trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From shinr...@apache.org
Subject [trafficserver] branch master updated: TS-3485: Support ip_allow config for HTTP2. This closes #614.
Date Wed, 04 May 2016 23:38:06 GMT
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/master by this push:
       new  5ce103e   TS-3485: Support ip_allow config for HTTP2.  This closes #614.
5ce103e is described below

commit 5ce103e889ef2eec9216ec06ae681916cb6e2298
Author: Susan Hinrichs <shinrich@ieee.org>
AuthorDate: Wed May 4 01:49:30 2016 +0000

    TS-3485: Support ip_allow config for HTTP2.  This closes #614.
---
 iocore/net/I_SessionAccept.h                       |  7 ++++++
 iocore/net/Makefile.am                             |  1 +
 iocore/net/{I_SessionAccept.h => SessionAccept.cc} | 27 +++++++++++-----------
 proxy/http/HttpSessionAccept.cc                    | 19 +++++++--------
 proxy/http2/Http2ClientSession.cc                  | 12 ----------
 proxy/http2/Http2SessionAccept.cc                  | 13 ++++++++---
 6 files changed, 41 insertions(+), 38 deletions(-)

diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h
index 3d25b3d..8b55e74 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/I_SessionAccept.h
@@ -27,6 +27,8 @@
 #include "I_Net.h"
 #include "I_VConnection.h"
 
+class AclRecord;
+
 class SessionAccept : public Continuation
 {
 public:
@@ -34,6 +36,11 @@ public:
   ~SessionAccept() {}
   virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
 
+  /* Returns NULL if the specified client_ip is not allowed by ip_allow
+   * Returns a pointer to the relevant IP policy for later processing otherwise */
+  static const AclRecord *
+  testIpAllowPolicy(sockaddr const *client_ip);
+
 private:
   virtual int mainEvent(int event, void *netvc) = 0;
 };
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index 888d3c2..45d3ee9 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -60,6 +60,7 @@ libinknet_a_SOURCES = \
   I_UDPPacket.h \
   Inline.cc \
   I_SessionAccept.h \
+  SessionAccept.cc \
   Net.cc \
   NetVConnection.cc \
   P_CompletionUtil.h \
diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/SessionAccept.cc
similarity index 68%
copy from iocore/net/I_SessionAccept.h
copy to iocore/net/SessionAccept.cc
index 3d25b3d..9d0ff03 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/SessionAccept.cc
@@ -21,21 +21,20 @@
   limitations under the License.
  */
 
-#ifndef I_SessionAccept_H_
-#define I_SessionAccept_H_
-
 #include "I_Net.h"
 #include "I_VConnection.h"
+#include "../../proxy/IPAllow.h"
 
-class SessionAccept : public Continuation
+const AclRecord *
+SessionAccept::testIpAllowPolicy(sockaddr const *client_ip)
 {
-public:
-  SessionAccept(ProxyMutex *amutex) : Continuation(amutex) { SET_HANDLER(&SessionAccept::mainEvent);
}
-  ~SessionAccept() {}
-  virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
-
-private:
-  virtual int mainEvent(int event, void *netvc) = 0;
-};
-
-#endif /* I_SessionAccept_H_ */
+  IpAllow::scoped_config ipallow;
+  const AclRecord *acl_record = NULL;
+  if (ipallow) {
+    acl_record = ipallow->match(client_ip);
+    if (acl_record && acl_record->isEmpty()) {
+      acl_record = NULL;
+    }
+  }
+  return acl_record;
+}
diff --git a/proxy/http/HttpSessionAccept.cc b/proxy/http/HttpSessionAccept.cc
index 394bbf7..ba5a500 100644
--- a/proxy/http/HttpSessionAccept.cc
+++ b/proxy/http/HttpSessionAccept.cc
@@ -33,20 +33,21 @@ HttpSessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReade
   sockaddr const *client_ip = netvc->get_remote_addr();
   const AclRecord *acl_record = NULL;
   ip_port_text_buffer ipb;
-  IpAllow::scoped_config ipallow;
 
