Re: [PR] ACL filter action documentation updates [trafficserver]

via GitHub Fri, 02 Aug 2024 08:35:34 -0700


bneradt commented on code in PR #11635:
URL: https://github.com/apache/trafficserver/pull/11635#discussion_r1702015995



##########
doc/admin-guide/files/remap.config.en.rst:
##########
@@ -662,32 +749,63 @@ This is an example of in-line filter, named filters in 
:file:`remap.config`, and
 
    map http://www.example.com/ http://internal.example.com/ @action=deny 
@method=POST
 
-With the "Match on IP and Method Policy", the evaluation applied from left to 
right until match is found:
+With the "Legacy" policy, the evaluation applied from left to right until 
match is found:
 
 ====== ============== ============== ============== ================ 
=============
 Method In-line Filter Named Filter 1 Named Filter 2 ip_allow.yaml    result
 ====== ============== ============== ============== ================ 
=============
 GET    \-             \-             \-             allow (implicit) allowed 
(200)
-POST   deny           \-             \-             \-               denied  
(403)
-HEAD   \-             allow          \-             \-               allowed 
(200)
-DELETE \-             \-             deny           \-               denied  
(403)
+POST   deny           \-             \-             allow (implicit) denied  
(403)
+HEAD   \-             allow          \-             allow (implicit) allowed 
(200)
+DELETE \-             \-             deny           allow (implicit) denied  
(403)
 PURGE  \-             \-             \-             deny             denied  
(403)
 PUSH   \-             \-             \-             deny             denied  
(403)
 ====== ============== ============== ============== ================ 
=============
 
-With the "Match on IP only Policy", the in-line filter works like an 
:file:`ip_allow.yaml` rule applies to all requests to
-``www.example.com`` that denies ``POST`` requests and implicitly allows all 
other methods:
-
-====== ================ ============== ============== ============= 
=============
-Method In-line Filter   Named Filter 1 Named Filter 2 ip_allow.yaml result
-====== ================ ============== ============== ============= 
=============
-GET    allow (implicit) \-             \-             \-            allowed 
(200)
-POST   deny             \-             \-             \-            denied  
(403)
-HEAD   allow (implicit) allow          \-             \-            allowed 
(200)
-DELETE allow (implicit) \-             deny           \-            allowed 
(200)
-PURGE  allow (implicit) \-             \-             deny          allowed 
(200)
-PUSH   allow (implicit) \-             \-             deny          allowed 
(200)
-====== ================ ============== ============== ============= 
=============
+With the "Modern" policy, the :file:`ip_allow.yaml` rule as well as all of the
+filter rules would trigger a fatal error message and |TS| would not start. The
+user would need to transition to ``set_allow``, ``set_deny``, ``add_allow``, 
and
+``add_deny`` actions.
+
+So let's try a set of conversions like that and consider the following updated 
example:
+
+::
+
+   # ip_allow.yaml
+   ip_allow:
+      - apply: in
+        ip_addrs: [0/0, ::/0]
+        action: set_deny
+        method: [PURGE, PUSH]
+
+   # remap.config
+   .definefilter named-filter-1 @action=add_allow @method=HEAD
+   .definefilter named-filter-2 @action=add_deny @method=DELETE
+
+   .activatefilter named-filter-1
+   .activatefilter named-filter-2
+
+   map http://www.example.com/ http://internal.example.com/ @action=set_deny 
@method=POST
+
+
+In this case, we changed the :file:`ip_allow.yaml` rule to use ``set_deny``
+instead of ``deny``. This makes it function as it did before in the previous
+example. Also, we changed the two named filter actions to ``add_allow`` and
+``add_deny``. Again, this makes them function as they did in legacy mode.
+Finally, we changed the in-line filter action to ``set_deny`` which changes its
+behavior to be like that of an :file:`ip_allow.yaml` rule: it will deny all 
POST
+requests and allow all other requests.
+
+====== ================ ============== ============== ================ 
=============
+Method In-line Filter   Named Filter 1 Named Filter 2 ip_allow.yaml    result
+====== ================ ============== ============== ================ 
=============
+GET    allow            \-             \-             allow (implicit) allowed 
(200)
+POST   deny             \-             \-             allow (implicit) denied  
(403)
+HEAD   allow            allow          \-             allow (implicit) allowed 
(200)
+DELETE allow            \-             deny           allow (implicit) allowed 
(200)
+PURGE  allow            \-             \-             delete           allowed 
(200)
+PUSH   allow            \-             \-             delete           allowed 
(200)
+====== ================ ============== ============== ================ 
=============

Review Comment:
   Great catch! Yes, I did mean deny. Thank you.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] ACL filter action documentation updates [trafficserver]

Reply via email to