Currently, dst, dstdom, dstdom_regex (and other?) DNS-related ACLs do DNS
lookups if such a lookup is needed to convert an IP address into a domain name
or vice versa. This creates two kinds of problems:
- It is difficult to identify requests that use raw IP addresses in Request-URI
or Host headers. One would have to use something like url_regex and possibly
req_header to identify those before using dst ACLs to match the request
destination against a known IP subnet. IPv6 would only make this harder.
- It is difficult to use dst* ACLs in options that support fast ACLs only.
If an async lookup is required, the answer will be unpredictable (now)
or DUNNO (when the ACL bugs are fixed), possibly with warnings and other
complications.
This patch adds a -n option to dst, dstdom, dstdom_regex and other DNS-related
ACLs. The option disable lookups and address type conversions. If lookup or
conversion is required because the parameter type (IP or domain name) does not
match the message address type (domain name or IP), then the ACL with a -n
option would immediately declare a mismatch without any warnings or lookups.
The "--" option can be used to stop processing all options, in the case the
first acl value has '-' character as first character (for example the '-' is
a valid domain name)
For example:
# Matches requests with full URI host set to localhost
# but not requests with full URI host set to 127.0.0.1
acl toLocalRawName dstdom -n localhost
http_access allow toLocalRawName
# Use -- option to stop processing flags
acl AnACL dst_domain -n -- -cream-and-sugar.tumblr.com
# Matches requests with full URI host set to 127.0.0.1
# but not requests with full URI host set to localhost
acl toLocalRawIp dst -n 127.0.0.1/32
cache_peer_access peer1 allow toLocalRawIp
Please note that -n prohibits lookups in Squid's DNS caches as well.
Tianyin Xu [Fri, 25 Jan 2013 01:26:21 +0000 (18:26 -0700)]
Polish squid.conf parsing validation
* Updates ato*() functiosn to safer xato*() alternatives provided by
the Squid compat library. Along with error messages on invalid
configuration values detected by these.
* Add protection against integer overflow on most options
* Add parse deprecation messages on enable/disable for boolean and
and trilean options.
* Add 'wrong-value' error messages on most options.
Alex Rousskov [Thu, 24 Jan 2013 16:22:45 +0000 (09:22 -0700)]
Bug 3111: Mid-term fix for the forward.cc "err" assertion.
The assert is triggered when a close handler for the server connection
destroys FwdState before we have received anything from the origin server.
Instead of asserting, we now respond with a 502 (Bad Gateway) ERR_READ_ERROR.
That error seems the most appropriate single choice among available ones, but
it may be misleading (in access.log) when the close handler was called due to
client problems. Hopefully, another error will be logged in most of those
cases.
Propagate pinned connection persistency and closures to the client.
Squid was trying hard to forward a request after pinned connection failures
because some of those failures were benign pconn races. That meant re-pinning
failed connections. After a few iterations to correctly handle non-idempotent
requests, the code appeared to work, but the final design, with all the added
complexity and related dangers was deemed inferior to the approach we use now.
Squid now simply propagates connection closures (including pconn races) to the
client. It is now the client responsibility not to send non-idempotent requests
on idle persistent connections and to recover from pconn races.
Squid also propagates HTTP connection persistency indicators from client to
server and back, to make client job feasible. Squid will send Connection:close
and will close the client connection if the pinned server says so, even if
Squid could still maintain a persistent connection with the client.
These changes are not mean to affect regular (not pinned) transactions.
In access.log, one can detect requests that were not responded to (due to race
conditions on pinned connections) by searching for ERR_ZERO_SIZE_OBJECT
%err_code with TCP_MISS/000 status and zero response bytes.
Amos Jeffries [Tue, 22 Jan 2013 11:33:57 +0000 (00:33 +1300)]
Bug 3676: Fix Shadowed variables
This resolves a number more shadowed variables found by the more strict
compilers in the layer-02-maximus optional components.
There should be no logic changes in this patch.
