Updated Branches: refs/heads/master 33770526c -> a2dc96571
TS-1140: Implement HTTP method filtering in ip_allow.config Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/a2dc9657 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/a2dc9657 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/a2dc9657 Branch: refs/heads/master Commit: a2dc965711b8d75be33dfe534912756ee8db6382 Parents: 3377052 Author: Igor Brezac <[email protected]> Authored: Sun Mar 18 00:09:15 2012 -0400 Committer: Alan M. Carroll <[email protected]> Committed: Wed Mar 21 09:28:41 2012 -0500 ---------------------------------------------------------------------- CHANGES | 2 + mgmt/RecordsConfig.cc | 26 ------ proxy/IPAllow.cc | 117 +++++++++++++++++++++------ proxy/IPAllow.h | 72 ++++++++-------- proxy/config/ip_allow.config.default | 24 ++++-- proxy/config/records.config.default.in | 24 +----- proxy/http/HttpAccept.cc | 4 +- proxy/http/HttpClientSession.h | 2 + proxy/http/HttpConfig.cc | 5 - proxy/http/HttpConfig.h | 6 -- proxy/http/HttpTransact.cc | 62 +------------- 11 files changed, 158 insertions(+), 186 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index faedb56..0ff37ea 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,7 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 3.1.4 + *) [TS-1140] Combine IP Allow and QuickFilter. + *) [TS-1159] Add compiler hints to debug logging *) [TS-1143] Fixed edge case problems in IpMap. http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/mgmt/RecordsConfig.cc ---------------------------------------------------------------------- diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc index 6c3de5b..e0d86b7 100644 --- a/mgmt/RecordsConfig.cc +++ b/mgmt/RecordsConfig.cc @@ -511,32 +511,6 @@ RecordElement RecordsConfig[] = { , {RECT_CONFIG, "proxy.config.http.accept_encoding_filter.filename", RECD_STRING, "ae_ua.config", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL} , - - // ######################## - // # HTTP Quick filtering # - // ######################## - // This is dedicated and very specific 'HTTP method' filter. - // Note: If method does not match, filtering will be skipped. - // bits 15-0 - HTTP method mask - // 0x0000 - Any possible HTTP method (or you can use 0xFFFF) - // 0x0001 - CONNECT - // 0x0002 - DELETE - // 0x0004 - GET - // 0x0008 - HEAD - // 0x0010 - ICP_QUERY - // 0x0020 - OPTIONS - // 0x0040 - POST - // 0x0080 - PURGE - // 0x0100 - PUT - // 0x0200 - TRACE - // 0x0400 - PUSH - // bits 18-16 - reserved - // bits 30-17 - reserved - // bit 31 - Action (allow=1, deny=0) - // Note: if 'proxy.config.http.quick_filter.mask' is equal 0, there is no 'quick http filtering' at all - {RECT_CONFIG, "proxy.config.http.quick_filter.mask", RECD_INT, "0x482", RECU_DYNAMIC, RR_NULL, RECC_NULL, NULL, RECA_NULL} - , - // ############################## // # parent proxy configuration # // ############################## http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/proxy/IPAllow.cc ---------------------------------------------------------------------- diff --git a/proxy/IPAllow.cc b/proxy/IPAllow.cc index 315a8e5..415d6cf 100644 --- a/proxy/IPAllow.cc +++ b/proxy/IPAllow.cc @@ -35,14 +35,25 @@ #include "StatSystem.h" #include "P_EventSystem.h" #include "P_Cache.h" +#include "hdrs/HdrToken.h" #include <sstream> #define IPAllowRegisterConfigUpdateFunc REC_RegisterConfigUpdateFunc #define IPAllowReadConfigStringAlloc REC_ReadConfigStringAlloc +enum AclOp { + ACL_OP_ALLOW, ///< Allow access. + ACL_OP_DENY, ///< Deny access. +}; + IpAllow* IpAllow::_instance = NULL; +// Mask for all methods. +// This can't be computed properly at process start, so it's delayed +// until the instance is initialized. +uint32_t ALL_METHOD_MASK; + static Ptr<ProxyMutex> ip_reconfig_mutex; // @@ -110,6 +121,8 @@ IpAllow::InitInstance() { // Should