trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From a..@apache.org
Subject [trafficserver] branch master updated: TS-4593: Extend IPAllow to filter outbound connections and be controlled from remap. (#1)
Date Wed, 02 Nov 2016 21:10:25 GMT
This is an automated email from the ASF dual-hosted git repository.

amc pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/master by this push:
       new  b92a6b3   TS-4593: Extend IPAllow to filter outbound connections and be controlled
from remap. (#1)
b92a6b3 is described below

commit b92a6b3fd5d7addb84aa36622877c70128b9172b
Author: Alan M. Carroll <amc@network-geographics.com>
AuthorDate: Wed Nov 2 15:04:26 2016 -0500

    TS-4593: Extend IPAllow to filter outbound connections and be controlled from remap. (#1)
    
    Merged
---
 doc/admin-guide/files/ip_allow.config.en.rst | 33 +++++++++++++-----
 iocore/net/SessionAccept.cc                  |  4 +--
 lib/ts/MatcherUtils.cc                       |  4 ++-
 lib/ts/MatcherUtils.h                        |  3 +-
 proxy/IPAllow.cc                             | 42 +++++++++++++++--------
 proxy/IPAllow.h                              | 50 +++++++++++++++++++++-------
 proxy/InkAPI.cc                              |  2 +-
 proxy/http/HttpSM.cc                         | 46 ++++++++++++++++++++++++-
 proxy/http/HttpTransact.cc                   | 16 +++++++++
 proxy/http/HttpTransact.h                    |  1 +
 proxy/http/remap/RemapConfig.cc              | 35 +++++++++++++++----
 proxy/http/remap/RemapConfig.h               |  2 ++
 proxy/http/remap/UrlMapping.h                |  1 +
 13 files changed, 191 insertions(+), 48 deletions(-)

diff --git a/doc/admin-guide/files/ip_allow.config.en.rst b/doc/admin-guide/files/ip_allow.config.en.rst
index 203d577..6687805 100644
--- a/doc/admin-guide/files/ip_allow.config.en.rst
+++ b/doc/admin-guide/files/ip_allow.config.en.rst
@@ -22,10 +22,12 @@ ip_allow.config
 .. configfile:: ip_allow.config
 
 The :file:`ip_allow.config` file controls client access to the Traffic
-Server proxy cache. You can specify ranges of IP addresses that are
-allowed to use the Traffic Server as a web proxy cache. After you modify
-the :file:`ip_allow.config` file, navigate to the Traffic Server bin
-directory and run the :option:`traffic_ctl config reload` command to apply changes. When
+Server proxy cache and Traffic Server connections to the servers. You
+can specify ranges of IP addresses that are allowed to use the Traffic
+Server as a web proxy cache or that are allowed to be remapped by
+Traffic Server. After you modify the :file:`ip_allow.config` file,
+navigate to the Traffic Server bin directory and run the
+:option:`traffic_ctl config reload` command to apply changes. When
 you apply the changes to a node in a cluster, Traffic Server
 automatically applies the changes to all other nodes in the cluster.
 
@@ -36,13 +38,18 @@ Each line in the :file:`ip_allow.config` file must have the following
 format::
 
     src_ip=<range of IP addresses> action=<action> [method=<list of methods
separated by '|'>]
+    dest_ip=<range of IP addresses> action=<action> [method=<list of methods
separated by '|'>]
 
 where src_ip is the IP address or range of IP addresses of the
-client(s). The action ``ip_allow`` enables the specified client(s) to
-access the Traffic Server proxy cache, and ``ip_deny`` denies the
-specified client(s) to access the Traffic Server proxy cache. Multiple
-method keywords can be specified (method=GET method=HEAD), or multiple
-methods can be separated by an '\|' (method=GET\|HEAD). The method
+client(s) and dest_ip is the IP address or range of IP addresses of the
+server(s). When src_ip is indicated, the action ``ip_allow`` enables
+the specified client(s) to access the Traffic Server proxy cache,
+and ``ip_deny`` denies the specified client(s) to access the Traffic
+Server proxy cache. When dest_ip is indicated, the action ``ip_allow``
+enables the Traffic Server to access the specified server(s), and
+``ip_deny`` denies the Traffic Server to access the specified server(s).
+Multiple method keywords can be specified (method=GET method=HEAD), or
+multiple methods can be separated by an '\|' (method=GET\|HEAD). The method
 keyword is optional and it is defaulted to ALL. This supports ANY string
 as the HTTP method, meaning no validation is done to check whether it
 is a valid HTTP method. This allows you to create filters for any method
@@ -78,3 +85,11 @@ the Traffic Server proxy cache::
 
