[MINOR] implement acl_parse_ip and acl_match_ip

The ACL can now compare IP addresses. The client's IP address can be checked.
2025-01-02 10:12:03 +00:00 · 2007-05-08 19:50:09 +02:00 · 2007-05-08 19:50:09 +02:00 · a67fad9d68
commit a67fad9d68
parent 5c8e3e09e9
4 changed files with 38 additions and 2 deletions
--- a/include/proto/acl.h
+++ b/include/proto/acl.h
@ -118,6 +118,13 @@ int acl_parse_range(const char *text, struct acl_pattern *pattern);
 /* Parse a string. It is allocated and duplicated. */
 int acl_parse_str(const char *text, struct acl_pattern *pattern);

+/* Parse an IP address and an optional mask in the form addr[/mask].
+ * The addr may either be an IPv4 address or a hostname. The mask
+ * may either be a dotted mask or a number of bits. Returns 1 if OK,
+ * otherwise 0.
+ */
+int acl_parse_ip(const char *text, struct acl_pattern *pattern);
+
 /* Checks that the pattern matches the end of the tested string. */
 int acl_match_end(struct acl_test *test, struct acl_pattern *pattern);

@ -139,6 +146,9 @@ int acl_match_dir(struct acl_test *test, struct acl_pattern *pattern);
 */
 int acl_match_dom(struct acl_test *test, struct acl_pattern *pattern);

+/* Check that the IPv4 address in <test> matches the IP/mask in pattern */
+int acl_match_ip(struct acl_test *test, struct acl_pattern *pattern);
+
 #endif /* _PROTO_ACL_H */

 /*
--- a/include/types/acl.h
+++ b/include/types/acl.h
@ -74,7 +74,10 @@ struct acl_pattern {
 	union {
 		int i;                          /* integer value */
 		struct { int min, max; } range; /* integer range */
-		struct sockaddr_in ipv4;        /* IPv4 address */
+		struct {
+			struct in_addr addr;
+			struct in_addr mask;
+		} ipv4;                         /* IPv4 address */
 		struct acl_time time;           /* valid hours and days */
 	} val;                                  /* direct value */
 	union {
--- a/src/acl.c
+++ b/src/acl.c
@ -172,6 +172,19 @@ int acl_match_max(struct acl_test *test, struct acl_pattern *pattern)
 	return 0;
 }

+int acl_match_ip(struct acl_test *test, struct acl_pattern *pattern)
+{
+	struct in_addr *s;
+
+	if (test->i != AF_INET)
+		return 0;
+
+	s = (void *)test->ptr;
+	if (((s->s_addr ^ pattern->val.ipv4.addr.s_addr) & pattern->val.ipv4.mask.s_addr) == 0)
+		return 1;
+	return 0;
+}
+
 /* Parse a string. It is allocated and duplicated. */
 int acl_parse_str(const char *text, struct acl_pattern *pattern)
 {
@ -222,6 +235,16 @@ int acl_parse_range(const char *text, struct acl_pattern *pattern)
 	return 1;
 }

+/* Parse an IP address and an optional mask in the form addr[/mask].
+ * The addr may either be an IPv4 address or a hostname. The mask
+ * may either be a dotted mask or a number of bits. Returns 1 if OK,
+ * otherwise 0.
+ */
+int acl_parse_ip(const char *text, struct acl_pattern *pattern)
+{
+	return str2net(text, &pattern->val.ipv4.addr, &pattern->val.ipv4.mask);
+}
+
 /*
 * Registers the ACL keyword list <kwl> as a list of valid keywords for next
 * parsing sessions.
--- a/src/client.c
+++ b/src/client.c
@ -489,8 +489,8 @@ static int acl_fetch_dconn(struct proxy *px, struct session *l4, void *l7, void
 /* Note: must not be declared <const> as its list will be overwritten */
 static struct acl_kw_list acl_kws = {{ },{
 	{ "src_port",   acl_parse_range, acl_fetch_sport,  acl_match_range },
-#if 0
 	{ "src",        acl_parse_ip,    acl_fetch_src,    acl_match_ip    },
+#if 0
 	{ "dst",        acl_parse_ip,    acl_fetch_dst,    acl_match_ip    },

 	{ "dst_port",   acl_parse_range, acl_fetch_dport,  acl_match_range },