Revision: 14792
Author: adrian.chadd
Date: Mon Sep 6 21:39:50 2010
Log: This is an ugly multi-commit patch which needs to be broken up into
its component parts before merging into LUSCA_HEAD.
* the new aclCheckSetup() / aclCheckFinish() functions are now
being called wherever an aclCheck_t is being statically used
rather than created via aclChecklistCreate().
* aclCheck_t->src_addr has now become the IPv6-aware
aclCheck_t->src_address ;
all the users (which I could find!) have been renamed
* Delay pools has a hack to work around it for now - so yes, delay pools is
still v4 only.
* ICP, SNMP, HTCP are still IPv4-only but they now do IPv6-aware ACL
lookups.
http://code.google.com/p/lusca-cache/source/detail?r=14792
Modified:
/playpen/LUSCA_HEAD_ipv6/src/acl.c
/playpen/LUSCA_HEAD_ipv6/src/client_side.c
/playpen/LUSCA_HEAD_ipv6/src/delay_pools.c
/playpen/LUSCA_HEAD_ipv6/src/external_acl.c
/playpen/LUSCA_HEAD_ipv6/src/forward.c
/playpen/LUSCA_HEAD_ipv6/src/htcp.c
/playpen/LUSCA_HEAD_ipv6/src/http.c
/playpen/LUSCA_HEAD_ipv6/src/icp_v2.c
/playpen/LUSCA_HEAD_ipv6/src/icp_v3.c
/playpen/LUSCA_HEAD_ipv6/src/snmp_core.c
/playpen/LUSCA_HEAD_ipv6/src/structs.h
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/acl.c Mon Sep 6 21:35:23 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/acl.c Mon Sep 6 21:39:50 2010
@@ -64,7 +64,7 @@
static void aclParseUserMaxIP(void *data);
static void aclDestroyUserMaxIP(void *data);
static wordlist *aclDumpUserMaxIP(void *data);
-static int aclMatchUserMaxIP(void *, auth_user_request_t *, struct
in_addr);
+static int aclMatchUserMaxIP(void *, auth_user_request_t *, sqaddr_t
*addr);
static void aclParseHeader(void *data);
static void aclDestroyHeader(void *data);
static squid_acl aclStrToType(const char *s);
@@ -1786,7 +1786,7 @@
*/
int
aclMatchUserMaxIP(void *data, auth_user_request_t * auth_user_request,
- struct in_addr src_addr)
+ sqaddr_t *src)
{
/*
* the logic for flush the ip list when the limit is hit vs keep
@@ -1798,20 +1798,17 @@
if (authenticateAuthUserRequestIPCount(auth_user_request) <=
acldata->max)
return 0;
- debug(28, 1) ("aclMatchUserMaxIP: user '%s' tries to use too many IP
addresses (max %d allowed)!\n",
authenticateUserRequestUsername(auth_user_request), acldata->max);
+ debug(28, 1) ("aclMatchUserMaxIP: user '%s' tries to use too many IP
addresses (max %d allowed)!\n",
+ authenticateUserRequestUsername(auth_user_request), acldata->max);
/* this is a match */
if (acldata->flags.strict) {
- sqaddr_t a;
/*
* simply deny access - the user name is already associated with
* the request
*/
/* remove _this_ ip, as it is the culprit for going over the limit */
- sqinet_init(&a);
- sqinet_set_v4_inaddr(&a, &src_addr);
- authenticateAuthUserRequestRemoveIp(auth_user_request, &a);
- sqinet_done(&a);
+ authenticateAuthUserRequestRemoveIp(auth_user_request, src);
debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");
} else {
/*
@@ -1954,7 +1951,6 @@
{
request_t *r = checklist->request;
http_hdr_type headertype;
- sqaddr_t a;
int rv;
if (NULL == r) {
@@ -1971,10 +1967,7 @@
}
/* get authed here */
/* Note: this fills in checklist->auth_user_request when applicable
(auth incomplete) */
- sqinet_init(&a);
- sqinet_copy_v4_inaddr(&a, &checklist->src_addr, SQADDR_NONE);
- rv =
authenticateTryToAuthenticateAndSetAuthUser(&checklist->auth_user_request,
headertype, checklist->request, checklist->conn, &a);
- sqinet_done(&a);
+ rv =
authenticateTryToAuthenticateAndSetAuthUser(&checklist->auth_user_request,
headertype, checklist->request, checklist->conn, &checklist->src_address);
switch (rv) {
case AUTH_ACL_CANNOT_AUTHENTICATE:
debug(28, 4) ("aclAuthenticated: returning 0 user authenticated but not
authorised.\n");
@@ -2045,7 +2038,7 @@
debug(28, 3) ("aclMatchAcl: checking '%s'\n", ae->cfgline);
switch (ae->type) {
case ACL_SRC_IP:
- return aclMatchIp4(&ae->data, checklist->src_addr);
+ return aclMatchIp(&ae->data, &checklist->src_address);
/* NOTREACHED */
case ACL_MY_IP:
if (sqinet_get_family(&checklist->my_address) == AF_INET)
@@ -2094,12 +2087,14 @@
return aclMatchDomainList(&ae->data, "none");
/* NOTREACHED */
case ACL_SRC_DOMAIN:
- fqdn = fqdncache_gethostbyaddr(checklist->src_addr,
FQDN_LOOKUP_IF_MISS);
+ fqdn = fqdncache_gethostbyaddr6(&checklist->src_address,
FQDN_LOOKUP_IF_MISS);
if (fqdn) {
return aclMatchDomainList(&ae->data, fqdn);
} else if (checklist->state[ACL_SRC_DOMAIN] == ACL_LOOKUP_NONE) {
+ LOCAL_ARRAY(char, cbuf, MAX_IPSTRLEN);
+ (void) sqinet_ntoa(&checklist->src_address, cbuf, MAX_IPSTRLEN,
SQADDR_NONE);
debug(28, 3) ("aclMatchAcl: Can't yet compare '%s' ACL for '%s'\n",
- ae->name, inet_ntoa(checklist->src_addr));
+ ae->name, cbuf);
checklist->state[ACL_SRC_DOMAIN] = ACL_LOOKUP_NEEDED;
return 0;
}
@@ -2122,12 +2117,14 @@
return aclMatchRegex(ae->data, "none");
/* NOTREACHED */
case ACL_SRC_DOM_REGEX:
- fqdn = fqdncache_gethostbyaddr(checklist->src_addr,
FQDN_LOOKUP_IF_MISS);
+ fqdn = fqdncache_gethostbyaddr6(&checklist->src_address,
FQDN_LOOKUP_IF_MISS);
if (fqdn) {
return aclMatchRegex(ae->data, fqdn);
} else if (checklist->state[ACL_SRC_DOMAIN] == ACL_LOOKUP_NONE) {
+ LOCAL_ARRAY(char, cbuf, MAX_IPSTRLEN);
+ (void) sqinet_ntoa(&checklist->src_address, cbuf, MAX_IPSTRLEN,
SQADDR_NONE);
debug(28, 3) ("aclMatchAcl: Can't yet compare '%s' ACL for '%s'\n",
- ae->name, inet_ntoa(checklist->src_addr));
+ ae->name, cbuf);
checklist->state[ACL_SRC_DOMAIN] = ACL_LOOKUP_NEEDED;
return 0;
}
@@ -2157,7 +2154,7 @@
return k;
/* NOTREACHED */
case ACL_MAXCONN:
- k = clientdbEstablished(checklist->src_addr, 0);
+ k = clientdbEstablished6(&checklist->src_address, 0);
return ((k > ((intlist *) ae->data)->i) ? 1 : 0);
/* NOTREACHED */
case ACL_URL_PORT:
@@ -2227,7 +2224,7 @@
if ((ti = aclAuthenticated(checklist)) != 1)
return ti;
ti = aclMatchUserMaxIP(ae->data, r->auth_user_request,
- checklist->src_addr);
+ &checklist->src_address);
return ti;
/* NOTREACHED */
#if SQUID_SNMP
@@ -2236,13 +2233,13 @@
/* NOTREACHED */
#endif
case ACL_SRC_ASN:
- return asnMatchIp(ae->data, checklist->src_addr);
+ return asnMatchIp(ae->data, &checklist->src_address);
/* NOTREACHED */
case ACL_DST_ASN:
ia = ipcache_gethostbyname(r->host, IP_LOOKUP_IF_MISS);
if (ia) {
for (k = 0; k < (int) ia->count; k++) {
- if (asnMatchIp(ae->data, ia->in_addrs[k]))
+ if (asnMatchIp4(ae->data, ia->in_addrs[k]))
return 1;
}
return 0;
@@ -2251,7 +2248,7 @@
ae->name, r->host);
checklist->state[ACL_DST_ASN] = ACL_LOOKUP_NEEDED;
} else {
- return asnMatchIp(ae->data, no_addr);
+ return asnMatchIp4(ae->data, no_addr);
}
return 0;
/* NOTREACHED */
@@ -2422,10 +2419,14 @@
int
aclCheckFastRequest(const acl_access * A, request_t * request)
{
+ int r;
aclCheck_t ch;
memset(&ch, 0, sizeof(ch));
+ aclCheckSetup(&ch);
ch.request = request;
- return aclCheckFast(A, &ch);
+ r = aclCheckFast(A, &ch);
+ aclCheckFinish(&ch);
+ return r;
}
static void
@@ -2463,7 +2464,7 @@
return;
} else if (checklist->state[ACL_SRC_DOMAIN] == ACL_LOOKUP_NEEDED) {
checklist->state[ACL_SRC_DOMAIN] = ACL_LOOKUP_PENDING;
- fqdncache_nbgethostbyaddr(checklist->src_addr,
+ fqdncache_nbgethostbyaddr6(&checklist->src_address,
aclLookupSrcFQDNDone, checklist);
return;
} else if (checklist->state[ACL_DST_DOMAIN] == ACL_LOOKUP_NEEDED) {
@@ -2558,7 +2559,7 @@
checklist->callback_data = NULL;
}
aclCheckCleanup(checklist);
- sqinet_done(&checklist->my_address);
+ aclCheckFinish(checklist);
cbdataFree(checklist);
}
@@ -2669,13 +2670,21 @@
aclChecklistCacheInit(aclCheck_t * checklist)
{
request_t *request = checklist->request;
- if (request != NULL && checklist->src_addr.s_addr == 0) {
+#warning This sqinet_get_family check should really be a "has this sqaddr
had an address set yet?"
+ /*
+ * checklist->src_address has already been init'ed but it may not have
an
+ * address.
+ *
+ * The previous code checked if src_addr == 0. This new code needs to
do something
+ * slightly different.
+ */
+ if (request != NULL && (sqinet_get_family(&checklist->src_address) ==
0)) {
#if FOLLOW_X_FORWARDED_FOR
if (Config.onoff.acl_uses_indirect_client) {
checklist->src_addr = request->indirect_client_addr;
} else
#endif /* FOLLOW_X_FORWARDED_FOR */
- checklist->src_addr = request->client_addr;
+ sqinet_set_v4_inaddr(&checklist->src_address, &request->client_addr);
sqinet_copy(&checklist->my_address, &request->my_address);
#if 0 && USE_IDENT
/*
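Review bot: The `FOLLOW_X_FORWARDED_FOR` branch in aclChecklistCacheInit still assigns `checklist->src_addr = request->indirect_client_addr;`, but this commit removes `src_addr` from `struct _aclCheck_t` in structs.h, so a build with that option enabled would no longer compile. The branch should fill the new field the same way as the direct path, e.g. `sqinet_set_v4_inaddr(&checklist->src_address, &request->indirect_client_addr);` (assuming `indirect_client_addr` is still a `struct in_addr`). Because this is the address that source-IP ACLs evaluate when `acl_uses_indirect_client` is on, a comment stating which address ends up in `src_address` on each path would help reviewers. The function body continues past the end of the hunk.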
@@ -2688,6 +2697,20 @@
#endif
}
}
+
+void
+aclCheckSetup(aclCheck_t *ch)
+{
+ sqinet_init(&ch->my_address);
+ sqinet_init(&ch->src_address);
+}
+
+void
+aclCheckFinish(aclCheck_t *ch)
+{
+ sqinet_done(&ch->my_address);
+ sqinet_done(&ch->src_address);
+}
void
aclCheckSetup(aclCheck_t *ch)
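Review bot: The trailing context of this hunk is an existing `void aclCheckSetup(aclCheck_t *ch)` header, so the added aclCheckSetup() appears to land directly in front of a definition that is already in acl.c; if that older definition is still live, the file ends up with two definitions of the same function. Only one should remain, and it should be the one that initialises both `my_address` and `src_address`. A header comment on the pair would also help, for example `/* Initialise/release the sqaddr_t members of a caller-owned aclCheck_t; each aclCheckSetup() needs a matching aclCheckFinish(). */`. The older definition's body is outside the hunk, so this is inferred from the context lines only.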
@@ -2727,7 +2750,7 @@
xstrncpy(checklist->rfc931, ident, USER_IDENT_SZ);
#endif
checklist->auth_user_request = NULL;
- sqinet_init(&checklist->my_address);
+ aclCheckSetup(checklist);
return checklist;
}
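Review bot: `aclCheckSetup(checklist);` replaces the old `sqinet_init()` as the last statement before `return checklist;`, while the new comment in aclChecklistCacheInit states that `src_address` has already been initialised by the time it runs. If aclChecklistCreate calls aclChecklistCacheInit, or otherwise writes `src_address` or `my_address`, earlier in its body (which is outside this hunk), that write hits an uninitialised sqaddr_t and is then reset here. Calling `aclCheckSetup(checklist);` immediately after the checklist is allocated would remove the ordering dependency.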
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/client_side.c Mon Sep 6 09:12:09 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/client_side.c Mon Sep 6 21:39:50 2010
@@ -2586,9 +2586,9 @@
if (Config.onoff.log_fqdn)
fqdncache_gethostbyaddr6(&peer, FQDN_LOOKUP_IF_MISS);
commSetTimeout(fd, Config.Timeout.request, requestTimeout, connState);
- sqinet_init(&identChecklist.my_address);
+ aclCheckSetup(&identChecklist);
#if USE_IDENT
- identChecklist.src_addr = sqinet_get_v4_inaddr(&peer,
SQADDR_ASSERT_IS_V4);
+ sqinet_copy(&identChecklist.src_address, &peer);
sqinet_copy(&identChecklist.my_address, &me);
if (aclCheckFast(Config.accessList.identLookup, &identChecklist))
identStart(&connState->me2, &connState->peer2, clientIdentDone,
connState);
@@ -2604,7 +2604,7 @@
incoming_sockets_accepted++;
sqinet_done(&peer);
sqinet_done(&me);
- sqinet_done(&identChecklist.my_address);
+ aclCheckFinish(&identChecklist);
}
}
@@ -2756,9 +2756,9 @@
if (Config.onoff.log_fqdn)
fqdncache_gethostbyaddr6(&connState->peer2, FQDN_LOOKUP_IF_MISS);
commSetTimeout(fd, Config.Timeout.request, requestTimeout, connState);
- sqinet_init(&identChecklist.my_address);
+ aclCheckSetup(&identChecklist);
#if USE_IDENT
- identChecklist.src_addr = sqinet_get_v4_inaddr(&peer,
SQADDR_ASSERT_IS_V4);
+ sqinet_copy(&identChecklist.src_address, &peer);
sqinet_copy(&identChecklist.my_address, &me);
if (aclCheckFast(Config.accessList.identLookup, &identChecklist))
identStart(&connState->me2, &connState->peer2, clientIdentDone,
connState);
@@ -2773,7 +2773,7 @@
httpsAcceptSSL(connState, s->sslContext);
sqinet_done(&peer);
sqinet_done(&me);
- sqinet_done(&identChecklist.my_address);
+ aclCheckFinish(&identChecklist);
}
}
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/delay_pools.c Mon Jun 30 04:36:05 2008
+++ /playpen/LUSCA_HEAD_ipv6/src/delay_pools.c Mon Sep 6 21:39:50 2010
@@ -324,24 +324,36 @@
{
request_t *r;
aclCheck_t ch;
+ struct in_addr a;
ushort pool;
assert(http);
r = http->request;
memset(&ch, '\0', sizeof(ch));
+ aclCheckSetup(&ch);
ch.conn = http->conn;
ch.request = r;
if (r->client_addr.s_addr == INADDR_BROADCAST) {
debug(77, 2) ("delayClient: WARNING: Called with 'allones' address,
ignoring\n");
+ aclCheckFinish(&ch);
return delayId(0, 0);
}
for (pool = 0; pool < Config.Delay.pools; pool++) {
if (Config.Delay.access[pool] && aclCheckFast(Config.Delay.access[pool],
&ch))
break;
}
- if (pool == Config.Delay.pools)
+ if (pool == Config.Delay.pools) {
+ aclCheckFinish(&ch);
return delayId(0, 0);
- return delayPoolClient(pool, ch.src_addr.s_addr);
+ }
+#warning delay pools needs to be made v6 aware!
+ if (sqinet_get_family(&ch.src_address) != AF_INET) {
+ aclCheckFinish(&ch);
+ return delayId(0, 0);
+ }
+ a = sqinet_get_v4_inaddr(&ch.src_address, SQADDR_ASSERT_IS_V4);
+ aclCheckFinish(&ch);
+ return delayPoolClient(pool, a.s_addr);
}
delay_id
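Review bot: The new `sqinet_get_family(&ch.src_address) != AF_INET` branch returns `delayId(0, 0)` silently, so a client that matched a delay-pool ACL but is not IPv4 gets no bandwidth limit and nothing is logged. Until the pools are v6-aware, a log line in that branch makes the exemption visible to operators, e.g. `debug(77, 2) ("delayClient: non-IPv4 client address, no delay pool applied\n");`. The function now has four exits that each need their own `aclCheckFinish(&ch);`; a single cleanup label would make it harder to miss one in a later change.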
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/external_acl.c Mon Sep 6 09:06:16 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/external_acl.c Mon Sep 6 21:39:50 2010
@@ -645,7 +645,8 @@
break;
#endif
case EXT_ACL_SRC:
- str = inet_ntoa(ch->src_addr);
+ (void) sqinet_ntoa(&ch->src_address, buf, sizeof(buf), SQADDR_NONE);
+ str = buf;
break;
case EXT_ACL_SRCPORT:
snprintf(buf, sizeof(buf), "%d", request->client_port);
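Review bot: In the `EXT_ACL_SRC` case the result of `sqinet_ntoa()` is cast to `(void)` and `buf` is used regardless, so if the conversion fails or the address was never set, whatever was left in `buf` is handed to the external helper as the client source. Because the helper bases an access decision on that string, clear the buffer first with `buf[0] = '\0';` or check the return value and fall back to a fixed token. `buf` is declared outside the hunk; `sizeof(buf)` is only the right bound if it is an array there, which the neighbouring `snprintf(buf, sizeof(buf), ...)` suggests.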
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/forward.c Mon Sep 6 09:06:16 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/forward.c Mon Sep 6 21:39:50 2010
@@ -493,22 +493,30 @@
getOutgoingAddr(request_t * request)
{
aclCheck_t ch;
+ struct in_addr r;
memset(&ch, '\0', sizeof(aclCheck_t));
+ aclCheckSetup(&ch);
if (request) {
ch.request = request;
}
- return aclMapAddr(Config.accessList.outgoing_address, &ch);
+ r = aclMapAddr(Config.accessList.outgoing_address, &ch);
+ aclCheckFinish(&ch);
+ return r;
}
unsigned long
getOutgoingTOS(request_t * request)
{
aclCheck_t ch;
+ unsigned long r;
memset(&ch, '\0', sizeof(aclCheck_t));
+ aclCheckSetup(&ch);
if (request) {
ch.request = request;
}
- return aclMapTOS(Config.accessList.outgoing_tos, &ch);
+ r = aclMapTOS(Config.accessList.outgoing_tos, &ch);
+ aclCheckFinish(&ch);
+ return r;
}
/*
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/htcp.c Sat Sep 4 07:04:25 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/htcp.c Mon Sep 6 21:39:50 2010
@@ -655,13 +655,17 @@
int r;
aclCheck_t checklist;
memset(&checklist, '\0', sizeof(checklist));
- checklist.src_addr = from->sin_addr;
+ sqinet_init(&checklist.src_address);
+#warning HTCP needs to be made v6 aware!
+ sqinet_set_family(&checklist.src_address, AF_INET);
+ sqinet_set_v4_inaddr(&checklist.src_address, &from->sin_addr);
sqinet_init(&checklist.my_address);
sqinet_set_family(&checklist.my_address, AF_INET); /* XXX will need to
be taught about "from"! -adrian */
sqinet_set_noaddr(&checklist.my_address);
checklist.request = s->request;
r = aclCheckFast(acl, &checklist);
sqinet_done(&checklist.my_address);
+ sqinet_done(&checklist.src_address);
return r;
}
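Review bot: This hunk initialises and releases `checklist.src_address` and `checklist.my_address` with separate `sqinet_init()`/`sqinet_done()` calls, whereas the other stack-allocated aclCheck_t users in this commit go through the new helpers. Using `aclCheckSetup(&checklist);` after the memset and `aclCheckFinish(&checklist);` before `return r;` keeps the HTCP path from being missed if the helpers later manage more fields. The enclosing function starts outside the hunk.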
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/http.c Wed Aug 4 22:24:11 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/http.c Mon Sep 6 21:39:50 2010
@@ -424,6 +424,7 @@
if (strcmp(name, "accept-encoding") == 0) {
aclCheck_t checklist;
memset(&checklist, 0, sizeof(checklist));
+ aclCheckSetup(&checklist);
checklist.request = request;
checklist.reply = reply;
if (Config.accessList.vary_encoding &&
aclCheckFast(Config.accessList.vary_encoding, &checklist)) {
@@ -431,6 +432,7 @@
request->vary_encoding = httpHeaderGetStrOrList(&request->header,
HDR_ACCEPT_ENCODING);
strCat(request->vary_encoding, "");
}
+ aclCheckFinish(&checklist);
}
if (strcmp(name, "*") == 0) {
/* Can not handle "Vary: *" efficiently, bail out making the response
not cached */
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/icp_v2.c Sat Sep 4 07:04:25 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/icp_v2.c Mon Sep 6 21:39:50 2010
@@ -229,8 +229,9 @@
break;
}
memset(&checklist, '\0', sizeof(checklist));
- checklist.src_addr = from.sin_addr;
- sqinet_init(&checklist.my_address);
+ aclCheckSetup(&checklist);
+ sqinet_set_family(&checklist.src_address, AF_INET);
+ sqinet_set_v4_inaddr(&checklist.src_address, &from.sin_addr);
#warning needs to be made v6 "my_address" aware!
sqinet_set_family(&checklist.my_address, AF_INET);
sqinet_set_noaddr(&checklist.my_address);
@@ -321,7 +322,7 @@
}
if (icp_request)
requestDestroy(icp_request);
- sqinet_done(&checklist.my_address);
+ aclCheckFinish(&checklist);
}
#ifdef ICP_PKT_DUMP
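Review bot: `aclCheckFinish(&checklist);` runs at the very end of the function, but the matching `aclCheckSetup(&checklist);` in the earlier hunk sits right after a `break;`, which suggests some paths leave before the checklist is set up. If so, the finish call operates on an uninitialised stack `aclCheck_t`, and this commit widens that from one sqaddr_t to two. Initialising once at the top of the function (`memset(&checklist, '\0', sizeof(checklist)); aclCheckSetup(&checklist);`) would make the final call safe on every path. The same layout appears in the icp_v3.c hunks; most of both function bodies is outside the hunks, so this needs confirming against the full source.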
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/icp_v3.c Sat Sep 4 07:04:25 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/icp_v3.c Mon Sep 6 21:39:50 2010
@@ -82,8 +82,9 @@
break;
}
memset(&checklist, '\0', sizeof(checklist));
- checklist.src_addr = from.sin_addr;
- sqinet_init(&checklist.my_address);
+ aclCheckSetup(&checklist);
+ sqinet_set_family(&checklist.src_address, AF_INET);
+ sqinet_set_v4_inaddr(&checklist.src_address, &from.sin_addr);
#warning needs to be made ipv6-aware for "my_address"!
sqinet_set_family(&checklist.my_address, AF_INET);
sqinet_set_noaddr(&checklist.my_address);
@@ -161,5 +162,5 @@
}
if (icp_request)
requestDestroy(icp_request);
- sqinet_done(&checklist.my_address);
-}
+ aclCheckFinish(&checklist);
+}
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/snmp_core.c Sun Jul 4 06:56:53 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/snmp_core.c Mon Sep 6 21:39:50 2010
@@ -452,7 +452,8 @@
rq->session.Version = SNMP_VERSION_1;
Community = snmp_parse(&rq->session, PDU, buf, len);
memset(&checklist, '\0', sizeof(checklist));
- checklist.src_addr = rq->from.sin_addr;
+ aclCheckSetup(&checklist);
+ sqinet_set_v4_inaddr(&checklist.src_address, &rq->from.sin_addr);
checklist.snmp_community = (char *) Community;
if (Community)
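Review bot: `sqinet_set_v4_inaddr(&checklist.src_address, &rq->from.sin_addr);` is called here without the preceding `sqinet_set_family(&checklist.src_address, AF_INET);` that the ICP and HTCP hunks add, and aclChecklistCacheInit in acl.c omits it as well. If `sqinet_set_v4_inaddr()` does not set the family itself, the SNMP source ACL would be evaluated against an address with no family; if it does, the extra calls in ICP/HTCP are redundant. Settle on one convention and note it in a comment next to aclCheckSetup(), since the new `sqinet_get_family(...) == 0` test in aclChecklistCacheInit depends on the family reliably reflecting whether an address was set.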
@@ -469,6 +470,7 @@
}
if (Community)
xfree(Community);
+ aclCheckFinish(&checklist);
}
/*
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/structs.h Mon Sep 6 09:12:29 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/structs.h Mon Sep 6 21:39:50 2010
@@ -286,7 +286,7 @@
struct _aclCheck_t {
const acl_access *access_list;
- struct in_addr src_addr;
+ sqaddr_t src_address;
struct in_addr dst_addr;
struct in_addr fwdip_addr;
sqaddr_t my_address;