     src_ip=123.45.6.0-123.45.6.123 action=ip_deny
 
+The following example enables the Traffic Server to access all servers::
+
+    dest_ip=0.0.0.0-255.255.255.255 action=ip_allow
+
+The following example denies the Traffic Server to access all servers
+on a specific subnet::
+
+    dest_ip=10.0.0.0-10.0.0.255 action=ip_deny
diff --git a/iocore/net/SessionAccept.cc b/iocore/net/SessionAccept.cc
index 8f144e9..1bb1f02 100644
--- a/iocore/net/SessionAccept.cc
+++ b/iocore/net/SessionAccept.cc
@@ -31,8 +31,8 @@ SessionAccept::testIpAllowPolicy(sockaddr const *client_ip)
   IpAllow::scoped_config ipallow;
   const AclRecord *acl_record = nullptr;
   if (ipallow) {
-    acl_record = ipallow->match(client_ip);
-    if (acl_record && acl_record->isEmpty()) {
+    acl_record = ipallow->match(client_ip, IpAllow::SRC_ADDR);
+    if (acl_record && acl_record->isEmpty() && ipallow->isAcceptCheckEnabled())
{
       acl_record = nullptr;
     }
   }
diff --git a/lib/ts/MatcherUtils.cc b/lib/ts/MatcherUtils.cc
index a064d2b..5c5f32f 100644
--- a/lib/ts/MatcherUtils.cc
+++ b/lib/ts/MatcherUtils.cc
@@ -401,7 +401,9 @@ processDurationString(char *str, int *seconds)
 
 const matcher_tags http_dest_tags = {"dest_host", "dest_domain", "dest_ip", "url_regex",
"url", "host_regex", true};
 
-const matcher_tags ip_allow_tags = {nullptr, nullptr, "src_ip", nullptr, nullptr, nullptr,
false};
+const matcher_tags ip_allow_src_tags = {nullptr, nullptr, "src_ip", nullptr, nullptr, nullptr,
false};
+
+const matcher_tags ip_allow_dest_tags = {nullptr, nullptr, "dest_ip", nullptr, nullptr, nullptr,
true};
 
 const matcher_tags socks_server_tags = {nullptr, nullptr, "dest_ip", nullptr, nullptr, nullptr,
false};
 
diff --git a/lib/ts/MatcherUtils.h b/lib/ts/MatcherUtils.h
index 44d308b..4893234 100644
--- a/lib/ts/MatcherUtils.h
+++ b/lib/ts/MatcherUtils.h
@@ -108,7 +108,8 @@ struct matcher_tags {
 };
 
 extern const matcher_tags http_dest_tags;
-extern const matcher_tags ip_allow_tags;
+extern const matcher_tags ip_allow_src_tags;
+extern const matcher_tags ip_allow_dest_tags;
 extern const matcher_tags socks_server_tags;
 
 const char *parseConfigLine(char *line, matcher_line *p_line, const matcher_tags *tags);
diff --git a/proxy/IPAllow.cc b/proxy/IPAllow.cc
index 3e0af82..bece005 100644
--- a/proxy/IPAllow.cc
+++ b/proxy/IPAllow.cc
@@ -45,7 +45,8 @@ enum AclOp {
 
 const AclRecord IpAllow::ALL_METHOD_ACL(AclRecord::ALL_METHOD_MASK);
 
-int IpAllow::configid = 0;
+int IpAllow::configid        = 0;
+bool IpAllow::accept_check_p = true; // initializing global flag for fast deny
 
 static ConfigUpdateHandler<IpAllow> *ipAllowUpdate;
 
