From 0c025b00e4112fc4dfd895db110b10993f2801c7 Mon Sep 17 00:00:00 2001 From: "Alan M. Carroll" Date: Wed, 2 Nov 2016 15:04:26 -0500 Subject: [PATCH] TS-4593: Extend IPAllow to filter outbound connections and be controlled from remap. (#1) Merged --- doc/admin-guide/files/ip_allow.config.en.rst | 33 +++++++++---- iocore/net/SessionAccept.cc | 4 +- lib/ts/MatcherUtils.cc | 4 +- lib/ts/MatcherUtils.h | 3 +- proxy/IPAllow.cc | 42 ++++++++++------ proxy/IPAllow.h | 50 +++++++++++++++----- proxy/InkAPI.cc | 2 +- proxy/http/HttpSM.cc | 46 +++++++++++++++++- proxy/http/HttpTransact.cc | 16 +++++++ proxy/http/HttpTransact.h | 1 + proxy/http/remap/RemapConfig.cc | 35 +++++++++++--- proxy/http/remap/RemapConfig.h | 2 + proxy/http/remap/UrlMapping.h | 1 + 13 files changed, 191 insertions(+), 48 deletions(-) diff --git a/doc/admin-guide/files/ip_allow.config.en.rst b/doc/admin-guide/files/ip_allow.config.en.rst index 203d5775763..66878055f42 100644 --- a/doc/admin-guide/files/ip_allow.config.en.rst +++ b/doc/admin-guide/files/ip_allow.config.en.rst @@ -22,10 +22,12 @@ ip_allow.config .. configfile:: ip_allow.config The :file:`ip_allow.config` file controls client access to the Traffic -Server proxy cache. You can specify ranges of IP addresses that are -allowed to use the Traffic Server as a web proxy cache. After you modify -the :file:`ip_allow.config` file, navigate to the Traffic Server bin -directory and run the :option:`traffic_ctl config reload` command to apply changes. When +Server proxy cache and Traffic Server connections to the servers. You +can specify ranges of IP addresses that are allowed to use the Traffic +Server as a web proxy cache or that are allowed to be remapped by +Traffic Server. After you modify the :file:`ip_allow.config` file, +navigate to the Traffic Server bin directory and run the +:option:`traffic_ctl config reload` command to apply changes. When you apply the changes to a node in a cluster, Traffic Server automatically applies the changes to all other nodes in the cluster. @@ -36,13 +38,18 @@ Each line in the :file:`ip_allow.config` file must have the following format:: src_ip= action= [method=] + dest_ip= action= [method=] where src_ip is the IP address or range of IP addresses of the -client(s). The action ``ip_allow`` enables the specified client(s) to -access the Traffic Server proxy cache, and ``ip_deny`` denies the -specified client(s) to access the Traffic Server proxy cache. Multiple -method keywords can be specified (method=GET method=HEAD), or multiple -methods can be separated by an '\|' (method=GET\|HEAD). The method +client(s) and dest_ip is the IP address or range of IP addresses of the +server(s). When src_ip is indicated, the action ``ip_allow`` enables +the specified client(s) to access the Traffic Server proxy cache, +and ``ip_deny`` denies the specified client(s) to access the Traffic +Server proxy cache. When dest_ip is indicated, the action ``ip_allow`` +enables the Traffic Server to access the specified server(s), and +``ip_deny`` denies the Traffic Server to access the specified server(s). +Multiple method keywords can be specified (method=GET method=HEAD), or +multiple methods can be separated by an '\|' (method=GET\|HEAD). The method keyword is optional and it is defaulted to ALL. This supports ANY string as the HTTP method, meaning no validation is done to check whether it is a valid HTTP method. This allows you to create filters for any method @@ -78,3 +85,11 @@ the Traffic Server proxy cache:: src_ip=123.45.6.0-123.45.6.123 action=ip_deny +The following example enables the Traffic Server to access all servers:: + + dest_ip=0.0.0.0-255.255.255.255 action=ip_allow + +The