In summary:
* use nonBlockingCheck() or fastCheck() to test ACLs.
* be prepared to handle any allow_t in the result.
ACL testing functions publicly available from ACLChecklist are:
- nonBlockingCheck (public), fastCheck (public), check (public but not
to be used)
- matchAclListFast (public), matchAclListSlow (private), matchAclList
(private).
Given that there are only two types of test performed, this array of API
methods has been causing confusion and mistakes for some developers.
This patch seeks to clarify that API by correcting a flaw in the naming
of check() and matchAclListFast().
Due to "Fast" ACLs coming in two types there are two overloaded
fastCheck() functions. Now with identical output behaviour. Both return
the allow_t result of the lookup. This is expected to _usually_ be
ACCESS_ALLOWED/ACCESS_DENIED but that is not always the case. Callers
need to be written with consideration that the set of enum results may
change.
- fastCheck(), no parameters, when a full set of "Fast" *_access lines
are to be scanned. The checklist constructor accepts the list to be
scanned. This is the old fastCheck(), with the new ALLOWED/DENIED/DUNNO
result.
- fastCheck(list), one parameter, when a single-line set of ACLs is to
be scanned. This is the old matchAclListFast(), with the new
ALLOWED/DENIED/DUNNO result. Will return ALLOWED whenever the whole set
of ACLs matches. Other results may vary.
- nonBlockingCheck() - for "Slow" non-blocking lookups with
asynchronous callback handler. NP: not touched by this patch.
The output change from boolean to allow_t is due to the fastCheck
callers mixed set of needs allow/deny/other which boolean cannot meet.
Mapping that tri-state need to a boolean result has led to inconsistent
cases of fastCheck() producing unusual values for "true". Sometimes
wrongly for the caller.
Added result lookup type ACCESS_DUNNO, to indicate a test was unable to
be completed BUT there was no allow/deny/auth-required resulting.
Alters all previous calling code to use the new fastCheck() API output.
Some have been polished up to boolean where appropriate instead of
relying on integer values.
Removes matchAclListFast/matchAclListSlow,
Renames check() to matchNonBlocking;
all match*() functions are internal operations during ACL testing.
FUTURE WORK:
* update check() to send allow_t to its callbacks as well.
* update remaining messy callers from using int(0 or 1) types to bool
or allow_t as appropriate.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.9 and 3.1.12.3
=== modified file 'src/DelayId.cc'
--- src/DelayId.cc 2011-06-03 06:20:23 +0000
+++ src/DelayId.cc 2011-06-28 03:21:13 +0000
@@ -126,7 +126,7 @@
if (http->getConn() != NULL)
ch.conn(http->getConn());
- if (DelayPools::delay_data[pool].theComposite().getRaw() && ch.fastCheck()) {
+ if (DelayPools::delay_data[pool].theComposite().getRaw() && ch.fastCheck() == ACCESS_ALLOWED) {
DelayId result (pool + 1);
CompositePoolNode::CompositeSelectionDetails details;
=== modified file 'src/HttpHeaderTools.cc'
--- src/HttpHeaderTools.cc 2011-05-31 21:06:39 +0000
+++ src/HttpHeaderTools.cc 2011-06-28 03:26:35 +0000
@@ -433,7 +433,7 @@
ACLFilledChecklist checklist(hm->access_list, request, NULL);
- if (checklist.fastCheck()) {
+ if (checklist.fastCheck() == ACCESS_ALLOWED) {
/* aclCheckFast returns true for allow. */
retval = 1;
} else if (NULL == hm->replacement) {
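Review bot: The comment `/* aclCheckFast returns true for allow. */` on the line after the changed condition is now stale: fastCheck() no longer returns a boolean and the result is compared against an allow_t, so "true" no longer describes anything. Replace it with `/* fastCheck() yields ACCESS_ALLOWED for allow; ACCESS_DENIED and the new ACCESS_DUNNO both fall through to the replacement handling below. */` so the next reader knows DUNNO is deliberately treated as not-allowed here. The enclosing function continues outside the hunk.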
=== modified file 'src/HttpReply.cc'
--- src/HttpReply.cc 2011-04-27 23:48:03 +0000
+++ src/HttpReply.cc 2011-06-28 03:09:43 +0000
@@ -604,7 +604,7 @@
ch.reply = HTTPMSGLOCK(this); // XXX: this lock makes method non-const
for (acl_size_t *l = Config.ReplyBodySize; l; l = l -> next) {
/* if there is no ACL list or if the ACLs listed match use this size value */
- if (!l->aclList || ch.matchAclListFast(l->aclList)) {
+ if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) {
debugs(58, 4, HERE << "bodySizeMax=" << bodySizeMax);
bodySizeMax = l->size; // may be -1
break;
=== modified file 'src/HttpRequest.cc'
--- src/HttpRequest.cc 2011-06-04 12:48:45 +0000
+++ src/HttpRequest.cc 2011-06-28 03:10:03 +0000
@@ -666,7 +666,7 @@
for (acl_size_t *l = Config.rangeOffsetLimit; l; l = l -> next) {
/* if there is no ACL list or if the ACLs listed match use this limit value */
- if (!l->aclList || ch.matchAclListFast(l->aclList)) {
+ if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) {
debugs(58, 4, HERE << "rangeOffsetLimit=" << rangeOffsetLimit);
rangeOffsetLimit = l->size; // may be -1
break;
=== modified file 'src/ICP.h'
--- src/ICP.h 2010-10-02 08:39:22 +0000
+++ src/ICP.h 2011-06-28 10:32:36 +0000
@@ -131,7 +131,7 @@
HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from);
/// \ingroup ServerProtocolICPAPI
-int icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request);
+bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request);
/// \ingroup ServerProtocolICPAPI
SQUIDCEXTERN void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from);
=== modified file 'src/acl/Acl.h'
--- src/acl/Acl.h 2009-03-08 19:45:44 +0000
+++ src/acl/Acl.h 2011-06-28 03:05:18 +0000
@@ -107,6 +107,7 @@
typedef enum {
ACCESS_DENIED,
ACCESS_ALLOWED,
+ ACCESS_DUNNO,
ACCESS_REQ_PROXY_AUTH
} allow_t;
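Review bot: Inserting `ACCESS_DUNNO` between `ACCESS_ALLOWED` and `ACCESS_REQ_PROXY_AUTH` renumbers `ACCESS_REQ_PROXY_AUTH` from 2 to 3, and the commit message itself says some callers still treat allow_t as an integer, so any remaining int comparison, log line or callback that baked in the old value silently changes meaning. Appending the enumerator instead, `ACCESS_REQ_PROXY_AUTH, ACCESS_DUNNO`, keeps existing values stable; if the order is deliberate, the typedef should say the numeric values are not stable. The new enumerator also has no comment; add `ACCESS_DUNNO, ///< test could not be completed: no allow/deny/auth-required result` so callers know it is neither an allow nor a deny.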
=== modified file 'src/acl/Checklist.cc'
--- src/acl/Checklist.cc 2011-06-15 08:47:09 +0000
+++ src/acl/Checklist.cc 2011-06-28 11:53:09 +0000
@@ -49,7 +49,7 @@
}
void
-ACLChecklist::check()
+ACLChecklist::matchNonBlocking()
{
if (checking())
return;
@@ -169,7 +169,7 @@
{
preCheck();
/* does the current AND clause match */
- matchAclListSlow(accessList->aclList);
+ matchAclList(accessList->aclList, false);
}
void
@@ -197,12 +197,6 @@
}
void
-ACLChecklist::matchAclListSlow(const ACLList * list)
-{
- matchAclList(list, false);
-}
-
-void
ACLChecklist::matchAclList(const ACLList * head, bool const fast)
{
PROF_start(aclMatchAclList);
@@ -328,25 +322,40 @@
{
callback = callback_;
callback_data = cbdataReference(callback_data_);
- check();
+ matchNonBlocking();
+}
+
+allow_t const &
+ACLChecklist::fastCheck(const ACLList * list)
+{
+ PROF_start(aclCheckFast);
+ currentAnswer(ACCESS_DUNNO);
+ matchAclList(list, true);
+ // assume ALLOWED on matches due to not having an acl_access object
+ if (finished())
+ currentAnswer(ACCESS_ALLOWED);
+ PROF_stop(aclCheckFast);
+ return currentAnswer();
}
/* Warning: do not cbdata lock this here - it
* may be static or on the stack
*/
-int
+allow_t const &
ACLChecklist::fastCheck()
{
PROF_start(aclCheckFast);
- currentAnswer(ACCESS_DENIED);
+ currentAnswer(ACCESS_DUNNO);
+
debugs(28, 5, "aclCheckFast: list: " << accessList);
const acl_access *acl = cbdataReference(accessList);
while (acl != NULL && cbdataReferenceValid(acl)) {
currentAnswer(acl->allow);
- if (matchAclListFast(acl->aclList)) {
+ matchAclList(acl->aclList, true);
+ if (finished()) {
PROF_stop(aclCheckFast);
cbdataReferenceDone(acl);
- return currentAnswer() == ACCESS_ALLOWED;
+ return currentAnswer();
}
/*
@@ -357,10 +366,10 @@
cbdataReferenceDone(A);
}
- debugs(28, 5, "aclCheckFast: no matches, returning: " << (currentAnswer() == ACCESS_DENIED));
-
+ debugs(28, 5, "aclCheckFast: no matches, returning: " << currentAnswer());
PROF_stop(aclCheckFast);
- return currentAnswer() == ACCESS_DENIED;
+
+ return currentAnswer();
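Review bot: The no-match return at the end of `fastCheck()` changes which action wins when a non-empty list has no matching line: `currentAnswer()` still holds the last rule's own `acl->allow` from the loop (the four unchanged lines between the two hunks only advance to the next entry), so an unmatched `icp_access allow localnet` now yields ACCESS_ALLOWED, whereas the removed `return currentAnswer() == ACCESS_DENIED;` produced the opposite of the last rule, i.e. a deny. For allow-only lists that is a fail-open regression in a security check, and it is not mentioned in the commit message. If callers are meant to decide, reset before the debugs line with `currentAnswer(ACCESS_DUNNO);`; if the classic reverse-of-last-rule default is wanted, set `currentAnswer(currentAnswer() == ACCESS_DENIED ? ACCESS_ALLOWED : ACCESS_DENIED)` only when `accessList != NULL` so an empty list still reports DUNNO. With the DUNNO choice every caller in this patch that compares `== ACCESS_ALLOWED` denies, which is the safer direction.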
}
@@ -381,12 +390,3 @@
{
return !cbdataReferenceValid(callback_data);
}
-
-bool
-ACLChecklist::matchAclListFast(const ACLList * list)
-{
- matchAclList(list, true);
- return finished();
-}
-
-
=== modified file 'src/acl/Checklist.h'
--- src/acl/Checklist.h 2011-06-15 08:47:09 +0000
+++ src/acl/Checklist.h 2011-06-28 11:52:35 +0000
@@ -107,34 +107,20 @@
* knowledge of the ACL usage rather than depend on this default.
* That will also save on work setting up ACLChecklist fields for a no-op.
*
- * \retval 1/true Access Allowed
- * \retval 0/false Access Denied
- */
- int fastCheck();
-
- /**
- * Trigger a blocking access check for a single ACL line (a AND b AND c).
- *
- * ACLs which cannot be satisfied directly from available data are ignored.
- * This means any proxy_auth, external_acl, DNS lookups, Ident lookups etc
- * which have not already been performed and cached will not be checked.
- *
- * \retval 1/true Access Allowed
- * \retval 0/false Access Denied
- */
- bool matchAclListFast(const ACLList * list);
-
- /**
- * Attempt to check the current checklist against current data.
- * This is the core routine behind all ACL test routines.
- * As much as possible of current tests are performed immediately
- * and the result is maybe delayed to wait for async lookups.
- *
- * When all tests are done callback is presented with one of:
- * - ACCESS_ALLOWED Access explicitly Allowed
- * - ACCESS_DENIED Access explicitly Denied
- */
- void check();
+ * \retval ACCESS_DUNNO Unable to determine any result
+ * \retval ACCESS_ALLOWED Access Allowed
+ * \retval ACCESS_DENIED Access Denied
+ */
+ allow_t const & fastCheck();
+
+ /**
+ * A version of fastCheck() for use when there is a one-line set of ACLs
+ * to be tested and a match determins the result action to be done.
+ *
+ * \retval ACCESS_DUNNO Unable to determine any result
+ * \retval ACCESS_ALLOWED ACLs all matched
+ */
+ allow_t const & fastCheck(const ACLList * list);
bool asyncInProgress() const;
void asyncInProgress(bool const);
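Review bot: The new doc comment for `fastCheck(const ACLList *)` dropped the warning carried by the removed `matchAclListFast()` comment that ACLs needing async data (proxy_auth, external_acl, DNS, Ident) are not evaluated by a fast check; a caller reading only the new text cannot tell that such a line can never produce ACCESS_ALLOWED and will presumably surface as ACCESS_DUNNO rather than a deny. Restore it, e.g. `ACLs which cannot be satisfied from already-available data are skipped: proxy_auth, external_acl, DNS and Ident lookups not already cached are not performed, and the result is then ACCESS_DUNNO rather than a match.` In the same comment `determins` should be `determines`, and the no-argument `fastCheck()` doc should state what is returned when no rule matches, since that is where the old boolean contract differed most.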
@@ -156,6 +142,7 @@
protected:
virtual void checkCallback(allow_t answer);
+
private:
void checkAccessList();
void checkForAsync();
@@ -166,10 +153,21 @@
PF *callback;
void *callback_data;
+ /**
+ * Attempt to check the current checklist against current data.
+ * This is the core routine behind all ACL test routines.
+ * As much as possible of current tests are performed immediately
+ * and the result is maybe delayed to wait for async lookups.
+ *
+ * When all tests are done callback is presented with one of:
+ * - ACCESS_ALLOWED Access explicitly Allowed
+ * - ACCESS_DENIED Access explicitly Denied
+ */
+ void matchNonBlocking();
+
private: /* internal methods */
void preCheck();
void matchAclList(const ACLList * list, bool const fast);
- void matchAclListSlow(const ACLList * list);
bool async_;
bool finished_;
=== modified file 'src/acl/DestinationDomain.cc'
--- src/acl/DestinationDomain.cc 2011-05-15 08:42:17 +0000
+++ src/acl/DestinationDomain.cc 2011-06-28 12:06:45 +0000
@@ -68,7 +68,7 @@
checklist->changeState (ACLChecklist::NullState::Instance());
checklist->markDestinationDomainChecked();
checklist->request->recordLookup(details);
- checklist->check();
+ checklist->matchNonBlocking();
}
=== modified file 'src/acl/DestinationIp.cc'
--- src/acl/DestinationIp.cc 2011-06-23 08:33:13 +0000
+++ src/acl/DestinationIp.cc 2011-06-28 12:06:36 +0000
@@ -94,7 +94,7 @@
checklist->request->recordLookup(details);
checklist->asyncInProgress(false);
checklist->changeState (ACLChecklist::NullState::Instance());
- checklist->check();
+ checklist->matchNonBlocking();
}
=== modified file 'src/acl/Gadgets.cc'
--- src/acl/Gadgets.cc 2009-12-22 23:24:28 +0000
+++ src/acl/Gadgets.cc 2011-06-28 12:06:55 +0000
@@ -196,7 +196,7 @@
for (B = *head, T = head; B; T = &B->next, B = B->next);
*T = A;
- /* We lock _acl_access structures in ACLChecklist::check() */
+ /* We lock _acl_access structures in ACLChecklist::matchNonBlocking() */
}
void
=== modified file 'src/acl/SourceDomain.cc'
--- src/acl/SourceDomain.cc 2009-07-12 22:56:47 +0000
+++ src/acl/SourceDomain.cc 2011-06-28 12:07:06 +0000
@@ -66,7 +66,7 @@
checklist->changeState (ACLChecklist::NullState::Instance());
checklist->markSourceDomainChecked();
checklist->request->recordLookup(details);
- checklist->check();
+ checklist->matchNonBlocking();
}
=== modified file 'src/adaptation/icap/Launcher.cc'
--- src/adaptation/icap/Launcher.cc 2011-03-11 23:02:23 +0000
+++ src/adaptation/icap/Launcher.cc 2011-06-28 03:14:57 +0000
@@ -136,7 +136,7 @@
new ACLFilledChecklist(TheConfig.repeat, info.icapRequest, dash_str);
cl->reply = HTTPMSGLOCK(info.icapReply);
- const bool result = cl->fastCheck();
+ bool result = cl->fastCheck() == ACCESS_ALLOWED;
delete cl;
return result;
}
=== modified file 'src/adaptation/icap/Xaction.cc'
--- src/adaptation/icap/Xaction.cc 2011-06-17 10:41:10 +0000
+++ src/adaptation/icap/Xaction.cc 2011-06-28 03:15:24 +0000
@@ -501,7 +501,7 @@
{
if (IcapLogfileStatus == LOG_ENABLE) {
ACLChecklist *checklist = new ACLFilledChecklist(::Config.accessList.icap, al.request, dash_str);
- if (!::Config.accessList.icap || checklist->fastCheck()) {
+ if (!::Config.accessList.icap || checklist->fastCheck() == ACCESS_ALLOWED) {
finalizeLogInfo();
icapLogLog(&al, checklist);
}
=== modified file 'src/auth/AclProxyAuth.cc'
--- src/auth/AclProxyAuth.cc 2010-05-06 11:07:19 +0000
+++ src/auth/AclProxyAuth.cc 2011-06-28 12:06:25 +0000
@@ -170,7 +170,7 @@
checklist->asyncInProgress(false);
checklist->changeState (ACLChecklist::NullState::Instance());
- checklist->check();
+ checklist->matchNonBlocking();
}
void
=== modified file 'src/client_side.cc'
--- src/client_side.cc 2011-06-23 08:31:56 +0000
+++ src/client_side.cc 2011-06-28 03:20:38 +0000
@@ -672,7 +672,7 @@
if (al.reply)
checklist->reply = HTTPMSGLOCK(al.reply);
- if (!Config.accessList.log || checklist->fastCheck()) {
+ if (!Config.accessList.log || checklist->fastCheck() == ACCESS_ALLOWED) {
if (request)
al.adapted_request = HTTPMSGLOCK(request);
accessLogLog(&al, checklist);
@@ -3128,7 +3128,7 @@
ACLFilledChecklist identChecklist(Ident::TheConfig.identLookup, NULL, NULL);
identChecklist.src_addr = client->remote;
identChecklist.my_addr = client->local;
- if (identChecklist.fastCheck())
+ if (identChecklist.fastCheck() == ACCESS_ALLOWED)
Ident::Start(client, clientIdentDone, result);
}
#endif
@@ -3187,21 +3187,18 @@
/* it was said several times that client write limiter does not work if client_db is disabled */
ClientDelayPools& pools(Config.ClientDelay.pools);
+ ACLFilledChecklist ch(NULL, NULL, NULL);
+
+ // TODO: we check early to limit error response bandwith but we
+ // should recheck when we can honor delay_pool_uses_indirect
+ // TODO: we should also pass the port details for myportname here.
+ ch.src_addr = details->remote;
+ ch.my_addr = details->local;
+
for (unsigned int pool = 0; pool < pools.size(); pool++) {
/* pools require explicit 'allow' to assign a client into them */
- if (!pools[pool].access)
- continue; // warned in ClientDelayConfig::Finalize()
-
- ACLFilledChecklist ch(pools[pool].access, NULL, NULL);
-
- // TODO: we check early to limit error response bandwith but we
- // should recheck when we can honor delay_pool_uses_indirect
-
- ch.src_addr = details->remote;
- ch.my_addr = details->local;
-
- if (ch.fastCheck()) {
+ if (pools[pool].access && ch.fastCheck(pools[pool].access) == ACCESS_ALLOWED) {
/* request client information from db after we did all checks
this will save hash lookup if client failed checks */
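Review bot: `ch.fastCheck(pools[pool].access)` hands the value the removed code used as the checklist's full access list (it was the constructor's first argument, which `fastCheck()` walks via `acl->allow`/`acl->aclList`) to the overload that takes a single `const ACLList *`; unless an implicit conversion exists elsewhere this will not compile, and if it did the per-line allow/deny actions would be lost because `fastCheck(list)` answers ACCESS_ALLOWED on any match, so a `client_delay_access N deny ...` line would place matching clients into the pool, contradicting the comment that pools require an explicit 'allow'. Keep the full-list overload, if `accessList` is settable: `ch.accessList = pools[pool].access;` followed by `if (pools[pool].access && ch.fastCheck() == ACCESS_ALLOWED) {`, or construct the checklist per pool as before. Reusing one checklist across iterations also carries the previous answer/finished state into the next check unless `fastCheck()` resets it, which the old per-pool construction avoided. The loop body continues outside the hunk.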
=== modified file 'src/external_acl.cc'
--- src/external_acl.cc 2011-06-04 12:48:45 +0000
+++ src/external_acl.cc 2011-06-28 12:06:03 +0000
@@ -1562,7 +1562,7 @@
checklist->extacl_entry = cbdataReference((external_acl_entry *)result);
checklist->asyncInProgress(false);
checklist->changeState (ACLChecklist::NullState::Instance());
- checklist->check();
+ checklist->matchNonBlocking();
}
/* This registers "external" in the registry. To do dynamic definitions
=== modified file 'src/forward.cc'
--- src/forward.cc 2011-06-23 08:33:13 +0000
+++ src/forward.cc 2011-06-28 03:22:34 +0000
@@ -209,9 +209,7 @@
ACLFilledChecklist ch(Config.accessList.miss, request, NULL);
ch.src_addr = request->client_addr;
ch.my_addr = request->my_addr;
- int answer = ch.fastCheck();
-
- if (answer == 0) {
+ if (ch.fastCheck() == ACCESS_DENIED) {
err_type page_id;
page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1);
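Review bot: `ch.fastCheck() == ACCESS_DENIED` lets ACCESS_DUNNO (an unconfigured miss_access, or a list whose applicable ACLs all need async data) proceed to forwarding, while every other converted caller in this patch (icap, htcp, snmp, ssl, neighbors) treats only ACCESS_ALLOWED as permission; tunnel.cc repeats this pattern. The removed `answer == 0` with an empty list also allowed, so if an unconfigured miss_access is meant to allow, say so explicitly instead of relying on DUNNO: `if (Config.accessList.miss && ch.fastCheck() != ACCESS_ALLOWED) {`. Otherwise any future case in which fastCheck() returns DUNNO will silently fail open here. The function continues outside the hunk.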
@@ -804,7 +802,9 @@
return;
}
- request->flags.pinned = 0;
+ request->flags.pinned = 0; // XXX: what if the ConnStateData set this to flag existing credentials?
+ // XXX: answer: the peer selection *should* catch it and give us only the pinned peer. so we reverse the =0 step below.
+ // XXX: also, logs will now lie if pinning is broken and leads to an error message.
if (serverDestinations[0]->peerType == PINNED) {
ConnStateData *pinned_connection = request->pinnedConnection();
assert(pinned_connection);
@@ -1212,7 +1212,7 @@
acl_tos *l;
for (l = head; l; l = l->next) {
- if (!l->aclList || ch->matchAclListFast(l->aclList))
+ if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED)
return l->tos;
}
@@ -1226,7 +1226,7 @@
acl_nfmark *l;
for (l = head; l; l = l->next) {
- if (!l->aclList || ch->matchAclListFast(l->aclList))
+ if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED)
return l->nfmark;
}
@@ -1284,7 +1284,7 @@
if (conn->remote.IsIPv4() != l->addr.IsIPv4()) continue;
/* check ACLs for this outgoing address */
- if (!l->aclList || ch.matchAclListFast(l->aclList)) {
+ if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) {
conn->local = l->addr;
return;
}
=== modified file 'src/htcp.cc'
--- src/htcp.cc 2011-05-13 08:13:01 +0000
+++ src/htcp.cc 2011-06-28 09:49:29 +0000
@@ -848,18 +848,17 @@
return d;
}
-static int
-htcpAccessCheck(acl_access * acl, htcpSpecifier * s, Ip::Address &from)
+static bool
+htcpAccessAllowed(acl_access * acl, htcpSpecifier * s, Ip::Address &from)
{
/* default deny if no access list present */
if (!acl)
- return 0;
+ return false;
ACLFilledChecklist checklist(acl, s->request, NULL);
checklist.src_addr = from;
checklist.my_addr.SetNoAddr();
- int result = checklist.fastCheck();
- return result;
+ return (checklist.fastCheck() == ACCESS_ALLOWED);
}
static void
@@ -1206,7 +1205,7 @@
return;
}
- if (!htcpAccessCheck(Config.accessList.htcp, s, from)) {
+ if (!htcpAccessAllowed(Config.accessList.htcp, s, from)) {
debugs(31, 2, "htcpHandleTstRequest: Access denied");
htcpLogHtcp(from, dhdr->opcode, LOG_UDP_DENIED, s->uri);
htcpFreeSpecifier(s);
@@ -1279,7 +1278,7 @@
return;
}
- if (!htcpAccessCheck(Config.accessList.htcp_clr, s, from)) {
+ if (!htcpAccessAllowed(Config.accessList.htcp_clr, s, from)) {
debugs(31, 2, "htcpHandleClr: Access denied");
htcpLogHtcp(from, hdr->opcode, LOG_UDP_DENIED, s->uri);
htcpFreeSpecifier(s);
=== modified file 'src/icp_v2.cc'
--- src/icp_v2.cc 2011-05-15 08:42:17 +0000
+++ src/icp_v2.cc 2011-06-28 09:50:23 +0000
@@ -445,18 +445,17 @@
}
}
-int
+bool
icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request)
{
/* absent an explicit allow, we deny all */
if (!Config.accessList.icp)
- return 0;
+ return true;
ACLFilledChecklist checklist(Config.accessList.icp, icp_request, NULL);
checklist.src_addr = from;
checklist.my_addr.SetNoAddr();
- int result = checklist.fastCheck();
- return result;
+ return (checklist.fastCheck() == ACCESS_ALLOWED);
}
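Review bot: The new `return true;` when `Config.accessList.icp` is NULL contradicts the comment directly above it (`absent an explicit allow, we deny all`), the removed line's `return 0;`, and the parallel `htcpAccessAllowed()` in this same patch which returns `false` for a missing list; with no icp_access configured every ICP query from any source is now accepted. This reads as a fail-open regression rather than an intended default change, and nothing in the commit message claims otherwise. It should be `return false;`.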
char const *
=== modified file 'src/ident/AclIdent.cc'
--- src/ident/AclIdent.cc 2011-02-02 10:23:15 +0000
+++ src/ident/AclIdent.cc 2011-06-28 12:06:16 +0000
@@ -159,7 +159,7 @@
checklist->asyncInProgress(false);
checklist->changeState(ACLChecklist::NullState::Instance());
- checklist->check();
+ checklist->matchNonBlocking();
}
#endif /* USE_IDENT */
=== modified file 'src/log/access_log.cc'
--- src/log/access_log.cc 2011-03-30 04:29:35 +0000
+++ src/log/access_log.cc 2011-06-28 03:11:30 +0000
@@ -111,7 +111,7 @@
xstrncpy(al->hier.host, dash_str, SQUIDHOSTNAMELEN);
for (; log; log = log->next) {
- if (checklist && log->aclList && !checklist->matchAclListFast(log->aclList))
+ if (log->aclList && checklist && checklist->fastCheck(log->aclList) != ACCESS_ALLOWED)
continue;
if (log->logfile) {
=== modified file 'src/neighbors.cc'
--- src/neighbors.cc 2011-06-04 12:48:45 +0000
+++ src/neighbors.cc 2011-06-28 11:15:42 +0000
@@ -55,7 +55,7 @@
/* count mcast group peers every 15 minutes */
#define MCAST_COUNT_RATE 900
-int peerAllowedToUse(const peer *, HttpRequest *);
+bool peerAllowedToUse(const peer *, HttpRequest *);
static int peerWouldBePinged(const peer *, HttpRequest *);
static void neighborRemove(peer *);
static void neighborAlive(peer *, const MemObject *, const icp_common_t *);
@@ -138,18 +138,14 @@
return p->type;
}
-/*
- * peerAllowedToUse
- *
- * this function figures out if it is appropriate to fetch REQUEST
- * from PEER.
+/**
+ * \return Whether it is appropriate to fetch REQUEST from PEER.
*/
-int
+bool
peerAllowedToUse(const peer * p, HttpRequest * request)
{
const struct _domain_ping *d = NULL;
- int do_ping = 1;
assert(request != NULL);
if (neighborType(p, request) == PEER_SIBLING) {
@@ -159,28 +155,27 @@
debugs(15, 2, "peerAllowedToUse(" << p->name << ", " << request->GetHost() << ") : multicast-siblings optimization match");
#endif
if (request->flags.nocache)
- return 0;
+ return false;
if (request->flags.refresh)
- return 0;
+ return false;
if (request->flags.loopdetect)
- return 0;
+ return false;
if (request->flags.need_validation)
- return 0;
+ return false;
}
// CONNECT requests are proxy requests. Not to be forwarded to origin servers.
// Unless the destination port matches, in which case we MAY perform a 'DIRECT' to this peer.
if (p->options.originserver && request->method == METHOD_CONNECT && request->port != p->in_addr.GetPort())
- return 0;
+ return false;
if (p->peer_domain == NULL && p->access == NULL)
- return do_ping;
-
- do_ping = 0;
-
+ return true;
+
+ bool do_ping = false;
for (d = p->peer_domain; d; d = d->next) {
if (0 == matchDomainName(request->GetHost(), d->domain)) {
do_ping = d->do_ping;
@@ -190,8 +185,8 @@
do_ping = !d->do_ping;
}
- if (p->peer_domain && 0 == do_ping)
- return do_ping;
+ if (p->peer_domain && !do_ping)
+ return false;
if (p->access == NULL)
return do_ping;
@@ -211,7 +206,7 @@
#endif
- return checklist.fastCheck();
+ return (checklist.fastCheck() == ACCESS_ALLOWED);
}
/* Return TRUE if it is okay to send an ICP request to this peer. */
=== modified file 'src/peer_select.cc'
--- src/peer_select.cc 2011-06-24 04:05:33 +0000
+++ src/peer_select.cc 2011-06-28 11:16:00 +0000
@@ -427,7 +427,7 @@
peerSelectDnsPaths(ps);
}
-int peerAllowedToUse(const peer * p, HttpRequest * request);
+bool peerAllowedToUse(const peer * p, HttpRequest * request);
/**
* peerSelectPinned
=== modified file 'src/snmp_core.cc'
--- src/snmp_core.cc 2011-05-13 08:13:01 +0000
+++ src/snmp_core.cc 2011-06-28 03:44:53 +0000
@@ -444,7 +444,12 @@
u_char *Community;
u_char *buf = rq->buf;
int len = rq->len;
- int allow = 0;
+ allow_t allow = ACCESS_DENIED;
+
+ if (!Config.accessList.snmp) {
+ debugs(49, DBG_IMPORTANT, "WARNING: snmp_access not configured. agent query DENIED from : " << rq->from);
+ return;
+ }
debugs(49, 5, HERE << "Called.");
PDU = snmp_pdu_create(0);
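Review bot: The new early return logs at DBG_IMPORTANT for every datagram received while snmp_access is unconfigured, and SNMP arrives over unauthenticated UDP with a spoofable source, so a remote sender can fill cache.log at line rate with this WARNING; the per-query DENIED message added further down in this file has the same property. Log the unconfigured state once, and keep per-packet denials at the level the htcp hunks use (`debugs(31, 2, ... "Access denied")`), e.g. `debugs(49, 2, "snmp_access not configured. agent query DENIED from : " << rq->from);`. Whether `rq` needs releasing before this return depends on the caller, which is outside the hunk.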
@@ -454,25 +459,26 @@
/* Check if we have explicit permission to access SNMP data.
* default (set above) is to deny all */
- if (Community && Config.accessList.snmp) {
+ if (Community) {
ACLFilledChecklist checklist(Config.accessList.snmp, NULL, NULL);
checklist.src_addr = rq->from;
checklist.snmp_community = (char *) Community;
allow = checklist.fastCheck();
- }
-
- if ((snmp_coexist_V2toV1(PDU)) && (Community) && (allow)) {
- rq->community = Community;
- rq->PDU = PDU;
- debugs(49, 5, "snmpAgentParse: reqid=[" << PDU->reqid << "]");
- snmpConstructReponse(rq);
+
+ if (allow == ACCESS_ALLOWED && (snmp_coexist_V2toV1(PDU))) {
+ rq->community = Community;
+ rq->PDU = PDU;
+ debugs(49, 5, "snmpAgentParse: reqid=[" << PDU->reqid << "]");
+ snmpConstructReponse(rq);
+ } else {
+ debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from);
+ }
+ xfree(Community);
+
} else {
- debugs(49, 1, HERE << "Failed SNMP agent query from : " << rq->from);
+ debugs(49, DBG_IMPORTANT, "WARNING: Failed SNMP agent query from : " << rq->from);
snmp_free_pdu(PDU);
}
-
- if (Community)
- xfree(Community);
}
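Review bot: In the restructured branch, when `Community` is present but the check is not ACCESS_ALLOWED (or `snmp_coexist_V2toV1()` fails) the new inner `else` only logs, so the `PDU` from `snmp_pdu_create()` is never freed; the old code reached the outer `else` and its `snmp_free_pdu(PDU)` in that case. That is exactly the path an unauthorised sender hits, so each denied datagram now leaks a PDU. Add `snmp_free_pdu(PDU);` after the WARNING in the inner else, keeping the success path's hand-off to `rq->PDU` as it was. The `allow` initialiser of ACCESS_DENIED is now only overwritten inside this branch, so consider declaring it there to make the scope obvious.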
/*
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2011-06-23 00:23:48 +0000
+++ src/ssl/support.cc 2011-06-28 03:46:24 +0000
@@ -240,7 +240,7 @@
if (check) {
Filled(check)->ssl_error = error_no;
- if (check->fastCheck()) {
+ if (check->fastCheck() == ACCESS_ALLOWED) {
debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
ok = 1;
} else {
=== modified file 'src/tunnel.cc'
--- src/tunnel.cc 2011-06-24 05:07:06 +0000
+++ src/tunnel.cc 2011-06-28 03:47:28 +0000
@@ -595,7 +595,6 @@
/* Create state structure. */
TunnelStateData *tunnelState = NULL;
ErrorState *err = NULL;
- int answer;
HttpRequest *request = http->request;
char *url = http->uri;
@@ -613,9 +612,7 @@
ACLFilledChecklist ch(Config.accessList.miss, request, NULL);
ch.src_addr = request->client_addr;
ch.my_addr = request->my_addr;
- answer = ch.fastCheck();
-
- if (answer == 0) {
+ if (ch.fastCheck() == ACCESS_DENIED) {
err = errorCon(ERR_FORWARDING_DENIED, HTTP_FORBIDDEN, request);
*status_ptr = HTTP_FORBIDDEN;
errorSend(http->getConn()->clientConnection, err);