This is an automated email from the ASF dual-hosted git repository.
amc pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new b92a6b3 TS-4593: Extend IPAllow to filter outbound connections
and be controlled from remap. (#1)
b92a6b3 is described below
commit b92a6b3fd5d7addb84aa36622877c70128b9172b
Author: Alan M. Carroll <[email protected]>
AuthorDate: Wed Nov 2 15:04:26 2016 -0500
TS-4593: Extend IPAllow to filter outbound connections and be controlled
from remap. (#1)
Merged
---
doc/admin-guide/files/ip_allow.config.en.rst | 33 +++++++++++++-----
iocore/net/SessionAccept.cc | 4 +--
lib/ts/MatcherUtils.cc | 4 ++-
lib/ts/MatcherUtils.h | 3 +-
proxy/IPAllow.cc | 42 +++++++++++++++--------
proxy/IPAllow.h | 50 +++++++++++++++++++++-------
proxy/InkAPI.cc | 2 +-
proxy/http/HttpSM.cc | 46 ++++++++++++++++++++++++-
proxy/http/HttpTransact.cc | 16 +++++++++
proxy/http/HttpTransact.h | 1 +
proxy/http/remap/RemapConfig.cc | 35 +++++++++++++++----
proxy/http/remap/RemapConfig.h | 2 ++
proxy/http/remap/UrlMapping.h | 1 +
13 files changed, 191 insertions(+), 48 deletions(-)
diff --git a/doc/admin-guide/files/ip_allow.config.en.rst
b/doc/admin-guide/files/ip_allow.config.en.rst
index 203d577..6687805 100644
--- a/doc/admin-guide/files/ip_allow.config.en.rst
+++ b/doc/admin-guide/files/ip_allow.config.en.rst
@@ -22,10 +22,12 @@ ip_allow.config
.. configfile:: ip_allow.config
The :file:`ip_allow.config` file controls client access to the Traffic
-Server proxy cache. You can specify ranges of IP addresses that are
-allowed to use the Traffic Server as a web proxy cache. After you modify
-the :file:`ip_allow.config` file, navigate to the Traffic Server bin
-directory and run the :option:`traffic_ctl config reload` command to apply
changes. When
+Server proxy cache and Traffic Server connections to the servers. You
+can specify ranges of IP addresses that are allowed to use the Traffic
+Server as a web proxy cache or that are allowed to be remapped by
+Traffic Server. After you modify the :file:`ip_allow.config` file,
+navigate to the Traffic Server bin directory and run the
+:option:`traffic_ctl config reload` command to apply changes. When
you apply the changes to a node in a cluster, Traffic Server
automatically applies the changes to all other nodes in the cluster.
@@ -36,13 +38,18 @@ Each line in the :file:`ip_allow.config` file must have the
following
format::
src_ip=<range of IP addresses> action=<action> [method=<list of methods
separated by '|'>]
+ dest_ip=<range of IP addresses> action=<action> [method=<list of methods
separated by '|'>]
where src_ip is the IP address or range of IP addresses of the
-client(s). The action ``ip_allow`` enables the specified client(s) to
-access the Traffic Server proxy cache, and ``ip_deny`` denies the
-specified client(s) to access the Traffic Server proxy cache. Multiple
-method keywords can be specified (method=GET method=HEAD), or multiple
-methods can be separated by an '\|' (method=GET\|HEAD). The method
+client(s) and dest_ip is the IP address or range of IP addresses of the
+server(s). When src_ip is indicated, the action ``ip_allow`` enables
+the specified client(s) to access the Traffic Server proxy cache,
+and ``ip_deny`` denies the specified client(s) to access the Traffic
+Server proxy cache. When dest_ip is indicated, the action ``ip_allow``
+enables the Traffic Server to access the specified server(s), and
+``ip_deny`` denies the Traffic Server to access the specified server(s).
