[GitHub] [trafficserver] SolidWallOfCode commented on a diff in pull request #9845: Extract apply_ip_allow_filter

Sun, 18 Jun 2023 09:45:48 -0700 


SolidWallOfCode commented on code in PR #9845:
URL: https://github.com/apache/trafficserver/pull/9845#discussion_r1233337623


##########
proxy/http/HttpSM.cc:
##########
@@ -5258,6 +5258,70 @@ HttpSM::get_outbound_sni() const
   return zret;
 }
 
+bool
+HttpSM::apply_ip_allow_filter()
+{
+  bool result{true};
+  // Method allowed on dest IP address check
+  IpAllow::ACL acl = IpAllow::match(this->get_server_remote_addr(), 
IpAllow::DST_ADDR);
+
+  if (ip_allow_is_request_forbidden(acl)) {
+    ip_allow_deny_request(acl);
+    result = false;
+  } else if (HttpTransact::is_server_negative_cached(&t_state) == true &&
+             t_state.txn_conf->connect_attempts_max_retries_down_server <= 0) {
+    call_transact_and_set_next_state(HttpTransact::OriginDown);
+    result = false;
+  }
+
+  return result;
+}
+
+bool
+HttpSM::ip_allow_is_request_forbidden(const IpAllow::ACL &acl)
+{
+  bool result{false};
+  if (acl.isValid()) {
+    if (acl.isDenyAll()) {
+      result = true;
+    } else if (!acl.isAllowAll()) {
+      if (this->get_request_method_wksidx() != -1) {
+        result = !acl.isMethodAllowed(this->get_request_method_wksidx());
+      } else {
+        int method_str_len{};
+        auto method_str = 
t_state.hdr_info.server_request.method_get(&method_str_len);
+        result          = 
!acl.isNonstandardMethodAllowed(std::string_view(method_str, method_str_len));
+      }
+    }
+  }
+
+  return result;
+}
+
+void
+HttpSM::ip_allow_deny_request(const IpAllow::ACL &acl)
+{
+  if (is_debug_tag_set("ip_allow")) {
+    ip_text_buffer ipb;
+    const char *method_str{};
+    int method_str_len{};
+    if (this->get_request_method_wksidx() != -1) {

Review Comment:
   What is the point of this, since it's just turned into a string anyway? In 
the original code, this was done separately because the WKSIDX was used to 
check the permission bit and was therefore necessary to obtain. That doesn't 
happen here, making the WKSIDX useless.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to