MINOR: pattern: forbid dns resolutions

This patch adds the flag "-n" to the ACL parser. The flag "-n" forbids
DNS resolutions. Maps always have DNS resolutions disabled.
Thierry FOURNIER 2014-02-11 16:24:41 +01:00 committed by Willy Tarreau
parent 66eb9bf691
commit b7729c96a4
5 changed files with 15 additions and 2 deletions


@ -8909,6 +8909,7 @@ The following ACL flags are currently supported :
-i : ignore case during matching of all subsequent patterns.
-f : load patterns from a file.
-m : use a specific pattern matching method
-n : forbid the DNS resolutions
-M : load the file pointed by -f like a map file.
-u : force the unique id of the ACL
-- : force end of flags. Useful when a string looks like one of the flags.
@ -8954,6 +8955,15 @@ default one for the criterion. This makes it possible to match contents in ways
that were not initially planned, or with sample fetch methods which return a
string. The matching method also affects the way the patterns are parsed.
The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
By default, if the parser cannot parse ip address it considers that the parsed
string is maybe a domain name and try dns resolution. The flag "-n" disable this
resolution. It is useful for detecting malformed ip lists. Note that if the DNS
server is not reachable, the haproxy configuration parsing may last many minutes
waiting fir the timeout. During this time no error messages are displayed. The
flag "-n" disable this behavior. Note also that during the runtime, this
function is disabled for the dynamic acl modifications.
There are some restrictions however. Not all methods can be used with all
sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
be placed first. The pattern matching method must be one of the following :


@ -65,6 +65,7 @@ enum pat_match_res {
enum {
PAT_F_IGNORE_CASE = 1 << 0, /* ignore case */
PAT_F_TREE = 1 << 1, /* some patterns are arranged in a tree */
PAT_F_NO_DNS = 1 << 2, /* dont perform any DNS requests */
};
/* ACL match methods */
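Review bot: The comment on the new PAT_F_NO_DNS value says what it suppresses but not where it is consulted, and it has a typo ("dont"). In this same commit the flag is tested in pattern.c as `pattern->flags & PAT_F_NO_DNS` while parsing IP patterns and is set unconditionally by the map loader, so a comment such as `/* don't resolve host names when parsing IP patterns (-n; always set for maps) */` would tell a reader which code paths it affects.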


@ -428,6 +428,8 @@ struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list *
while (**args == '-') {
if ((*args)[1] == 'i')
patflags |= PAT_F_IGNORE_CASE;
else if ((*args)[1] == 'n')
patflags |= PAT_F_NO_DNS;
else if ((*args)[1] == 'u') {
unique_id = strtol(args[1], &error, 10);
if (*error != '\0') {
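Review bot: The new `-n` branch only affects flags parsed after it, so if the `-f` branch of this loop (outside the hunk) loads the file at the moment it is seen, an `-n` written after `-f` would silently have no effect, the same ordering constraint the manual already documents for `-m` and `-f`. If that is how `-f` behaves, the configuration manual entry added in this commit should state that `-n` must precede `-f`, and a short comment here would help: `/* -n must appear before -f: patflags is consumed when the file is loaded */`. parse_acl_expr starts and ends outside the hunk.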


@ -153,7 +153,7 @@ static int sample_load_map(struct arg *arg, struct sample_conv *conv,
}
/* Load map. */
if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, 0,
if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, PAT_F_NO_DNS,
1, err, file, line))
return 0;
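Review bot: Passing PAT_F_NO_DNS unconditionally here changes what an existing IP map file may contain: if map entries went through the same str2net fallback before, a line holding a host name used to be resolved and now becomes a load error, and neither the hunk nor the map documentation records that. A comment at the call site would make the intent explicit, `/* Maps never resolve host names: a slow or unreachable resolver would stall config parsing. */`, and the map section of the configuration manual should say that host names are rejected in IP maps. sample_load_map starts outside the hunk.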


@ -405,7 +405,7 @@ int pat_parse_dotted_ver(const char *text, struct pattern *pattern, char **err)
*/
int pat_parse_ip(const char *text, struct pattern *pattern, char **err)
{
if (str2net(text, global.mode & MODE_STARTING,
if (str2net(text, !(pattern->flags & PAT_F_NO_DNS) && (global.mode & MODE_STARTING),
&pattern->val.ipv4.addr, &pattern->val.ipv4.mask)) {
pattern->type = SMP_T_IPV4;
return 1;
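Review bot: The resolve argument now depends on `pattern->flags`, so the check is only effective if the caller fills `pattern->flags` before invoking the parse callback; the hunk does not show where that happens, and if the flags are copied into the pattern only after parsing, `-n` would be ignored on this path. Worth confirming in pattern_read_from_file and the reference-add path, and documenting on the condition itself: `/* resolve host names only at startup, and never when -n (PAT_F_NO_DNS) is set */`. The existing MODE_STARTING test is what keeps run-time ACL updates from blocking on a resolver, which that comment should say too. pat_parse_ip's body continues outside the hunk.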