1 /*
2  * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 28 Access Control */
10 
11 #include "squid.h"
12 #include "acl/DestinationIp.h"
13 #include "acl/FilledChecklist.h"
14 #include "client_side.h"
15 #include "comm/Connection.h"
16 #include "http/Stream.h"
17 #include "HttpRequest.h"
18 #include "SquidConfig.h"
19 
/// The configuration keyword that selects this ACL type in squid.conf ("dst").
char const *
ACLDestinationIP::typeString() const
{
    static const char *const kTypeName = "dst";
    return kTypeName;
}
25 
/// Option flags accepted on a "dst" ACL line. Only "-n" is known here: it
/// sets lookupBanned, which makes match() refuse to resolve host names.
const Acl::Options &
ACLDestinationIP::options()
{
    static const Acl::BooleanOption NoLookupFlag;
    static const Acl::Options Table = { { "-n", &NoLookupFlag } };
    // NoLookupFlag is a single function-local static shared by every
    // ACLDestinationIP, and linkWith() re-points it at this instance's
    // lookupBanned on every call. Presumably the parser consumes this
    // instance's options right after asking for them -- confirm against the
    // caller before relying on the link from anywhere else.
    NoLookupFlag.linkWith(&lookupBanned);
    return Table;
}
34 
/// Matches the destination of the transaction in the checklist against this
/// ACL's address list.
///
/// @return 1 on match, 0 on mismatch, or -1 when the answer is not available
///         yet: either an asynchronous DNS lookup was started (the checklist
///         is resumed by DestinationIPLookup::LookupDone) or, in the
///         intercepted case, no client connection is at hand. Without request
///         details the result is whatever ACLIP::match() says about dst_addr.
int
ACLDestinationIP::match(ACLChecklist *cl)
{
    ACLFilledChecklist *const checklist = Filled(cl);

    // No HTTP request details: the checklist destination address is all we have.
    if (!checklist->request)
        return ACLIP::match(checklist->dst_addr);

    HttpRequest &req = *checklist->request;

    // Bug 3243: CVE 2009-0801
    // Bypass of browser same-origin access control in intercepted communication
    // To resolve this we will force DIRECT and only to the original client destination.
    // In which case, we also need this ACL to accurately match the destination
    //
    // For intercepted traffic the URL host comes from the client-supplied Host
    // header, so this branch matches the original TCP destination of the client
    // connection instead of anything derived from the request line.
    //
    // NOTE(review): the condition below was not rendered on the page; it is
    // restored from the page's symbol list (Config.onoff.client_dst_passthru,
    // flags.intercepted, flags.interceptTproxy) -- confirm against the repository.
    const bool interceptedRequest = req.flags.intercepted || req.flags.interceptTproxy;
    if (Config.onoff.client_dst_passthru && interceptedRequest) {
        const auto conn = checklist->conn();
        if (!conn || !conn->clientConnection)
            return -1; // presumably treated as "unknown" by the checklist, not as a mismatch -- confirm
        return ACLIP::match(conn->clientConnection->local);
    }

    if (lookupBanned) {
        // "-n": never resolve names. A non-numeric host therefore cannot match
        // this ACL at all, which is the fail-closed side of that option.
        if (!req.url.hostIsNumeric()) {
            debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << req.url.host());
            return 0;
        }
        return ACLIP::match(req.url.hostIP()) ? 1 : 0;
    }

    // NOTE(review): the lookup call below was not rendered on the page; it is
    // restored from the page's symbol list (ipcache_gethostbyname,
    // IP_LOOKUP_IF_MISS) -- confirm against the repository.
    const ipcache_addrs *const cached = ipcache_gethostbyname(req.url.host(), IP_LOOKUP_IF_MISS);

    if (cached) {
        /* Entry in cache found: any cached address, good or bad, may match. */
        for (const auto ip : cached->goodAndBad()) {
            if (ACLIP::match(ip))
                return 1;
        }
        return 0;
    }

    if (!req.flags.destinationIpLookedUp) {
        /* No entry in cache, lookup not attempted */
        debugs(28, 3, "can't yet compare '" << name << "' ACL for " << req.url.host());
        if (checklist->goAsync(DestinationIPLookup::Instance()))
            return -1;
        // else fall through to mismatch, hiding the lookup failure (XXX)
    }

    // A host that could not be resolved (or whose lookup already failed) ends
    // up here as a plain mismatch: neither an allow nor a deny rule on this ACL
    // fires for it, and the failure is only visible at debug level above.
    return 0;
}
86 
88 
/// The single process-wide DestinationIPLookup state object; every "dst"
/// ACL check that needs an asynchronous lookup goes async on this instance.
DestinationIPLookup *
DestinationIPLookup::Instance()
{
    auto *const shared = &instance_;
    return shared;
}
94 
/// Starts the non-blocking DNS lookup for the request host. LookupDone()
/// receives the checklist back as the opaque handler data and resumes it.
///
/// NOTE(review): checklist->request is dereferenced without a null check; the
/// only caller visible in this file (ACLDestinationIP::match) goes async only
/// after verifying the request exists -- confirm no other caller does otherwise.
void
DestinationIPLookup::checkForAsync(ACLChecklist *cl) const
{
    ACLFilledChecklist *const checklist = Filled(cl);
    const char *const hostName = checklist->request->url.host();
    ipcache_nbgethostbyname(hostName, LookupDone, checklist);
}
101 
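/// ipcache callback for the lookup started by checkForAsync(): records the
/// lookup outcome on the request and resumes the suspended checklist.
///
/// @param details  DNS lookup details, recorded on the request via recordLookup()
/// @param data     the ACLFilledChecklist handed to ipcache_nbgethostbyname()
void
DestinationIPLookup::LookupDone(const ipcache_addrs *, const Dns::LookupDetails &details, void *data)
{
    // data is the checklist pointer registered by checkForAsync(); a named
    // cast documents that this only undoes the void* round trip.
    ACLFilledChecklist *const checklist = Filled(static_cast<ACLChecklist *>(data));

    // Mark the lookup as attempted regardless of its outcome, so a later cache
    // miss in ACLDestinationIP::match() becomes a mismatch instead of starting
    // another lookup.
    checklist->request->flags.destinationIpLookedUp = true;
    checklist->request->recordLookup(details);

    // NOTE(review): this line was not rendered on the page; it is restored from
    // the page's symbol list (resumeNonBlockingCheck) -- confirm against the
    // repository.
    checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
}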
110 
/// Polymorphic copy; the caller takes ownership of the returned ACL.
ACL *
ACLDestinationIP::clone() const
{
    auto *const copy = new ACLDestinationIP(*this);
    return copy;
}
116 

 