@@ -108,12 +109,11 @@ IpAllow::~IpAllow()
 }
 
 void
-IpAllow::Print()
+IpAllow::PrintMap(IpMap *map)
 {
   std::ostringstream s;
-  s << _map.getCount() << " ACL entries";
-  s << '.';
-  for (IpMap::iterator spot(_map.begin()), limit(_map.end()); spot != limit; ++spot) {
+  s << map->getCount() << " ACL entries.";
+  for (IpMap::iterator spot(map->begin()), limit(map->end()); spot != limit; ++spot)
{
     char text[INET6_ADDRSTRLEN];
     AclRecord const *ar = static_cast<AclRecord const *>(spot->data());
 
@@ -156,6 +156,15 @@ IpAllow::Print()
   Debug("ip-allow", "%s", s.str().c_str());
 }
 
+void
+IpAllow::Print()
+{
+  Debug("ip-allow", "Printing src map");
+  PrintMap(&_src_map);
+  Debug("ip-allow", "Printing dest map");
+  PrintMap(&_dest_map);
+}
+
 int
 IpAllow::BuildTable()
 {
@@ -171,7 +180,7 @@ IpAllow::BuildTable()
   bool alarmAlready = false;
 
   // Table should be empty
-  ink_assert(_map.getCount() == 0);
+  ink_assert(_src_map.getCount() == 0 && _dest_map.getCount() == 0);
 
   file_buf = readIntoBuffer(config_file_path, module_name, nullptr);
 
@@ -190,6 +199,8 @@ IpAllow::BuildTable()
     }
 
     if (*line != '\0' && *line != '#') {
+      const matcher_tags &ip_allow_tags =
+        strstr(line, ip_allow_dest_tags.match_ip) != nullptr ? ip_allow_dest_tags : ip_allow_src_tags;
       errPtr = parseConfigLine(line, &line_info, &ip_allow_tags);
 
       if (errPtr != nullptr) {
@@ -211,6 +222,7 @@ IpAllow::BuildTable()
           uint32_t acl_method_mask = 0;
           AclRecord::MethodSet nonstandard_methods;
           bool deny_nonstandard_methods = false;
+          bool is_dest_ip               = (strcasecmp(line_info.line[0][line_info.dest_entry],
"dest_ip") == 0);
           AclOp op                      = ACL_OP_DENY; // "shut up", I explained to the compiler.
           bool op_found = false, method_found = false;
           for (int i = 0; i < MATCHER_MAX_TOKENS; i++) {
@@ -272,10 +284,11 @@ IpAllow::BuildTable()
           }
 
           if (method_found) {
-            _acls.push_back(AclRecord(acl_method_mask, line_num, nonstandard_methods, deny_nonstandard_methods));
-            // Color with index because at this point the address
-            // is volatile.
-            _map.fill(&addr1, &addr2, reinterpret_cast<void *>(_acls.length()
- 1));
+            Vec<AclRecord> &acls = is_dest_ip ? _dest_acls : _src_acls;
+            IpMap &map           = is_dest_ip ? _dest_map : _src_map;
+            acls.push_back(AclRecord(acl_method_mask, line_num, nonstandard_methods, deny_nonstandard_methods));
+            // Color with index in acls because at this point the address is volatile.
+            map.fill(&addr1, &addr2, reinterpret_cast<void *>(acls.length()
- 1));
           } else {
             snprintf(errBuf, sizeof(errBuf), "%s discarding %s entry at line %d : %s", module_name,
config_file_path, line_num,
                      "Invalid action/method specified"); // changed by YTS Team, yamsat bug
id -59022
@@ -288,13 +301,14 @@ IpAllow::BuildTable()
     line = tokLine(nullptr, &tok_state);
   }
 
-  if (_map.getCount() == 0) {
+  if (_src_map.getCount() == 0 && _dest_map.getCount() == 0) { // TODO: check
     Warning("%s No entries in %s. All IP Addresses will be blocked", module_name, config_file_path);
   } else {
     // convert the coloring from indices to pointers.
-    for (IpMap::iterator spot(_map.begin()), limit(_map.end()); spot != limit; ++spot) {
-      spot->setData(&_acls[reinterpret_cast<size_t>(spot->data())]);
-    }
+    for (auto &item : _src_map)
+      item.setData(&_src_acls[reinterpret_cast<size_t>(item.data())]);
+    for (auto &item : _dest_map)
+      item.setData(&_dest_acls[reinterpret_cast<size_t>(item.data())]);
   }
 
   if (is_debug_tag_set("ip-allow")) {
diff --git a/proxy/IPAllow.h b/proxy/IPAllow.h
index f2218fc..a0a6f8b 100644
--- a/proxy/IPAllow.h
+++ b/proxy/IPAllow.h
@@ -110,12 +110,14 @@ class IpAllow : public ConfigInfo
 
 public:
   typedef IpAllow self; ///< Self reference type.
+  // indicator for whether we should be checking the acl record for src ip or dest ip
+  enum match_key_t { SRC_ADDR, DEST_ADDR };
 
   IpAllow(const char *config_var, const char *name, const char *action_val);
   ~IpAllow();
   void Print();
-  AclRecord *match(IpEndpoint const *ip) const;
-  AclRecord *match(sockaddr const *ip) const;
+  AclRecord *match(IpEndpoint const *ip, match_key_t key) const;
+  AclRecord *match(sockaddr const *ip, match_key_t key) const;
 
   static void startup();
   static void reconfigure();
@@ -130,35 +132,59 @@ public:
     return &ALL_METHOD_ACL;
   }
 
+  /* @return The previous accept check state
+   * This is a global variable that is independent of
+   * the ip_allow configuration
+   */
+  static bool
+  enableAcceptCheck(bool state)
+  {
+    bool temp      = accept_check_p;
+    accept_check_p = state;
+    return temp;
+  }
+  /* @return The current accept check state
+   * This is a global variable that is independent of
+   * the ip_allow configuration
+   */
+  static bool
+  isAcceptCheckEnabled()
+  {
+    return accept_check_p;
+  }
+
   typedef ConfigProcessor::scoped_config<IpAllow, IpAllow> scoped_config;
 
 private:
   static int configid;
   static const AclRecord ALL_METHOD_ACL;
+  static bool accept_check_p;
 
+  void PrintMap(IpMap *map);
   int BuildTable();
 
   char config_file_path[PATH_NAME_MAX];
   const char *module_name;
   const char *action;
-  IpMap _map;
-  Vec<AclRecord> _acls;
+  IpMap _src_map;
+  IpMap _dest_map;
+  Vec<AclRecord> _src_acls;
+  Vec<AclRecord> _dest_acls;
 };
 
 inline AclRecord *
-IpAllow::match(IpEndpoint const *ip) const
+IpAllow::match(IpEndpoint const *ip, match_key_t key) const
 {
-  return this->match(&ip->sa);
+  return this->match(&ip->sa, key);
 }
 
 inline AclRecord *
-IpAllow::match(sockaddr const *ip) const
+IpAllow::match(sockaddr const *ip, match_key_t key) const
 {
-  void *raw;
-  if (_map.contains(ip, &raw)) {
-    return static_cast<AclRecord *>(raw);
-  }
-  return nullptr;
+  void *raw        = nullptr;
+  const IpMap &map = (key == SRC_ADDR) ? _src_map : _dest_map;
+  map.contains(ip, &raw);
+  return static_cast<AclRecord *>(raw);
 }
 
 #endif
diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc
index d95f701..48697d5 100644
--- a/proxy/InkAPI.cc
+++ b/proxy/InkAPI.cc
@@ -7298,7 +7298,7 @@ const char *
 TSMatcherParseSrcIPConfigLine(char *line, TSMatcherLine ml)
 {
   sdk_assert(sdk_sanity_check_null_ptr((void *)line) == TS_SUCCESS);
-  return parseConfigLine(line, (matcher_line *)ml, &ip_allow_tags);
+  return parseConfigLine(line, (matcher_line *)ml, &ip_allow_src_tags);
 }
 
 char *
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index ffabb6e..f2638d0 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -42,6 +42,7 @@
 
 #include "HttpPages.h"
 
+#include "IPAllow.h"
 //#include "I_Auth.h"
 //#include "HttpAuthParams.h"
 #include "congest/Congestion.h"
@@ -4730,7 +4731,50 @@ HttpSM::do_http_server_open(bool raw)
     milestones[TS_MILESTONE_SERVER_FIRST_CONNECT] = milestones[TS_MILESTONE_SERVER_CONNECT];
   }
 