+Multiple method keywords can be specified (method=GET method=HEAD), or
+multiple methods can be separated by an '\|' (method=GET\|HEAD). The method
keyword is optional and it is defaulted to ALL. This supports ANY string
as the HTTP method, meaning no validation is done to check whether it
is a valid HTTP method. This allows you to create filters for any method
@@ -78,3 +85,11 @@ the Traffic Server proxy cache::
src_ip=123.45.6.0-123.45.6.123 action=ip_deny
+The following example enables the Traffic Server to access all servers::
+
+ dest_ip=0.0.0.0-255.255.255.255 action=ip_allow
+
+The following example denies the Traffic Server to access all servers
+on a specific subnet::
+
+ dest_ip=10.0.0.0-10.0.0.255 action=ip_deny
diff --git a/iocore/net/SessionAccept.cc b/iocore/net/SessionAccept.cc
index 8f144e9..1bb1f02 100644
--- a/iocore/net/SessionAccept.cc
+++ b/iocore/net/SessionAccept.cc
@@ -31,8 +31,8 @@ SessionAccept::testIpAllowPolicy(sockaddr const *client_ip)
IpAllow::scoped_config ipallow;
const AclRecord *acl_record = nullptr;
if (ipallow) {
- acl_record = ipallow->match(client_ip);
- if (acl_record && acl_record->isEmpty()) {
+ acl_record = ipallow->match(client_ip, IpAllow::SRC_ADDR);
+ if (acl_record && acl_record->isEmpty() &&
ipallow->isAcceptCheckEnabled()) {
acl_record = nullptr;
}
}
diff --git a/lib/ts/MatcherUtils.cc b/lib/ts/MatcherUtils.cc
index a064d2b..5c5f32f 100644
--- a/lib/ts/MatcherUtils.cc
+++ b/lib/ts/MatcherUtils.cc
@@ -401,7 +401,9 @@ processDurationString(char *str, int *seconds)
const matcher_tags http_dest_tags = {"dest_host", "dest_domain", "dest_ip",
"url_regex", "url", "host_regex", true};
-const matcher_tags ip_allow_tags = {nullptr, nullptr, "src_ip", nullptr,
nullptr, nullptr, false};
+const matcher_tags ip_allow_src_tags = {nullptr, nullptr, "src_ip", nullptr,
nullptr, nullptr, false};
+
+const matcher_tags ip_allow_dest_tags = {nullptr, nullptr, "dest_ip", nullptr,
nullptr, nullptr, true};
const matcher_tags socks_server_tags = {nullptr, nullptr, "dest_ip", nullptr,
nullptr, nullptr, false};
diff --git a/lib/ts/MatcherUtils.h b/lib/ts/MatcherUtils.h
index 44d308b..4893234 100644
--- a/lib/ts/MatcherUtils.h
+++ b/lib/ts/MatcherUtils.h
@@ -108,7 +108,8 @@ struct matcher_tags {
};
extern const matcher_tags http_dest_tags;
-extern const matcher_tags ip_allow_tags;
+extern const matcher_tags ip_allow_src_tags;
+extern const matcher_tags ip_allow_dest_tags;
extern const matcher_tags socks_server_tags;
const char *parseConfigLine(char *line, matcher_line *p_line, const
matcher_tags *tags);
diff --git a/proxy/IPAllow.cc b/proxy/IPAllow.cc
index 3e0af82..bece005 100644
--- a/proxy/IPAllow.cc
+++ b/proxy/IPAllow.cc
@@ -45,7 +45,8 @@ enum AclOp {
const AclRecord IpAllow::ALL_METHOD_ACL(AclRecord::ALL_METHOD_MASK);
-int IpAllow::configid = 0;
+int IpAllow::configid = 0;
+bool IpAllow::accept_check_p = true; // initializing global flag for fast deny
static ConfigUpdateHandler<IpAllow> *ipAllowUpdate;
@@ -108,12 +109,11 @@ IpAllow::~IpAllow()
}
void
-IpAllow::Print()
+IpAllow::PrintMap(IpMap *map)
{
std::ostringstream s;
- s << _map.getCount() << " ACL entries";
- s << '.';
- for (IpMap::iterator spot(_map.begin()), limit(_map.end()); spot != limit;
++spot) {
+ s << map->getCount() << " ACL entries.";
