Posted to commits@trafficserver.apache.org by sh...@apache.org on 2020/12/02 17:30:19 UTC

[trafficserver] branch master updated: Fix sni ip_allow and host_sni_policy (#7349)

This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 1fc1406  Fix sni ip_allow and host_sni_policy (#7349)
1fc1406 is described below

commit 1fc140640ed004b6d5c1641648196f58ab8a8dea
Author: Susan Hinrichs <sh...@yahoo-inc.com>
AuthorDate: Wed Dec 2 11:30:07 2020 -0600

    Fix sni ip_allow and host_sni_policy (#7349)
---
 doc/admin-guide/files/records.config.en.rst | 2 +-
 iocore/net/P_SNIActionPerformer.h           | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index d9d0025..8ec7b22 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -1894,7 +1894,7 @@ Security
 
    You can override this global setting on a per domain basis in the :file:`sni.yaml` file using the :ref:`host_sni_policy attribute<override-host-sni-policy>` action.
 
-   Currently, only the verify_client policy is checked for host name and SNI matching.
+   Currently, only the verify_client and ip_allow policies are checked for host name and SNI matching.
 
 Cache Control
 =============
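Review bot: The added sentence names ip_allow but does not say what "checked" means for it, so an administrator cannot tell which way the check goes. The companion change in P_SNIActionPerformer.h triggers only when the address map is non-empty and does not contain the client address; the documentation should state that direction and that an empty map never triggers. "Currently" also gives the reader no release to tie the statement to; consider naming the version in which ip_allow joined this check.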
diff --git a/iocore/net/P_SNIActionPerformer.h b/iocore/net/P_SNIActionPerformer.h
index c94a74d..89067ae 100644
--- a/iocore/net/P_SNIActionPerformer.h
+++ b/iocore/net/P_SNIActionPerformer.h
@@ -325,8 +325,9 @@ public:
   TestClientSNIAction(const char *servrername, const IpEndpoint &ep, int &policy) const override
   {
     bool retval = false;
-    if (ip_map.contains(ep)) {
-      retval = true;
+    if (ip_map.count() > 0) {
+      // Only triggers if the map didn't contain the address
+      retval = !ip_map.contains(ep);
     }
     return retval;
   }
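Review bot: The return value of TestClientSNIAction changes meaning at the `retval = !ip_map.contains(ep);` line, from true when ip_map contains the address to true when a non-empty ip_map does not contain it, and the diffstat lists only the documentation file and this header, so nothing exercises the new behaviour. Add a regression test for the three cases (empty map, address inside the map, address outside the map), and expand the comment to say that true signals a mismatch and that an empty map never triggers. The body could then be reduced to `return ip_map.count() > 0 && !ip_map.contains(ep);`. While this function is being touched, the parameter name `servrername` in the context line looks like a typo for `servername`.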