This is an automated email from the ASF dual-hosted git repository.
bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 30c740a869 Extract apply_ip_allow_filter (#9845)
30c740a869 is described below
commit 30c740a8695e7a0bdbad84125e3970c4b146b8dd
Author: JosiahWI <[email protected]>
AuthorDate: Fri Jul 14 16:00:56 2023 -0500
Extract apply_ip_allow_filter (#9845)
This breaks up the ip allow check in HttpSM::do_http_server_open.
---
proxy/http/HttpSM.cc | 104 +++++++++++++++++++++++++++++----------------------
proxy/http/HttpSM.h | 18 +++++++++
2 files changed, 78 insertions(+), 44 deletions(-)
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index d6cd497d3b..7d0a073f4c 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -5127,6 +5127,65 @@ HttpSM::get_outbound_sni() const
return zret;
}
+bool
+HttpSM::apply_ip_allow_filter()
+{
+ bool result{true};
+ // Method allowed on dest IP address check
+ IpAllow::ACL acl = IpAllow::match(this->get_server_remote_addr(),
IpAllow::DST_ADDR);
+
+ if (ip_allow_is_request_forbidden(acl)) {
+ ip_allow_deny_request(acl);
+ result = false;
+ } else if (HttpTransact::is_server_negative_cached(&t_state) == true &&
+ t_state.txn_conf->connect_attempts_max_retries_down_server <= 0) {
+ call_transact_and_set_next_state(HttpTransact::OriginDown);
+ result = false;
+ }
+
+ return result;
+}
+
+bool
+HttpSM::ip_allow_is_request_forbidden(const IpAllow::ACL &acl)
+{
+ bool result{false};
+ if (acl.isValid()) {
+ if (acl.isDenyAll()) {
+ result = true;
+ } else if (!acl.isAllowAll()) {
+ if (this->get_request_method_wksidx() != -1) {
+ result = !acl.isMethodAllowed(this->get_request_method_wksidx());
+ } else {
+ int method_str_len{};
+ auto method_str =
t_state.hdr_info.server_request.method_get(&method_str_len);
+ result =
!acl.isNonstandardMethodAllowed(std::string_view(method_str, method_str_len));
+ }
+ }
+ }
+
+ return result;
+}
+
+void
+HttpSM::ip_allow_deny_request(const IpAllow::ACL &acl)
+{
+ if (is_debug_tag_set("ip_allow")) {
+ ip_text_buffer ipb;
+ const char *method_str{};
+ int method_str_len{};
+ method_str = t_state.hdr_info.client_request.method_get(&method_str_len);
+
+ const char *ntop_formatted = ats_ip_ntop(this->get_server_remote_addr(),
ipb, sizeof(ipb));
+ Warning("server '%s' prohibited by ip-allow policy at line %d",
ntop_formatted, acl.source_line());
+ SMDebug("ip_allow", "Line %d denial for '%.*s' from %s",
acl.source_line(), method_str_len, method_str, ntop_formatted);
+ }
+
+ t_state.current.retry_attempts.maximize(
+ t_state.configured_connect_attempts_max_retries()); // prevent any more
retries with this IP
+ call_transact_and_set_next_state(HttpTransact::Forbidden);
+}
+
//////////////////////////////////////////////////////////////////////////
//
// HttpSM::do_http_server_open()
@@ -5188,50 +5247,7 @@ HttpSM::do_http_server_open(bool raw, bool only_direct)
// Check for remap rule. If so, only apply ip_allow filter if it is
activated (ip_allow_check_enabled_p set).
// Otherwise, if no remap rule is defined, apply the ip_allow filter.
if (!t_state.url_remap_success ||
t_state.url_map.getMapping()->ip_allow_check_enabled_p) {
- // Method allowed on dest IP address check
- sockaddr *server_ip = &t_state.current.server->dst_addr.sa;
- IpAllow::ACL acl = IpAllow::match(server_ip, IpAllow::DST_ADDR);
- bool deny_request = false; // default is fail open.
- int method =
t_state.hdr_info.server_request.method_get_wksidx();
- int method_str_len = 0;
- const char *method_str = nullptr;
-
- if (acl.isValid()) {
- if (acl.isDenyAll()) {
- deny_request = true;
- } else if (!acl.isAllowAll()) {
- if (method != -1) {
- deny_request = !acl.isMethodAllowed(method);
- } else {
- method_str =
t_state.hdr_info.server_request.method_get(&method_str_len);
- deny_request =
!acl.isNonstandardMethodAllowed(std::string_view(method_str, method_str_len));
- }
- }
- }
-
- if (deny_request) {
- if (is_debug_tag_set("ip_allow")) {
- ip_text_buffer ipb;
- if (method != -1) {
- method_str = hdrtoken_index_to_wks(method);
- method_str_len = strlen(method_str);
- } else if (!method_str) {
- method_str =
t_state.hdr_info.client_request.method_get(&method_str_len);
- }
- Warning("server '%s' prohibited by ip-allow policy at line %d",
ats_ip_ntop(server_ip, ipb, sizeof(ipb)),
- acl.source_line());
- SMDebug("ip_allow", "Line %d denial for '%.*s' from %s",
acl.source_line(), method_str_len, method_str,
- ats_ip_ntop(server_ip, ipb, sizeof(ipb)));
- }
- t_state.current.retry_attempts.maximize(
- t_state.configured_connect_attempts_max_retries()); // prevent any
more retries with this IP
- call_transact_and_set_next_state(HttpTransact::Forbidden);
- return;
- }
-
- if (HttpTransact::is_server_negative_cached(&t_state) == true &&
- t_state.txn_conf->connect_attempts_max_retries_down_server <= 0) {
- call_transact_and_set_next_state(HttpTransact::OriginDown);
+ if (!apply_ip_allow_filter()) {
return;
}
}
diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
index accce2428e..d61ec2e306 100644
--- a/proxy/http/HttpSM.h
+++ b/proxy/http/HttpSM.h
@@ -387,6 +387,9 @@ private:
void do_hostdb_reverse_lookup();
void do_cache_lookup_and_read();
void do_http_server_open(bool raw = false, bool only_direct = false);
+ bool apply_ip_allow_filter();
+ bool ip_allow_is_request_forbidden(const IpAllow::ACL &acl);
+ void ip_allow_deny_request(const IpAllow::ACL &acl);
void send_origin_throttled_response();
void do_setup_post_tunnel(HttpVC_t to_vc_type);
void do_cache_prepare_write();
@@ -469,6 +472,9 @@ private:
/// Update the milestones to track time spent in the plugin API.
void milestone_update_api_time();
+ sockaddr *get_server_remote_addr() const;
+ int get_request_method_wksidx() const;
+
public:
// TODO: Now that bodies can be empty, should the body counters be set to
-1 ? TS-2213
// Stats & Logging Info
@@ -778,3 +784,15 @@ HttpSM::get_postbuf_clone_reader()
{
return this->_postbuf.get_post_data_buffer_clone_reader();
}
+
+inline sockaddr *
+HttpSM::get_server_remote_addr() const
+{
+ return &t_state.current.server->dst_addr.sa;
+};
+
+inline int
+HttpSM::get_request_method_wksidx() const
+{
+ return t_state.hdr_info.server_request.method_get_wksidx();
+};
