[trafficserver] branch master updated: Clang format fix.
This is an automated email from the ASF dual-hosted git repository. shinrich pushed a commit to branch master in repository https://git-dual.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new b1f130d Clang format fix. b1f130d is described below commit b1f130d872e943106a5c0b3ea0ee0ef606ebf089 Author: shinrichAuthorDate: Wed May 4 21:15:15 2016 -0500 Clang format fix. --- iocore/net/I_SessionAccept.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h index 26a69e5..9e36b81 100644 --- a/iocore/net/I_SessionAccept.h +++ b/iocore/net/I_SessionAccept.h @@ -38,8 +38,7 @@ public: /* Returns NULL if the specified client_ip is not allowed by ip_allow * Returns a pointer to the relevant IP policy for later processing otherwise */ - static const AclRecord * - testIpAllowPolicy(sockaddr const *client_ip); + static const AclRecord *testIpAllowPolicy(sockaddr const *client_ip); private: virtual int mainEvent(int event, void *netvc) = 0; -- To stop receiving notification emails like this one, please contact ['"commits@trafficserver.apache.org" '].
[trafficserver] branch master updated: Fix clang build errors.
This is an automated email from the ASF dual-hosted git repository. shinrich pushed a commit to branch master in repository https://git-dual.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 43337d3 Fix clang build errors. 43337d3 is described below commit 43337d3b95c23276204d267b8f49a65804de1717 Author: shinrichAuthorDate: Wed May 4 21:07:49 2016 -0500 Fix clang build errors. --- iocore/net/I_SessionAccept.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h index 8b55e74..26a69e5 100644 --- a/iocore/net/I_SessionAccept.h +++ b/iocore/net/I_SessionAccept.h @@ -27,7 +27,7 @@ #include "I_Net.h" #include "I_VConnection.h" -class AclRecord; +struct AclRecord; class SessionAccept : public Continuation { -- To stop receiving notification emails like this one, please contact ['"commits@trafficserver.apache.org" '].
[trafficserver] branch master updated: TS-3485: Support ip_allow config for HTTP2. This closes #614.
This is an automated email from the ASF dual-hosted git repository. shinrich pushed a commit to branch master in repository https://git-dual.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 5ce103e TS-3485: Support ip_allow config for HTTP2. This closes #614. 5ce103e is described below commit 5ce103e889ef2eec9216ec06ae681916cb6e2298 Author: Susan HinrichsAuthorDate: Wed May 4 01:49:30 2016 + TS-3485: Support ip_allow config for HTTP2. This closes #614. --- iocore/net/I_SessionAccept.h | 7 ++ iocore/net/Makefile.am | 1 + iocore/net/{I_SessionAccept.h => SessionAccept.cc} | 27 +++--- proxy/http/HttpSessionAccept.cc| 19 +++ proxy/http2/Http2ClientSession.cc | 12 -- proxy/http2/Http2SessionAccept.cc | 13 --- 6 files changed, 41 insertions(+), 38 deletions(-) diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/I_SessionAccept.h index 3d25b3d..8b55e74 100644 --- a/iocore/net/I_SessionAccept.h +++ b/iocore/net/I_SessionAccept.h @@ -27,6 +27,8 @@ #include "I_Net.h" #include "I_VConnection.h" +class AclRecord; + class SessionAccept : public Continuation { public: @@ -34,6 +36,11 @@ public: ~SessionAccept() {} virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0; + /* Returns NULL if the specified client_ip is not allowed by ip_allow + * Returns a pointer to the relevant IP policy for later processing otherwise */ + static const AclRecord * + testIpAllowPolicy(sockaddr const *client_ip); + private: virtual int mainEvent(int event, void *netvc) = 0; }; diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am index 888d3c2..45d3ee9 100644 --- a/iocore/net/Makefile.am +++ b/iocore/net/Makefile.am @@ -60,6 +60,7 @@ libinknet_a_SOURCES = \ I_UDPPacket.h \ Inline.cc \ I_SessionAccept.h \ + SessionAccept.cc \ Net.cc \ NetVConnection.cc \ P_CompletionUtil.h \ 
diff --git a/iocore/net/I_SessionAccept.h b/iocore/net/SessionAccept.cc similarity index 68% copy from iocore/net/I_SessionAccept.h copy to iocore/net/SessionAccept.cc index 3d25b3d..9d0ff03 100644 --- a/iocore/net/I_SessionAccept.h +++ b/iocore/net/SessionAccept.cc @@ -21,21 +21,20 @@ limitations under the License. */ -#ifndef I_SessionAccept_H_ -#define I_SessionAccept_H_ - #include "I_Net.h" #include "I_VConnection.h" +#include "../../proxy/IPAllow.h" -class SessionAccept : public Continuation +const AclRecord * +SessionAccept::testIpAllowPolicy(sockaddr const *client_ip) { -public: - SessionAccept(ProxyMutex *amutex) : Continuation(amutex) { SET_HANDLER(::mainEvent); } - ~SessionAccept() {} - virtual void accept(NetVConnection *, MIOBuffer *, IOBufferReader *) = 0; - -private: - virtual int mainEvent(int event, void *netvc) = 0; -}; - -#endif /* I_SessionAccept_H_ */ + IpAllow::scoped_config ipallow; + const AclRecord *acl_record = NULL; + if (ipallow) { +acl_record = ipallow->match(client_ip); +if (acl_record && acl_record->isEmpty()) { + acl_record = NULL; +} + } + return acl_record; +} diff --git a/proxy/http/HttpSessionAccept.cc b/proxy/http/HttpSessionAccept.cc index 394bbf7..ba5a500 100644 --- a/proxy/http/HttpSessionAccept.cc +++ b/proxy/http/HttpSessionAccept.cc 
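Review bot: The pointer returned by `SessionAccept::testIpAllowPolicy` comes from `ipallow->match(client_ip)`, but the `IpAllow::scoped_config ipallow` handle it was obtained through is a local that is destroyed on return. If that handle is what pins the loaded ip_allow configuration (its definition is not in this diff, so this is inferred from the name), callers hold an ACL record "for later processing" with nothing keeping its configuration alive across a reload. The removed inline code in HttpSessionAccept::accept had the same shape, but a shared static helper hides that contract from new callers. I would state the lifetime in the declaration comment in I_SessionAccept.h, e.g. `/* The returned record belongs to the ip_allow configuration current at call time; see IpAllow for how long it remains valid. */`, after confirming the release behaviour in IPAllow.h.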
@@ -33,20 +33,21 @@ HttpSessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReade sockaddr const *client_ip = netvc->get_remote_addr(); const AclRecord *acl_record = NULL; ip_port_text_buffer ipb; - IpAllow::scoped_config ipallow; // The backdoor port is now only bound to "localhost", so no // reason to check for if it's incoming from "localhost" or not. if (backdoor) { acl_record = IpAllow::AllMethodAcl(); - } else if (ipallow && (((acl_record = ipallow->match(client_ip)) == NULL) || (acl_record->isEmpty( { - -// if client address forbidden, close immediately // - -Warning("client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb))); -netvc->do_io_close(); - -return; + } else { +acl_record = testIpAllowPolicy(client_ip); +if (!acl_record) { + + // if client address forbidden, close immediately // + + Warning("client '%s' prohibited by ip-allow policy", ats_ip_ntop(client_ip, ipb, sizeof(ipb))); + netvc->do_io_close(); + return; +} } // Set the transport type if not already set diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc index d759c84..5930140 100644 --- a/proxy/http2/Http2ClientSession.cc +++
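Review bot: The new `else` branch closes the connection whenever `testIpAllowPolicy(client_ip)` returns NULL, and the helper in SessionAccept.cc also returns NULL when `IpAllow::scoped_config ipallow` evaluates false. The removed condition began with `ipallow &&`, so in that case the connection used to proceed. Failing closed when no ip_allow configuration can be acquired is a defensible default for an access-control check, but the commit message does not mention the change, and the warning `client '%s' prohibited by ip-allow policy` would then blame a policy that was never consulted. If it is intended, say so at the call site, e.g. `// NULL also means no ip_allow configuration was available: fail closed`; otherwise the helper needs a way to report the two cases separately. The body of HttpSessionAccept::accept continues outside the hunk.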
[trafficserver] branch master updated: TS-4075: add a state check for sslHandshakeHookState after PreAcceptHookState checking. This closes #374.
This is an automated email from the ASF dual-hosted git repository. shinrich pushed a commit to branch master in repository https://git-dual.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 19cc051 TS-4075: add a state check for sslHandshakeHookState after PreAcceptHookState checking. This closes #374. 19cc051 is described below commit 19cc051bb9e803855d2fb424ccf8a4b9546dc49d Author: OknetAuthorDate: Mon Dec 14 20:00:45 2015 +0800 TS-4075: add a state check for sslHandshakeHookState after PreAcceptHookState checking. This closes #374. --- iocore/net/SSLNetVConnection.cc | 52 ++--- 1 file changed, 28 insertions(+), 24 deletions(-) diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 7f299c2..3f688bf 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -1042,6 +1042,11 @@ SSLNetVConnection::sslServerHandShakeEvent(int ) } } + // handle SNI Hooks after PreAccept Hooks + if (HANDSHAKE_HOOKS_DONE != sslHandshakeHookState && HANDSHAKE_HOOKS_PRE != sslHandshakeHookState) { +return SSL_WAIT_FOR_HOOK; + } + // If a blind tunnel was requested in the pre-accept calls, convert. // Again no data has been exchanged, so we can go directly // without data replay. @@ -1387,10 +1392,9 @@ SSLNetVConnection::select_next_protocol(SSL *ssl, const unsigned char **out, uns void SSLNetVConnection::reenable(NetHandler *nh) { - if (this->sslPreAcceptHookState != SSL_HOOKS_DONE) { -this->sslPreAcceptHookState = SSL_HOOKS_INVOKE; -this->readReschedule(nh); - } else { + if (sslPreAcceptHookState != SSL_HOOKS_DONE) { +sslPreAcceptHookState = SSL_HOOKS_INVOKE; + } else if (sslHandshakeHookState == HANDSHAKE_HOOKS_INVOKE) { // Reenabling from the handshake callback // // Originally, we would wait for the callback to go again to execute additinonal 
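Review bot: The comment on the new guard in sslServerHandShakeEvent, `// handle SNI Hooks after PreAccept Hooks`, does not say what the check enforces. As written, the handshake returns `SSL_WAIT_FOR_HOOK` for every state except `HANDSHAKE_HOOKS_PRE` and `HANDSHAKE_HOOKS_DONE`; judging by the other hunks of this commit, those are the states where a cert/SNI hook has started and not yet finished. Because certificate selection and plugin policy run in those hooks, the intent should be spelled out, e.g. `// A cert/SNI hook is still outstanding (state is neither PRE nor DONE): do not continue the handshake until the plugin reenables.` The enclosing function starts and ends outside the hunk, so whether any earlier path can bypass this guard cannot be checked from here.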
@@ -1400,16 +1404,17 @@ SSLNetVConnection::reenable(NetHandler *nh) // here in the reenable. if (curHook != NULL) { curHook = curHook->next(); - if (curHook != NULL) { -// Invoke the hook -curHook->invoke(TS_SSL_CERT_HOOK, this); - } } -if (curHook == NULL) { +if (curHook != NULL) { + // Invoke the hook and return, wait for next reenable + curHook->invoke(TS_SSL_CERT_HOOK, this); + return; +} else { // curHook == NULL + // empty, set state to HOOKS_DONE this->sslHandshakeHookState = HANDSHAKE_HOOKS_DONE; - this->readReschedule(nh); } } + this->readReschedule(nh); } bool 
@@ -1433,34 +1438,33 @@ SSLNetVConnection::callHooks(TSHttpHookID eventId) // Only dealing with the SNI/CERT hook so far. // TS_SSL_SNI_HOOK and TS_SSL_CERT_HOOK are the same value ink_assert(eventId == TS_SSL_CERT_HOOK); + Debug("ssl", "callHooks sslHandshakeHookState=%d", this->sslHandshakeHookState); - // First time through, set the type of the hook that is currently - // being invoked - if (this->sslHandshakeHookState == HANDSHAKE_HOOKS_PRE) { + // First time through, set the type of the hook that is currently being invoked + if (HANDSHAKE_HOOKS_PRE == sslHandshakeHookState) { +// the previous hook should be DONE and set curHook to NULL before trigger the sni hook. +ink_assert(curHook == NULL); +// set to HOOKS_CERT means CERT/SNI hooks has called by SSL_accept() this->sslHandshakeHookState = HANDSHAKE_HOOKS_CERT; - } - - if (this->sslHandshakeHookState == HANDSHAKE_HOOKS_CERT && eventId == TS_SSL_CERT_HOOK) { -if (curHook != NULL) { - curHook = curHook->next(); -} else { - curHook = ssl_hooks->get(TS_SSL_CERT_INTERNAL_HOOK); -} +// get Hooks +curHook = ssl_hooks->get(TS_SSL_CERT_INTERNAL_HOOK); } else { -// Not in the right state, or no plugins registered for this hook +// Not in the right state // reenable and continue return true; } bool reenabled = true; - SSLHandshakeHookState holdState = this->sslHandshakeHookState; if (curHook != NULL) { // Otherwise, we have plugin hooks to run this->sslHandshakeHookState = HANDSHAKE_HOOKS_INVOKE; curHook->invoke(eventId, this); reenabled = (this->sslHandshakeHookState != HANDSHAKE_HOOKS_INVOKE); + } else { +// no SNI-Hooks set, set state to HOOKS_DONE +// no plugins registered for this hook, return (reenabled == true) +sslHandshakeHookState = HANDSHAKE_HOOKS_DONE; } - this->sslHandshakeHookState = holdState; return reenabled; } -- To stop receiving notification emails like this one, please contact ['"commits@trafficserver.apache.org" '].
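Review bot: The `else` branch in callHooks now returns `true` for every state other than `HANDSHAKE_HOOKS_PRE`. That includes `HANDSHAKE_HOOKS_INVOKE`, which this function sets just before `curHook->invoke(eventId, this)` and which stays set until the plugin reenables. Returning "reenabled" while a hook is still outstanding is only safe if callHooks cannot be reached again in that state, which appears to rely on the `SSL_WAIT_FOR_HOOK` guard added to sslServerHandShakeEvent in the first hunk of this commit; the callers are not visible here. The comment `// Not in the right state` should record that dependency, e.g. `// Hooks already started or finished for this handshake; sslServerHandShakeEvent must not re-enter SSL_accept() while the state is CERT or INVOKE.` The function's opening lines are outside the hunk.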
[trafficserver] branch master updated: TS-4387: When calling TSContSchedule()/TSContScheduleEvery(), the passed in parameter TSCont have to have MUTEX; otherwise if we call TSContSchedule()/TSContSche
This is an automated email from the ASF dual-hosted git repository. briang pushed a commit to branch master in repository https://git-dual.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new f96c1f5 TS-4387: When calling TSContSchedule()/TSContScheduleEvery(), the passed in parameter TSCont have to have MUTEX; otherwise if we call TSContSchedule()/TSContScheduleEvery() more than once using same TSCont, only the first call will take effect; all the following schedule are ignored due to MUTEX issue. f96c1f5 is described below commit f96c1f505564280b3f12a98c3ae7abc33b73b168 Author: Shen ZhangAuthorDate: Wed May 4 00:46:21 2016 -0700 TS-4387: When calling TSContSchedule()/TSContScheduleEvery(), the passed in parameter TSCont have to have MUTEX; otherwise if we call TSContSchedule()/TSContScheduleEvery() more than once using same TSCont, only the first call will take effect; all the following schedule are ignored due to MUTEX issue. This closes #603 --- proxy/InkAPI.cc | 4 1 file changed, 4 insertions(+) diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc index 6b2bce2..66f9f50 100644 --- a/proxy/InkAPI.cc +++ b/proxy/InkAPI.cc @@ -4217,6 +4217,8 @@ TSContSchedule(TSCont contp, ink_hrtime timeout, TSThreadPool tp) { sdk_assert(sdk_sanity_check_iocore_structure(contp) == TS_SUCCESS); + FORCE_PLUGIN_SCOPED_MUTEX(contp); + INKContInternal *i = (INKContInternal *)contp; TSAction action; @@ -4269,6 +4271,8 @@ TSContScheduleEvery(TSCont contp, ink_hrtime every, TSThreadPool tp) { sdk_assert(sdk_sanity_check_iocore_structure(contp) == TS_SUCCESS); + FORCE_PLUGIN_SCOPED_MUTEX(contp); + INKContInternal *i = (INKContInternal *)contp; TSAction action; -- To stop receiving notification emails like this one, please contact ['"commits@trafficserver.apache.org" '].
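Review bot: The `FORCE_PLUGIN_SCOPED_MUTEX(contp);` added to TSContSchedule, and again in the TSContScheduleEvery hunk, turns "the continuation must have a mutex" into a precondition of two public plugin APIs, but neither function gets a comment saying so. The macro's definition is not in this diff; if it asserts on a NULL mutex, as the name and the commit message suggest, an existing plugin that schedules a continuation created without one would now abort the server. Before this commit such a plugin only had its later schedule calls ignored. I would document the requirement above both functions, e.g. `// contp must have been created with a mutex; scheduling a mutex-less continuation is a plugin error`, and confirm that failure mode is intended for release builds. If the macro also holds the lock for the rest of the function, that is worth a sentence too. Both function bodies continue outside their hunks.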