Posted to issues@trafficserver.apache.org by "Alan M. Carroll (Resolved) (JIRA)" <ji...@apache.org> on 2011/10/13 22:01:12 UTC

[jira] [Resolved] (TS-963) ip_allow.config parsing bug

     [ https://issues.apache.org/jira/browse/TS-963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alan M. Carroll resolved TS-963.
--------------------------------

    Resolution: Fixed

r1183051
                
> ip_allow.config parsing bug
> ---------------------------
>
>                 Key: TS-963
>                 URL: https://issues.apache.org/jira/browse/TS-963
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration
>    Affects Versions: 3.1.0
>         Environment: CentOS 5.5 64-bit
>            Reporter: David Eagen
>            Assignee: Alan M. Carroll
>             Fix For: 3.1.1
>
>
> The ip_allow.config file is not read correctly. It appears that later lines replace earlier lines if the IP ranges overlap. So, a config file like this does not result in the desired range being allowed. Instead, only the reject line is used. This can be confirmed by enabling debug logging.
> src_ip=172.16.11.0-172.16.19.255        action=ip_allow
> .... more allow ranges ...
> src_ip=0.0.0.0-255.255.255.255          action=ip_deny
> This configuration results in the following debug log:
> [Sep 20 15:06:52.348] Server {0x2b19b4be3d70} DEBUG: (ip-allow) 1 ACL entries.
>   Line 33: deny  0.0.0.0 - 255.255.255.255
> Commenting out the global deny line results in:
> [Sep 20 15:14:11.247] Server {0x2b3458cf7d70} DEBUG: (ip-allow) 8 ACL entries.
> Line 16: allow 172.16.3.0 - 172.16.3.255
> ....
> Line 30: allow 172.16.79.21 - 172.16.79.26
> Client IPs outside the allow range are denied by default. So I can still implement the same thing but not with the same configuration used in previous versions of ATS. Also, the documentation indicates that the line is parsed from the top down so that the first entry matching the connecting host is used but it does not function that way.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
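
The following Python sketch is an added illustration, not Traffic Server code and not part of the JIRA message. It evaluates ip_allow.config lines top-down with first match wins, as the report says the documentation describes, and lists earlier lines that a later line with the opposite action fully covers, which are the lines that change meaning if later entries replace earlier ones. The sample config is constructed, the function names are hypothetical, and the default of deny follows the reporter's observation.

```python
import ipaddress

# Constructed sample in the format quoted in the report (not the reporter's file).
SAMPLE = """\
src_ip=172.16.11.0-172.16.19.255        action=ip_allow
src_ip=172.16.79.21-172.16.79.26        action=ip_allow
src_ip=0.0.0.0-255.255.255.255          action=ip_deny
"""

def parse_rules(text):
    """Return [(line_no, lo, hi, action)] in file order, addresses as ints."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        lo, _, hi = fields["src_ip"].partition("-")
        lo_i = int(ipaddress.IPv4Address(lo))
        hi_i = int(ipaddress.IPv4Address(hi or lo))  # assumed: lone address = range of one
        if lo_i > hi_i or fields["action"] not in ("ip_allow", "ip_deny"):
            raise ValueError(f"line {line_no}: bad range or action: {raw!r}")
        rules.append((line_no, lo_i, hi_i, fields["action"]))
    return rules

def first_match(rules, client_ip, default="ip_deny"):
    """Top-down evaluation: the first range containing the client decides.
    The default of ip_deny follows the reporter's observation, not ATS source."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for line_no, lo, hi, action in rules:
        if lo <= ip <= hi:
            return action, line_no
    return default, None

def covered_by_later(rules):
    """Pairs (earlier_line, later_line) where a later line with the opposite
    action fully contains an earlier range. Under first-match these are harmless;
    they are the lines that lose effect if later entries replace earlier ones."""
    pairs = []
    for i, (ln, lo, hi, act) in enumerate(rules):
        for ln2, lo2, hi2, act2 in rules[i + 1:]:
            if act2 != act and lo2 <= lo and hi <= hi2:
                pairs.append((ln, ln2))
                break
    return pairs

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for ip in ("172.16.12.5", "172.16.79.22", "10.0.0.1"):
        print(ip, first_match(rules, ip))
    print("covered by a later line:", covered_by_later(rules))
```

Comparing the `first_match` result for a known-good client against the ACL entries printed under the `ip-allow` debug tag shows whether the running server honours the file order.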