From b7729c96a4915516aed5bf850607aba0a6bc5abc Mon Sep 17 00:00:00 2001
From: Thierry FOURNIER
Date: Tue, 11 Feb 2014 16:24:41 +0100
Subject: [PATCH] MINOR: pattern: forbid dns resolutions

This patch adds the flags "-n" on the acl parser. the flag "-n" forbif the DNS resolutions. The maps have always the dns resolutions disabled.
---
 doc/configuration.txt   | 10 ++++++++++
 include/types/pattern.h |  1 +
 src/acl.c               |  2 ++
 src/map.c               |  2 +-
 src/pattern.c           |  2 +-
 5 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 46bee9bdd..287535556 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -8909,6 +8909,7 @@ The following ACL flags are currently supported :
   -i : ignore case during matching of all subsequent patterns.
   -f : load patterns from a file.
   -m : use a specific pattern matching method
+  -n : forbid the DNS resolutions
   -M : load the file pointed by -f like a map file.
   -u : force the unique id of the ACL
   -- : force end of flags. Useful when a string looks like one of the flags.
@@ -8954,6 +8955,15 @@ default one for the criterion. This makes it possible to match contents in ways
 that were not initially planned, or with sample fetch methods which return a
 string. The matching method also affects the way the patterns are parsed.
 
+The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
+By default, if the parser cannot parse ip address it considers that the parsed
+string is maybe a domain name and try dns resolution. The flag "-n" disable this
+resolution. It is useful for detecting malformed ip lists. Note that if the DNS
+server is not reachable, the haproxy configuration parsing may last many minutes
+waiting fir the timeout. During this time no error messages are displayed. The
+flag "-n" disable this behavior. Note also that during the runtime, this
+function is disabled for the dynamic acl modifications.
+
 There are some restrictions however. Not all methods can be used with all
 sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must be
 placed first. The pattern matching method must be one of the following :
diff --git a/include/types/pattern.h b/include/types/pattern.h
index 839eae686..3859edab9 100644
--- a/include/types/pattern.h
+++ b/include/types/pattern.h
@@ -65,6 +65,7 @@ enum pat_match_res {
 enum {
 	PAT_F_IGNORE_CASE = 1 << 0, /* ignore case */
 	PAT_F_TREE = 1 << 1, /* some patterns are arranged in a tree */
+	PAT_F_NO_DNS = 1 << 2, /* dont perform any DNS requests */
 };
 
 /* ACL match methods */
diff --git a/src/acl.c b/src/acl.c
index 7efd89e84..8d14c68d6 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -428,6 +428,8 @@ struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list *
 	while (**args == '-') {
 		if ((*args)[1] == 'i')
 			patflags |= PAT_F_IGNORE_CASE;
+		else if ((*args)[1] == 'n')
+			patflags |= PAT_F_NO_DNS;
 		else if ((*args)[1] == 'u') {
 			unique_id = strtol(args[1], &error, 10);
 			if (*error != '\0') {
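Review bot: The comment on the new PAT_F_NO_DNS entry, `dont perform any DNS requests`, claims more than the flag does: in the pat_parse_ip hunk of this same patch it only suppresses the hostname lookup that, per the doc hunk, is attempted when an ip pattern fails to parse, and that lookup is already gated on MODE_STARTING. A comment stating the real scope would save the next reader a trip through pattern.c, e.g. `/* never resolve hostnames in ip patterns (only attempted at startup anyway) */`.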
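Review bot: `-n` is OR-ed into patflags at whatever position it appears, so a `-n` written after `-f` cannot affect a file that the `-f` branch has already loaded with the earlier patflags value; the `-f` branch is outside this hunk, so this is inferred from the loop shape, but the doc hunk's ordering rule for `-m` suggests the same issue applies here. Either extend that sentence of the documentation to `-n`, or emit an error when `-n` follows a `-f` that has already loaded a file, so that a user who adds `-n` to catch malformed ip lists is not left with no check and no diagnostic. parse_acl_expr begins and ends outside the hunk.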
diff --git a/src/map.c b/src/map.c
index 597907de9..570937c5a 100644
--- a/src/map.c
+++ b/src/map.c
@@ -153,7 +153,7 @@ static int sample_load_map(struct arg *arg, struct sample_conv *conv,
 	}
 
 	/* Load map. */
-	if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, 0,
+	if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, PAT_F_NO_DNS,
 	                            1, err, file, line))
 		return 0;
 
diff --git a/src/pattern.c b/src/pattern.c
index 22aa9d4b7..86f94db8d 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -405,7 +405,7 @@ int pat_parse_dotted_ver(const char *text, struct pattern *pattern, char **err)
  */
 int pat_parse_ip(const char *text, struct pattern *pattern, char **err)
 {
-	if (str2net(text, global.mode & MODE_STARTING,
+	if (str2net(text, !(pattern->flags & PAT_F_NO_DNS) && (global.mode & MODE_STARTING),
 	            &pattern->val.ipv4.addr, &pattern->val.ipv4.mask)) {
 		pattern->type = SMP_T_IPV4;
 		return 1;
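Review bot: Passing PAT_F_NO_DNS unconditionally is a behaviour change for any existing map whose key column contains hostnames: with the old `0` argument such entries were resolved at startup (the pattern.c hunk shows resolution gated only on MODE_STARTING), and they will now be rejected as parse errors, yet the configuration.txt changes in this commit document only the new ACL `-n` flag. A sentence in the map documentation stating that map files never trigger DNS resolution would avoid surprises on upgrade. The bare `1` that now follows a named flag is also hard to read; a named constant or a short comment on what it selects would help. sample_load_map begins and ends outside the hunk.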
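Review bot: The new condition reads `pattern->flags` before pat_parse_ip has written anything to the pattern, so correctness now depends on every caller having initialised `flags` first; a struct pattern left uninitialised on the stack would make this read undefined, which is worth confirming for the runtime add paths that are outside this hunk. For readability the two-part expression could be hoisted into a named local: `int resolve = !(pattern->flags & PAT_F_NO_DNS) && (global.mode & MODE_STARTING);` followed by `if (str2net(text, resolve,`. Because resolution was already gated on MODE_STARTING, the flag changes nothing at runtime, which matches what the doc hunk says. pat_parse_ip continues past the end of the hunk.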