Amos Jeffries [Wed, 16 Jan 2013 11:49:51 +0000 (00:49 +1300)]
squidpurge: Polish details of what filename is generated from
* change strlen(url) to strlen(ptrt) since the string under ptr is being
added to filename, not the whole URL.
* also add a few extra magic bytes to make it clear that there is space
for delimiters and termination bytes. These were previously hidden as
extra bytes in the URL prefix length.
Should resolve Coverity Scan false positive issue 740414
Amos Jeffries [Wed, 16 Jan 2013 11:22:25 +0000 (00:22 +1300)]
squidpurge: display friendly errors on missing command line options
Currently the tool will crash with a segmentation fault if any one of
several command switches which are expected to have a mandatory argument
are in fact followed by nothing.
Detect these cases and display a message about what is missing.
Amos Jeffries [Wed, 16 Jan 2013 07:30:47 +0000 (20:30 +1300)]
Fix ConnOpener IPv6 awareness
When updating IPv6 support for split-stack one USE_IPV6 wrapper was
omitted conversion to the EnabledIpv6 stack auto-detect mechanism.
This resulted in IPv6 addresses being mis-converted on split-stack
systems or with IPv6 disabled in the kernel and --enable-ipv6 built.
The visible symptom is "assert(FALSE)" in Ip::Address::GetAddrInfo().
Amos Jeffries [Tue, 15 Jan 2013 01:01:30 +0000 (18:01 -0700)]
Initialize mem_node fully
Experience in squid-2.7 shows that with MemPools use of malloc instead
of calloc mem_node requires full initialization in order to get accurate
memory accounting.
Amos Jeffries [Mon, 14 Jan 2013 05:01:04 +0000 (22:01 -0700)]
MemPools: remove zero on allocate (calloc) from some pool types
As we are closing defects identified by Coverity and improving
constructors everywhere we are creating a minor anti-pattern in
MemPool'ed objects with calloc() in the pool initializing the memory
then constructors re-initializing it in a better way for that object.
MemPools contains a doZeroOnPush flag to optimize performance by removing
use of memset() as chunks are added back into the pool. However, on
closer inspection it is clear that the following pop() process to re-use
those chunks is never performing memset() anyway. As such I believe that
there is no special need to use calloc() on these particular object types
in the first place.
Update MemPools to use malloc() instead of calloc() on all types with
doZeroOnPush set. This should increase performance a little, and allows
us to remove the anti-pattern by setting doZeroOnPush for more objects
as we can verify they are correctly initialized by their constructors.
Alex Rousskov [Sat, 12 Jan 2013 18:34:10 +0000 (11:34 -0700)]
Fix "address.GetPort() != 0" assertion for helpers on FreeBSD (at least).
The order (or set of?) #include files used by src/ssl/helper.cc (and
probably by other helper source files) has changed recently, exposing a
defines.h dependency on sys/socket.h where that system header is
required to define AF_UNIX. With AF_UNIX incorrectly undefined,
IPC_STREAM was set to IPC_TCP_SOCKET instead of IPC_UNIX_STREAM, and
helpers that do not have a notion of a listening port, were trying to
create communication sockets using TCP streams, triggering a "must have
a port" assertion in comm_connect_addr() called from ipcCreate().
TODO: Moving IPC_* defines into an IPC-specific header file may be a
better solution then exposing all defines.h users to sys/socket.h.
Amos Jeffries [Fri, 11 Jan 2013 05:05:52 +0000 (22:05 -0700)]
WCCP: Fix memory leak in mask assignment, improve debuggsing.
* Release temporary weight array allocated on each HERE_I_AM packet sent
by Squid. For mask assignment these were not released properly and may
build up to a significant size of memory over time.
* Add debug traces to send() events to report failures sending packets
* Also, on HERE_I_AM event send() failure, reduce the timeout to 2sec
for the retry in a crude attempt to prevent router state flapping.
* Silence compiler warnings on use of connect() to disconnect a socket.
Inconsistent OS behaviour makes the result useless in this case.