   // The backdoor port is now only bound to "localhost", so no
   // reason to check for if it's incoming from "localhost" or not.
   if (backdoor) {
     acl_record = IpAllow::AllMethodAcl();
-  } else if (ipallow && (((acl_record = ipallow->match(client_ip)) == NULL) ||
(acl_record->isEmpty()))) {
-    ////////////////////////////////////////////////////
-    // if client address forbidden, close immediately //
-    ////////////////////////////////////////////////////
-    Warning("client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
-    netvc->do_io_close();
-
-    return;
+  } else {
+    acl_record = testIpAllowPolicy(client_ip);
+    if (!acl_record) {
+      ////////////////////////////////////////////////////
+      // if client address forbidden, close immediately //
+      ////////////////////////////////////////////////////
+      Warning("client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
+      netvc->do_io_close();
+      return;
+    }
   }
 
   // Set the transport type if not already set
diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc
index d759c84..5930140 100644
--- a/proxy/http2/Http2ClientSession.cc
+++ b/proxy/http2/Http2ClientSession.cc
@@ -24,7 +24,6 @@
 #include "Http2ClientSession.h"
 #include "HttpDebugNames.h"
 #include "ts/ink_base64.h"
-#include "../IPAllow.h"
 
 #define STATE_ENTER(state_name, event)                                                  
    \
   do {                                                                                  
    \
@@ -132,17 +131,6 @@ Http2ClientSession::start()
 void
 Http2ClientSession::new_connection(NetVConnection *new_vc, MIOBuffer *iobuf, IOBufferReader
*reader, bool backdoor)
 {
-  acl_record = NULL;
-  sockaddr const *client_ip = new_vc->get_remote_addr();
-  IpAllow::scoped_config ipallow;
-  if (ipallow && (((acl_record = ipallow->match(client_ip)) == NULL) || (acl_record->isEmpty())))
{
-    ip_port_text_buffer ipb;
-    Warning("http2 client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb,
sizeof(ipb)));
-  } else if (!acl_record) {
-    ip_port_text_buffer ipb;
-    Warning("http2 client '%s' no ip-allow policy specified", ats_ip_ntop(client_ip, ipb,
sizeof(ipb)));
-  }
-
   ink_assert(new_vc->mutex->thread_holding == this_ethread());
   HTTP2_INCREMENT_THREAD_DYN_STAT(HTTP2_STAT_CURRENT_CLIENT_SESSION_COUNT, new_vc->mutex->thread_holding);
   HTTP2_INCREMENT_THREAD_DYN_STAT(HTTP2_STAT_TOTAL_CLIENT_CONNECTION_COUNT, new_vc->mutex->thread_holding);
diff --git a/proxy/http2/Http2SessionAccept.cc b/proxy/http2/Http2SessionAccept.cc
index 7aeefc7..3699d4c 100644
--- a/proxy/http2/Http2SessionAccept.cc
+++ b/proxy/http2/Http2SessionAccept.cc
@@ -25,6 +25,7 @@
 #include "Http2ClientSession.h"
 #include "I_Machine.h"
 #include "Error.h"
+#include "../IPAllow.h"
 
 Http2SessionAccept::Http2SessionAccept(const HttpSessionAccept::Options &_o) : SessionAccept(NULL),
options(_o)
 {
@@ -38,9 +39,16 @@ Http2SessionAccept::~Http2SessionAccept()
 void
 Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReader *reader)
 {
+  sockaddr const *client_ip = netvc->get_remote_addr();
+  const AclRecord *session_acl_record = testIpAllowPolicy(client_ip);
+  if (!session_acl_record) {
+    ip_port_text_buffer ipb;
+    Warning("HTTP/2 client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb,
sizeof(ipb)));
+    netvc->do_io_close();
+    return;
+  }
   netvc->attributes = this->options.transport_type;
 
-  const sockaddr *client_ip = netvc->get_remote_addr();
   if (is_debug_tag_set("http2_seq")) {
     ip_port_text_buffer ipb;
 
@@ -48,9 +56,8 @@ Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferRead
           ats_ip_nptop(client_ip, ipb, sizeof(ipb)), netvc->attributes);
   }
 
-  // XXX Allocate a Http2ClientSession
   Http2ClientSession *new_session = THREAD_ALLOC_INIT(http2ClientSessionAllocator, this_ethread());
-
+  new_session->acl_record = session_acl_record;
   new_session->new_connection(netvc, iobuf, reader, false /* backdoor */);
 }
 

-- 
To stop receiving notification emails like this one, please contact
['"commits@trafficserver.apache.org" <commits@trafficserver.apache.org>'].

Mime
View raw message