DestinationIp.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 28 Access Control */
10
11#include "squid.h"
12#include "acl/DestinationIp.h"
13#include "acl/FilledChecklist.h"
14#include "client_side.h"
15#include "comm/Connection.h"
16#include "http/Stream.h"
17#include "HttpRequest.h"
18#include "SquidConfig.h"
19
20char const *
21ACLDestinationIP::typeString() const
22{
23 return "dst";
24}
25
26const Acl::Options &
27ACLDestinationIP::options()
28{
29 static const Acl::BooleanOption LookupBan("-n");
30 static const Acl::Options MyOptions = { &LookupBan };
31 LookupBan.linkWith(&lookupBanned);
32 return MyOptions;
33}
34
35int
36ACLDestinationIP::match(ACLChecklist *cl)
37{
38 ACLFilledChecklist *checklist = Filled(cl);
39
40 // if there is no HTTP request details fallback to the dst_addr
41 if (!checklist->request)
42 return ACLIP::match(checklist->dst_addr);
43
44 // Bug 3243: CVE 2009-0801
45 // Bypass of browser same-origin access control in intercepted communication
46 // To resolve this we will force DIRECT and only to the original client destination.
47 // In which case, we also need this ACL to accurately match the destination
48 if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
49 const auto conn = checklist->conn();
50 return (conn && conn->clientConnection) ?
51 ACLIP::match(conn->clientConnection->local) : -1;
52 }
53
54 if (lookupBanned) {
55 if (!checklist->request->url.hostIsNumeric()) {
56 debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << checklist->request->url.host());
57 return 0;
58 }
59
60 if (ACLIP::match(checklist->request->url.hostIP()))
61 return 1;
62 return 0;
63 }
64
65 const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->url.host(), IP_LOOKUP_IF_MISS);
66
67 if (ia) {
68 /* Entry in cache found */
69
70 for (const auto &ip: ia->goodAndBad()) {
71 if (ACLIP::match(ip))
72 return 1;
73 }
74
75 return 0;
76 } else if (!checklist->request->flags.destinationIpLookedUp) {
77 /* No entry in cache, lookup not attempted */
78 debugs(28, 3, "can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
79 if (checklist->goAsync(DestinationIPLookup::Instance()))
80 return -1;
81 // else fall through to mismatch, hiding the lookup failure (XXX)
82 }
83
84 return 0;
85}
86
87DestinationIPLookup DestinationIPLookup::instance_;
88
89DestinationIPLookup *
90DestinationIPLookup::Instance()
91{
92 return &instance_;
93}
94
95void
96DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
97{
98 ACLFilledChecklist *checklist = Filled(cl);
99 ipcache_nbgethostbyname(checklist->request->url.host(), LookupDone, checklist);
100}
101
102void
103DestinationIPLookup::LookupDone(const ipcache_addrs *, const Dns::LookupDetails &details, void *data)
104{
105 ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
106 checklist->request->flags.destinationIpLookedUp = true;
107 checklist->request->recordLookup(details);
108 checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
109}
110
Filled
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
Definition: FilledChecklist.h:120
Config
class SquidConfig Config
Definition: SquidConfig.cc:12
conn
int conn
the current server connection FD
Definition: Transport.cc:26
ACLChecklist::goAsync
bool goAsync(AsyncState *)
Definition: Checklist.cc:114
ACLChecklist::resumeNonBlockingCheck
void resumeNonBlockingCheck(AsyncState *state)
Definition: Checklist.cc:261
ACLDestinationIP::options
virtual const Acl::Options & options()
Definition: DestinationIp.cc:27
ACLDestinationIP::match
virtual int match(ACLChecklist *checklist)
Matches the actual data in checklist against this ACL.
Definition: DestinationIp.cc:36
ACLDestinationIP::typeString
virtual char const * typeString() const
Definition: DestinationIp.cc:21
ACLDestinationIP::lookupBanned
Acl::BooleanOptionValue lookupBanned
are DNS lookups allowed?
Definition: DestinationIp.h:38
ACLFilledChecklist::request
HttpRequest * request
Definition: FilledChecklist.h:79
ACLFilledChecklist::conn
ConnStateData * conn() const
The client connection manager.
Definition: FilledChecklist.cc:144
ACLFilledChecklist::dst_addr
Ip::Address dst_addr
Definition: FilledChecklist.h:74
ACLIP::match
virtual int match(ACLChecklist *checklist)=0
Matches the actual data in checklist against this ACL.
ACL::name
char name[ACL_NAME_SZ]
Definition: Acl.h:81
Acl::TypedOption
a type-specific Option (e.g., a boolean –toggle or -m=SBuf)
Definition: Options.h:130
Acl::TypedOption::linkWith
void linkWith(Recipient *recipient) const
who to tell when this option is enabled
Definition: Options.h:137
AnyP::Uri::host
void host(const char *src)
Definition: Uri.cc:99
AnyP::Uri::hostIP
Ip::Address const & hostIP(void) const
Definition: Uri.h:87
AnyP::Uri::hostIsNumeric
int hostIsNumeric(void) const
Definition: Uri.h:86
DestinationIPLookup::checkForAsync
virtual void checkForAsync(ACLChecklist *) const
Definition: DestinationIp.cc:96
DestinationIPLookup::Instance
static DestinationIPLookup * Instance()
Definition: DestinationIp.cc:90
DestinationIPLookup::LookupDone
static IPH LookupDone
Definition: DestinationIp.h:25
DestinationIPLookup::instance_
static DestinationIPLookup instance_
Definition: DestinationIp.h:24
Dns::CachedIps::goodAndBad
IpsSelector< IpsIterator > goodAndBad() const
all IPs
Definition: ipcache.h:248
Dns::LookupDetails
encapsulates DNS lookup results
Definition: LookupDetails.h:21
HttpRequest::recordLookup
void recordLookup(const Dns::LookupDetails &detail)
Definition: HttpRequest.cc:583
HttpRequest::flags
RequestFlags flags
Definition: HttpRequest.h:141
HttpRequest::url
AnyP::Uri url
the request URI
Definition: HttpRequest.h:115
RequestFlags::interceptTproxy
bool interceptTproxy
Set for requests handled by a "tproxy" port.
Definition: RequestFlags.h:66
RequestFlags::intercepted
bool intercepted
Definition: RequestFlags.h:62
RequestFlags::destinationIpLookedUp
bool destinationIpLookedUp
Definition: RequestFlags.h:104
SquidConfig::onoff
struct SquidConfig::@111 onoff
SquidConfig::client_dst_passthru
int client_dst_passthru
Definition: SquidConfig.h:336
client_side.h
debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:196
IP_LOOKUP_IF_MISS
#define IP_LOOKUP_IF_MISS
Definition: defines.h:39
AclMatchedName
const char * AclMatchedName
Definition: Acl.cc:29
ipcache_gethostbyname
const ipcache_addrs * ipcache_gethostbyname(const char *name, int flags)
Definition: ipcache.cc:719
ipcache_nbgethostbyname
void ipcache_nbgethostbyname(const char *name, IPH *handler, void *handlerData)
Definition: ipcache.cc:599
Acl::Options
std::vector< const Option * > Options
Definition: Options.h:214

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors