TS-3582: Add @dst_ip to remap filters

apache · May 5, 2015 · 3a36535 · 3a36535
1 parent e521a6f
commit 3a36535
Show file tree

Hide file tree

Showing 5 changed files with 92 additions and 2 deletions.
diff --git a/proxy/http/remap/AclFiltering.cc b/proxy/http/remap/AclFiltering.cc
@@ -46,6 +46,10 @@ acl_filter_rule::reset(void)
     src_ip_array[i].reset();
   }
   src_ip_valid = 0;
+  for (i = (dst_ip_cnt = 0); i < ACL_FILTER_MAX_DST_IP; i++) {
+    dst_ip_array[i].reset();
+  }
+  dst_ip_valid = 0;
   internal = 0;
 }
 
@@ -92,9 +96,9 @@ acl_filter_rule::print(void)
 {
   int i;
   printf("-----------------------------------------------------------------------------------------\n");
-  printf("Filter \"%s\" status: allow_flag=%s, src_ip_valid=%s, internal=%s, active_queue_flag=%d\n",
+  printf("Filter \"%s\" status: allow_flag=%s, src_ip_valid=%s, dst_ip_valid=%s, internal=%s, active_queue_flag=%d\n",
          filter_name ? filter_name : "<NONAME>", allow_flag ? "true" : "false", src_ip_valid ? "true" : "false",
-         internal ? "true" : "false", (int)active_queue_flag);
+         dst_ip_valid ? "true" : "false", internal ? "true" : "false", (int)active_queue_flag);
   printf("standard methods=");
   for (i = 0; i < HTTP_WKSIDX_METHODS_CNT; i++) {
     if (standard_method_lookup[i]) {
@@ -111,6 +115,13 @@ acl_filter_rule::print(void)
     ip_text_buffer b1, b2;
     printf("%s - %s", ats_ip_ntop(&src_ip_array[i].start.sa, b1, sizeof(b1)), ats_ip_ntop(&src_ip_array[i].end.sa, b2, sizeof(b2)));
   }
+  printf("\n");
+  printf("dst_ip_cnt=%d\n", dst_ip_cnt);
+  for (i = 0; i < dst_ip_cnt; i++) {
+    ip_text_buffer b1, b2;
+    printf("%s - %s", ats_ip_ntop(&dst_ip_array[i].start.sa, b1, sizeof(b1)), ats_ip_ntop(&dst_ip_array[i].end.sa, b2, sizeof(b2)));
+  }
+  printf("\n");
   for (i = 0; i < argc; i++) {
     printf("argv[%d] = \"%s\"\n", i, argv[i]);
   }

diff --git a/proxy/http/remap/AclFiltering.h b/proxy/http/remap/AclFiltering.h
@@ -35,6 +35,7 @@
 // ACL like filtering defs (per one remap rule)
 
 static int const ACL_FILTER_MAX_SRC_IP = 128;
+static int const ACL_FILTER_MAX_DST_IP = 8;
 static int const ACL_FILTER_MAX_ARGV = 512;
 
 struct src_ip_info_t {
@@ -71,6 +72,7 @@ class acl_filter_rule
   char *filter_name;           // optional filter name
   unsigned int allow_flag : 1, // action allow deny
     src_ip_valid : 1,          // src_ip range valid
+    dst_ip_valid : 1,
     active_queue_flag : 1,     // filter is in active state (used by .useflt directive)
     internal : 1;              // filter internal HTTP requests
 
@@ -88,6 +90,11 @@ class acl_filter_rule
   // src_ip
   int src_ip_cnt; // how many valid src_ip rules we have
   src_ip_info_t src_ip_array[ACL_FILTER_MAX_SRC_IP];
+
+  // dst_ip
+  int dst_ip_cnt; // how many valid dst_ip rules we have
+  src_ip_info_t dst_ip_array[ACL_FILTER_MAX_DST_IP];
+
   acl_filter_rule();
   ~acl_filter_rule();
   void name(const char *_name = NULL);

diff --git a/proxy/http/remap/RemapConfig.cc b/proxy/http/remap/RemapConfig.cc
@@ -470,6 +470,45 @@ remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int arg
       }
     }
 