not have been initialized before ink_assert(_instance == NULL); + ALL_METHOD_MASK = ~(~0 << HTTP_WKSIDX_METHODS_CNT); + ip_reconfig_mutex = new_ProxyMutex(); _instance = NEW(new self("proxy.config.cache.ip_allow.filename", "IpAllow", "ip_allow")); @@ -144,8 +157,7 @@ IpAllow::IpAllow( const char *action_val ) : config_file_var(config_var), module_name(name), - action(action_val), - _allow_all(false) + action(action_val) { char *config_file; @@ -167,7 +179,6 @@ void IpAllow::Print() { std::ostringstream s; s << _map.getCount() << " ACL entries"; - if (_allow_all) s << " - ACLs are disabled, all connections are permitted"; s << '.'; for ( IpMap::iterator spot(_map.begin()), limit(_map.end()) ; spot != limit @@ -177,12 +188,29 @@ IpAllow::Print() { AclRecord const* ar = static_cast<AclRecord const*>(spot->data()); s << std::endl << " Line " << ar->_src_line << ": " - << (ACL_OP_ALLOW == ar->_op ? "allow " : "deny ") << ats_ip_ntop(spot->min(), text, sizeof text) ; if (0 != ats_ip_addr_cmp(spot->min(), spot->max())) { s << " - " << ats_ip_ntop(spot->max(), text, sizeof text); } + s << " method="; + uint32_t mask = ALL_METHOD_MASK & ar->_method_mask; + if (ALL_METHOD_MASK == mask) { + s << "ALL"; + } else if (0 == mask) { + s << "NONE"; + } else { + bool leader = false; // need leading vbar? + uint32_t test_mask = 1; // mask for current method. + for ( int i = 0 ; i < HTTP_WKSIDX_METHODS_CNT ; ++i, test_mask<<=1 ) { + if (mask & test_mask) { + if (leader) + s << '|'; + s << hdrtoken_index_to_wks(i + HTTP_WKSIDX_CONNECT); + leader = true; + } + } + } } Debug("ip-allow", "%s", s.str().c_str()); } @@ -207,7 +235,6 @@ IpAllow::BuildTable() file_buf = readIntoBuffer(config_file_path, module_name, NULL); if (file_buf == NULL) { - _allow_all = false; Warning("%s Failed to read %s. All IP Addresses will be blocked", module_name, config_file_path); return 1; } @@ -242,34 +269,75 @@ IpAllow::BuildTable() SignalError(errBuf, alarmAlready); } else { // INKqa05845 - // Search for "action=ip_allow" or "action=ip_deny". + // Search for "action=ip_allow method=PURGE method=GET ..." or "action=ip_deny method=PURGE method=GET ...". char *label, *val; + uint32_t acl_method_mask = 0; + AclOp op; + bool op_found = false, method_found = false; for (int i = 0; i < MATCHER_MAX_TOKENS; i++) { label = line_info.line[0][i]; val = line_info.line[1][i]; - if (label == NULL) + if (label == NULL) { continue; + } if (strcasecmp(label, "action") == 0) { - bool found = false; - AclOp op; - if (strcasecmp(val, "ip_allow") == 0) - found = true, op = ACL_OP_ALLOW; - else if (strcasecmp(val, "ip_deny") == 0) - found = true, op = ACL_OP_DENY; - if (found) { - _acls.push_back(AclRecord(op, line_num)); - // Color with index because at this point the address - // is volatile. - _map.fill( - &addr1, &addr2, - reinterpret_cast<void*>(_acls.size()-1) - ); - } else { - snprintf(errBuf, sizeof(errBuf), "%s discarding %s entry at line %d : %s", module_name, config_file_path, line_num, "Invalid action specified"); //changed by YTS Team, yamsat bug id -59022 - SignalError(errBuf, alarmAlready); + if (strcasecmp(val, "ip_allow") == 0) { + op_found = true, op = ACL_OP_ALLOW; + } else if (strcasecmp(val, "ip_deny") == 0) { + op_found = true, op = ACL_OP_DENY; } } } + if (op_found) { + // Loop again for methods, (in case action= appears after method=) + for (int i = 0; i < MATCHER_MAX_TOKENS; i++) { + label = line_info.line[0][i]; + val = line_info.line[1][i]; + if (label == NULL) { + continue; + } + if (strcasecmp(label, "method") == 0) { + char *method_name, *sep_ptr = 0; + // Parse method="GET|HEAD" + for (method_name = strtok_r(val, "|", &sep_ptr); method_name != NULL; method_name = strtok_r(NULL, "|", &sep_ptr)) { + if (strcasecmp(method_name, "ALL") == 0) { + method_found = false; // in case someone does method=GET|ALL + break; + } else { + int method_idx = hdrtoken_tokenize(method_name, strlen(method_name)); + if (method_idx < HTTP_WKSIDX_CONNECT || method_idx >= HTTP_WKSIDX_CONNECT + HTTP_WKSIDX_METHODS_CNT) { + Warning("Method name '%s' on line %d is not valid. Ignoring.", method_name, line_num); + } else { // valid method. + method_found = true; + acl_method_mask |= MethodIdxToMask(method_idx); + } + } + } + } + } + // If method not specified, default to ALL + if (!method_found) { + method_found = true, acl_method_mask = ALL_METHOD_MASK; + } + // When deny, use bitwise complement. (Make the rule 'allow for all + // methods except those specified') + if (op == ACL_OP_DENY) { + acl_method_mask = ALL_METHOD_MASK & ~acl_method_mask; + } + } + + if (method_found) { + _acls.push_back(AclRecord(acl_method_mask, line_num)); + // Color with index because at this point the address + // is volatile. + _map.fill( + &addr1, &addr2, + reinterpret_cast<void*>(_acls.length()-1) + ); + } else { + snprintf(errBuf, sizeof(errBuf), "%s discarding %s entry at line %d : %s", module_name, config_file_path, line_num, "Invalid action/method specified"); //changed by YTS Team, yamsat bug id -59022 + SignalError(errBuf, alarmAlready); + } } } } @@ -279,7 +347,6 @@ IpAllow::BuildTable() if (_map.getCount() == 0) { Warning("%s No entries in %s. All IP Addresses will be blocked", module_name, config_file_path); - _allow_all = false; } else { // convert the coloring from indices to pointers. for ( IpMap::iterator spot(_map.begin()), limit(_map.end()) http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/proxy/IPAllow.h ---------------------------------------------------------------------- diff --git a/proxy/IPAllow.h b/proxy/IPAllow.h index 753289a..f8befa3 100644 --- a/proxy/IPAllow.h +++ b/proxy/IPAllow.h @@ -1,6 +1,6 @@ /** @file - A brief file description + Access control by IP address and HTTP method. @section license License @@ -32,8 +32,10 @@ #define _IP_ALLOW_H_ #include "Main.h" -#include <ts/IpMap.h> -#include <vector> +#include "hdrs/HTTP.h" +#include "ts/IpMap.h" +#include "vector" +#include "ts/Vec.h" // forward declare in name only so it can be a friend. struct IPAllow_UpdateContinuation; @@ -45,18 +47,22 @@ struct IPAllow_UpdateContinuation; // static uint64_t const IP_ALLOW_TIMEOUT = HRTIME_HOUR; -enum AclOp { - ACL_OP_ALLOW, ///< Allow access. - ACL_OP_DENY, ///< Deny access. -}; - +/** An access control record. + It has the methods permitted and the source line. +*/ struct AclRecord { - AclOp _op; + int _method_mask; int _src_line; - AclRecord(AclOp op, int ln) : _op(op), _src_line(ln) { } + /// Default constructor. + /// Present only to make Vec<> happy, do not use. + AclRecord() : _method_mask(0), _src_line(0) { } + + AclRecord(uint32_t method_mask, int ln) : _method_mask(method_mask), _src_line(ln) { } }; +/** Singleton class for access controls. + */ class IpAllow { friend int main(int, char**); friend struct IPAllow_UpdateContinuation; @@ -67,60 +73,54 @@ public: ~IpAllow(); int BuildTable(); void Print(); - bool match(in_addr_t addr) const; - bool match(IpEndpoint const* ip) const; - bool match(sockaddr const* ip) const; + uint32_t match(IpEndpoint const* ip) const; + uint32_t match(sockaddr const* ip) const; /// @return The global instance. static self* instance(); + + static bool CheckMask(uint32_t, int); private: static void InitInstance(); static void ReloadInstance(); + static uint32_t MethodIdxToMask(int); const char *config_file_var; char config_file_path[PATH_NAME_MAX]; const char *module_name; const char *action; - bool _allow_all; IpMap _map; - // Can't use Vec<> because it requires a default constructor for AclRecord. - std::vector<AclRecord> _acls; + Vec<AclRecord> _acls; static self* _instance; }; inline IpAllow* IpAllow::instance() { return _instance; } -inline bool -IpAllow::match(in_addr_t addr) const { - bool zret = _allow_all; - if (!zret) { - void* raw; - if (_map.contains(addr, &raw)) { - AclRecord* acl = static_cast<AclRecord*>(raw); - zret = acl && ACL_OP_ALLOW == acl->_op; - } - } - return zret; -} +inline uint32_t IpAllow::MethodIdxToMask(int idx) { return 1 << (idx - HTTP_WKSIDX_CONNECT); } -inline bool +inline uint32_t IpAllow::match(IpEndpoint const* ip) const { return this->match(&ip->sa); } -inline bool +inline uint32_t IpAllow::match(sockaddr const* ip) const { - bool zret = _allow_all; - if (!zret) { - void* raw; - if (_map.contains(ip, &raw)) { - AclRecord* acl = static_cast<AclRecord*>(raw); - zret = acl && ACL_OP_ALLOW == acl->_op; + uint32_t zret = 0; + void* raw; + if (_map.contains(ip, &raw)) { + AclRecord* acl = static_cast<AclRecord*>(raw); + if (acl) { + zret = acl->_method_mask; } } return zret; } +inline bool +IpAllow::CheckMask(uint32_t mask, int method_idx) { + return ((mask & MethodIdxToMask(method_idx)) != 0); +} + #endif http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/proxy/config/ip_allow.config.default ---------------------------------------------------------------------- diff --git a/proxy/config/ip_allow.config.default b/proxy/config/ip_allow.config.default index c082261..323dbad 100644 --- a/proxy/config/ip_allow.config.default +++ b/proxy/config/ip_allow.config.default @@ -1,10 +1,22 @@ -# # ip_allow.config # -# Two types of rules: -# src_ip=<range of IP addresses> action=ip_allow -# src_ip=<range of IP addresses> action=ip_deny +# Rules: +# src_ip=<range of IP addresses> action=<action> [<method=<list of methods separated by '|'>] +# +# Actions: ip_allow, ip_deny +# +# Multiple method keywords can be specified (method=GET method=HEAD), or +# multiple methods can be separated by an '|' (method=GET|HEAD). The method +# keyword is optional and it is defaulted to ALL. +# Available methods: ALL, GET, CONNECT, DELETE, HEAD, ICP_QUERY, OPTIONS, +# POST, PURGE, PUT, TRACE, PUSH +# # Rules are applied in the order listed starting from the top. # -src_ip=0.0.0.0-255.255.255.255 action=ip_allow -src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow +# Allow anything on localhost (this is the default configuration based on the +# depricated CONFIG proxy.config.http.quick_filter.mask INT 0x482) +src_ip=127.0.0.1 action=ip_allow method=ALL +src_ip=::1 action=ip_allow method=ALL +# Deny PURGE, DELETE, and PUSH for all (this implies allow other methods for all) +src_ip=0.0.0.0-255.255.255.255 action=ip_deny method=PUSH|PURGE|DELETE +src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_deny method=PUSH|PURGE|DELETE http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/proxy/config/records.config.default.in ---------------------------------------------------------------------- diff --git a/proxy/config/records.config.default.in b/proxy/config/records.config.default.in index 977f7fa..b6a7c30 100644 --- a/proxy/config/records.config.default.in +++ b/proxy/config/records.config.default.in @@ -205,29 +205,7 @@ CONFIG proxy.config.http.push_method_enabled INT 0 # ################################### # # HTTP Quick filtering (security) # # ################################### -# This is dedicated and very specific 'HTTP method' filter. -# Note: If method does not match, filtering will be skipped. -# bits 15-0 - HTTP method mask -# 0x0000 - Any possible HTTP method (or you can use 0xFFFF) -# 0x0001 - CONNECT -# 0x0002 - DELETE -# 0x0004 - GET -# 0x0008 - HEAD -# 0x0010 - ICP_QUERY -# 0x0020 - OPTIONS -# 0x0040 - POST -# 0x0080 - PURGE -# 0x0100 - PUT -# 0x0200 - TRACE -# 0x0400 - PUSH -# bits 18-16 - IP address type -# reserved -# bits 30-19 - reserved -# bit 31 - Action (allow=1, deny=0), leave at zero -# Note: if 'proxy.config.http.quick_filter.mask' is equal 0, there is no 'quick http filtering' at