following example denies the Traffic Server to access all servers +on a specific subnet:: + + dest_ip=10.0.0.0-10.0.0.255 action=ip_deny diff --git a/iocore/net/SessionAccept.cc b/iocore/net/SessionAccept.cc index 8f144e9368e..1bb1f021e19 100644 --- a/iocore/net/SessionAccept.cc +++ b/iocore/net/SessionAccept.cc @@ -31,8 +31,8 @@ SessionAccept::testIpAllowPolicy(sockaddr const *client_ip) IpAllow::scoped_config ipallow; const AclRecord *acl_record = nullptr; if (ipallow) { - acl_record = ipallow->match(client_ip); - if (acl_record && acl_record->isEmpty()) { + acl_record = ipallow->match(client_ip, IpAllow::SRC_ADDR); + if (acl_record && acl_record->isEmpty() && ipallow->isAcceptCheckEnabled()) { acl_record = nullptr; } } diff --git a/lib/ts/MatcherUtils.cc b/lib/ts/MatcherUtils.cc index a064d2b96a0..5c5f32f7053 100644 --- a/lib/ts/MatcherUtils.cc +++ b/lib/ts/MatcherUtils.cc @@ -401,7 +401,9 @@ processDurationString(char *str, int *seconds) const matcher_tags http_dest_tags = {"dest_host", "dest_domain", "dest_ip", "url_regex", "url", "host_regex", true}; -const matcher_tags ip_allow_tags = {nullptr, nullptr, "src_ip", nullptr, nullptr, nullptr, false}; +const matcher_tags ip_allow_src_tags = {nullptr, nullptr, "src_ip", nullptr, nullptr, nullptr, false}; + +const matcher_tags ip_allow_dest_tags = {nullptr, nullptr, "dest_ip", nullptr, nullptr, nullptr, true}; const matcher_tags socks_server_tags = {nullptr, nullptr, "dest_ip", nullptr, nullptr, nullptr, false}; diff --git a/lib/ts/MatcherUtils.h b/lib/ts/MatcherUtils.h index 44d308b28e6..4893234f00a 100644 --- a/lib/ts/MatcherUtils.h +++ b/lib/ts/MatcherUtils.h @@ -108,7 +108,8 @@ struct matcher_tags { }; extern const matcher_tags http_dest_tags; -extern const matcher_tags ip_allow_tags; +extern const matcher_tags ip_allow_src_tags; +extern const matcher_tags ip_allow_dest_tags; extern const matcher_tags socks_server_tags; const char *parseConfigLine(char *line, matcher_line *p_line, const matcher_tags *tags); diff --git a/proxy/IPAllow.cc b/proxy/IPAllow.cc index 3e0af828f41..bece005b0cf 100644 --- a/proxy/IPAllow.cc +++ b/proxy/IPAllow.cc @@ -45,7 +45,8 @@ enum AclOp { const AclRecord IpAllow::ALL_METHOD_ACL(AclRecord::ALL_METHOD_MASK); -int IpAllow::configid = 0; +int IpAllow::configid = 0; +bool IpAllow::accept_check_p = true; // initializing global flag for fast deny static ConfigUpdateHandler *ipAllowUpdate; @@ -108,12 +109,11 @@ IpAllow::~IpAllow() } void -IpAllow::Print() +IpAllow::PrintMap(IpMap *map) { std::ostringstream s; - s << _map.getCount() << " ACL entries"; - s << '.'; - for (IpMap::iterator spot(_map.begin()), limit(_map.end()); spot != limit; ++spot) { + s << map->getCount() << " ACL entries."; + for (IpMap::iterator spot(map->begin()), limit(map->end()); spot != limit; ++spot) { char text[INET6_ADDRSTRLEN]; AclRecord const *ar = static_cast(spot->data()); @@ -156,6 +156,15 @@ IpAllow::Print() Debug("ip-allow", "%s", s.str().c_str()); } +void +IpAllow::Print() +{ + Debug("ip-allow", "Printing src map"); + PrintMap(&_src_map); + Debug("ip-allow", "Printing dest map"); + PrintMap(&_dest_map); +} + int IpAllow::BuildTable() { @@ -171,7 +180,7 @@ IpAllow::BuildTable() bool alarmAlready = false; // Table should be empty - ink_assert(_map.getCount() == 0); + ink_assert(_src_map.getCount() == 0 && _dest_map.getCount() == 0); file_buf = readIntoBuffer(config_file_path, module_name, nullptr); @@ -190,6 +199,8 @@ IpAllow::BuildTable() } if (*line != '\0' && *line != '#') { + const matcher_tags &ip_allow_tags = + strstr(line, ip_allow_dest_tags.match_ip) != nullptr ? ip_allow_dest_tags : ip_allow_src_tags; errPtr = parseConfigLine(line, &line_info, &ip_allow_tags); if (errPtr != nullptr) { @@ -211,6 +222,7 @@ IpAllow::BuildTable() uint32_t acl_method_mask = 0; AclRecord::MethodSet nonstandard_methods; bool deny_nonstandard_methods = false; + bool is_dest_ip = (strcasecmp(line_info.line[0][line_info.dest_entry], "dest_ip") == 0); AclOp op = ACL_OP_DENY; // "shut up", I explained to the compiler. bool op_found = false, method_found = false; for (int i = 0; i < MATCHER_MAX_TOKENS; i++) { @@ -272,10 +284,11 @@ IpAllow::BuildTable() } if (method_found) { - _acls.push_back(AclRecord(acl_method_mask, line_num, nonstandard_methods, deny_nonstandard_methods)); - // Color with index because at this point the address - // is volatile. - _map.fill(&addr1, &addr2, reinterpret_cast(_acls.length() - 1)); + Vec &acls = is_dest_ip ? _dest_acls : _src_acls; + IpMap &map = is_dest_ip ? _dest_map : _src_map; + acls.push_back(AclRecord(acl_method_mask, line_num, nonstandard_methods, deny_nonstandard_methods)); + // Color with index in acls because at this point the address is volatile. + map.fill(&addr1, &addr2, reinterpret_cast(acls.length() - 1)); } else { snprintf(errBuf, sizeof(errBuf), "%s discarding %s entry at line %d : %s", module_name, config_file_path, line_num, "Invalid action/method specified"); // changed by YTS Team, yamsat bug id -59022 @@ -288,13 +301,14 @@ IpAllow::BuildTable() line = tokLine(nullptr, &tok_state); } - if (_map.getCount() == 0) { + if (_src_map.getCount() == 0 && _dest_map.getCount() == 0) { // TODO: check Warning("%s No entries in %s. All IP Addresses will be blocked", module_name, config_file_path); } else { // convert the coloring from indices to pointers. - for (IpMap::iterator spot(_map.begin()), limit(_map.end()); spot != limit; ++spot) { - spot->setData(&_acls[reinterpret_cast(spot->data())]); - } + for (auto &item : _src_map) + item.setData(&_src_acls[reinterpret_cast(item.data())]); + for (auto &item : _dest_map) + item.setData(&_dest_acls[reinterpret_cast(item.data())]); } if (is_debug_tag_set("ip-allow")) { diff --git a/proxy/IPAllow.h b/proxy/IPAllow.h index f2218fc1fa9..a0a6f8bf115 100644 --- a/proxy/IPAllow.h +++ b/proxy/IPAllow.h @@ -110,12 +110,14 @@ class IpAllow : public ConfigInfo public: typedef IpAllow self; ///< Self reference type. + // indicator for whether we should be checking the acl record for src ip or dest ip + enum match_key_t { SRC_ADDR, DEST_ADDR }; IpAllow(const char *config_var, const char *name, const char *action_val); ~IpAllow(); void Print(); - AclRecord *match(IpEndpoint const *ip) const; - AclRecord *match(sockaddr const *ip) const; + AclRecord *match(IpEndpoint const *ip, match_key_t key) const; + AclRecord *match(sockaddr const *ip, match_key_t key) const; static void startup(); static void reconfigure(); @@ -130,35 +132,59 @@ class IpAllow : public ConfigInfo return &ALL_METHOD_ACL; } + /* @return The previous accept check state + * This is a global variable that is independent of + * the ip_allow configuration + */ + static bool + enableAcceptCheck(bool state) + { + bool temp = accept_check_p; + accept_check_p = state; + return temp; + } + /* @return The current accept check state + * This is a global variable that is independent of + * the ip_allow configuration + */ + static bool + isAcceptCheckEnabled() + { + return accept_check_p; + } + typedef ConfigProcessor::scoped_config scoped_config; private: static int configid; static const AclRecord ALL_METHOD_ACL; + static bool accept_check_p; + void PrintMap(IpMap *map); int BuildTable(); char config_file_path[PATH_NAME_MAX]; const char *module_name; const char *action; - IpMap _map; - Vec _acls; + IpMap _src_map; + IpMap _dest_map; + Vec _src_acls; + Vec _dest_acls; }; inline AclRecord * -IpAllow::match(IpEndpoint const *ip) const +IpAllow::match(IpEndpoint const *ip, match_key_t key) const { - return this->match(&ip->sa); + return this->match(&ip->sa, key); } inline AclRecord * -IpAllow::match(sockaddr const *ip) const +IpAllow::match(sockaddr const *ip, match_key_t key) const { - void *raw; - if (_map.contains(ip, &raw)) { - return static_cast(raw); - } - return nullptr; + void *raw = nullptr; + const IpMap &map = (key == SRC_ADDR) ? _src_map : _dest_map; + map.contains(ip, &raw); + return static_cast(raw); } #endif diff --git a/proxy/InkAPI.cc b/proxy/InkAPI.cc index d95f7014584..48697d56a11 100644 --- a/proxy/InkAPI.cc +++ b/proxy/InkAPI.cc @@ -7298,7 +7298,7 @@ const char * TSMatcherParseSrcIPConfigLine(char *line, TSMatcherLine ml) { sdk_assert(sdk_sanity_check_null_ptr((void *)line) == TS_SUCCESS); - return parseConfigLine(line, (matcher_line *)ml, &ip_allow_tags); + return parseConfigLine(line, (matcher_line *)ml, &ip_allow_src_tags); } char * diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index ffabb6e0b1b..f2638d0fe5e 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc @@ -42,6 +42,7 @@ #include "HttpPages.h" +#include "IPAllow.h" //#include "I_Auth.h" //#include "HttpAuthParams.h" #include "congest/Congestion.h" @@ -4730,7 +4731,50 @@ HttpSM::do_http_server_open(bool raw) milestones[TS_MILESTONE_SERVER_FIRST_CONNECT] = milestones[TS_MILESTONE_SERVER_CONNECT]; } - if (t_state.pCongestionEntry != nullptr) { + // Check for remap rule. If so, only apply ip_allow filter if it is activated (ip_allow_check_enabled_p set). + // Otherwise, if no remap rule is defined, apply the ip_allow filter. + if (!t_state.url_remap_success || t_state.url_map.getMapping()->ip_allow_check_enabled_p) { + // Method allowed on dest IP address check + sockaddr *server_ip = &t_state.current.server->dst_addr.sa; + IpAllow::scoped_config ip_allow; + + if (ip_allow) { + const AclRecord *acl_record = ip_allow->match(server_ip, IpAllow::DEST_ADDR); + bool deny_request = false; // default is fail open. + int method = t_state.hdr_info.server_request.method_get_wksidx(); + + if (acl_record) { + // If empty, nothing is allowed, deny. Conversely if all methods are allowed it's OK, do not deny. + // Otherwise the method has to be checked specifically. + if (acl_record->isEmpty()) { + deny_request = true; + } else if (acl_record->_method_mask != AclRecord::ALL_METHOD_MASK) { + if (method != -1) { + deny_request = !acl_record->isMethodAllowed(method); + } else { + int method_str_len; + const char *method_str = t_state.hdr_info.server_request.method_get(&method_str_len); + deny_request = !acl_record->isNonstandardMethodAllowed(std::string(method_str, method_str_len)); + } + } + } + + if (deny_request) { + if (is_debug_tag_set("ip-allow")) { + ip_text_buffer ipb; + Warning("server '%s' prohibited by ip-allow policy", ats_ip_ntop(server_ip, ipb, sizeof(ipb))); + Debug("ip-allow", "Denial on %s:%s with mask %x", ats_ip_ntop(&t_state.current.server->dst_addr.sa, ipb, sizeof(ipb)), + hdrtoken_index_to_wks(method), acl_record ? acl_record->_method_mask : 0x0); + } + t_state.current.attempts = t_state.txn_conf->connect_attempts_max_retries; // prevent any more retries with this IP + call_transact_and_set_next_state(HttpTransact::Forbidden); + return; + } + } + } + + // Congestion Check + if (t_state.pCongestionEntry != NULL) { if (t_state.pCongestionEntry->F_congested() && (!t_state.pCongestionEntry->proxy_retry(milestones[TS_MILESTONE_SERVER_CONNECT]))) { t_state.congestion_congested_or_failed = 1; diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc index 0647a90446d..8e378c404a7 100644 --- a/proxy/http/HttpTransact.cc +++ b/proxy/http/HttpTransact.cc @@ -565,6 +565,16 @@ HttpTransact::BadRequest(State *s) TRANSACT_RETURN(SM_ACTION_SEND_ERROR_CACHE_NOOP, nullptr); } +void +HttpTransact::Forbidden(State *s) +{ + DebugTxn("http_trans", "[Forbidden]" + "IpAllow marked request forbidden"); + bootstrap_state_variables_from_request(s, &s->hdr_info.client_request); + build_error_response(s, HTTP_STATUS_FORBIDDEN, "Access Denied", "access#denied", NULL); + TRANSACT_RETURN(SM_ACTION_SEND_ERROR_CACHE_NOOP, NULL); +} + void HttpTransact::HandleBlindTunnel(State *s) { @@ -6576,6 +6586,12 @@ HttpTransact::process_quick_http_filter(State *s, int method) return; } + // if ipallow rules are disabled by remap then don't modify anything + url_mapping *mp = s->url_map.getMapping(); + if (mp && !mp->ip_allow_check_enabled_p) { + return; + } + if (s->state_machine->ua_session) { const AclRecord *acl_record = s->state_machine->ua_session->get_acl_record(); bool deny_request = (acl_record == nullptr); diff --git a/proxy/http/HttpTransact.h b/proxy/http/HttpTransact.h index 63f9925563f..dd81a4998f2 100644 --- a/proxy/http/HttpTransact.h +++ b/proxy/http/HttpTransact.h @@ -1200,6 +1200,7 @@ class HttpTransact static void StartAuth(State *s); static void HandleRequestAuthorized(State *s); static void BadRequest(State *s); + static void Forbidden(State *s); static void HandleFiltering(State *s); static void DecideCacheLookup(State *s); static void LookupSkipOpenServer(State *s); diff --git a/proxy/http/remap/RemapConfig.cc b/proxy/http/remap/RemapConfig.cc index cef1c40d794..40f245bee62 100644 --- a/proxy/http/remap/RemapConfig.cc +++ b/proxy/http/remap/RemapConfig.cc @@ -31,6 +31,7 @@ #include "ts/ink_cap.h" #include "ts/ink_file.h" #include "ts/Tokenizer.h" +#include "../../proxy/IPAllow.h" #define modulePrefix "[ReverseProxy]" @@ -75,7 +76,8 @@ clear_xstr_array(char *v[], size_t vsize) } } -BUILD_TABLE_INFO::BUILD_TABLE_INFO() : remap_optflg(0), paramc(0), argc(0), rules_list(nullptr), rewrite(nullptr) +BUILD_TABLE_INFO::BUILD_TABLE_INFO() + : remap_optflg(0), paramc(0), argc(0), ip_allow_check_enabled_p(true), accept_check_p(true), rules_list(nullptr), rewrite(nullptr) { memset(this->paramv, 0, sizeof(this->paramv)); memset(this->argv, 0, sizeof(this->argv)); @@ -107,7 +109,7 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO *bti, char *errStrBuf for (rp = bti->rules_list; rp; rp = rp->next) { if (rp->active_queue_flag) { Debug("url_rewrite", "[process_filter_opt] Add active main filter \"%s\" (argc=%d)", - rp->filter_name ? rp->filter_name : "", rp->argc); + rp->filter_name ? rp->filter_name : "", rp->argc); for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) { ; } @@ -123,6 +125,9 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO *bti, char *errStrBuf } errStr = remap_validate_filter_args(rpp, (const char **)bti->argv, bti->argc, errStrBuf, errStrBufSize); } + // Set the ip allow flag for this rule to the current ip allow flag state + mp->ip_allow_check_enabled_p = bti->ip_allow_check_enabled_p; + return errStr; } @@ -211,6 +216,12 @@ parse_activate_directive(const char *directive, BUILD_TABLE_INFO *bti, char *err return (const char *)errbuf; } + // Check if for ip_allow filter + if (strcmp((const char *)bti->paramv[1], "ip_allow") == 0) { + bti->ip_allow_check_enabled_p = true; + return nullptr; + } + if ((rp = acl_filter_rule::find_byname(bti->rules_list, (const char *)bti->paramv[1])) == nullptr) { snprintf(errbuf, errbufsize, "Undefined filter \"%s\" in directive \"%s\"", bti->paramv[1], directive); Debug("url_rewrite", "[parse_directive] %s", errbuf); @@ -232,6 +243,12 @@ parse_deactivate_directive(const char *directive, BUILD_TABLE_INFO *bti, char *e return (const char *)errbuf; } + // Check if for ip_allow filter + if (strcmp((const char *)bti->paramv[1], "ip_allow") == 0) { + bti->ip_allow_check_enabled_p = false; + return nullptr; + } + if ((rp = acl_filter_rule::find_byname(bti->rules_list, (const char *)bti->paramv[1])) == nullptr) { snprintf(errbuf, errbufsize, "Undefined filter \"%s\" in directive \"%s\"", bti->paramv[1], directive); Debug("url_rewrite", "[parse_directive] %s", errbuf); @@ -577,9 +594,9 @@ remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int arg } if (ul & REMAP_OPTFLG_ACTION) { /* "action=" option */ - if (is_inkeylist(argptr, "0", "off", "deny", "disable", NULL)) { + if (is_inkeylist(argptr, "0", "off", "deny", "disable", nullptr)) { rule->allow_flag = 0; - } else if (is_inkeylist(argptr, "1", "on", "allow", "enable", NULL)) { + } else if (is_inkeylist(argptr, "1", "on", "allow", "enable", nullptr)) { rule->allow_flag = 1; } else { Debug("url_rewrite", "[validate_filter_args] Unknown argument \"%s\"", argv[i]); @@ -750,7 +767,7 @@ remap_load_plugin(const char **argv, int argc, url_mapping *mp, char *errbuf, in } } else { if (unlikely(!mp || (remap_check_option(argv, argc, REMAP_OPTFLG_PLUGIN, &idx) & REMAP_OPTFLG_PLUGIN) == 0)) { - snprintf(errbuf, errbufsize, "Can't find remap plugin keyword or \"url_mapping\" is NULL"); + snprintf(errbuf, errbufsize, "Can't find remap plugin keyword or \"url_mapping\" is nullptr"); return -1; /* incorrect input data - almost impossible case */ } } @@ -952,7 +969,7 @@ process_regex_mapping_config(const char *from_host_lower, url_mapping *new_mappi reg_map->url_map = new_mapping; // using from_host_lower (and not new_mapping->fromURL.host_get()) - // as this one will be NULL-terminated (required by pcre_compile) + // as this one will be nullptr-terminated (required by pcre_compile) if (reg_map->regular_expression.compile(from_host_lower) == false) { Warning("pcre_compile failed! Regex has error starting at %s", from_host_lower); goto lFail; @@ -1153,6 +1170,9 @@ remap_parse_config_bti(const char *path, BUILD_TABLE_INFO *bti) goto MAP_ERROR; } + // update sticky flag + bti->accept_check_p = bti->accept_check_p && bti->ip_allow_check_enabled_p; + new_mapping->map_id = 0; if ((bti->remap_optflg & REMAP_OPTFLG_MAP_ID) != 0) { int idx = 0; @@ -1413,8 +1433,9 @@ remap_parse_config_bti(const char *path, BUILD_TABLE_INFO *bti) delete reg_map; delete new_mapping; return false; - } /* end of while(cur_line != NULL) */ + } /* end of while(cur_line != nullptr) */ + IpAllow::enableAcceptCheck(bti->accept_check_p); return true; } diff --git a/proxy/http/remap/RemapConfig.h b/proxy/http/remap/RemapConfig.h index 300eaea15d0..0d76156a9fc 100644 --- a/proxy/http/remap/RemapConfig.h +++ b/proxy/http/remap/RemapConfig.h @@ -53,6 +53,8 @@ struct BUILD_TABLE_INFO { char *paramv[BUILD_TABLE_MAX_ARGS]; char *argv[BUILD_TABLE_MAX_ARGS]; + bool ip_allow_check_enabled_p; + bool accept_check_p; acl_filter_rule *rules_list; // all rules defined in config files as .define_filter foobar @src_ip=..... UrlRewrite *rewrite; // Pointer to the UrlRewrite object we are parsing for. diff --git a/proxy/http/remap/UrlMapping.h b/proxy/http/remap/UrlMapping.h index d4634b8e6a5..73f87c75a7b 100644 --- a/proxy/http/remap/UrlMapping.h +++ b/proxy/http/remap/UrlMapping.h @@ -107,6 +107,7 @@ class url_mapping unsigned int map_id; referer_info *referer_list; redirect_tag_str *redir_chunk_list; + bool ip_allow_check_enabled_p; acl_filter_rule *filter; // acl filtering (list of rules) unsigned int _plugin_count; LINK(url_mapping, link); // For use with the main Queue linked list holding all the mapping