-  if (t_state.pCongestionEntry != nullptr) {
+  // Check for remap rule. If so, only apply ip_allow filter if it is activated (ip_allow_check_enabled_p
set).
+  // Otherwise, if no remap rule is defined, apply the ip_allow filter.
+  if (!t_state.url_remap_success || t_state.url_map.getMapping()->ip_allow_check_enabled_p)
{
+    // Method allowed on dest IP address check
+    sockaddr *server_ip = &t_state.current.server->dst_addr.sa;
+    IpAllow::scoped_config ip_allow;
+
+    if (ip_allow) {
+      const AclRecord *acl_record = ip_allow->match(server_ip, IpAllow::DEST_ADDR);
+      bool deny_request           = false; // default is fail open.
+      int method                  = t_state.hdr_info.server_request.method_get_wksidx();
+
+      if (acl_record) {
+        // If empty, nothing is allowed, deny. Conversely if all methods are allowed it's
OK, do not deny.
+        // Otherwise the method has to be checked specifically.
+        if (acl_record->isEmpty()) {
+          deny_request = true;
+        } else if (acl_record->_method_mask != AclRecord::ALL_METHOD_MASK) {
+          if (method != -1) {
+            deny_request = !acl_record->isMethodAllowed(method);
+          } else {
+            int method_str_len;
+            const char *method_str = t_state.hdr_info.server_request.method_get(&method_str_len);
+            deny_request           = !acl_record->isNonstandardMethodAllowed(std::string(method_str,
method_str_len));
+          }
+        }
+      }
+
+      if (deny_request) {
+        if (is_debug_tag_set("ip-allow")) {
+          ip_text_buffer ipb;
+          Warning("server '%s' prohibited by ip-allow policy", ats_ip_ntop(server_ip, ipb,
sizeof(ipb)));
+          Debug("ip-allow", "Denial on %s:%s with mask %x", ats_ip_ntop(&t_state.current.server->dst_addr.sa,
ipb, sizeof(ipb)),
+                hdrtoken_index_to_wks(method), acl_record ? acl_record->_method_mask :
0x0);
+        }
+        t_state.current.attempts = t_state.txn_conf->connect_attempts_max_retries; //
prevent any more retries with this IP
+        call_transact_and_set_next_state(HttpTransact::Forbidden);
+        return;
+      }
+    }
+  }
+
+  // Congestion Check
+  if (t_state.pCongestionEntry != NULL) {
     if (t_state.pCongestionEntry->F_congested() &&
         (!t_state.pCongestionEntry->proxy_retry(milestones[TS_MILESTONE_SERVER_CONNECT])))
{
       t_state.congestion_congested_or_failed = 1;
diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
index 0647a90..8e378c4 100644
--- a/proxy/http/HttpTransact.cc
+++ b/proxy/http/HttpTransact.cc
@@ -566,6 +566,16 @@ HttpTransact::BadRequest(State *s)
 }
 
 void
+HttpTransact::Forbidden(State *s)
+{
+  DebugTxn("http_trans", "[Forbidden]"
+                         "IpAllow marked request forbidden");
+  bootstrap_state_variables_from_request(s, &s->hdr_info.client_request);
+  build_error_response(s, HTTP_STATUS_FORBIDDEN, "Access Denied", "access#denied", NULL);
+  TRANSACT_RETURN(SM_ACTION_SEND_ERROR_CACHE_NOOP, NULL);
+}
+
+void
 HttpTransact::HandleBlindTunnel(State *s)
 {
   NetVConnection *vc         = s->state_machine->ua_session->get_netvc();
@@ -6576,6 +6586,12 @@ HttpTransact::process_quick_http_filter(State *s, int method)
     return;
   }
 
