Age | Commit message | Author

The acl.c code parsing a site-spec has been factored out into a
new TU: hostspec. It was superior to the parsing code in
upstream.c in that it properly deals with both IPv4 and IPv6.
Both upstream and acl now use the new code for parsing, and upstream
also for checking for a match.
acl.c still uses the old matching code as it has a lot of special-case
code for specifications containing a hostname, and in case such
a spec is encountered, tries to do a reverse name lookup to see if
a numeric IP matches that spec.
Removing that code could break existing use cases; however, since
that was never implemented for upstream nobody will miss it there.

Introduced in 0ad8904b40d699405f60655606db42475c011b67.
Closes #327.

Tested with 32K ACL rules, generated by
    for x in `seq 128` ; do for y in `seq 255` ; do \
    echo "Deny 10.$x.$y.0/24" ; done ; done
After loading the config (which is dog-slow too), tinyproxy
required 9.5 seconds for the ACL check on every request.
After switching the list implementation to sblist, a request
with the full ACL check now takes only 0.025 seconds.
The time spent for loading the config file is identical for both
list implementations, roughly 30 seconds.
(In a previous test, 65K ACL rules were generated, but every
connection required almost 2 minutes to crunch through the list...)

This allows switching the underlying implementation easily.

If there's a long list of ACLs, doing full_inet_pton() over
and over with the same IP isn't really efficient.

Regression introduced in f6d4da5d81694721bf50b2275621e7ce84e6da30.
This has been overlooked due to the assert macro being optimized out in
non-debug builds.

Tinyproxy used to do a full hostname resolution whenever a new client
connection happened, which could cause very long delays (as reported in #198).
There's only a single place/scenario that actually requires a hostname, and
that is when an Allow/Deny rule exists for a hostname or domain, rather than
a raw IP address. Since it is very likely this feature is not very widely used,
it makes absolute sense to only do the costly resolution when it is unavoidable.

Thanks to John Horne, who diagnosed this issue and found the problem.

Signed-off-by: Michael Adam <obnox@samba.org>

Change insert_acl, check_acl and flush_access_list to take a corresponding
argument.
Michael

The "address" member of struct acl_s is a union of a char *
and the numeric ip. So freeing the string after appending it to the
vector list is bad in two respects:
1. If the acl type was numeric, then this could (and would)
   lead to a segfault due to the numeric IP data interpreted
   as pointer to the string to be freed.
2. If the acl type was string, then the acl inserted into the
   list contained a reference to this address string that
   was freed. So in the worst case dereferencing this freed
   string could segfault, or at least this could lead to
   unexpectedly failing acl checks.
Michael

This reads the mask bits as an unsigned int instead of as signed.
This is also what mask bits really are - there is no negative mask. :-)
Michael

Not including limits.h caused an issue when building on FreeBSD.

The compiler inlines static functions as necessary anyway.
No more inline keywords exist in Tinyproxy source code. We want to
avoid using this keyword anyway.

The modified files were indented with GNU indent using the
following command:
    indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \
    -saf -sai -saw -sc -cdw -ce -nut -il0
No other changes of any sort were made.

Provides safe fallback for switch statement, just in case.
Michael

Host name and IP address are provided instead.
Michael

Michael

to reduce compiler warnings.
Michael

vector_length() returns < 0 if the vector is NULL but this has been
checked before, so we can safely cast.
Michael

This is a commit which simply ran all C source code files
through GNU indent. No other modifications were made.

Also fix the type which is passed in from various places.

Moved the strtol() call into fill_netmask_array() and added additional
error checking to ensure that the strtol() call succeeded.
Error checking code taken from strtol() manpage.
Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>

When building a numeric ACL with netmask, range check the supplied
value. In addition, the code to walk the array has been extracted and
"simplified".
Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>

The notices have been changed to a more GNU look. Documentation
comments have been separated from the copyright header. I've tried to
keep all copyright notices intact. Some author contact details have
been updated.

I re-indented the source code using indent with the following options:
    indent -kr -bad -bap -nut -i8 -l80 -psl -sob -ss -ncs
There are now _no_ tabs in the source files, and all indentation is
eight spaces. Lines are 80 characters long, and the procedure type is
on its own line. Read the indent manual for more information about
what each option means.

Updated the copyright email addresses for Robert James Kaes. The
users.sourceforge.net address should always exist.

gcc 2.95.

to handle IPv6 style addresses along with the existing IPv4 and string
addresses. In addition, the hand-rolled "list" code has been replaced
with a vector (code reuse.) Also, the code should be a little easier
to understand (relatively speaking.)
I do need to add some kind of testing framework (in general) to check
that the new code does work with all the formats that will be thrown
at it.

should never have added them in the first place. They don't really
buy anything, and they can hide bugs.

cleanly with a C++ compiler. (Tested using GCC 3.3)

and into its own function because it now does two (2) tests. If the
ACL string is a complete host name, in other words doesn't start with
a period, then a reverse DNS look-up is done on the host name and
compared to the IP address of the client; otherwise, the normal text
string comparison is done.
(check_acl): Moved the string text out of the function and removed some
logging code by jumping to the "Deny" code at the end of the function.

memory usage tracking.

address from the calling function.

table. Very nice.

tinyproxy.h and all the other files include the tinyproxy.h header. This
moves all the dependency issues into one file.