+ for (IpMap::iterator spot(map->begin()), limit(map->end()); spot != limit;
++spot) {
char text[INET6_ADDRSTRLEN];
AclRecord const *ar = static_cast<AclRecord const *>(spot->data());
@@ -156,6 +156,15 @@ IpAllow::Print()
Debug("ip-allow", "%s", s.str().c_str());
}
+void
+IpAllow::Print()
+{
+ Debug("ip-allow", "Printing src map");
+ PrintMap(&_src_map);
+ Debug("ip-allow", "Printing dest map");
+ PrintMap(&_dest_map);
+}
+
int
IpAllow::BuildTable()
{
@@ -171,7 +180,7 @@ IpAllow::BuildTable()
bool alarmAlready = false;
// Table should be empty
- ink_assert(_map.getCount() == 0);
+ ink_assert(_src_map.getCount() == 0 && _dest_map.getCount() == 0);
file_buf = readIntoBuffer(config_file_path, module_name, nullptr);
@@ -190,6 +199,8 @@ IpAllow::BuildTable()
}
if (*line != '\0' && *line != '#') {
+ const matcher_tags &ip_allow_tags =
+ strstr(line, ip_allow_dest_tags.match_ip) != nullptr ?
ip_allow_dest_tags : ip_allow_src_tags;
errPtr = parseConfigLine(line, &line_info, &ip_allow_tags);
if (errPtr != nullptr) {
@@ -211,6 +222,7 @@ IpAllow::BuildTable()
uint32_t acl_method_mask = 0;
AclRecord::MethodSet nonstandard_methods;
bool deny_nonstandard_methods = false;
+ bool is_dest_ip =
(strcasecmp(line_info.line[0][line_info.dest_entry], "dest_ip") == 0);
AclOp op = ACL_OP_DENY; // "shut up", I
explained to the compiler.
bool op_found = false, method_found = false;
for (int i = 0; i < MATCHER_MAX_TOKENS; i++) {
@@ -272,10 +284,11 @@ IpAllow::BuildTable()
}
if (method_found) {
- _acls.push_back(AclRecord(acl_method_mask, line_num,
nonstandard_methods, deny_nonstandard_methods));
- // Color with index because at this point the address
- // is volatile.
- _map.fill(&addr1, &addr2, reinterpret_cast<void *>(_acls.length()
- 1));
+ Vec<AclRecord> &acls = is_dest_ip ? _dest_acls : _src_acls;
+ IpMap &map = is_dest_ip ? _dest_map : _src_map;
+ acls.push_back(AclRecord(acl_method_mask, line_num,
nonstandard_methods, deny_nonstandard_methods));
+ // Color with index in acls because at this point the address is
volatile.
+ map.fill(&addr1, &addr2, reinterpret_cast<void *>(acls.length() -
1));
} else {
snprintf(errBuf, sizeof(errBuf), "%s discarding %s entry at line
%d : %s", module_name, config_file_path, line_num,
"Invalid action/method specified"); // changed by YTS
Team, yamsat bug id -59022
@@ -288,13 +301,14 @@ IpAllow::BuildTable()
line = tokLine(nullptr, &tok_state);
}
- if (_map.getCount() == 0) {
+ if (_src_map.getCount() == 0 && _dest_map.getCount() == 0) { // TODO: check
Warning("%s No entries in %s. All IP Addresses will be blocked",
module_name, config_file_path);
} else {
// convert the coloring from indices to pointers.
- for (IpMap::iterator spot(_map.begin()), limit(_map.end()); spot != limit;
++spot) {
- spot->setData(&_acls[reinterpret_cast<size_t>(spot->data())]);
- }
+ for (auto &item : _src_map)
+ item.setData(&_src_acls[reinterpret_cast<size_t>(item.data())]);
+ for (auto &item : _dest_map)
+ item.setData(&_dest_acls[reinterpret_cast<size_t>(item.data())]);
}
if (is_debug_tag_set("ip-allow")) {
diff --git a/proxy/IPAllow.h b/proxy/IPAllow.h
index f2218fc..a0a6f8b 100644
--- a/proxy/IPAllow.h
+++ b/proxy/IPAllow.h
@@ -110,12 +110,14 @@ class IpAllow : public ConfigInfo
public:
typedef IpAllow self; ///< Self reference type.
