --git a/proxy/http/HttpSessionAccept.cc b/proxy/http/HttpSessionAccept.cc
index 394bbf7..ba5a500 100644
--- a/proxy/http/HttpSessionAccept.cc
+++ b/proxy/http/HttpSessionAccept.cc
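Review bot: `testIpAllowPolicy` returns NULL when `ipallow` itself is null (no ip_allow configuration loaded), and both callers treat NULL as "deny and close", so this commit silently changes the no-config case from fail-open to fail-closed: the HttpSessionAccept.cc hunk previously fell through to accept with `acl_record == NULL` when `ipallow` was false, and the removed Http2ClientSession code only logged "no ip-allow policy specified". Fail-closed is the safer default for an access-control check, but it is not mentioned in the commit message or the header comment; if it is intended, say so in both, and if it is not, the "no config" and "denied" outcomes need to be distinguishable to the caller rather than collapsed into one NULL. The include `"../../proxy/IPAllow.h"` also makes iocore/net depend on proxy/, which inverts the layering the directory split implies; consider moving the function next to IpAllow in proxy/ or under an existing proxy-side base class. The same NULL-collapsing applies to the Http2SessionAccept.cc hunk further down.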
@@ -33,20 +33,21 @@ HttpSessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReade
 sockaddr const *client_ip = netvc->get_remote_addr();
 const AclRecord *acl_record = NULL;
 ip_port_text_buffer ipb;
- IpAllow::scoped_config ipallow;
 // The backdoor port is now only bound to "localhost", so no
 // reason to check for if it's incoming from "localhost" or not.
 if (backdoor) {
 acl_record = IpAllow::AllMethodAcl();
- } else if (ipallow && (((acl_record = ipallow->match(client_ip)) == NULL) || (acl_record->isEmpty()))) {
- ////////////////////////////////////////////////////
- // if client address forbidden, close immediately //
- ////////////////////////////////////////////////////
- Warning("client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
- netvc->do_io_close();
-
- return;
+ } else {
+ acl_record = testIpAllowPolicy(client_ip);
+ if (!acl_record) {
+ ////////////////////////////////////////////////////
+ // if client address forbidden, close immediately //
+ ////////////////////////////////////////////////////
+ Warning("client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
+ netvc->do_io_close();
+ return;
+ }
 }
 // Set the transport type if not already set
diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc
index 71fe2f2..5bbcab4 100644
--- a/proxy/http2/Http2ClientSession.cc
+++ b/proxy/http2/Http2ClientSession.cc
@@ -24,7 +24,6 @@
 #include "Http2ClientSession.h"
 #include "HttpDebugNames.h"
 #include "ts/ink_base64.h"
-#include "../IPAllow.h"
 #define STATE_ENTER(state_name, event) \
 do { \
@@ -138,17 +137,6 @@ Http2ClientSession::start()
 void
 Http2ClientSession::new_connection(NetVConnection *new_vc, MIOBuffer *iobuf, IOBufferReader *reader, bool backdoor)
 {
- acl_record = NULL;
- sockaddr const *client_ip = new_vc->get_remote_addr();
- IpAllow::scoped_config ipallow;
- if (ipallow && (((acl_record = ipallow->match(client_ip)) == NULL) || (acl_record->isEmpty()))) {
- ip_port_text_buffer ipb;
- Warning("http2 client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
- } else if (!acl_record) {
- ip_port_text_buffer ipb;
- Warning("http2 client '%s' no ip-allow policy specified", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
- }
-
 ink_assert(new_vc->mutex->thread_holding == this_ethread());
 HTTP2_INCREMENT_THREAD_DYN_STAT(HTTP2_STAT_CURRENT_CLIENT_SESSION_COUNT, new_vc->mutex->thread_holding);
 HTTP2_INCREMENT_THREAD_DYN_STAT(HTTP2_STAT_TOTAL_CLIENT_CONNECTION_COUNT, new_vc->mutex->thread_holding);
diff --git a/proxy/http2/Http2SessionAccept.cc b/proxy/http2/Http2SessionAccept.cc
index 7aeefc7..3699d4c 100644
--- a/proxy/http2/Http2SessionAccept.cc
+++ b/proxy/http2/Http2SessionAccept.cc
@@ -25,6 +25,7 @@
 #include "Http2ClientSession.h"
 #include "I_Machine.h"
 #include "Error.h"
+#include "../IPAllow.h"
 Http2SessionAccept::Http2SessionAccept(const HttpSessionAccept::Options &_o) : SessionAccept(NULL), options(_o)
 {
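Review bot: `new_connection` no longer resets `acl_record`, so the member's value now depends entirely on whoever called it having set it first; the only setter visible in this commit is Http2SessionAccept::accept, and the Http2ClientSession constructor and any other `new_connection` callers are outside this hunk, so I cannot confirm the member starts out NULL. If the constructor does not initialise it, a session created through another path (or a reused allocator slot, since the session comes from `THREAD_ALLOC_INIT`) would carry a stale policy pointer into the per-request check — an access-control member should never be left to chance. Either confirm the constructor initialises `acl_record` to NULL and add a comment here saying it is set by the accept object before `new_connection`, or keep a defensive `ink_assert(acl_record != NULL)` at the top of this function since the accept path now guarantees a non-NULL record. The removal of the "no ip-allow policy specified" warning is consistent with the new deny-on-NULL behaviour and needs no change.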
@@ -38,9 +39,16 @@ Http2SessionAccept::~Http2SessionAccept()
 void
 Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReader *reader)
 {
+ sockaddr const *client_ip = netvc->get_remote_addr();
+ const AclRecord *session_acl_record = testIpAllowPolicy(client_ip);
+ if (!session_acl_record) {
+ ip_port_text_buffer ipb;
+ Warning("HTTP/2 client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
+ netvc->do_io_close();
+ return;
+ }
 netvc->attributes = this->options.transport_type;
- const sockaddr *client_ip = netvc->get_remote_addr();
 if (is_debug_tag_set("http2_seq")) {
 ip_port_text_buffer ipb;
@@ -48,9 +56,8 @@ Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferRead
 ats_ip_nptop(client_ip, ipb, sizeof(ipb)), netvc->attributes);
 }
- // XXX Allocate a Http2ClientSession
 Http2ClientSession *new_session = THREAD_ALLOC_INIT(http2ClientSessionAllocator, this_ethread());
-
+ new_session->acl_record = session_acl_record;
 new_session->new_connection(netvc, iobuf, reader, false /* backdoor */);
 }
-- To stop receiving notification emails like this one, please contact "commits@trafficserver.apache.org" <commits@trafficserver.apache.org>.