From 261a4a4fdf1946c08a374b62705d39666572113e Mon Sep 17 00:00:00 2001
From: Aaron Hurt <ahurt@anbcs.com>
Date: Tue, 27 Nov 2018 09:09:32 -0600
Subject: [PATCH] fix ip access rules within tcp proxy - fixes #576 (#577)

* add debug logging to ip access checks
* properly format remote connection address prior to verification
---
 route/access_rules.go | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/route/access_rules.go b/route/access_rules.go
index 4b73108f7..f28c69d1b 100644
--- a/route/access_rules.go
+++ b/route/access_rules.go
@@ -64,9 +64,16 @@ func (t *Target) AccessDeniedHTTP(r *http.Request) bool {
 
 // AccessDeniedTCP checks rules on the target for TCP proxy routes.
 func (t *Target) AccessDeniedTCP(c net.Conn) bool {
-	ip := net.ParseIP(c.RemoteAddr().String())
-	if t.denyByIP(ip) {
-		return true
+	var addr *net.TCPAddr
+	var ok bool
+	// validate remote address assertion
+	if addr, ok = c.RemoteAddr().(*net.TCPAddr); !ok {
+		log.Printf("[ERROR] failed to assert remote connection address for %s", t.Service)
+		return false
+	}
+	// check remote connection address
+	if t.denyByIP(addr.IP) {
+			return true
 	}
 	// default allow
 	return false
@@ -82,10 +89,15 @@ func (t *Target) denyByIP(ip net.IP) bool {
 		var block *net.IPNet
 		for _, x := range t.accessRules[ipAllowTag] {
 			if block, ok = x.(*net.IPNet); !ok {
-				log.Print("[ERROR] failed to assert ip block while checking allow rule for ", t.Service)
+				log.Printf("[ERROR] failed to assert ip block while checking allow rule for %s", t.Service)
 				continue
 			}
+			// debug logging
+			log.Printf("[DEBUG] checking %s against ip allow rule %s", ip.String(), block.String())
+			// check block
 			if block.Contains(ip) {
+				// debug logging
+				log.Printf("[DEBUG] allowing request from %s via %s", ip.String(), block.String())
 				// specific allow matched - allow this request
 				return false
 			}
@@ -101,9 +113,12 @@ func (t *Target) denyByIP(ip net.IP) bool {
 		var block *net.IPNet
 		for _, x := range t.accessRules[ipDenyTag] {
 			if block, ok = x.(*net.IPNet); !ok {
-				log.Print("[INFO] failed to assert ip block while checking deny rule for ", t.Service)
+				log.Printf("[INFO] failed to assert ip block while checking deny rule for %s", t.Service)
 				continue
 			}
+			// debug logging
+			log.Printf("[DEBUG] checking %s against ip deny rule %s", ip.String(), block.String())
+			// check block
 			if block.Contains(ip) {
 				// specific deny matched - deny this request
 				log.Printf("[INFO] route rules denied access from %s to %s",
@@ -113,6 +128,9 @@ func (t *Target) denyByIP(ip net.IP) bool {
 		}
 	}
 
+	// debug logging
+	log.Printf("[DEBUG] default allowing request from %s that was not denied", ip.String())
+
 	// default - do not deny
 	return false
 }