mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-23 06:41:32 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: pattern: forbid dns resolutions

Browse Source 
This patch adds the flags "-n" on the acl parser. the flag "-n" forbif
the DNS resolutions. The maps have always the dns resolutions disabled.
This commit is contained in:
Thierry FOURNIER 2014-02-11 16:24:41 +01:00 committed by Willy Tarreau
parent 66eb9bf691
commit b7729c96a4
5 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/configuration.txt
View File

@ -8909,6 +8909,7 @@ The following ACL flags are currently supported :
-i : ignore case during matching of all subsequent patterns. -i : ignore case during matching of all subsequent patterns.
-f : load patterns from a file. -f : load patterns from a file.
-m : use a specific pattern matching method -m : use a specific pattern matching method
-n : forbid the DNS resolutions
-M : load the file pointed by -f like a map file. -M : load the file pointed by -f like a map file.
-u : force the unique id of the ACL -u : force the unique id of the ACL
-- : force end of flags. Useful when a string looks like one of the flags. -- : force end of flags. Useful when a string looks like one of the flags.
@ -8954,6 +8955,15 @@ default one for the criterion. This makes it possible to match contents in ways
that were not initially planned, or with sample fetch methods which return a that were not initially planned, or with sample fetch methods which return a
string. The matching method also affects the way the patterns are parsed. string. The matching method also affects the way the patterns are parsed.
The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
By default, if the parser cannot parse ip address it considers that the parsed
string is maybe a domain name and try dns resolution. The flag "-n" disable this
resolution. It is useful for detecting malformed ip lists. Note that if the DNS
server is not reachable, the haproxy configuration parsing may last many minutes
waiting fir the timeout. During this time no error messages are displayed. The
flag "-n" disable this behavior. Note also that during the runtime, this
function is disabled for the dynamic acl modifications.
There are some restrictions however. Not all methods can be used with all There are some restrictions however. Not all methods can be used with all
sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
be placed first. The pattern matching method must be one of the following : be placed first. The pattern matching method must be one of the following :

1
include/types/pattern.h
View File

@ -65,6 +65,7 @@ enum pat_match_res {
enum { enum {
PAT_F_IGNORE_CASE = 1 << 0, /* ignore case */ PAT_F_IGNORE_CASE = 1 << 0, /* ignore case */
PAT_F_TREE = 1 << 1, /* some patterns are arranged in a tree */ PAT_F_TREE = 1 << 1, /* some patterns are arranged in a tree */
PAT_F_NO_DNS = 1 << 2, /* dont perform any DNS requests */
}; };
/* ACL match methods */ /* ACL match methods */

2
src/acl.c
View File

@ -428,6 +428,8 @@ struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list *
while (**args == '-') { while (**args == '-') {
if ((*args)[1] == 'i') if ((*args)[1] == 'i')
patflags |= PAT_F_IGNORE_CASE; patflags |= PAT_F_IGNORE_CASE;
else if ((*args)[1] == 'n')
patflags |= PAT_F_NO_DNS;
else if ((*args)[1] == 'u') { else if ((*args)[1] == 'u') {
unique_id = strtol(args[1], &error, 10); unique_id = strtol(args[1], &error, 10);
if (*error != '\0') { if (*error != '\0') {

2
src/map.c
View File

@ -153,7 +153,7 @@ static int sample_load_map(struct arg *arg, struct sample_conv *conv,
} }
/* Load map. */ /* Load map. */
if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, 0, if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, PAT_F_NO_DNS,
1, err, file, line)) 1, err, file, line))
return 0; return 0;

2
src/pattern.c
View File

@ -405,7 +405,7 @@ int pat_parse_dotted_ver(const char *text, struct pattern *pattern, char **err)
*/ */
int pat_parse_ip(const char *text, struct pattern *pattern, char **err) int pat_parse_ip(const char *text, struct pattern *pattern, char **err)
{ {
if (str2net(text, global.mode & MODE_STARTING, if (str2net(text, !(pattern->flags & PAT_F_NO_DNS) && (global.mode & MODE_STARTING),
&pattern->val.ipv4.addr, &pattern->val.ipv4.mask)) { &pattern->val.ipv4.addr, &pattern->val.ipv4.mask)) {
pattern->type = SMP_T_IPV4; pattern->type = SMP_T_IPV4;
return 1; return 1;