+ // indicator for whether we should be checking the acl record for src ip or
dest ip
+ enum match_key_t { SRC_ADDR, DEST_ADDR };
IpAllow(const char *config_var, const char *name, const char *action_val);
~IpAllow();
void Print();
- AclRecord *match(IpEndpoint const *ip) const;
- AclRecord *match(sockaddr const *ip) const;
+ AclRecord *match(IpEndpoint const *ip, match_key_t key) const;
+ AclRecord *match(sockaddr const *ip, match_key_t key) const;
static void startup();
static void reconfigure();
@@ -130,35 +132,59 @@ public:
return &ALL_METHOD_ACL;
}
+ /* @return The previous accept check state
+ * This is a global variable that is independent of
+ * the ip_allow configuration
+ */
+ static bool
+ enableAcceptCheck(bool state)
+ {
+ bool temp = accept_check_p;
+ accept_check_p = state;
+ return temp;
+ }
+ /* @return The current accept check state
+ * This is a global variable that is independent of
+ * the ip_allow configuration
+ */
+ static bool
+ isAcceptCheckEnabled()
+ {
+ return accept_check_p;
+ }
+
typedef ConfigProcessor::scoped_config<IpAllow, IpAllow> scoped_config;
private:
static int configid;
static const AclRecord ALL_METHOD_ACL;
+ static bool accept_check_p;
+ void PrintMap(IpMap *map);
int BuildTable();
char config_file_path[PATH_NAME_MAX];
const char *module_name;
const char *action;
- IpMap _map;
- Vec<AclRecord> _acls;
+ IpMap _src_map;
+ IpMap _dest_map;
+ Vec<AclRecord> _src_acls;
+ Vec<AclRecord> _dest_acls;
};
inline AclRecord *
-IpAllow::match(IpEndpoint const *ip) const
+IpAllow::match(IpEndpoint const *ip, match_key_t key) const
{
- return this->match(&ip->sa);
+ return this->match(&ip->sa, key);
}
inline AclRecord *
-IpAllow::match(sockaddr const *ip) const
+IpAllow::match(sockaddr const *ip, match_key_t key) const
{
- void *raw;
- if (_map.contains(ip, &raw)) {
- return static_cast<AclRecord *>(raw);
- }
- return nullptr;
+ void *raw = nullptr;
+ const IpMap &map = (key == SRC_ADDR) ? _src_map : _dest_map;
+ map.contains(ip, &raw);
+ return static_cast<AclRecord *>(raw);
}
#endif
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index d95f701..48697d5 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -7298,7 +7298,7 @@ const char *
TSMatcherParseSrcIPConfigLine(char *line, TSMatcherLine ml)
{
sdk_assert(sdk_sanity_check_null_ptr((void *)line) == TS_SUCCESS);
- return parseConfigLine(line, (matcher_line *)ml, &ip_allow_tags);
+ return parseConfigLine(line, (matcher_line *)ml, &ip_allow_src_tags);
}
char *
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index ffabb6e..f2638d0 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -42,6 +42,7 @@
#include "HttpPages.h"
+#include "IPAllow.h"
//#include "I_Auth.h"
//#include "HttpAuthParams.h"
#include "congest/Congestion.h"
@@ -4730,7 +4731,50 @@ HttpSM::do_http_server_open(bool raw)
milestones[TS_MILESTONE_SERVER_FIRST_CONNECT] =
milestones[TS_MILESTONE_SERVER_CONNECT];
}
- if (t_state.pCongestionEntry != nullptr) {
+ // Check for remap rule. If so, only apply ip_allow filter if it is
activated (ip_allow_check_enabled_p set).