+  // if ipallow rules are disabled by remap then don't modify anything
+  url_mapping *mp = s->url_map.getMapping();
+  if (mp && !mp->ip_allow_check_enabled_p) {
+    return;
+  }
+
   if (s->state_machine->ua_session) {
     const AclRecord *acl_record = s->state_machine->ua_session->get_acl_record();
     bool deny_request           = (acl_record == nullptr);
diff --git a/proxy/http/HttpTransact.h b/proxy/http/HttpTransact.h
index 63f9925..dd81a49 100644
--- a/proxy/http/HttpTransact.h
+++ b/proxy/http/HttpTransact.h
@@ -1200,6 +1200,7 @@ public:
   static void StartAuth(State *s);
   static void HandleRequestAuthorized(State *s);
   static void BadRequest(State *s);
+  static void Forbidden(State *s);
   static void HandleFiltering(State *s);
   static void DecideCacheLookup(State *s);
   static void LookupSkipOpenServer(State *s);
diff --git a/proxy/http/remap/RemapConfig.cc b/proxy/http/remap/RemapConfig.cc
index cef1c40..40f245b 100644
--- a/proxy/http/remap/RemapConfig.cc
+++ b/proxy/http/remap/RemapConfig.cc
@@ -31,6 +31,7 @@
 #include "ts/ink_cap.h"
 #include "ts/ink_file.h"
 #include "ts/Tokenizer.h"
+#include "../../proxy/IPAllow.h"
 
 #define modulePrefix "[ReverseProxy]"
 
@@ -75,7 +76,8 @@ clear_xstr_array(char *v[], size_t vsize)
   }
 }
 
-BUILD_TABLE_INFO::BUILD_TABLE_INFO() : remap_optflg(0), paramc(0), argc(0), rules_list(nullptr),
rewrite(nullptr)
+BUILD_TABLE_INFO::BUILD_TABLE_INFO()
+  : remap_optflg(0), paramc(0), argc(0), ip_allow_check_enabled_p(true), accept_check_p(true),
rules_list(nullptr), rewrite(nullptr)
 {
   memset(this->paramv, 0, sizeof(this->paramv));
   memset(this->argv, 0, sizeof(this->argv));
@@ -107,7 +109,7 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO *bti, char
*errStrBuf
   for (rp = bti->rules_list; rp; rp = rp->next) {
     if (rp->active_queue_flag) {
       Debug("url_rewrite", "[process_filter_opt] Add active main filter \"%s\" (argc=%d)",
-            rp->filter_name ? rp->filter_name : "<NULL>", rp->argc);
+            rp->filter_name ? rp->filter_name : "<nullptr>", rp->argc);
       for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) {
         ;
       }
@@ -123,6 +125,9 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO *bti, char
*errStrBuf
     }
     errStr = remap_validate_filter_args(rpp, (const char **)bti->argv, bti->argc, errStrBuf,
errStrBufSize);
   }
+  // Set the ip allow flag for this rule to the current ip allow flag state
+  mp->ip_allow_check_enabled_p = bti->ip_allow_check_enabled_p;
+
   return errStr;
 }
 
@@ -211,6 +216,12 @@ parse_activate_directive(const char *directive, BUILD_TABLE_INFO *bti,
char *err
     return (const char *)errbuf;
   }
 
+  // Check if for ip_allow filter
+  if (strcmp((const char *)bti->paramv[1], "ip_allow") == 0) {
+    bti->ip_allow_check_enabled_p = true;
+    return nullptr;
+  }
+
   if ((rp = acl_filter_rule::find_byname(bti->rules_list, (const char *)bti->paramv[1]))
== nullptr) {
     snprintf(errbuf, errbufsize, "Undefined filter \"%s\" in directive \"%s\"", bti->paramv[1],
directive);
     Debug("url_rewrite", "[parse_directive] %s", errbuf);
@@ -232,6 +243,12 @@ parse_deactivate_directive(const char *directive, BUILD_TABLE_INFO *bti,
char *e
     return (const char *)errbuf;
   }
 
+  // Check if for ip_allow filter
+  if (strcmp((const char *)bti->paramv[1], "ip_allow") == 0) {
+    bti->ip_allow_check_enabled_p = false;
+    return nullptr;
+  }
+
   if ((rp = acl_filter_rule::find_byname(bti->rules_list, (const char *)bti->paramv[1]))
== nullptr) {
     snprintf(errbuf, errbufsize, "Undefined filter \"%s\" in directive \"%s\"", bti->paramv[1],
directive);
     Debug("url_rewrite", "[parse_directive] %s", errbuf);
@@ -577,9 +594,9 @@ remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv,
int arg
     }
 
