From: Amos Jeffries Date: Mon, 18 Mar 2013 10:10:13 +0000 (-0600) Subject: Polish: clarify authenticate_ip_ttl code X-Git-Tag: SQUID_3_4_0_1~230 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c35dd84844eb8706872edd412deadc5fdadfb26f;p=thirdparty%2Fsquid.git Polish: clarify authenticate_ip_ttl code This patch alters the directive implementation to only perform TTL addition when setting the expiry value. This improves speed a little when comparing timestamps, and allows the config file to display 1 second TTL instead of displaying 0 seconds and actually being 0-1 seconds. Which resolves some confusion about why max_user_ip ACL still works when the TTL is set to 0 seconds. Also, document the AuthUserIP class used to store the IP information.
---
diff --git a/src/auth/User.cc b/src/auth/User.cc
index d42041109d..95fd1d49e2 100644
--- a/src/auth/User.cc
+++ b/src/auth/User.cc
@@ -105,7 +105,7 @@ Auth::User::absorb(Auth::User::Pointer from)
 new_ipdata = static_cast(from->ip_list.head->data);
 /* If this IP has expired - ignore the expensive merge actions. */
- if (new_ipdata->ip_expiretime + ::Config.authenticateIpTTL < squid_curtime) {
+ if (new_ipdata->ip_expiretime <= squid_curtime) {
 /* This IP has expired - remove from the source list */
 dlinkDelete(&new_ipdata->node, &(from->ip_list));
 cbdataFree(new_ipdata);
@@ -124,7 +124,7 @@ Auth::User::absorb(Auth::User::Pointer from)
 /* update IP ttl and stop searching. */
 ipdata->ip_expiretime = max(ipdata->ip_expiretime, new_ipdata->ip_expiretime);
 break;
- } else if (ipdata->ip_expiretime + ::Config.authenticateIpTTL < squid_curtime) {
+ } else if (ipdata->ip_expiretime <= squid_curtime) {
 /* This IP has expired - cleanup the destination list */
 dlinkDelete(&ipdata->node, &ip_list);
 cbdataFree(ipdata);
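Review bot: The expiry predicate `ip_expiretime <= squid_curtime` is now spelled out by hand on the changed line here and again in the two later hunks of this patch (the second absorb() hunk and addIp()), so any future change to the TTL semantics has three places to keep in step. A one-line accessor on AuthUserIP, `bool expired(time_t now) const { return ip_expiretime <= now; }`, called as `if (new_ipdata->expired(squid_curtime)) {`, would state the convention once and make its boundary visible: an entry whose expiry equals the current second is already gone. absorb() begins and ends outside this hunk.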
@@ -309,7 +309,7 @@ Auth::User::addIp(Ip::Address ipaddr)
 found = 1;
 /* update IP ttl */
 ipdata->ip_expiretime = squid_curtime;
- } else if (ipdata->ip_expiretime + ::Config.authenticateIpTTL < squid_curtime) {
+ } else if (ipdata->ip_expiretime <= squid_curtime) {
 /* This IP has expired - remove from the seen list */
 dlinkDelete(&ipdata->node, &ip_list);
 cbdataFree(ipdata);
@@ -327,7 +327,7 @@ Auth::User::addIp(Ip::Address ipaddr)
 /* This ip is not in the seen list */
 ipdata = cbdataAlloc(AuthUserIP);
- ipdata->ip_expiretime = squid_curtime;
+ ipdata->ip_expiretime = squid_curtime + ::Config.authenticateIpTTL;
 ipdata->ipaddr = ipaddr;
diff --git a/src/auth/UserRequest.h b/src/auth/UserRequest.h
index f175573bbf..a59337539f 100644
--- a/src/auth/UserRequest.h
+++ b/src/auth/UserRequest.h
@@ -50,14 +50,24 @@ class HttpRequest;
 // AYJ: must match re-definition in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc
 #define MAX_AUTHTOKEN_LEN 32768
-/// \ingroup AuthAPI
+/**
+ * Node used to link an IP address to some user credentials
+ * for the max_user_ip ACL feature.
+ *
+ * \ingroup AuthAPI
+ */
 class AuthUserIP
 {
 public:
 dlink_node node;
- /* IP addr this user authenticated from */
+ /// IP address this user authenticated from
 Ip::Address ipaddr;
+
+ /** When this IP should be forgotten.
+ * Set to the time of last request made from this
+ * (user,IP) pair plus authenticate_ip_ttl seconds
+ */
 time_t ip_expiretime;
 };
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 2f0b212f52..e38603b1b5 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -615,7 +615,7 @@ DOC_END
 NAME: authenticate_ip_ttl
 TYPE: time_t
 LOC: Config.authenticateIpTTL
-DEFAULT: 0 seconds
+DEFAULT: 1 second
 DOC_START
 If you use proxy authentication and the 'max_user_ip' ACL,
 this directive controls how long Squid remembers the IP
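Review bot: The refresh path on the context line `ipdata->ip_expiretime = squid_curtime;` still stores the bare timestamp, while the new-entry path in the next hunk now stores `squid_curtime + ::Config.authenticateIpTTL` and the test two lines below it reads `ip_expiretime <= squid_curtime`. An IP already in the list is therefore treated as expired in the very second it is refreshed, so the next call to addIp() for a different address deletes it, and max_user_ip presumably undercounts the addresses a credential is being used from — the opposite of the sliding TTL that `/* update IP ttl */` describes and that the new AuthUserIP doc comment promises. The refresh should mirror the new-entry path: `ipdata->ip_expiretime = squid_curtime + ::Config.authenticateIpTTL;`. addIp() starts and ends outside this hunk.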
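Review bot: The new doc comment on `ip_expiretime` says how the value is written but not how it is read, and the User.cc hunks in this patch treat an entry whose `ip_expiretime` equals `squid_curtime` as already expired, so the field is an exclusive bound rather than a last-valid second. Suggest appending one line to the comment block: ` * An entry is considered expired once ip_expiretime <= squid_curtime.` That also documents why a TTL of 0 leaves every entry expired as soon as it is created.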
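Review bot: The default changes from 0 to 1 second, but an administrator who already has `authenticate_ip_ttl 0` in squid.conf now gets entries whose expiry equals their creation time, which the new `ip_expiretime <= squid_curtime` test in User.cc treats as already expired; before this patch the commit message notes the same setting kept an entry for the rest of the current second, which is what made max_user_ip still work at 0. The directive text should say so, e.g. after the visible sentence: `A value of 0 disables this memory: each IP is forgotten on the next request, so a max_user_ip limit is unlikely to ever be exceeded.` The remainder of DOC_START is outside this hunk, so disregard if it already covers the 0 case.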