masaori335 commented on code in PR #11433:
URL: https://github.com/apache/trafficserver/pull/11433#discussion_r1650536069
##########
src/proxy/http/remap/UrlRewrite.cc:
##########
@@ -535,17 +551,28 @@ UrlRewrite::PerformACLFiltering(HttpTransact::State *s,
url_mapping *map)
if (ip_matches) {
// The rule matches. Handle the method according to the rule.
if (method_matches) {
+ // Explicit match
// Did they specify allowing the listed methods, or denying them?
Dbg(dbg_ctl_url_rewrite, "matched ACL filter rule, %s request",
rp->allow_flag ? "allowing" : "denying");
s->client_connection_allowed = rp->allow_flag;
- } else {
+
+ // Since we have a explicit matching ACL, no need to process other
filters nor ip_allow.yaml rules
+ // regardless of ACLMatchingPolicy.
+ s->skip_ip_allow_yaml = true;
+ break;
+ }
+
+ if (_acl_matching_policy == ACLMatchingPolicy::FIRST_ANY_MATCH_WINS) {
+ // Flipping action with implicit match
Dbg(dbg_ctl_url_rewrite, "ACL rule matched on IP but not on method,
action: %s, %s the request",
(rp->allow_flag ? "allow" : "deny"), (rp->allow_flag ? "denying"
: "allowing"));
s->client_connection_allowed = !rp->allow_flag;
+
+ // Since we have a implicit matching ACL with FIRST_ANY_MATCH_WINS
policy, no need to process other filters nor
+ // ip_allow.yaml rules.
Review Comment:
Changed to below to describe why we're skipping other filters and ip_allow.
> // Since IP match and configured policy is MATCH_ON_IP_ONLY, no need to
process other filters nor ip_allow.yaml rules.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscr...@trafficserver.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
