From: robertc <> Date: Sun, 21 Sep 2003 06:30:46 +0000 (+0000) Subject: Summary: ACL tweaks. X-Git-Tag: SQUID_3_0_PRE4~1204 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b448c119895906caa3c8989cb9e61e9bbef1e74a;p=thirdparty%2Fsquid.git Summary: ACL tweaks. Keywords: Move aclCheckFast to ACLChecklist::fastCheck(), and adjust callers. Move aclChecklistCreate into the ACLChecklist source. Move the common code leading into matchAclList into the top of matchACLList. --- diff --git a/src/ACLChecklist.cc b/src/ACLChecklist.cc index 12ef5fbf33..bde58fae93 100644 --- a/src/ACLChecklist.cc +++ b/src/ACLChecklist.cc @@ -1,5 +1,5 @@ /* - * $Id: ACLChecklist.cc,v 1.14 2003/08/04 22:14:38 robertc Exp $ + * $Id: ACLChecklist.cc,v 1.15 2003/09/21 00:30:48 robertc Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -194,9 +194,6 @@ ACLChecklist::markFinished() void ACLChecklist::checkAccessList() { - debug(28, 3) ("ACLChecklist::checkAccessList: %p checking '%s'\n", this, accessList->cfgline); - /* what is our result on a match? */ - currentAnswer(accessList->allow); /* does the current AND clause match */ matchAclListSlow(accessList->aclList); } @@ -239,6 +236,9 @@ void ACLChecklist::matchAclList(const acl_list * head, bool const fast) { PROF_start(aclMatchAclList); + debug(28, 3) ("ACLChecklist::matchAclList: %p checking '%s'\n", this, accessList->cfgline); + /* what is our result on a match? */ + currentAnswer(accessList->allow); const acl_list *node = head; while (node) { @@ -388,6 +388,33 @@ ACLChecklist::nonBlockingCheck(PF * callback_, void *callback_data_) check(); } +/* Warning: do not cbdata lock this here - it + * may be static or on the stack + */ +int +ACLChecklist::fastCheck() +{ + PROF_start(aclCheckFast); + currentAnswer(ACCESS_DENIED); + debug(28, 5) ("aclCheckFast: list: %p\n", accessList); + + while (accessList) { + matchAclListFast(accessList->aclList); + + if (finished()) { + PROF_stop(aclCheckFast); + return currentAnswer() == ACCESS_ALLOWED; + } + + accessList = accessList->next; + } + + debug(28, 5) ("aclCheckFast: no matches, returning: %d\n", currentAnswer() == ACCESS_DENIED); + PROF_stop(aclCheckFast); + return currentAnswer() == ACCESS_DENIED; +} + + bool ACLChecklist::destinationDomainChecked() const { @@ -426,6 +453,50 @@ ACLChecklist::checking (bool const newValue) checking_ = newValue; } +/* + * Any ACLChecklist created by aclChecklistCreate() must eventually be + * freed by ACLChecklist::operator delete(). There are two common cases: + * + * A) Using aclCheckFast(): The caller creates the ACLChecklist using + * aclChecklistCreate(), checks it using aclCheckFast(), and frees it + * using aclChecklistFree(). + * + * B) Using aclNBCheck() and callbacks: The caller creates the + * ACLChecklist using aclChecklistCreate(), and passes it to + * aclNBCheck(). Control eventually passes to ACLChecklist::checkCallback(), + * which will invoke the callback function as requested by the + * original caller of aclNBCheck(). This callback function must + * *not* invoke aclChecklistFree(). After the callback function + * returns, ACLChecklist::checkCallback() will free the