masaori335 commented on code in PR #11633:
URL: https://github.com/apache/trafficserver/pull/11633#discussion_r1699218862
##########
doc/admin-guide/files/remap.config.en.rst:
##########
@@ -581,67 +581,159 @@ Note the step 1 happens at the start of the connection
before any transactions a
ATS v10 introduced following matching policies. Prior to the change, ATS
traverses all matched ACL filters by IP and "deny"
action had priority.
+ACL Action Behavior Changes for 10.x
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Before |TS| 10.x, ACL filters used the same action names as
:file:`ip_allow.yaml` (``allow`` and ``deny``) but these
+actions behaved differently.
+
+- As described in :file:`ip_allow.yaml`, for any transaction matching an
:file:`ip_allow.yaml` rule whose action is
+ ``allow``, any request with a method in the allow list will be accepted,
while all other methods are denied. ``deny``
+ actions instead list methods which are denied, while all other methods are
implicitly allowed.
+- These same action names for ACL filters, on the other hand, functioned
essentially additively in nature. For instance,
+ an ``allow`` ACL filter action would list a set of methods which would be
allowed in addition to any other allowed
+ methods specified by :file:`ip_allow.yaml` rules. Similarly, a ``deny`` ACL
filter action would list a set of methods
+ which would be denied in addition to any other denied methods specified by
:file:`ip_allow.yaml` rules.
+
+This difference in behavior lead at times to confusion as users would expect
the two actions having the same name to
+behave the same across the ACL filter and :file:`ip_allow.yaml` rule systems.
+
+For |TS| 10.x, these ACL filter actions are transitioning to be more
consistent with :file:`ip_allow.yaml` rules while
+still allowing additive action behavior via two new rules: ``add_allow`` and
``add_deny``:
+
+- ``allow``: as with ``allow`` actions for :file:`ip_allow.yaml` rules, this
action specifies a list of HTTP methods
+ which are allowed. All requests with a methods in this list will be allowed,
requests with methods not in this list
+ will be denied, and no other filters or :file:`ip_allow.yaml` rules will be
applied.
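Review bot: The ``allow`` bullet that closes this hunk says "no other filters or :file:`ip_allow.yaml` rules will be applied" without stating the matching policy under which that holds, even though the unchanged context above the additions says ATS v10 introduced matching policies. Suggest naming the condition in the bullet. Suggest also spelling out the upgrade consequence that follows from the two descriptions here: a pre-10.x ``allow`` filter only added methods to those already allowed, while the 10.x ``allow`` denies every method not in its list and skips :file:`ip_allow.yaml`, so existing filters need to be audited before upgrading. Wording in the same hunk: "lead at times to confusion" should be "led", "a methods in this list" should be "a method", and "two new rules: ``add_allow`` and ``add_deny``" should say "actions" to match the rest of the section.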
Review Comment:
I think this describes the behavior of `set_allow`, or when
`proxy.config.url_remap.acl_matching_policy` is `1`.
--
This is an automated message from the Apache Git Service.