     if (ul & REMAP_OPTFLG_ACTION) { /* "action=" option */
-      if (is_inkeylist(argptr, "0", "off", "deny", "disable", NULL)) {
+      if (is_inkeylist(argptr, "0", "off", "deny", "disable", nullptr)) {
         rule->allow_flag = 0;
-      } else if (is_inkeylist(argptr, "1", "on", "allow", "enable", NULL)) {
+      } else if (is_inkeylist(argptr, "1", "on", "allow", "enable", nullptr)) {
         rule->allow_flag = 1;
       } else {
         Debug("url_rewrite", "[validate_filter_args] Unknown argument \"%s\"", argv[i]);
@@ -750,7 +767,7 @@ remap_load_plugin(const char **argv, int argc, url_mapping *mp, char *errbuf,
in
     }
   } else {
     if (unlikely(!mp || (remap_check_option(argv, argc, REMAP_OPTFLG_PLUGIN, &idx) &
REMAP_OPTFLG_PLUGIN) == 0)) {
-      snprintf(errbuf, errbufsize, "Can't find remap plugin keyword or \"url_mapping\" is
NULL");
+      snprintf(errbuf, errbufsize, "Can't find remap plugin keyword or \"url_mapping\" is
nullptr");
       return -1; /* incorrect input data - almost impossible case */
     }
   }
@@ -952,7 +969,7 @@ process_regex_mapping_config(const char *from_host_lower, url_mapping
*new_mappi
   reg_map->url_map = new_mapping;
 
   // using from_host_lower (and not new_mapping->fromURL.host_get())
-  // as this one will be NULL-terminated (required by pcre_compile)
+  // as this one will be nullptr-terminated (required by pcre_compile)
   if (reg_map->regular_expression.compile(from_host_lower) == false) {
     Warning("pcre_compile failed! Regex has error starting at %s", from_host_lower);
     goto lFail;
@@ -1153,6 +1170,9 @@ remap_parse_config_bti(const char *path, BUILD_TABLE_INFO *bti)
       goto MAP_ERROR;
     }
 
+    // update sticky flag
+    bti->accept_check_p = bti->accept_check_p && bti->ip_allow_check_enabled_p;
+
     new_mapping->map_id = 0;
     if ((bti->remap_optflg & REMAP_OPTFLG_MAP_ID) != 0) {
       int idx = 0;
@@ -1413,8 +1433,9 @@ remap_parse_config_bti(const char *path, BUILD_TABLE_INFO *bti)
     delete reg_map;
     delete new_mapping;
     return false;
-  } /* end of while(cur_line != NULL) */
+  } /* end of while(cur_line != nullptr) */
 
+  IpAllow::enableAcceptCheck(bti->accept_check_p);
   return true;
 }
 
diff --git a/proxy/http/remap/RemapConfig.h b/proxy/http/remap/RemapConfig.h
index 300eaea..0d76156 100644
--- a/proxy/http/remap/RemapConfig.h
+++ b/proxy/http/remap/RemapConfig.h
@@ -53,6 +53,8 @@ struct BUILD_TABLE_INFO {
   char *paramv[BUILD_TABLE_MAX_ARGS];
   char *argv[BUILD_TABLE_MAX_ARGS];
 
+  bool ip_allow_check_enabled_p;
+  bool accept_check_p;
   acl_filter_rule *rules_list; // all rules defined in config files as .define_filter foobar
@src_ip=.....
   UrlRewrite *rewrite;         // Pointer to the UrlRewrite object we are parsing for.
 
diff --git a/proxy/http/remap/UrlMapping.h b/proxy/http/remap/UrlMapping.h
index d4634b8..73f87c7 100644
--- a/proxy/http/remap/UrlMapping.h
+++ b/proxy/http/remap/UrlMapping.h
@@ -107,6 +107,7 @@ public:
   unsigned int map_id;
   referer_info *referer_list;
   redirect_tag_str *redir_chunk_list;
+  bool ip_allow_check_enabled_p;
   acl_filter_rule *filter; // acl filtering (list of rules)
   unsigned int _plugin_count;
   LINK(url_mapping, link); // For use with the main Queue linked list holding all the mapping

-- 
To stop receiving notification emails like this one, please contact
['"commits@trafficserver.apache.org" <commits@trafficserver.apache.org>'].

Mime
View raw message