ACLChecklist using + * aclChecklistFree(). + */ + +ACLChecklist * +aclChecklistCreate(const acl_access * A, HttpRequest * request, const char *ident) +{ + ACLChecklist *checklist = new ACLChecklist; + + if (A) + checklist->accessList = cbdataReference(A); + + if (request != NULL) { + checklist->request = requestLink(request); + checklist->src_addr = request->client_addr; + checklist->my_addr = request->my_addr; + checklist->my_port = request->my_port; + } + +#if USE_IDENT + if (ident) + xstrncpy(checklist->rfc931, ident, USER_IDENT_SZ); + +#endif + + checklist->auth_user_request = NULL; + + return checklist; +} + #ifndef _USE_INLINE_ #include "ACLChecklist.cci" #endif diff --git a/src/ACLChecklist.h b/src/ACLChecklist.h index fb6ae8b14e..544411e02f 100644 --- a/src/ACLChecklist.h +++ b/src/ACLChecklist.h @@ -1,6 +1,6 @@ /* - * $Id: ACLChecklist.h,v 1.17 2003/08/11 13:00:41 robertc Exp $ + * $Id: ACLChecklist.h,v 1.18 2003/09/21 00:30:48 robertc Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -91,6 +91,7 @@ class NullState : public AsyncState ACLChecklist &operator=(ACLChecklist const &); void nonBlockingCheck(PF * callback, void *callback_data); + int fastCheck(); void checkCallback(allow_t answer); _SQUID_INLINE_ bool matchAclListFast(const acl_list * list); _SQUID_INLINE_ void matchAclListSlow(const acl_list * list); @@ -154,7 +155,6 @@ private: SQUIDCEXTERN ACLChecklist *aclChecklistCreate(const acl_access *, HttpRequest *, const char *ident); -SQUIDCEXTERN int aclCheckFast(const acl_access *A, ACLChecklist *); #ifdef _USE_INLINE_ #include "ACLChecklist.cci" diff --git a/src/DelayId.cc b/src/DelayId.cc index 6f7464471f..163aec420e 100644 --- a/src/DelayId.cc +++ b/src/DelayId.cc @@ -1,6 +1,6 @@ /* - * $Id: DelayId.cc,v 1.14 2003/09/06 12:47:34 robertc Exp $ + * $Id: DelayId.cc,v 1.15 2003/09/21 00:30:48 robertc Exp $ * * DEBUG: section 77 Delay Pools * AUTHOR: Robert Collins @@ -114,8 +114,11 @@ DelayId::DelayClient(clientHttpRequest * http) ch.request = requestLink(r); + ch.accessList = DelayPools::delay_data[pool].access; + if (DelayPools::delay_data[pool].theComposite().getRaw() && - aclCheckFast(DelayPools::delay_data[pool].access, &ch)) { + ch.fastCheck()) { + ch.accessList = NULL; DelayId result (pool + 1); CompositePoolNode::CompositeSelectionDetails details; details.src_addr = ch.src_addr; @@ -124,6 +127,8 @@ DelayId::DelayClient(clientHttpRequest * http) result.compositePosition(DelayPools::delay_data[pool].theComposite()->id(details)); return result; } + + ch.accessList = NULL; } diff --git a/src/HttpHeaderTools.cc b/src/HttpHeaderTools.cc index 5dc15c8c59..920bc47f38 100644 --- a/src/HttpHeaderTools.cc +++ b/src/HttpHeaderTools.cc @@ -1,6 +1,6 @@ /* - * $Id: HttpHeaderTools.cc,v 1.44 2003/08/10 11:00:40 robertc Exp $ + * $Id: HttpHeaderTools.cc,v 1.45 2003/09/21 00:30:46 robertc Exp $ * * DEBUG: section 66 HTTP Header Tools * AUTHOR: Alex Rousskov @@ -515,7 +515,7 @@ httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request) hm = &Config.header_access[e->id]; checklist = aclChecklistCreate(hm->access_list, request, NULL); - if (1 == aclCheckFast(hm->access_list, checklist)) { + if (1 == checklist->fastCheck()) { /* aclCheckFast returns 1 for allow. */ retval = 1; } else if (NULL == hm->replacement) { diff --git a/src/acl.cc b/src/acl.cc index 3b80f4b456..505aebf0c4 100644 --- a/src/acl.cc +++ b/src/acl.cc @@ -1,5 +1,5 @@ /* - * $Id: acl.cc,v 1.311 2003/08/10 11:00:40 robertc Exp $ + * $Id: acl.cc,v 1.312 2003/09/21 00:30:46 robertc Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -476,77 +476,6 @@ ACLList::matches (ACLChecklist *checklist) const return true; } -/* Warning: do not cbdata lock checklist here - it - * may be static or on the stack - */ -int -aclCheckFast(const acl_access * A, ACLChecklist * checklist) -{ - allow_t allow = ACCESS_DENIED; - PROF_start(aclCheckFast); - debug(28, 5) ("aclCheckFast: list: %p\n", A); - - while (A) { - allow = A->allow; - checklist->matchAclListFast(A->aclList); - - if (checklist->finished()) { - PROF_stop(aclCheckFast); - return allow == ACCESS_ALLOWED; - } - - A = A->next; - } - - debug(28, 5) ("aclCheckFast: no matches, returning: %d\n", allow == ACCESS_DENIED); - PROF_stop(aclCheckFast); - return allow == ACCESS_DENIED; -} - -/* - * Any ACLChecklist created by aclChecklistCreate() must eventually be - * freed by ACLChecklist::operator delete(). There are two common cases: - * - * A) Using aclCheckFast(): The caller creates the ACLChecklist using - * aclChecklistCreate(), checks it using aclCheckFast(), and frees it - * using aclChecklistFree(). - * - * B) Using aclNBCheck() and callbacks: The caller creates the - * ACLChecklist using aclChecklistCreate(), and passes it to - * aclNBCheck(). Control eventually passes to ACLChecklist::checkCallback(), - * which will invoke the callback function as requested by the - * original caller of aclNBCheck(). This callback function must - * *not* invoke aclChecklistFree(). After the callback function - * returns, ACLChecklist::checkCallback() will free the ACLChecklist using - * aclChecklistFree(). - */ - - -ACLChecklist * -aclChecklistCreate(const acl_access * A, HttpRequest * request, const char *ident) -{ - ACLChecklist *checklist = new ACLChecklist; - - if (A) - checklist->accessList = cbdataReference(A); - - if (request != NULL) { - checklist->request = requestLink(request); - checklist->src_addr = request->client_addr; - checklist->my_addr = request->my_addr; - checklist->my_port = request->my_port; - } - -#if USE_IDENT - if (ident) - xstrncpy(checklist->rfc931, ident, USER_IDENT_SZ); - -#endif - - checklist->auth_user_request = NULL; - - return checklist; -} /*********************/ /* Destroy functions */ diff --git a/src/client_side.cc b/src/client_side.cc index f972b1c871..16848fc818 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -1,6 +1,6 @@ /* - * $Id: client_side.cc,v 1.659 2003/09/06 12:47:34 robertc Exp $ + * $Id: client_side.cc,v 1.660 2003/09/21 00:30:46 robertc Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -512,7 +512,7 @@ ClientHttpRequest::logRequest() checklist->reply = al.reply; - if (!Config.accessList.log || aclCheckFast(Config.accessList.log, checklist)) { + if (!Config.accessList.log || checklist->fastCheck()) { al.request = requestLink(request); accessLogLog(&al, checklist); updateCounters(); @@ -2742,9 +2742,13 @@ httpAccept(int sock, int newfd, ConnectionDetail *details, identChecklist.my_port = ntohs(details->me.sin_port); - if (aclCheckFast(Config.accessList.identLookup, &identChecklist)) + identChecklist.accessList = Config.accessList.identLookup; + + if (identChecklist.fastCheck()) identStart(&details->me, &details->peer, clientIdentDone, connState); + identChecklist.accessList = NULL; + #endif connState->readSomeData(); diff --git a/src/forward.cc b/src/forward.cc index 7414826be7..326b3c5d5f 100644 --- a/src/forward.cc +++ b/src/forward.cc @@ -1,6 +1,6 @@ /* - * $Id: forward.cc,v 1.113 2003/09/19 13:25:37 hno Exp $ + * $Id: forward.cc,v 1.114 2003/09/21 00:30:47 robertc Exp $ * * DEBUG: section 17 Request Forwarding * AUTHOR: Duane Wessels @@ -864,7 +864,9 @@ fwdStart(int fd, StoreEntry * e, HttpRequest * r) ch.my_addr = r->my_addr; ch.my_port = r->my_port; ch.request = requestLink(r); - answer = aclCheckFast(Config.accessList.miss, &ch); + ch.accessList = Config.accessList.miss; + answer = ch.fastCheck(); + ch.accessList = NULL; if (answer == 0) { err = errorCon(ERR_FORWARDING_DENIED, HTTP_FORBIDDEN); diff --git a/src/http.cc b/src/http.cc index 1f88ba08fb..c7612e0974 100644 --- a/src/http.cc +++ b/src/http.cc @@ -1,6 +1,6 @@ /* - * $Id: http.cc,v 1.427 2003/09/01 03:49:38 robertc Exp $ + * $Id: http.cc,v 1.428 2003/09/21 00:30:47 robertc Exp $ * * DEBUG: section 11 Hypertext Transfer Protocol (HTTP) * AUTHOR: Harvest Derived @@ -1665,17 +1665,20 @@ httpSendRequestEntityDone(int fd, void *data) ACLChecklist ch; debug(11, 5) ("httpSendRequestEntityDone: FD %d\n", fd); ch.request = requestLink(httpState->request); + ch.accessList = Config.accessList.brokenPosts; if (!Config.accessList.brokenPosts) { debug(11, 5) ("httpSendRequestEntityDone: No brokenPosts list\n"); HttpStateData::SendComplete(fd, NULL, 0, COMM_OK, data); - } else if (!aclCheckFast(Config.accessList.brokenPosts, &ch)) { + } else if (!ch.fastCheck()) { debug(11, 5) ("httpSendRequestEntityDone: didn't match brokenPosts\n"); HttpStateData::SendComplete(fd, NULL, 0, COMM_OK, data); } else { debug(11, 2) ("httpSendRequestEntityDone: matched brokenPosts\n"); comm_old_write(fd, "\r\n", 2, HttpStateData::SendComplete, data, NULL); } + + ch.accessList = NULL; } static void diff --git a/src/icp_v2.cc b/src/icp_v2.cc index 8fdbc53e53..b69255e704 100644 --- a/src/icp_v2.cc +++ b/src/icp_v2.cc @@ -1,6 +1,6 @@ /* - * $Id: icp_v2.cc,v 1.83 2003/09/01 03:49:39 robertc Exp $ + * $Id: icp_v2.cc,v 1.84 2003/09/21 00:30:47 robertc Exp $ * * DEBUG: section 12 Internet Cache Protocol * AUTHOR: Duane Wessels @@ -398,7 +398,10 @@ icpAccessAllowed(struct sockaddr_in *from, HttpRequest * icp_request) checklist.src_addr = from->sin_addr; checklist.my_addr = no_addr; checklist.request = requestLink(icp_request); - return aclCheckFast(Config.accessList.icp, &checklist); + checklist.accessList = Config.accessList.icp; + int result = checklist.fastCheck(); + checklist.accessList = NULL; + return result; } char const * diff --git a/src/neighbors.cc b/src/neighbors.cc