Michael Turner created TS-1235:
----------------------------------
Summary: Deny occurring for IPs not in the ip_allow.config file
Key: TS-1235
URL: https://issues.apache.org/jira/browse/TS-1235
Project: Traffic Server
Issue Type: Bug
Components: Configuration, Security
Affects Versions: 3.1.3
Environment: Linux server.domain.com 2.6.32-220.el6.x86_64 #1 SMP Wed
Dec 7 10:41:06 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
Reporter: Michael Turner
Consistently seeing this morning IPs that are not set to deny in
ip_allow.config being rejected. Here's the config file we were using:
#
# ip_allow.config
#
# Two types of rules:
# #src_ip=<range of IP addresses> action=ip_allow
# #src_ip=<range of IP addresses> action=ip_deny
# Rules are applied in the order listed starting from the top.
#
# Ban all of the XXXX servers
src_ip=AAA.BBB.CCC.134 action=ip_deny
#src_ip=AAA.BBB.CCC.135 action=ip_deny # temp unbanning. we've talked
to him
src_ip=AAA.BBB.CCC.137 action=ip_deny
src_ip=AAA.BBB.CCC.202 action=ip_deny
src_ip=AAA.BBB.CCC.203 action=ip_deny
src_ip=AAA.BBB.CCC.208 action=ip_deny
src_ip=AAA.BBB.CCC.209 action=ip_deny
src_ip=AAA.BBB.CCC.216 action=ip_deny
src_ip=AAA.BBB.CCC.217 action=ip_deny
src_ip=AAA.BBB.CCC.218 action=ip_deny
src_ip=AAA.BBB.CCC.219 action=ip_deny
src_ip=AAA.BBB.CCC.220 action=ip_deny
src_ip=AAA.BBB.CCC.222 action=ip_deny
src_ip=AAA.BBB.CCC.224 action=ip_deny
src_ip=AAA.BBB.CCC.236 action=ip_deny
# Banned IPs
src_ip=AAA.BBB.CCC.212 action=ip_deny
src_ip=AAA.BBB.CCC.246 action=ip_deny
src_ip=AAA.BBB.CCC.144 action=ip_deny
# Stock Rules
src_ip=0.0.0.0-255.255.255.255 action=ip_allow
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow
And here's log entries from when this config was active:
[Apr 30 10:06:21.446] {0x2b321b2d42a0} NOTE: updated diags config
[Apr 30 10:06:21.449] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
[Apr 30 10:06:21.492] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
[Apr 30 10:06:21.584] Server {0x2b321b2d42a0} NOTE: logging initialized[15],
logging_mode = 3
[Apr 30 10:06:21.591] Server {0x2b321b2d42a0} NOTE: traffic server running
[Apr 30 10:06:25.140] Server {0x2b3222d2c700} NOTE: cache enabled
[Apr 30 10:06:33.804] Server {0x2b3223534700} WARNING: connect by disallowed
client AAA.BBB.CCC.111, closing
[Apr 30 10:07:01.914] Server {0x2b324b2d2700} WARNING: connect by disallowed
client AAA.BBB.CCC.111, closing
[Apr 30 10:07:02.025] Server {0x2b324b4d4700} WARNING: connect by disallowed
client AAA.BBB.CCC.144, closing
[Apr 30 10:07:03.109] Server {0x2b3222827700} WARNING: connect by disallowed
client AAA.BBB.CCC.74, closing
[Apr 30 10:07:04.594] Server {0x2b3222f2e700} WARNING: connect by disallowed
client AAA.BBB.CCC.74, closing
[Apr 30 10:07:05.201] Server {0x2b3223332700} WARNING: connect by disallowed
client AAA.BBB.CCC.74, closing
[Apr 30 10:07:06.170] Server {0x2b3223534700} WARNING: connect by disallowed
client AAA.BBB.CCC.74, closing
[Apr 30 10:07:06.575] Server {0x2b3223736700} WARNING: connect by disallowed
client AAA.BBB.CCC.74, closing
[Apr 30 10:07:06.690] Server {0x2b3223837700} WARNING: connect by disallowed
client AAA.BBB.CCC.74, closing
[Apr 30 10:07:06.785] Server {0x2b3223938700} WARNING: connect by disallowed
client AAA.BBB.CCC.74, closing
[Apr 30 10:07:06.817] Server {0x2b3223a39700} WARNING: connect by disallowed
client AAA.BBB.CCC.74, closing
[Apr 30 10:07:06.841] Server {0x2b3223b3a700} WARNING: connect by disallowed
client AAA.BBB.CCC.74, closing
[Apr 30 10:07:10.587] Server {0x2b321b2d42a0} WARNING: connect by disallowed
client AAA.BBB.CCC.35, closing
FATAL: HttpSM.cc:890: failed assert `0`
The IPS visible in the log ending in .111 and .74 are not in the deny list
anywhere. The two ending in .144 and .35 are in the deny list.
Please let me know what further information I can provide to help
troubleshoot/reproduce this.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