+ // Otherwise, if no remap rule is defined, apply the ip_allow filter.
+ if (!t_state.url_remap_success ||
t_state.url_map.getMapping()->ip_allow_check_enabled_p) {
+ // Method allowed on dest IP address check
+ sockaddr *server_ip = &t_state.current.server->dst_addr.sa;
+ IpAllow::scoped_config ip_allow;
+
+ if (ip_allow) {
+ const AclRecord *acl_record = ip_allow->match(server_ip,
IpAllow::DEST_ADDR);
+ bool deny_request = false; // default is fail open.
+ int method =
t_state.hdr_info.server_request.method_get_wksidx();
+
+ if (acl_record) {
+ // If empty, nothing is allowed, deny. Conversely if all methods are
allowed it's OK, do not deny.
+ // Otherwise the method has to be checked specifically.
+ if (acl_record->isEmpty()) {
+ deny_request = true;
+ } else if (acl_record->_method_mask != AclRecord::ALL_METHOD_MASK) {
+ if (method != -1) {
+ deny_request = !acl_record->isMethodAllowed(method);
+ } else {
+ int method_str_len;
+ const char *method_str =
t_state.hdr_info.server_request.method_get(&method_str_len);
+ deny_request =
!acl_record->isNonstandardMethodAllowed(std::string(method_str,
method_str_len));
+ }
+ }
+ }
+
+ if (deny_request) {
+ if (is_debug_tag_set("ip-allow")) {
+ ip_text_buffer ipb;
+ Warning("server '%s' prohibited by ip-allow policy",
ats_ip_ntop(server_ip, ipb, sizeof(ipb)));
+ Debug("ip-allow", "Denial on %s:%s with mask %x",
ats_ip_ntop(&t_state.current.server->dst_addr.sa, ipb, sizeof(ipb)),
+ hdrtoken_index_to_wks(method), acl_record ?
acl_record->_method_mask : 0x0);
+ }
+ t_state.current.attempts =
t_state.txn_conf->connect_attempts_max_retries; // prevent any more retries
with this IP
+ call_transact_and_set_next_state(HttpTransact::Forbidden);
+ return;
+ }
+ }
+ }
+
+ // Congestion Check
+ if (t_state.pCongestionEntry != NULL) {
if (t_state.pCongestionEntry->F_congested() &&
(!t_state.pCongestionEntry->proxy_retry(milestones[TS_MILESTONE_SERVER_CONNECT])))
{
t_state.congestion_congested_or_failed = 1;
diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index 0647a90..8e378c4 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -566,6 +566,16 @@ HttpTransact::BadRequest(State *s)
}
void
+HttpTransact::Forbidden(State *s)
+{
+ DebugTxn("http_trans", "[Forbidden]"
+ "IpAllow marked request forbidden");
+ bootstrap_state_variables_from_request(s, &s->hdr_info.client_request);
+ build_error_response(s, HTTP_STATUS_FORBIDDEN, "Access Denied",
"access#denied", NULL);
+ TRANSACT_RETURN(SM_ACTION_SEND_ERROR_CACHE_NOOP, NULL);
+}
+
+void
HttpTransact::HandleBlindTunnel(State *s)
{
NetVConnection *vc = s->state_machine->ua_session->get_netvc();
@@ -6576,6 +6586,12 @@ HttpTransact::process_quick_http_filter(State *s, int
method)
return;
}
+ // if ipallow rules are disabled by remap then don't modify anything
+ url_mapping *mp = s->url_map.getMapping();
+ if (mp && !mp->ip_allow_check_enabled_p) {
+ return;
+ }
+
if (s->state_machine->ua_session) {
const AclRecord *acl_record =
s->state_machine->ua_session->get_acl_record();
bool deny_request = (acl_record == nullptr);
diff --git a/proxy/http/HttpTransact.h b/proxy/http/HttpTransact.h
index 63f9925..dd81a49 100644
--- a/proxy/http/HttpTransact.h