all -# -# The default (0x482 or 1154) denies all PUSH, PURGE and DELETE requests (except from 127.0.0.1) -CONFIG proxy.config.http.quick_filter.mask INT 0x482 +# this functionality is moved to ip_allow.config ################# # cache control # http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/proxy/http/HttpAccept.cc ---------------------------------------------------------------------- diff --git a/proxy/http/HttpAccept.cc b/proxy/http/HttpAccept.cc index f90b7b0..b239e20 100644 --- a/proxy/http/HttpAccept.cc +++ b/proxy/http/HttpAccept.cc @@ -40,11 +40,12 @@ HttpAccept::mainEvent(int event, void *data) //////////////////////////////////////////////////// NetVConnection *netvc = static_cast<NetVConnection *>(data); sockaddr const* client_ip = netvc->get_remote_addr(); + uint32_t acl_method_mask = 0; ip_port_text_buffer ipb; // The backdoor port is now only bound to "localhost", so reason to // check for if it's incoming from "localhost" or not. - if (!backdoor && IpAllow::instance() && (!IpAllow::instance()->match(client_ip))) { + if (!backdoor && IpAllow::instance() && ((acl_method_mask = IpAllow::instance()->match(client_ip)) == 0)) { Warning("connect by disallowed client %s, closing", ats_ip_ntop(client_ip, ipb, sizeof(ipb))); netvc->do_io_close(); @@ -63,6 +64,7 @@ HttpAccept::mainEvent(int event, void *data) new_session->outbound_ip4 = outbound_ip4; new_session->outbound_ip6 = outbound_ip6; new_session->outbound_port = outbound_port; + new_session->acl_method_mask = acl_method_mask; new_session->new_connection(netvc, backdoor); http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/proxy/http/HttpClientSession.h ---------------------------------------------------------------------- diff --git a/proxy/http/HttpClientSession.h b/proxy/http/HttpClientSession.h index 47d2a3e..b7aaa83 100644 --- a/proxy/http/HttpClientSession.h +++ b/proxy/http/HttpClientSession.h @@ -151,6 +151,8 @@ public: uint16_t outbound_port; /// Set outbound connection to transparent. bool f_outbound_transparent; + /// acl method mask - cache IpAllow::match() call + uint32_t acl_method_mask; // for DI. An active connection is one that a request has // been successfully parsed (PARSE_DONE) and it remains to http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/proxy/http/HttpConfig.cc ---------------------------------------------------------------------- diff --git a/proxy/http/HttpConfig.cc b/proxy/http/HttpConfig.cc index c382a5b..9737450 100644 --- a/proxy/http/HttpConfig.cc +++ b/proxy/http/HttpConfig.cc @@ -1316,9 +1316,6 @@ HttpConfig::startup() // HTTP Accept_Encoding filtering (depends on User-Agent) HttpEstablishStaticConfigByte(c.accept_encoding_filter_enabled, "proxy.config.http.accept_encoding_filter_enabled"); - // HTTP Quick filter - HttpEstablishStaticConfigLongLong(c.quick_filter_mask, "proxy.config.http.quick_filter.mask"); - // Negative caching HttpEstablishStaticConfigLongLong(c.oride.down_server_timeout, "proxy.config.http.down_server.cache_time"); HttpEstablishStaticConfigLongLong(c.oride.client_abort_threshold, "proxy.config.http.down_server.abort_threshold"); @@ -1578,8 +1575,6 @@ HttpConfig::reconfigure() params->accept_encoding_filter_enabled = INT_TO_BOOL(m_master.accept_encoding_filter_enabled); - params->quick_filter_mask = m_master.quick_filter_mask; - params->oride.down_server_timeout = m_master.oride.down_server_timeout; params->oride.client_abort_threshold = m_master.oride.client_abort_threshold; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/proxy/http/HttpConfig.h ---------------------------------------------------------------------- diff --git a/proxy/http/HttpConfig.h b/proxy/http/HttpConfig.h index cdd2608..d8c6f7a 100644 --- a/proxy/http/HttpConfig.h +++ b/proxy/http/HttpConfig.h @@ -713,11 +713,6 @@ public: //////////////////////////////////////////////////////// MgmtByte accept_encoding_filter_enabled; - ////////////////////////// - // HTTP Quick filtering // - ////////////////////////// - MgmtInt quick_filter_mask; - ////////////////// // Transparency // ////////////////// @@ -939,7 +934,6 @@ HttpConfigParams::HttpConfigParams() referer_filter_enabled(0), referer_format_redirect(0), accept_encoding_filter_enabled(0), - quick_filter_mask(0), client_transparency_enabled(0), server_transparency_enabled(0), reverse_proxy_enabled(0), http://git-wip-us.apache.org/repos/asf/trafficserver/blob/a2dc9657/proxy/http/HttpTransact.cc ---------------------------------------------------------------------- diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc index b10930b..5576e6d 100644 --- a/proxy/http/HttpTransact.cc +++ b/proxy/http/HttpTransact.cc @@ -47,6 +47,7 @@ #include "StatPages.h" #include "HttpClientSession.h" #include "I_Machine.h" +#include "IPAllow.h" static const char *URL_MSG = "Unable to process requested URL.\n"; @@ -847,9 +848,7 @@ HttpTransact::EndRemapRequest(State* s) ///////////////////////////////////////////////////// // Quick HTTP filtering (primary key: http method) // ///////////////////////////////////////////////////// - if (s->http_config_param->quick_filter_mask) { - process_quick_http_filter(s, method); - } + process_quick_http_filter(s, method); ///////////////////////////////////////////////////////////////////////// // We must close this connection if client_connection_enabled == false // ///////////////////////////////////////////////////////////////////////// @@ -6537,67 +6536,14 @@ HttpTransact::service_transaction_in_proxy_only_mode(State* s) void HttpTransact::process_quick_http_filter(State* s, int method) { - int quick_filter_mask; - - // TODO: This code is really a bastard solution, leftovers from a totally - // different internal implementation. We ought to either rewrite this - // completely, or just remove it. - - // Please refer to mgmt/RecordsConfig.cc file, - // "proxy.config.http.quick_filter.mask" variable for - // detailed information about quick_filter_mask layout. - // connection already disabled by previous ACL filtering, don't modify it. if (!s->client_connection_enabled) { return; } - // Exempt for "localhost", avoid denying for localhost. - if (ats_is_ip_loopback(&s->client_info.addr)) { - return; - } - - // See if there are any methods for the quick filter to apply to. - if (((quick_filter_mask = s->http_config_param->quick_filter_mask) & 0x0FFF) != 0) { - int method_mask = (method - HTTP_WKSIDX_CONNECT); // fastest way to do it - - if (likely(method_mask >= 0 && method_mask < HTTP_WKSIDX_METHODS_CNT)) { - method_mask = 1 << method_mask; - } else { // impossible case, but we have to check it - if (method == HTTP_WKSIDX_GET) - method_mask = 0x0004; - else if (method == HTTP_WKSIDX_HEAD) - method_mask = 0x0008; - else if (method == HTTP_WKSIDX_POST) - method_mask = 0x0040; - else if (method == HTTP_WKSIDX_DELETE) - method_mask = 0x0002; - else if (method == HTTP_WKSIDX_OPTIONS) - method_mask = 0x0020; - else if (method == HTTP_WKSIDX_PURGE) - method_mask = 0x0080; - else if (method == HTTP_WKSIDX_PUT) - method_mask = 0x0100; - else if (method == HTTP_WKSIDX_TRACE) - method_mask = 0x0200; - else if (method == HTTP_WKSIDX_PUSH) - method_mask = 0x0400; - else if (method == HTTP_WKSIDX_CONNECT) - method_mask = 0x0001; - else if (method == HTTP_WKSIDX_ICP_QUERY) - method_mask = 0x0010; - else - method_mask = 0x0000; - } - if ((quick_filter_mask & method_mask) == 0) { - return; // enable request processing because method does not match - } - } - - if ((quick_filter_mask & 0x80000000) == 0) + if (!IpAllow::CheckMask(s->state_machine->ua_session->acl_method_mask, method)) { s->client_connection_enabled = false; - else - s->client_connection_enabled = true; + } }
