From d0d41f07bec85a00222db3150e85bace30f82e43 Mon Sep 17 00:00:00 2001
From: wessels <>
Date: Tue, 17 Mar 1998 07:05:54 +0000
Subject: [PATCH] Henrik's domain regex patch
---
 src/acl.cc | 43 ++++++++++++++++++++++++++++++++++++++++---
 src/cf.data.pre | 47 +++++++++++++++++++++++++++--------------------
 src/enums.h | 2 ++
 3 files changed, 69 insertions(+), 23 deletions(-)
diff --git a/src/acl.cc b/src/acl.cc
index cb2392e70b..f3ab4d2d6e 100644
--- a/src/acl.cc
+++ b/src/acl.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: acl.cc,v 1.149 1998/03/16 23:12:55 wessels Exp $
+ * $Id: acl.cc,v 1.150 1998/03/17 00:05:54 wessels Exp $
 *
 * DEBUG: section 28 Access Control
 * AUTHOR: Duane Wessels
@@ -176,6 +176,10 @@ aclStrToType(const char *s)
 return ACL_DST_DOMAIN;
 if (!strcmp(s, "srcdomain"))
 return ACL_SRC_DOMAIN;
+ if (!strcmp(s, "dstdom_regex"))
+ return ACL_DST_DOM_REGEX;
+ if (!strcmp(s, "srcdom_regex"))
+ return ACL_SRC_DOM_REGEX;
 if (!strcmp(s, "time"))
 return ACL_TIME;
 if (!strcmp(s, "pattern"))
@@ -218,6 +222,10 @@ aclTypeToStr(squid_acl type)
 return "dstdomain";
 if (type == ACL_SRC_DOMAIN)
 return "srcdomain";
+ if (type == ACL_DST_DOM_REGEX)
+ return "dstdom_regex";
+ if (type == ACL_SRC_DOM_REGEX)
+ return "srcdom_regex";
 if (type == ACL_TIME)
 return "time";
 if (type == ACL_URLPATH_REGEX)
@@ -773,6 +781,10 @@ aclParseAclLine(acl ** head)
 case ACL_DST_DOMAIN:
 aclParseDomainList(&A->data);
 break;
+ case ACL_SRC_DOM_REGEX:
+ case ACL_DST_DOM_REGEX:
+ aclParseRegexList(&A->data);
+ break;
 case ACL_TIME:
 aclParseTimeSpec(&A->data);
 break;
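Review bot: The names `dstdom_regex` and `srcdom_regex` are now spelled out twice, once in the aclStrToType chain in this hunk and once in the aclTypeToStr chain in the next one, with nothing that ties the two to each other or to the enum. A typo in one direction would let a configured ACL parse under one name and be reported under another. A short comment above the added lines, `/* keep in step with aclTypeToStr() and squid_acl in enums.h */`, or a single name table shared by both functions, would make the coupling explicit. Both functions start and end outside their hunks.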
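Review bot: Nothing in the added `case ACL_SRC_DOM_REGEX: case ACL_DST_DOM_REGEX:` arm of aclParseAclLine says how the patterns handed to aclParseRegexList treat letter case. Host names are case-insensitive, and a name obtained by reverse lookup arrives in whatever case the remote zone publishes. If the list is compiled case-sensitively and the name is not lowercased before aclMatchRegex (neither is visible in this patch), a deny rule written in lower case would not match an upper-case PTR name. I would confirm which of the two holds and record it on this arm, e.g. `/* host names are case-insensitive: patterns must be compiled or matched accordingly */`. The switch continues outside the hunk.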
@@ -1319,9 +1331,34 @@ aclMatchAcl(acl * acl, aclCheck_t * checklist)
 acl->name, inet_ntoa(checklist->src_addr));
 checklist->state[ACL_SRC_DOMAIN] = ACL_LOOKUP_NEEDED;
 return 0;
- } else {
- return aclMatchDomainList(&acl->data, "none");
 }
+ return aclMatchDomainList(&acl->data, "none");
+ /* NOTREACHED */
+ case ACL_DST_DOM_REGEX:
+ if ((ia = ipcacheCheckNumeric(r->host)) == NULL)
+ return aclMatchRegex(acl->data, r->host);
+ fqdn = fqdncache_gethostbyaddr(ia->in_addrs[0], FQDN_LOOKUP_IF_MISS);
+ if (fqdn)
+ return aclMatchRegex(acl->data, fqdn);
+ if (checklist->state[ACL_DST_DOMAIN] == ACL_LOOKUP_NONE) {
+ debug(28, 3) ("aclMatchAcl: Can't yet compare '%s' ACL for '%s'\n",
+ acl->name, inet_ntoa(ia->in_addrs[0]));
+ checklist->state[ACL_DST_DOMAIN] = ACL_LOOKUP_NEEDED;
+ return 0;
+ }
+ return aclMatchRegex(acl->data, "none");
+ /* NOTREACHED */
+ case ACL_SRC_DOM_REGEX:
+ fqdn = fqdncache_gethostbyaddr(checklist->src_addr, FQDN_LOOKUP_IF_MISS);
+ if (fqdn) {
+ return aclMatchRegex(acl->data, fqdn);
+ } else if (checklist->state[ACL_SRC_DOMAIN] == ACL_LOOKUP_NONE) {
+ debug(28, 3) ("aclMatchAcl: Can't yet compare '%s' ACL for '%s'\n",
+ acl->name, inet_ntoa(checklist->src_addr));
+ checklist->state[ACL_SRC_DOMAIN] = ACL_LOOKUP_NEEDED;
+ return 0;
+ }
+ return aclMatchRegex(acl->data, "none");
 /* NOTREACHED */
 case ACL_TIME:
 return aclMatchTime(acl->data, squid_curtime);
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 985a92f540..ebd58282d1 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -150,7 +150,7 @@ DOC_START hostname type http_port icp_port - For example, + For example, # proxy icp # hostname type port port options
@@ -677,7 +677,7 @@ TYPE: string DEFAULT: @DEFAULT_PID_FILE@ LOC: Config.pidFilename DOC_START - A filename to write the process-id to. To disable, enter "none". + A filename to write the process-id to. To disable, enter "none". pid_filename @DEFAULT_PID_FILE@ DOC_END
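Review bot: Both new cases in the aclMatchAcl hunk fall back to `aclMatchRegex(acl->data, "none")` when the reverse lookup fails, so the literal string none is run through an administrator-written regex: an unanchored or broad pattern can match it, and a deny rule keyed on a domain pattern will not match an IP-literal URL whose PTR lookup fails. The names fed to the regex on the lookup paths come from reverse DNS, which is controlled by whoever runs the reverse zone and is not forward-confirmed anywhere in this hunk, so an unanchored pattern such as `foo\.com` also matches a longer name that merely contains it. I would put a comment on each fallback return, `/* lookup failed: match the placeholder "none"; PTR names are unverified, so patterns should be anchored */`, and carry the same caveat into the cf.data.pre text. Separately, both cases record their pending lookup in `checklist->state[ACL_DST_DOMAIN]` and `checklist->state[ACL_SRC_DOMAIN]` rather than in a slot of their own; that looks deliberate but deserves a one-line comment. aclMatchAcl starts and ends outside the hunk.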
@@ -1199,8 +1199,15 @@ DOC_START
 acl aclname src ip-address/netmask ... (clients IP address)
 acl aclname src addr1-addr2/netmask ... (range of addresses)
 acl aclname dst ip-address/netmask ... (URL host's IP address)
- acl aclname srcdomain foo.com ... (taken from reverse DNS lookup)
- acl aclname dstdomain foo.com ... (taken from the URL)
+
+ acl aclname srcdomain foo.com ... # reverse lookup, client IP
+ acl aclname dstdomain foo.com ... # Destination server from URL
+ acl aclname srcdom_regex xxx ... # regex matching client name
+ acl aclname dstdom_regex xxx ... # regex matching server
+ # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
+ # based URL is used. The name "none" is used if the reverse lookup
+ # fails.
+
 acl aclname time [day-abbrevs] [h1:m1-h2:m2]
 day-abbrevs:
 S - Sunday
@@ -1212,7 +1219,7 @@ DOC_START A - Saturday h1:m1 must be less than h2:m2 acl aclname url_regex ^http:// ... # regex matching on whole URL - acl aclname urlpath_regex \.gif$ ... # regex matching on URL path only + acl aclname urlpath_regex \.gif$ ... # regex matching on URL path acl aclname port 80 70 21 ... acl aclname proto HTTP FTP ... acl aclname method GET POST ...
@@ -1227,7 +1234,7 @@ DOC_START # example for routing all requests for AS#1241 and only # those to mycache.mydomain.net: # acl asexample dst_as 1241 - # cache_host_acl mycache.mydomain.net asexample + # cache_host_acl mycache.mydomain.net asexample # cache_host_acl mycache_mydomain.net !all acl aclname proxy_auth passwd_file [ refresh ]
@@ -1616,7 +1623,7 @@ DOC_START If set, Squid will keep pools of allocated (but unused) memory available for future use. If memory is a premium on your system and you believe your malloc library outperforms Squid - routines, disable this. + routines, disable this. memory_pools on DOC_END
@@ -1917,7 +1924,7 @@ TYPE: acl_access LOC: Config.accessList.NeverDirect DEFAULT: none DOC_START - Usage: never_direct allow|deny [!]aclname ... + Usage: never_direct allow|deny [!]aclname ... never_direct is the opposite of always_direct. Please read the description for always_direct if you have not already.
@@ -1929,10 +1936,10 @@ DOC_START example, to force the use of a proxy for all requests, except those in your local domain, use something like: - acl local-servers dstdomain my.domain.net + acl local-servers dstdomain my.domain.net acl all src 0.0.0.0/0.0.0.0 - never_direct deny local-servers - never_direct allow all + never_direct deny local-servers + never_direct allow all DOC_END NAME: fake_user_agent
@@ -1940,13 +1947,13 @@ TYPE: eol LOC: Config.fake_ua DEFAULT: none DOC_START - If you use the paranoid http_anonymizer setting, Squid will strip - your User-agent string from the request. Some Web servers will - refuse your request without a User-agent string. Use this to - fake one up. For example: + If you use the paranoid http_anonymizer setting, Squid will strip + your User-agent string from the request. Some Web servers will + refuse your request without a User-agent string. Use this to + fake one up. For example: - fake_user_agent Nutscrape/1.0 (CP/M; 8-bit) - (credit to Paul Southworth pauls@etext.org for this one!) + fake_user_agent Nutscrape/1.0 (CP/M; 8-bit) + (credit to Paul Southworth pauls@etext.org for this one!) fake_user_agent none DOC_END
@@ -2054,9 +2061,9 @@ DOC_START allow you to set Squid into port 161 and your system's snmpd to another port by changing /etc/services. - WARNING: Because of Squid acting as a proxy snmpd for system - you have to do security checks on THIS snmpd for all objects. - Check your snmp_config_file. + WARNING: Because of Squid acting as a proxy snmpd for system + you have to do security checks on THIS snmpd for all objects. + Check your snmp_config_file. forward_snmpd_port 0 DOC_END
diff --git a/src/enums.h b/src/enums.h
index 1a5867ec58..2dce6324ae 100644
--- a/src/enums.h
+++ b/src/enums.h
@@ -58,6 +58,8 @@ typedef enum {
 ACL_DST_IP,
 ACL_SRC_DOMAIN,
 ACL_DST_DOMAIN,
+ ACL_SRC_DOM_REGEX,
+ ACL_DST_DOM_REGEX,
 ACL_TIME,
 ACL_URLPATH_REGEX,
 ACL_URL_REGEX,
--
2.47.3
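Review bot: The two enumerators are inserted in the middle of the enum, between ACL_DST_DOMAIN and ACL_TIME, which renumbers ACL_TIME and every value after it. That is harmless while the values are only used by name, but any table filled by position from this enum, or any place where the numeric type is logged or stored, shifts with it; none of those are visible from this hunk. Either append new types at the end of the list or confirm that nothing depends on the old numbering. A trailing comment on each new line would also help, e.g. `ACL_SRC_DOM_REGEX, /* regex on the client's reverse-DNS name; shares ACL_SRC_DOMAIN lookup state */`. The enum starts before and continues past the hunk.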