DestinationIp.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 28 Access Control */
10 
11 #include "squid.h"
12 #include "acl/DestinationIp.h"
13 #include "acl/FilledChecklist.h"
14 #include "client_side.h"
15 #include "comm/Connection.h"
16 #include "http/Stream.h"
17 #include "HttpRequest.h"
18 #include "SquidConfig.h"
19 
20 char const *
21 ACLDestinationIP::typeString() const
22 {
23  return "dst";
24 }
25 
26 const Acl::Options &
27 ACLDestinationIP::options()
28 {
29  static const Acl::BooleanOption LookupBan;
30  static const Acl::Options MyOptions = { { "-n", &LookupBan } };
31  LookupBan.linkWith(&lookupBanned);
32  return MyOptions;
33 }
34 
35 int
36 ACLDestinationIP::match(ACLChecklist *cl)
37 {
38  ACLFilledChecklist *checklist = Filled(cl);
39 
40  // if there is no HTTP request details fallback to the dst_addr
41  if (!checklist->request)
42  return ACLIP::match(checklist->dst_addr);
43 
44  // Bug 3243: CVE 2009-0801
45  // Bypass of browser same-origin access control in intercepted communication
46  // To resolve this we will force DIRECT and only to the original client destination.
47  // In which case, we also need this ACL to accurately match the destination
48  if (Config.onoff.client_dst_passthru && (checklist->request->flags.intercepted || checklist->request->flags.interceptTproxy)) {
49  const auto conn = checklist->conn();
50  return (conn && conn->clientConnection) ?
51  ACLIP::match(conn->clientConnection->local) : -1;
52  }
53 
54  if (lookupBanned) {
55  if (!checklist->request->url.hostIsNumeric()) {
56  debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << checklist->request->url.host());
57  return 0;
58  }
59 
60  if (ACLIP::match(checklist->request->url.hostIP()))
61  return 1;
62  return 0;
63  }
64 
65  const ipcache_addrs *ia = ipcache_gethostbyname(checklist->request->url.host(), IP_LOOKUP_IF_MISS);
66 
67  if (ia) {
68  /* Entry in cache found */
69 
70  for (const auto ip: ia->goodAndBad()) {
71  if (ACLIP::match(ip))
72  return 1;
73  }
74 
75  return 0;
76  } else if (!checklist->request->flags.destinationIpLookedUp) {
77  /* No entry in cache, lookup not attempted */
78  debugs(28, 3, "can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
79  if (checklist->goAsync(DestinationIPLookup::Instance()))
80  return -1;
81  // else fall through to mismatch, hiding the lookup failure (XXX)
82  }
83 
84  return 0;
85 }
86 
87 DestinationIPLookup DestinationIPLookup::instance_;
88 
89 DestinationIPLookup *
90 DestinationIPLookup::Instance()
91 {
92  return &instance_;
93 }
94 
95 void
96 DestinationIPLookup::checkForAsync(ACLChecklist *cl)const
97 {
98  ACLFilledChecklist *checklist = Filled(cl);
99  ipcache_nbgethostbyname(checklist->request->url.host(), LookupDone, checklist);
100 }
101 
102 void
103 DestinationIPLookup::LookupDone(const ipcache_addrs *, const Dns::LookupDetails &details, void *data)
104 {
105  ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
106  checklist->request->flags.destinationIpLookedUp = true;
107  checklist->request->recordLookup(details);
108  checklist->resumeNonBlockingCheck(DestinationIPLookup::Instance());
109 }
110 
111 ACL *
112 ACLDestinationIP::clone() const
113 {
114  return new ACLDestinationIP(*this);
115 }
116 
HttpRequest::recordLookup
void recordLookup(const Dns::LookupDetails &detail)
Definition: HttpRequest.cc:586
RequestFlags::interceptTproxy
bool interceptTproxy
Set for requests handled by a "tproxy" port.
