kozorizki/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MEDIUM: acl: use temp_pattern to store any address-type information

Browse Source 
IPv4 and IPv6 addresses are now stored into temp_pattern instead of
the dirty hack consisting into storing them into the consumer's target
address.

Some refactoring should now be possible since the methods used to fetch
source and destination addresses are similar between patterns and ACLs.
This commit is contained in:
Willy Tarreau 2011-12-16 17:49:52 +01:00
parent a5e375646c
commit f4362b3e3b
3 changed files with 39 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/acl.c
View File

@ -832,10 +832,10 @@ int acl_match_ip(struct acl_test *test, struct acl_pattern *pattern)
{
struct in_addr *s;
if (test->i != AF_INET)
if (temp_pattern.type != PATTERN_TYPE_IP)
return ACL_PAT_FAIL;
s = (void *)test->ptr;
s = &temp_pattern.data.ip;
if (((s->s_addr ^ pattern->val.ipv4.addr.s_addr) & pattern->val.ipv4.mask.s_addr) == 0)
return ACL_PAT_PASS;
return ACL_PAT_FAIL;
@ -848,11 +848,10 @@ void *acl_lookup_ip(struct acl_test *test, struct acl_expr *expr)
{
struct in_addr *s;
if (test->i != AF_INET)
if (temp_pattern.type != PATTERN_TYPE_IP)
return ACL_PAT_FAIL;
s = (void *)test->ptr;
s = &temp_pattern.data.ip;
return ebmb_lookup_longest(&expr->pattern_tree, &s->s_addr);
}

19
src/proto_http.c
View File

@ -7967,8 +7967,10 @@ acl_fetch_url_ip(struct proxy *px, struct session *l4, void *l7, int dir,
/* Parse HTTP request */
url2sa(txn->req.sol + txn->req.sl.rq.u, txn->req.sl.rq.u_l, &l4->req->cons->addr.to);
test->ptr = (void *)&((struct sockaddr_in *)&l4->req->cons->addr.to)->sin_addr;
test->i = AF_INET;
if (((struct sockaddr_in *)&l4->req->cons->addr.to)->sin_family != AF_INET)
return 0;
temp_pattern.type = PATTERN_TYPE_IP;
temp_pattern.data.ip = ((struct sockaddr_in *)&l4->req->cons->addr.to)->sin_addr;
/*
* If we are parsing url in frontend space, we prepare backend stage
@ -7977,7 +7979,7 @@ acl_fetch_url_ip(struct proxy *px, struct session *l4, void *l7, int dir,
if (px->options & PR_O_HTTP_PROXY)
l4->flags |= SN_ADDR_SET;
test->flags = ACL_TEST_F_READ_ONLY;
test->flags = 0;
return 1;
}
@ -8215,15 +8217,14 @@ acl_fetch_hdr_ip(struct proxy *px, struct session *l4, void *l7, char *sol,
/* search for header from the beginning */
ctx->idx = 0;
if (http_find_header2(expr->arg.str, expr->arg_len, sol, idx, ctx)) {
while (http_find_header2(expr->arg.str, expr->arg_len, sol, idx, ctx)) {
test->flags |= ACL_TEST_F_FETCH_MORE;
test->flags |= ACL_TEST_F_VOL_HDR;
/* Same optimization as url_ip */
memset(&((struct sockaddr_in *)&l4->req->cons->addr.to)->sin_addr, 0, sizeof(((struct sockaddr_in *)&l4->req->cons->addr.to)->sin_addr));
url2ipv4((char *)ctx->line + ctx->val, &((struct sockaddr_in *)&l4->req->cons->addr.to)->sin_addr);
test->ptr = (void *)&((struct sockaddr_in *)&l4->req->cons->addr.to)->sin_addr;
test->i = AF_INET;
return 1;
temp_pattern.type = PATTERN_TYPE_IP;
if (url2ipv4((char *)ctx->line + ctx->val, &temp_pattern.data.ip))
return 1;
/* Dods not look like an IP address, let's fetch next one */
}
test->flags &= ~ACL_TEST_F_FETCH_MORE;

40
src/proto_tcp.c
View File

@ -1245,20 +1245,25 @@ static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
/* All supported ACL keywords must be declared here. */
/************************************************************************/
/* set test->ptr to point to the source IPv4/IPv6 address and test->i to the family */
/* copy the source IPv4/v6 address into temp_pattern */
static int
acl_fetch_src(struct proxy *px, struct session *l4, void *l7, int dir,
struct acl_expr *expr, struct acl_test *test)
{
test->i = l4->si[0].addr.from.ss_family;
if (test->i == AF_INET)
test->ptr = (char *)&((struct sockaddr_in *)&l4->si[0].addr.from)->sin_addr;
else if (test->i == AF_INET6)
test->ptr = (char *)&((struct sockaddr_in6 *)(&l4->si[0].addr.from))->sin6_addr;
else
switch (l4->si[0].addr.from.ss_family) {
case AF_INET:
temp_pattern.data.ip = ((struct sockaddr_in *)&l4->si[0].addr.from)->sin_addr;
temp_pattern.type = PATTERN_TYPE_IP;
break;
case AF_INET6:
temp_pattern.data.ipv6 = ((struct sockaddr_in6 *)(&l4->si[0].addr.from))->sin6_addr;
temp_pattern.type = PATTERN_TYPE_IPV6;
break;
default:
return 0;
}
test->flags = ACL_TEST_F_READ_ONLY;
test->flags = 0;
return 1;
}
@ -1307,15 +1312,20 @@ acl_fetch_dst(struct proxy *px, struct session *l4, void *l7, int dir,
if (!(l4->flags & SN_FRT_ADDR_SET))
get_frt_addr(l4);
test->i = l4->si[0].addr.to.ss_family;
if (test->i == AF_INET)
test->ptr = (char *)&((struct sockaddr_in *)&l4->si[0].addr.to)->sin_addr;
else if (test->i == AF_INET6)
test->ptr = (char *)&((struct sockaddr_in6 *)(&l4->si[0].addr.to))->sin6_addr;
else
switch (l4->si[0].addr.to.ss_family) {
case AF_INET:
temp_pattern.data.ip = ((struct sockaddr_in *)&l4->si[0].addr.to)->sin_addr;
temp_pattern.type = PATTERN_TYPE_IP;
break;
case AF_INET6:
temp_pattern.data.ipv6 = ((struct sockaddr_in6 *)(&l4->si[0].addr.to))->sin6_addr;
temp_pattern.type = PATTERN_TYPE_IPV6;
break;
default:
return 0;
}
test->flags = ACL_TEST_F_READ_ONLY;
test->flags = 0;
return 1;
}