+++ b/proxy/http/HttpTransact.h
@@ -1200,6 +1200,7 @@ public:
static void StartAuth(State *s);
static void HandleRequestAuthorized(State *s);
static void BadRequest(State *s);
+ static void Forbidden(State *s);
static void HandleFiltering(State *s);
static void DecideCacheLookup(State *s);
static void LookupSkipOpenServer(State *s);
diff --git a/proxy/http/remap/RemapConfig.cc b/proxy/http/remap/RemapConfig.cc
index cef1c40..40f245b 100644
--- a/proxy/http/remap/RemapConfig.cc
+++ b/proxy/http/remap/RemapConfig.cc
@@ -31,6 +31,7 @@
#include "ts/ink_cap.h"
#include "ts/ink_file.h"
#include "ts/Tokenizer.h"
+#include "../../proxy/IPAllow.h"
#define modulePrefix "[ReverseProxy]"
@@ -75,7 +76,8 @@ clear_xstr_array(char *v[], size_t vsize)
}
}
-BUILD_TABLE_INFO::BUILD_TABLE_INFO() : remap_optflg(0), paramc(0), argc(0),
rules_list(nullptr), rewrite(nullptr)
+BUILD_TABLE_INFO::BUILD_TABLE_INFO()
+ : remap_optflg(0), paramc(0), argc(0), ip_allow_check_enabled_p(true),
accept_check_p(true), rules_list(nullptr), rewrite(nullptr)
{
memset(this->paramv, 0, sizeof(this->paramv));
memset(this->argv, 0, sizeof(this->argv));
@@ -107,7 +109,7 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO
*bti, char *errStrBuf
for (rp = bti->rules_list; rp; rp = rp->next) {
if (rp->active_queue_flag) {
Debug("url_rewrite", "[process_filter_opt] Add active main filter \"%s\"
(argc=%d)",
- rp->filter_name ? rp->filter_name : "<NULL>", rp->argc);
+ rp->filter_name ? rp->filter_name : "<nullptr>", rp->argc);
for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) {
;
}
@@ -123,6 +125,9 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO
*bti, char *errStrBuf
}
errStr = remap_validate_filter_args(rpp, (const char **)bti->argv,
bti->argc, errStrBuf, errStrBufSize);
}
+ // Set the ip allow flag for this rule to the current ip allow flag state
+ mp->ip_allow_check_enabled_p = bti->ip_allow_check_enabled_p;
+
return errStr;
}
@@ -211,6 +216,12 @@ parse_activate_directive(const char *directive,
BUILD_TABLE_INFO *bti, char *err
return (const char *)errbuf;
}
+ // Check if for ip_allow filter
+ if (strcmp((const char *)bti->paramv[1], "ip_allow") == 0) {
+ bti->ip_allow_check_enabled_p = true;
+ return nullptr;
+ }
+
if ((rp = acl_filter_rule::find_byname(bti->rules_list, (const char
*)bti->paramv[1])) == nullptr) {
snprintf(errbuf, errbufsize, "Undefined filter \"%s\" in directive
\"%s\"", bti->paramv[1], directive);
Debug("url_rewrite", "[parse_directive] %s", errbuf);
@@ -232,6 +243,12 @@ parse_deactivate_directive(const char *directive,
BUILD_TABLE_INFO *bti, char *e
return (const char *)errbuf;
}
+ // Check if for ip_allow filter
+ if (strcmp((const char *)bti->paramv[1], "ip_allow") == 0) {
+ bti->ip_allow_check_enabled_p = false;
+ return nullptr;
+ }
+
if ((rp = acl_filter_rule::find_byname(bti->rules_list, (const char
*)bti->paramv[1])) == nullptr) {
snprintf(errbuf, errbufsize, "Undefined filter \"%s\" in directive
\"%s\"", bti->paramv[1], directive);
Debug("url_rewrite", "[parse_directive] %s", errbuf);
@@ -577,9 +594,9 @@ remap_validate_filter_args(acl_filter_rule **rule_pp, const
char **argv, int arg
}