+    if (ul & REMAP_OPTFLG_DST_IP) { /* "dst_ip=" option */
+      if (rule->dst_ip_cnt >= ACL_FILTER_MAX_DST_IP) {
+        Debug("url_rewrite", "[validate_filter_args] Too many \"dst_ip=\" filters");
+        snprintf(errStrBuf, errStrBufSize, "Defined more than %d \"dst_ip=\" filters!", ACL_FILTER_MAX_DST_IP);
+        errStrBuf[errStrBufSize - 1] = 0;
+        if (new_rule_flg) {
+          delete rule;
+          *rule_pp = NULL;
+        }
+        return (const char *)errStrBuf;
+      }
+      ipi = &rule->dst_ip_array[rule->dst_ip_cnt];
+      if (ul & REMAP_OPTFLG_INVERT)
+        ipi->invert = true;
+      ink_strlcpy(tmpbuf, argptr, sizeof(tmpbuf));
+      // important! use copy of argument
+      if (ExtractIpRange(tmpbuf, &ipi->start.sa, &ipi->end.sa) != NULL) {
+        Debug("url_rewrite", "[validate_filter_args] Unable to parse IP value in %s", argv[i]);
+        snprintf(errStrBuf, errStrBufSize, "Unable to parse IP value in %s", argv[i]);
+        errStrBuf[errStrBufSize - 1] = 0;
+        if (new_rule_flg) {
+          delete rule;
+          *rule_pp = NULL;
+        }
+        return (const char *)errStrBuf;
+      }
+      for (j = 0; j < rule->dst_ip_cnt; j++) {
+        if (rule->dst_ip_array[j].start == ipi->start && rule->dst_ip_array[j].end == ipi->end) {
+          ipi->reset();
+          ipi = NULL;
+          break; /* we have the same src_ip in the list */
+        }
+      }
+      if (ipi) {
+        rule->dst_ip_cnt++;
+        rule->dst_ip_valid = 1;
+      }
+    }
+
     if (ul & REMAP_OPTFLG_ACTION) { /* "action=" option */
       if (is_inkeylist(argptr, "0", "off", "deny", "disable", NULL)) {
         rule->allow_flag = 0;
@@ -542,6 +581,18 @@ remap_check_option(const char **argv, int argc, unsigned long findmode, int *_re
         if (argptr)
           *argptr = &argv[i][7];
         ret_flags |= REMAP_OPTFLG_SRC_IP;
+      } else if (!strncasecmp(argv[i], "dst_ip=~", 8)) {
+        if ((findmode & REMAP_OPTFLG_DST_IP) != 0)
+          idx = i;
+        if (argptr)
+          *argptr = &argv[i][8];
+        ret_flags |= (REMAP_OPTFLG_DST_IP | REMAP_OPTFLG_INVERT);
+      } else if (!strncasecmp(argv[i], "dst_ip=", 7)) {
+        if ((findmode & REMAP_OPTFLG_DST_IP) != 0)
+          idx = i;
+        if (argptr)
+          *argptr = &argv[i][7];
+        ret_flags |= REMAP_OPTFLG_DST_IP;
       } else if (!strncasecmp(argv[i], "action=", 7)) {
         if ((findmode & REMAP_OPTFLG_ACTION) != 0)
           idx = i;

diff --git a/proxy/http/remap/RemapConfig.h b/proxy/http/remap/RemapConfig.h
@@ -38,6 +38,7 @@ class UrlRewrite;
 #define REMAP_OPTFLG_SRC_IP 0x0010u           /* "src_ip=" option (used for ACL filtering) */
 #define REMAP_OPTFLG_ACTION 0x0020u           /* "action=" option (used for ACL filtering) */
 #define REMAP_OPTFLG_INTERNAL 0x0040u         /* only allow internal requests to hit this remap */
+#define REMAP_OPTFLG_DST_IP 0x0080u           /* "dst_ip=" option (used for ACL filtering)*/
 #define REMAP_OPTFLG_MAP_ID 0x0800u           /* associate a map ID with this rule */
 #define REMAP_OPTFLG_INVERT 0x80000000u       /* "invert" the rule (for src_ip at least) */
 #define REMAP_OPTFLG_ALL_FILTERS (REMAP_OPTFLG_METHOD | REMAP_OPTFLG_SRC_IP | REMAP_OPTFLG_ACTION | REMAP_OPTFLG_INTERNAL)

diff --git a/proxy/http/remap/UrlRewrite.cc b/proxy/http/remap/UrlRewrite.cc
@@ -452,6 +452,26 @@ UrlRewrite::PerformACLFiltering(HttpTransact::State *s, url_mapping *map)
         }
       }
 
+      if (match && rp->dst_ip_valid) {
+        Debug("url_rewrite", "match was true and we have specified a dst_ip field");
+        match = false;
+        for (int j = 0; j < rp->dst_ip_cnt && !match; j++) {
+          IpEndpoint incoming_addr;
+          incoming_addr.assign(s->state_machine->ua_session->get_netvc()->get_local_addr());
+
+          bool in_range = rp->dst_ip_array[j].contains(incoming_addr);
+          if (rp->dst_ip_array[j].invert) {
+            if (!in_range) {
+              match = true;
+            }
+          } else {
+            if (in_range) {
+              match = true;
+            }
+          }
+        }
+      }
+
       if (rp->internal) {
         match = s->state_machine->ua_session->get_netvc()->get_is_internal_request();
         Debug("url_rewrite", "%s an internal request", match ? "matched" : "didn't match");