[ https://issues.apache.org/jira/browse/TS-1235?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13616405#comment-13616405 ]
Alan M. Carroll commented on TS-1235:
-------------------------------------

I think this is because the IpMap is not being locked during update. I am working on a fix.

> Deny occurring for IPs not in the ip_allow.config file
> ------------------------------------------------------
>
> Key: TS-1235
> URL: https://issues.apache.org/jira/browse/TS-1235
> Project: Traffic Server
> Issue Type: Bug
> Components: Configuration, Security
> Affects Versions: 3.1.3
> Environment: Linux server.domain.com 2.6.32-220.el6.x86_64 #1 SMP Wed Dec 7 10:41:06 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
> Reporter: Michael Turner
> Assignee: Alan M. Carroll
> Fix For: 3.3.4
>
>
> Consistently seeing this morning IPs that are not set to deny in ip_allow.config being rejected. Here's the config file we were using:
>
> #
> # ip_allow.config
> #
> # Two types of rules:
> # #src_ip=<range of IP addresses> action=ip_allow
> # #src_ip=<range of IP addresses> action=ip_deny
> # Rules are applied in the order listed starting from the top.
> #
> # Ban all of the XXXX servers
> src_ip=AAA.BBB.CCC.134 action=ip_deny
> #src_ip=AAA.BBB.CCC.135 action=ip_deny # temp unbanning. we've talked to him
> src_ip=AAA.BBB.CCC.137 action=ip_deny
> src_ip=AAA.BBB.CCC.202 action=ip_deny
> src_ip=AAA.BBB.CCC.203 action=ip_deny
> src_ip=AAA.BBB.CCC.208 action=ip_deny
> src_ip=AAA.BBB.CCC.209 action=ip_deny
> src_ip=AAA.BBB.CCC.216 action=ip_deny
> src_ip=AAA.BBB.CCC.217 action=ip_deny
> src_ip=AAA.BBB.CCC.218 action=ip_deny
> src_ip=AAA.BBB.CCC.219 action=ip_deny
> src_ip=AAA.BBB.CCC.220 action=ip_deny
> src_ip=AAA.BBB.CCC.222 action=ip_deny
> src_ip=AAA.BBB.CCC.224 action=ip_deny
> src_ip=AAA.BBB.CCC.236 action=ip_deny
> # Banned IPs
> src_ip=AAA.BBB.CCC.212 action=ip_deny
> src_ip=AAA.BBB.CCC.246 action=ip_deny
> src_ip=AAA.BBB.CCC.144 action=ip_deny
> # Stock Rules
> src_ip=0.0.0.0-255.255.255.255 action=ip_allow
> src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow
>
> And here's log entries from when this config was active:
>
> [Apr 30 10:06:21.446] {0x2b321b2d42a0} NOTE: updated diags config
> [Apr 30 10:06:21.449] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
> [Apr 30 10:06:21.492] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
> [Apr 30 10:06:21.584] Server {0x2b321b2d42a0} NOTE: logging initialized[15], logging_mode = 3
> [Apr 30 10:06:21.591] Server {0x2b321b2d42a0} NOTE: traffic server running
> [Apr 30 10:06:25.140] Server {0x2b3222d2c700} NOTE: cache enabled
> [Apr 30 10:06:33.804] Server {0x2b3223534700} WARNING: connect by disallowed client AAA.BBB.CCC.111, closing
> [Apr 30 10:07:01.914] Server {0x2b324b2d2700} WARNING: connect by disallowed client AAA.BBB.CCC.111, closing
> [Apr 30 10:07:02.025] Server {0x2b324b4d4700} WARNING: connect by disallowed client AAA.BBB.CCC.144, closing
> [Apr 30 10:07:03.109] Server {0x2b3222827700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:04.594] Server {0x2b3222f2e700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:05.201] Server {0x2b3223332700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.170] Server {0x2b3223534700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.575] Server {0x2b3223736700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.690] Server {0x2b3223837700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.785] Server {0x2b3223938700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.817] Server {0x2b3223a39700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:06.841] Server {0x2b3223b3a700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
> [Apr 30 10:07:10.587] Server {0x2b321b2d42a0} WARNING: connect by disallowed client AAA.BBB.CCC.35, closing
> FATAL: HttpSM.cc:890: failed assert `0`
>
> The IPs visible in the log ending in .111 and .74 are not in the deny list anywhere. The two ending in .144 and .35 are in the deny list.
> Please let me know what further information I can provide to help troubleshoot/reproduce this.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
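
A triage check for the symptom reported above, as an added example that is not part of the original message or of Traffic Server's code: it evaluates `ip_allow.config` rules top-down (first match wins, as the file's header comment states) and lists the addresses that the log shows as "connect by disallowed client" although the rules allow them. The config and log below are constructed samples that use 192.0.2.0/24 in place of the redacted addresses; the function names and the deny-when-nothing-matches default are assumptions.

```python
import ipaddress
import re

# Constructed sample: same rule shape as the config in the report, with
# documentation addresses (192.0.2.0/24) standing in for the redacted ones.
SAMPLE_CONFIG = """\
src_ip=192.0.2.134 action=ip_deny
#src_ip=192.0.2.135 action=ip_deny # commented out, so not a rule
src_ip=192.0.2.144 action=ip_deny
src_ip=0.0.0.0-255.255.255.255 action=ip_allow
src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow
"""

# Constructed diags log lines in the format quoted in the report.
SAMPLE_LOG = """\
[Apr 30 10:06:33.804] Server {0x2b3223534700} WARNING: connect by disallowed client 192.0.2.111, closing
[Apr 30 10:07:02.025] Server {0x2b324b4d4700} WARNING: connect by disallowed client 192.0.2.144, closing
[Apr 30 10:07:03.109] Server {0x2b3222827700} WARNING: connect by disallowed client 192.0.2.74, closing
"""

RULE = re.compile(r"^src_ip=(\S+)\s+action=(ip_allow|ip_deny)\b")
DENIED = re.compile(r"connect by disallowed client (\S+), closing")

def parse_rules(text):
    """Return [(low, high, action)] in file order; comment lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        low, _, high = m.group(1).partition("-")  # single IP or low-high range
        rules.append((ipaddress.ip_address(low),
                      ipaddress.ip_address(high or low), m.group(2)))
    return rules

def expected_action(rules, addr):
    """First matching rule wins; assumed default when nothing matches: deny."""
    ip = ipaddress.ip_address(addr)
    for low, high, action in rules:
        if ip.version == low.version and low <= ip <= high:
            return action
    return "ip_deny"

def unexplained_denies(config_text, log_text):
    """Logged rejections the rules do not explain, in first-seen order."""
    rules = parse_rules(config_text)
    hits = DENIED.findall(log_text)
    return list(dict.fromkeys(a for a in hits if expected_action(rules, a) == "ip_allow"))
```

On the constructed sample, `unexplained_denies(SAMPLE_CONFIG, SAMPLE_LOG)` reports the `.111` and `.74` addresses and leaves out `.144`, which has an explicit deny rule.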