if (ul & REMAP_OPTFLG_ACTION) { /* "action=" option */
- if (is_inkeylist(argptr, "0", "off", "deny", "disable", NULL)) {
+ if (is_inkeylist(argptr, "0", "off", "deny", "disable", nullptr)) {
rule->allow_flag = 0;
- } else if (is_inkeylist(argptr, "1", "on", "allow", "enable", NULL)) {
+ } else if (is_inkeylist(argptr, "1", "on", "allow", "enable", nullptr)) {
rule->allow_flag = 1;
} else {
Debug("url_rewrite", "[validate_filter_args] Unknown argument \"%s\"",
argv[i]);
@@ -750,7 +767,7 @@ remap_load_plugin(const char **argv, int argc, url_mapping
*mp, char *errbuf, in
}
} else {
if (unlikely(!mp || (remap_check_option(argv, argc, REMAP_OPTFLG_PLUGIN,
&idx) & REMAP_OPTFLG_PLUGIN) == 0)) {
- snprintf(errbuf, errbufsize, "Can't find remap plugin keyword or
\"url_mapping\" is NULL");
+ snprintf(errbuf, errbufsize, "Can't find remap plugin keyword or
\"url_mapping\" is nullptr");
return -1; /* incorrect input data - almost impossible case */
}
}
@@ -952,7 +969,7 @@ process_regex_mapping_config(const char *from_host_lower,
url_mapping *new_mappi
reg_map->url_map = new_mapping;
// using from_host_lower (and not new_mapping->fromURL.host_get())
- // as this one will be NULL-terminated (required by pcre_compile)
+ // as this one will be nullptr-terminated (required by pcre_compile)
if (reg_map->regular_expression.compile(from_host_lower) == false) {
Warning("pcre_compile failed! Regex has error starting at %s",
from_host_lower);
goto lFail;
@@ -1153,6 +1170,9 @@ remap_parse_config_bti(const char *path, BUILD_TABLE_INFO
*bti)
goto MAP_ERROR;
}
+ // update sticky flag
+ bti->accept_check_p = bti->accept_check_p && bti->ip_allow_check_enabled_p;
+
new_mapping->map_id = 0;
if ((bti->remap_optflg & REMAP_OPTFLG_MAP_ID) != 0) {
int idx = 0;
@@ -1413,8 +1433,9 @@ remap_parse_config_bti(const char *path, BUILD_TABLE_INFO
*bti)
delete reg_map;
delete new_mapping;
return false;
- } /* end of while(cur_line != NULL) */
+ } /* end of while(cur_line != nullptr) */
+ IpAllow::enableAcceptCheck(bti->accept_check_p);
return true;
}
diff --git a/proxy/http/remap/RemapConfig.h b/proxy/http/remap/RemapConfig.h
index 300eaea..0d76156 100644
--- a/proxy/http/remap/RemapConfig.h
+++ b/proxy/http/remap/RemapConfig.h
@@ -53,6 +53,8 @@ struct BUILD_TABLE_INFO {
char *paramv[BUILD_TABLE_MAX_ARGS];
char *argv[BUILD_TABLE_MAX_ARGS];
+ bool ip_allow_check_enabled_p;
+ bool accept_check_p;
acl_filter_rule *rules_list; // all rules defined in config files as
.define_filter foobar @src_ip=.....
UrlRewrite *rewrite; // Pointer to the UrlRewrite object we are
parsing for.
diff --git a/proxy/http/remap/UrlMapping.h b/proxy/http/remap/UrlMapping.h
index d4634b8..73f87c7 100644
--- a/proxy/http/remap/UrlMapping.h
+++ b/proxy/http/remap/UrlMapping.h
@@ -107,6 +107,7 @@ public:
unsigned int map_id;
referer_info *referer_list;
redirect_tag_str *redir_chunk_list;
+ bool ip_allow_check_enabled_p;
acl_filter_rule *filter; // acl filtering (list of rules)
unsigned int _plugin_count;
LINK(url_mapping, link); // For use with the main Queue linked list holding
all the mapping
--
To stop receiving notification emails like this one, please contact
['"[email protected]" <[email protected]>'].