index c3048542b0..535e066815 100644 --- a/src/neighbors.cc +++ b/src/neighbors.cc @@ -1,6 +1,6 @@ /* - * $Id: neighbors.cc,v 1.322 2003/08/13 00:39:16 wessels Exp $ + * $Id: neighbors.cc,v 1.323 2003/09/21 00:30:47 robertc Exp $ * * DEBUG: section 15 Neighbor Routines * AUTHOR: Harvest Derived @@ -185,6 +185,8 @@ peerAllowedToUse(const peer * p, HttpRequest * request) checklist.request = requestLink(request); + checklist.accessList = p->access; + #if 0 && USE_IDENT /* * this is currently broken because 'request->user_ident' has been @@ -196,7 +198,11 @@ peerAllowedToUse(const peer * p, HttpRequest * request) #endif - return aclCheckFast(p->access, &checklist); + int result = checklist.fastCheck(); + + checklist.accessList = NULL; + + return result; } /* Return TRUE if it is okay to send an ICP request to this peer. */ diff --git a/src/redirect.cc b/src/redirect.cc index 6400c8dd4b..c31cf4e788 100644 --- a/src/redirect.cc +++ b/src/redirect.cc @@ -1,6 +1,6 @@ /* - * $Id: redirect.cc,v 1.101 2003/07/14 14:16:02 robertc Exp $ + * $Id: redirect.cc,v 1.102 2003/09/21 00:30:47 robertc Exp $ * * DEBUG: section 61 Redirector * AUTHOR: Duane Wessels @@ -129,12 +129,16 @@ redirectStart(clientHttpRequest * http, RH * handler, void *data) } ch.request = requestLink(http->request); + ch.accessList = Config.accessList.redirector; - if (!aclCheckFast(Config.accessList.redirector, &ch)) { + if (!ch.fastCheck()) { + ch.accessList = NULL; /* denied -- bypass redirector */ handler(data, NULL); return; } + + ch.accessList = NULL; } if (Config.onoff.redirector_bypass && redirectors->stats.queue_size) { diff --git a/src/snmp_core.cc b/src/snmp_core.cc index 6c7ec78f7e..b50f5d3a88 100644 --- a/src/snmp_core.cc +++ b/src/snmp_core.cc @@ -1,6 +1,6 @@ /* - * $Id: snmp_core.cc,v 1.64 2003/02/25 12:24:35 robertc Exp $ + * $Id: snmp_core.cc,v 1.65 2003/09/21 00:30:47 robertc Exp $ * * DEBUG: section 49 SNMP support * AUTHOR: Glenn Chisholm @@ -540,9 +540,12 @@ snmpDecodePacket(snmp_request_t * rq) ACLChecklist checklist; checklist.src_addr = rq->from.sin_addr; checklist.snmp_community = (char *) Community; + checklist.accessList = Config.accessList.snmp; if (Community) - allow = aclCheckFast(Config.accessList.snmp, &checklist); + allow = checklist.fastCheck(); + + checklist.accessList = NULL; if ((snmp_coexist_V2toV1(PDU)) && (Community) && (allow)) { rq->community = Community; diff --git a/src/tunnel.cc b/src/tunnel.cc index fc7d060f36..c1c5901dd7 100644 --- a/src/tunnel.cc +++ b/src/tunnel.cc @@ -1,6 +1,6 @@ /* - * $Id: tunnel.cc,v 1.145 2003/08/10 11:00:44 robertc Exp $ + * $Id: tunnel.cc,v 1.146 2003/09/21 00:30:47 robertc Exp $ * * DEBUG: section 26 Secure Sockets Layer Proxy * AUTHOR: Duane Wessels @@ -561,7 +561,9 @@ sslStart(clientHttpRequest * http, size_t * size_ptr, int *status_ptr) ch.my_addr = request->my_addr; ch.my_port = request->my_port; ch.request = requestLink(request); - answer = aclCheckFast(Config.accessList.miss, &ch); + ch.accessList = Config.accessList.miss; + answer = ch.fastCheck(); + ch.accessList = NULL; if (answer == 0) { err = errorCon(ERR_FORWARDING_DENIED, HTTP_FORBIDDEN);