Definition: RequestFlags.h:68
DestinationIPLookup::instance_
static DestinationIPLookup instance_
Definition: DestinationIp.h:24
ACLFilledChecklist::dst_addr
Ip::Address dst_addr
Definition: FilledChecklist.h:74
SquidConfig::onoff
struct SquidConfig::@113 onoff
Filled
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
Definition: FilledChecklist.h:114
ACL
Definition: Acl.h:39
SquidConfig::client_dst_passthru
int client_dst_passthru
Definition: SquidConfig.h:338
client_side.h
ACLDestinationIP::options
virtual const Acl::Options & options()
Definition: DestinationIp.cc:27
AnyP::Uri::hostIP
Ip::Address const & hostIP(void) const
Definition: Uri.h:78
Dns::LookupDetails
encapsulates DNS lookup results
Definition: LookupDetails.h:20
conn
int conn
the current server connection FD
Definition: Transport.cc:26
ACLDestinationIP::typeString
virtual char const * typeString() const
Definition: DestinationIp.cc:21
ACLFilledChecklist::conn
ConnStateData * conn() const
The client connection manager.
Definition: FilledChecklist.cc:144
RequestFlags::destinationIpLookedUp
bool destinationIpLookedUp
Definition: RequestFlags.h:106
debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:124
ACLChecklist::goAsync
bool goAsync(AsyncState *)
Definition: Checklist.cc:115
ACLIP::match
virtual int match(ACLChecklist *checklist)=0
Matches the actual data in checklist against this ACL.
IP_LOOKUP_IF_MISS
#define IP_LOOKUP_IF_MISS
Definition: defines.h:65
HttpRequest::url
AnyP::Uri url
the request URI
Definition: HttpRequest.h:103
DestinationIPLookup::LookupDone
static IPH LookupDone
Definition: DestinationIp.h:25
ACLDestinationIP::lookupBanned
Acl::BooleanOptionValue lookupBanned
are DNS lookups allowed?
Definition: DestinationIp.h:40
ipcache_nbgethostbyname
void ipcache_nbgethostbyname(const char *name, IPH *handler, void *handlerData)
Definition: ipcache.cc:600
AclMatchedName
const char * AclMatchedName
Definition: Acl.cc:30
AnyP::Uri::host
void host(const char *src)
Definition: Uri.cc:47
Acl::TypedOption::linkWith
void linkWith(Recipient *recipient) const
who to tell when this option is enabled
Definition: Options.h:90
ACLFilledChecklist::request
HttpRequest * request
Definition: FilledChecklist.h:79
HttpRequest::flags
RequestFlags flags
Definition: HttpRequest.h:129
ACLChecklist::resumeNonBlockingCheck
void resumeNonBlockingCheck(AsyncState *state)
Definition: Checklist.cc:262
ipcache_gethostbyname
const ipcache_addrs * ipcache_gethostbyname(const char *name, int flags)
Definition: ipcache.cc:720
RequestFlags::intercepted
bool intercepted
Definition: RequestFlags.h:64
ACLDestinationIP::match
virtual int match(ACLChecklist *checklist)
Matches the actual data in checklist against this ACL.
Definition: DestinationIp.cc:36
Acl::Options
std::map< OptionName, const Option *, OptionNameCmp > Options
name:option map
Definition: Options.h:159
DestinationIPLookup::checkForAsync
virtual void checkForAsync(ACLChecklist *) const
Definition: DestinationIp.cc:96
ACLDestinationIP::clone
virtual ACL * clone() const
Definition: DestinationIp.cc:112
ACL::name
char name[ACL_NAME_SZ]
Definition: Acl.h:83
Acl::TypedOption
a type-specific Option (e.g., a boolean –toggle or -m=SBuf)
Definition: Options.h:83
AnyP::Uri::hostIsNumeric
int hostIsNumeric(void) const
Definition: Uri.h:77
DestinationIPLookup::Instance
static DestinationIPLookup * Instance()
Definition: DestinationIp.cc:90
Dns::CachedIps::goodAndBad
IpsSelector< IpsIterator > goodAndBad() const
all IPs
Definition: ipcache.h:249
Config
class SquidConfig Config
Definition: SquidConfig.cc:12

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors