Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2011/09/21 21:17:08 UTC

[jira] [Updated] (TS-963) ip_allow.config parsing bug

     [ https://issues.apache.org/jira/browse/TS-963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-963:
-----------------------------

    Fix Version/s: 3.1.1
         Assignee: Alan M. Carroll

Alan: I'm assigning this to you, just in case you're to blame ;). But seriously, is this related to any of the changes we've done lately to IPv6 and/or IP range handling?

> ip_allow.config parsing bug
> ---------------------------
>
>                 Key: TS-963
>                 URL: https://issues.apache.org/jira/browse/TS-963
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration
>    Affects Versions: 3.1.0
>         Environment: CentOS 5.5 64-bit
>            Reporter: David Eagen
>            Assignee: Alan M. Carroll
>             Fix For: 3.1.1
>
>
> The ip_allow.config file is not read correctly. It appears that later lines replace earlier lines if the IP ranges overlap. So, a config file like this does not result in the desired range being allowed. Instead, only the reject line is used. This can be confirmed by enabling debug logging.
>
> src_ip=172.16.11.0-172.16.19.255        action=ip_allow
> .... more allow ranges ...
> src_ip=0.0.0.0-255.255.255.255          action=ip_deny
>
> This configuration results in the following debug log:
>
> [Sep 20 15:06:52.348] Server {0x2b19b4be3d70} DEBUG: (ip-allow) 1 ACL entries.
>   Line 33: deny  0.0.0.0 - 255.255.255.255
>
> Commenting out the global deny line results in:
>
> [Sep 20 15:14:11.247] Server {0x2b3458cf7d70} DEBUG: (ip-allow) 8 ACL entries.
> Line 16: allow 172.16.3.0 - 172.16.3.255
> ....
> Line 30: allow 172.16.79.21 - 172.16.79.26
>
> Client IPs outside the allow range are denied by default. So I can still implement the same thing but not with the same configuration used in previous versions of ATS. Also, the documentation indicates that the line is parsed from the top down so that the first entry matching the connecting host is used but it does not function that way.

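The following is an added example, not part of the original message and not Traffic Server code. It contrasts the documented top-down, first-match evaluation with a model of the reported effect (a later line replacing earlier overlapping lines), so a config can be checked for clients whose decision would differ. The function names, the constructed sample, IPv4-only input and `#` comment handling are assumptions.

```python
import ipaddress

# Constructed sample in the format quoted in the report (not the reporter's full file).
SAMPLE = """\
src_ip=172.16.11.0-172.16.19.255        action=ip_allow
src_ip=0.0.0.0-255.255.255.255          action=ip_deny
"""

def parse_rules(text):
    """Return [(line_no, first_ip, last_ip, action)] in file order."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # assumption: '#' starts a comment
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        lo, _, hi = fields["src_ip"].partition("-")
        first = ipaddress.ip_address(lo)
        last = ipaddress.ip_address(hi or lo)    # a single address is a one-host range
        if first > last:
            raise ValueError(f"line {line_no}: range start is above range end")
        rules.append((line_no, first, last, fields["action"]))
    return rules

def first_match(rules, client, default="ip_deny"):
    """Documented behaviour: the first line, top down, covering the client wins.
    The default of deny follows the report's observation for unmatched clients."""
    ip = ipaddress.ip_address(client)
    for line_no, first, last, action in rules:
        if first <= ip <= last:
            return action, line_no
    return default, None

def overlap_overwrite(rules):
    """Model of the reported effect: each line evicts earlier lines it overlaps.
    This models what the debug log shows; it is not derived from ATS source."""
    kept = []
    for rule in rules:
        kept = [r for r in kept if r[2] < rule[1] or r[1] > rule[2]]
        kept.append(rule)
    return kept

def decisions_differ(text, client):
    """True when the reported behaviour changes the outcome for this client."""
    rules = parse_rules(text)
    return first_match(rules, client)[0] != first_match(overlap_overwrite(rules), client)[0]
```

Running `decisions_differ` over a set of known-good and known-bad client addresses after an upgrade gives a quick regression check that the allow list still behaves as documented.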