MINOR: pattern: forbid dns resolutions

This patch adds the flags "-n" on the acl parser. the flag "-n" forbif
the DNS resolutions. The maps have always the dns resolutions disabled.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 46bee9bdd138f2d4edfd22c95fe1d87a004b32f6..2875355561cd81765fdec4cde2d333e21663f8cd 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -8909,6 +8909,7 @@ The following ACL flags are currently supported :
    -i : ignore case during matching of all subsequent patterns.
    -f : load patterns from a file.
    -m : use a specific pattern matching method
+   -n : forbid the DNS resolutions
    -M : load the file pointed by -f like a map file.
    -u : force the unique id of the ACL
    -- : force end of flags. Useful when a string looks like one of the flags.
@@ -8954,6 +8955,15 @@ default one for the criterion. This makes it possible to match contents in ways
 that were not initially planned, or with sample fetch methods which return a
 string. The matching method also affects the way the patterns are parsed.
 
+The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
+By default, if the parser cannot parse ip address it considers that the parsed
+string is maybe a domain name and try dns resolution. The flag "-n" disable this
+resolution. It is useful for detecting malformed ip lists. Note that if the DNS
+server is not reachable, the haproxy configuration parsing may last many minutes
+waiting fir the timeout. During this time no error messages are displayed. The
+flag "-n" disable this behavior. Note also that during the runtime, this
+function is disabled for the dynamic acl modifications.
+
 There are some restrictions however. Not all methods can be used with all
 sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
 be placed first. The pattern matching method must be one of the following :

diff --git a/include/types/pattern.h b/include/types/pattern.h
index 839eae686f2c464d79bd6a77a9a70ea774e5f355..3859edab96b24f4e650f78f99364dbceca9400a6 100644 (file)
--- a/include/types/pattern.h
+++ b/include/types/pattern.h
@@ -65,6 +65,7 @@ enum pat_match_res {
 enum {
        PAT_F_IGNORE_CASE = 1 << 0,       /* ignore case */
        PAT_F_TREE        = 1 << 1,       /* some patterns are arranged in a tree */
+       PAT_F_NO_DNS      = 1 << 2,       /* dont perform any DNS requests */
 };
 
 /* ACL match methods */

diff --git a/src/acl.c b/src/acl.c
index 7efd89e84b728c64004edac68acd555b43cd752f..8d14c68d6f82f9d1ea789fb96a386ef7e41a172b 100644 (file)
--- a/src/acl.c
+++ b/src/acl.c
@@ -428,6 +428,8 @@ struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list *
        while (**args == '-') {
                if ((*args)[1] == 'i')
                        patflags |= PAT_F_IGNORE_CASE;
+               else if ((*args)[1] == 'n')
+                       patflags |= PAT_F_NO_DNS;
                else if ((*args)[1] == 'u') {
                        unique_id = strtol(args[1], &error, 10);
                        if (*error != '\0') {

diff --git a/src/map.c b/src/map.c
index 597907de94efc48002bc4f4c17fa98a61d7c869b..570937c5a9b84da1bd0551481aed2c7b6d606624 100644 (file)
--- a/src/map.c
+++ b/src/map.c
@@ -153,7 +153,7 @@ static int sample_load_map(struct arg *arg, struct sample_conv *conv,
        }
 
        /* Load map. */
-       if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, 0,
+       if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, PAT_F_NO_DNS,
                                    1, err, file, line))
                return 0;
 

diff --git a/src/pattern.c b/src/pattern.c
index 22aa9d4b7165352c7a86bf30f716fe600b8977bc..86f94db8dceae1fa29ed6805e9777663fe23c7ad 100644 (file)
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -405,7 +405,7 @@ int pat_parse_dotted_ver(const char *text, struct pattern *pattern, char **err)
  */
 int pat_parse_ip(const char *text, struct pattern *pattern, char **err)
 {
-       if (str2net(text, global.mode & MODE_STARTING,
+       if (str2net(text, !(pattern->flags & PAT_F_NO_DNS) && (global.mode & MODE_STARTING),
                    &pattern->val.ipv4.addr, &pattern->val.ipv4.mask)) {
                pattern->type = SMP_T_IPV4;
                return 1;