Amos Jeffries [Tue, 8 Jan 2013 23:51:02 +0000 (16:51 -0700)]
Bug 3731: use 'int' on all systems settign TOS value.
FreeBSD is confirmed erroring out on 8-bit variable size. Other BSD are
documented in a way that implies they do as well, although not at this
stage confirmed to be failing.
Linux seems to be the only confirmed system workign with 8-bit size sent
to setsockopt(). So we revert this to 'int' (32-bit or 64-bit) as was
working in Squid 3.1.
Alex Rousskov [Wed, 2 Jan 2013 18:50:24 +0000 (11:50 -0700)]
Fixed SMP cache mgr request handling.
Coordinator could not successfully parse any SMP cache manager request since
r12410 "Polish: Http::MethodType upgrade" because the parsing code assumed the
presence of the request method ID field that was no longer added by the
request packing code.
Amos Jeffries [Tue, 1 Jan 2013 03:20:47 +0000 (20:20 -0700)]
Fix memory leaks in ICMP
InitAddrInfo() and GetAddrInfo() both allocate addrinfo structs which
must be freed by FreeAddrInfo(). Several places in ICMP were not doing
that free step.
Detected by Coverity Scan. Issues 740434, 740435, 740436, 740437.
Amos Jeffries [Mon, 31 Dec 2012 07:42:32 +0000 (20:42 +1300)]
squidpurge: fix META TLV parsing issues
* current Squid may stoe objects with up to 64KB URLs and 64KB headers
in the disk cache. Increas the tool buffer to 128KB to prevent
truncating the loaded meta data.
* check for and report when meta data overruns the end of loaded buffer
content. Ignore the truncated TLV entry and produce a WARNING.
* validate the TLV size field loaded from disk to prevent buffer overrun
errors from corrupted files on disk.
Fix some issues revealed by Coverty Scan, improve documentation of parseHttpRequest
Address issues for the defect classes:
- Array compared against 0
- Copy into fixed size buffer
- Dereference after null check
- Dereference before null check
Amos Jeffries [Thu, 27 Dec 2012 10:17:04 +0000 (03:17 -0700)]
Fix various issues in unit tests
* Define MemObject stub constructor to initialize teh stub object properly
apparently store unit tests needs one defined. Best to make it work and
set base values than leave garbage in the object fields.
* Buffer overrun on config parser if test is ever given a too-long
string input.
* Memory leak in HttpRequest testing. One instance of a short array.
* Range: header testing may thor exceptions which were not caught by the
test binary. Could lead to difficulty debugging exception errors.
Detected by Coverity Scan. Issues 740523, 740482, 740440, 740498
Amos Jeffries [Thu, 27 Dec 2012 01:42:48 +0000 (14:42 +1300)]
kqueue: update status from experimental to fully available net I/O method
kqueue has been in use on FreeBSD and maybe others for some time now and
has less bugs than epoll. So the issues on record should not be held
against it.
The attached patch adds auto-detection for the kqueue dependencies and
enables it by default when it can build. Unfortunately due to the
dependencies we cannot add it to maximus layer for force-enable, but the
default layer will test it on FreeBSD at least. It is still less
preferred than epoll(), but more than select() and poll().
Alex Rousskov [Fri, 14 Dec 2012 16:10:05 +0000 (09:10 -0700)]
Polished helper messages debugging slightly.
Made stateful and stateless debugging a little bit more similar/symmetric.
Debug helperStatefulSubmit message contents length.
Debug accumulated helperStatefulHandleRead buffer.
Polished helperHandleRead buffer debugging.
Alex Rousskov [Fri, 14 Dec 2012 16:07:18 +0000 (09:07 -0700)]
Added Raw, an std::ostream manipulator to print possibly non-terminated buffers
and their labels/sizes.
The Raw manipulator tries to be smart about printing buffers at various
debugging levels: Large buffers are only printed at DBG_DATA by default.
This allows the caller to mix higher-level debug messages with dumping
of potentially large volumes of data. This smartness can be overruled
using an explicit minLevel() method call.
projects / thirdparty / squid.git / log
