Posted to commits@trafficserver.apache.org by sh...@apache.org on 2016/05/04 23:38:06 UTC
[trafficserver] branch master updated: TS-3485: Support ip_allow
config for HTTP2. This closes #614.
This is an automated email from the ASF dual-hosted git repository.
shinrich pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 5ce103e TS-3485: Support ip_allow config for HTTP2. This closes #614.
5ce103e is described below
commit 5ce103e889ef2eec9216ec06ae681916cb6e2298
Author: Susan Hinrichs <sh...@ieee.org>
AuthorDate: Wed May 4 01:49:30 2016 +0000
TS-3485: Support ip_allow config for HTTP2. This closes #614.
---
iocore/net/I_SessionAccept.h | 7 ++++++
iocore/net/Makefile.am | 1 +
iocore/net/{I_SessionAccept.h => SessionAccept.cc} | 27 +++++++++++-----------
proxy/http/HttpSessionAccept.cc | 19 +++++++--------
proxy/http2/Http2ClientSession.cc | 12 ----------
proxy/http2/Http2SessionAccept.cc | 13 ++++++++---
6 files changed, 41 insertions(+), 38 deletions(-)
diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h
index 3d25b3d..8b55e74 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/I_SessionAccept.h
@@ -27,6 +27,8 @@
#include "I_Net.h"
#include "I_VConnection.h"
+class AclRecord;
+
class SessionAccept : public Continuation
{
public:
@@ -34,6 +36,11 @@ public:
~SessionAccept() {}
virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
+ /* Returns NULL if the specified client_ip is not allowed by ip_allow
+ * Returns a pointer to the relevant IP policy for later processing otherwise */
+ static const AclRecord *
+ testIpAllowPolicy(sockaddr const *client_ip);
+
private:
virtual int mainEvent(int event, void *netvc) = 0;
};
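Review bot: The comment on the new `testIpAllowPolicy` declaration documents only the "client not allowed" case, but the implementation in SessionAccept.cc also returns NULL when `IpAllow::scoped_config` evaluates false (presumably no ip_allow configuration is loaded) and when the matched record `isEmpty()`, and every caller treats a NULL return as a reason to close the connection. Suggested comment: `/* Returns NULL if client_ip is not allowed by ip_allow, if the matching record is empty, or if no ip_allow configuration is loaded (fail closed). Otherwise returns the matching AclRecord, which the caller does not own. */` The declaration sits inside class SessionAccept, whose body the hunk cuts through.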
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index 888d3c2..45d3ee9 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -60,6 +60,7 @@ libinknet_a_SOURCES = \
I_UDPPacket.h \
Inline.cc \
I_SessionAccept.h \
+ SessionAccept.cc \
Net.cc \
NetVConnection.cc \
P_CompletionUtil.h \
diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/SessionAccept.cc
similarity index 68%
copy from iocore/net/I_SessionAccept.h
copy to iocore/net/SessionAccept.cc
index 3d25b3d..9d0ff03 100644
--- a/iocore/net/I_SessionAccept.h
+++ b/iocore/net/SessionAccept.cc
@@ -21,21 +21,20 @@
limitations under the License.
*/
-#ifndef I_SessionAccept_H_
-#define I_SessionAccept_H_
-
#include "I_Net.h"
#include "I_VConnection.h"
+#include "../../proxy/IPAllow.h"
-class SessionAccept : public Continuation
+const AclRecord *
+SessionAccept::testIpAllowPolicy(sockaddr const *client_ip)
{
-public:
- SessionAccept(ProxyMutex *amutex) : Continuation(amutex) { SET_HANDLER(&SessionAccept::mainEvent); }
- ~SessionAccept() {}
- virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0;
-
-private:
- virtual int mainEvent(int event, void *netvc) = 0;
-};
-
-#endif /* I_SessionAccept_H_ */
+ IpAllow::scoped_config ipallow;
+ const AclRecord *acl_record = NULL;
+ if (ipallow) {
+ acl_record = ipallow->match(client_ip);
+ if (acl_record && acl_record->isEmpty()) {
+ acl_record = NULL;
+ }
+ }
+ return acl_record;
+}
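Review bot: When `ipallow` is false at line 90 the helper returns NULL, and both callers (the HttpSessionAccept and Http2SessionAccept hunks) then close the connection with a "prohibited by ip-allow policy" warning; the replaced HttpSessionAccept code guarded the match with `ipallow &&` and let such a connection proceed with a NULL acl_record, so the no-configuration case changes from fail-open to fail-closed for HTTP/1.x, and HTTP/2 loses its separate "no ip-allow policy specified" message. Fail-closed is the right default for an allow list, but the commit description does not mention the change, and the warning text will mislead an operator whose ip_allow configuration failed to load. An explicit early return with its own message would keep the logs accurate, e.g. `if (!ipallow) { Warning("ip_allow configuration not loaded; rejecting client"); return NULL; }` (assuming Diags is usable from iocore/net), or at minimum a comment on line 90 stating that a missing configuration rejects every client. Separately, `#include "../../proxy/IPAllow.h"` makes iocore/net depend on proxy/, which inverts the usual layering of these directories; worth a comment explaining why the helper lives here rather than in proxy/.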
diff --git a/proxy/http/HttpSessionAccept.cc b/proxy/http/HttpSessionAccept.cc
index 394bbf7..ba5a500 100644
--- a/proxy/http/HttpSessionAccept.cc
+++ b/proxy/http/HttpSessionAccept.cc
@@ -33,20 +33,21 @@ HttpSessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReade
sockaddr const *client_ip = netvc->get_remote_addr();
const AclRecord *acl_record = NULL;
ip_port_text_buffer ipb;
- IpAllow::scoped_config ipallow;
// The backdoor port is now only bound to "localhost", so no
// reason to check for if it's incoming from "localhost" or not.
if (backdoor) {
acl_record = IpAllow::AllMethodAcl();
- } else if (ipallow && (((acl_record = ipallow->match(client_ip)) == NULL) || (acl_record->isEmpty()))) {
- ////////////////////////////////////////////////////
- // if client address forbidden, close immediately //
- ////////////////////////////////////////////////////
- Warning("client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
- netvc->do_io_close();
-
- return;
+ } else {
+ acl_record = testIpAllowPolicy(client_ip);
+ if (!acl_record) {
+ ////////////////////////////////////////////////////
+ // if client address forbidden, close immediately //
+ ////////////////////////////////////////////////////
+ Warning("client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
+ netvc->do_io_close();
+ return;
+ }
}
// Set the transport type if not already set
diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc
index d759c84..5930140 100644
--- a/proxy/http2/Http2ClientSession.cc
+++ b/proxy/http2/Http2ClientSession.cc
@@ -24,7 +24,6 @@
#include "Http2ClientSession.h"
#include "HttpDebugNames.h"
#include "ts/ink_base64.h"
-#include "../IPAllow.h"
#define STATE_ENTER(state_name, event) \
do { \
@@ -132,17 +131,6 @@ Http2ClientSession::start()
void
Http2ClientSession::new_connection(NetVConnection *new_vc, MIOBuffer *iobuf, IOBufferReader *reader, bool backdoor)
{
- acl_record = NULL;
- sockaddr const *client_ip = new_vc->get_remote_addr();
- IpAllow::scoped_config ipallow;
- if (ipallow && (((acl_record = ipallow->match(client_ip)) == NULL) || (acl_record->isEmpty()))) {
- ip_port_text_buffer ipb;
- Warning("http2 client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
- } else if (!acl_record) {
- ip_port_text_buffer ipb;
- Warning("http2 client '%s' no ip-allow policy specified", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
- }
-
ink_assert(new_vc->mutex->thread_holding == this_ethread());
HTTP2_INCREMENT_THREAD_DYN_STAT(HTTP2_STAT_CURRENT_CLIENT_SESSION_COUNT, new_vc->mutex->thread_holding);
HTTP2_INCREMENT_THREAD_DYN_STAT(HTTP2_STAT_TOTAL_CLIENT_CONNECTION_COUNT, new_vc->mutex->thread_holding);
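Review bot: With `acl_record = NULL;` removed, `new_connection` no longer initializes that member and relies on the caller having stored it first (Http2SessionAccept::accept does so immediately before the call); if Http2ClientSession objects are recycled through the allocator without being reset, any other caller that skips that assignment would see a stale record from a previous connection — I cannot tell from this hunk whether the allocator reinitializes members. A precondition comment at the top of the body would make the contract explicit: `// acl_record is set by the accepting SessionAccept before new_connection() is called; it is not reset here.` `new_connection` continues past the end of the hunk.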
diff --git a/proxy/http2/Http2SessionAccept.cc b/proxy/http2/Http2SessionAccept.cc
index 7aeefc7..3699d4c 100644
--- a/proxy/http2/Http2SessionAccept.cc
+++ b/proxy/http2/Http2SessionAccept.cc
@@ -25,6 +25,7 @@
#include "Http2ClientSession.h"
#include "I_Machine.h"
#include "Error.h"
+#include "../IPAllow.h"
Http2SessionAccept::Http2SessionAccept(const HttpSessionAccept::Options &_o) : SessionAccept(NULL), options(_o)
{
@@ -38,9 +39,16 @@ Http2SessionAccept::~Http2SessionAccept()
void
Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReader *reader)
{
+ sockaddr const *client_ip = netvc->get_remote_addr();
+ const AclRecord *session_acl_record = testIpAllowPolicy(client_ip);
+ if (!session_acl_record) {
+ ip_port_text_buffer ipb;
+ Warning("HTTP/2 client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb)));
+ netvc->do_io_close();
+ return;
+ }
netvc->attributes = this->options.transport_type;
- const sockaddr *client_ip = netvc->get_remote_addr();
if (is_debug_tag_set("http2_seq")) {
ip_port_text_buffer ipb;
@@ -48,9 +56,8 @@ Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferRead
ats_ip_nptop(client_ip, ipb, sizeof(ipb)), netvc->attributes);
}
- // XXX Allocate a Http2ClientSession
Http2ClientSession *new_session = THREAD_ALLOC_INIT(http2ClientSessionAllocator, this_ethread());
-
+ new_session->acl_record = session_acl_record;
new_session->new_connection(netvc, iobuf, reader, false /* backdoor */);
}
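Review bot: Line 193 stores a pointer obtained from `testIpAllowPolicy`, whose `IpAllow::scoped_config` has already gone out of scope by the time the session receives it, so the session keeps the record for the life of the connection without holding a reference to the configuration that contains it. The removed code in Http2ClientSession::new_connection followed the same pattern, so this is presumably pre-existing, but it is worth confirming that an ip_allow reload cannot free the table the record points into while sessions are still alive, and documenting the assumption at the assignment: `// acl_record points into the current ip_allow table; the session does not own it — confirm a reload keeps it valid for the session lifetime.`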