DestinationIp.cc
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 28 Access Control */
10
11#include "squid.h"
12#include "acl/DestinationIp.h"
13#include "acl/FilledChecklist.h"
14#include "client_side.h"
15#include "comm/Connection.h"
16#include "http/Stream.h"
17#include "HttpRequest.h"
18#include "SquidConfig.h"
19
20char const *
22{
23 return "dst";
24}
25
26const Acl::Options &
28{
29 static const Acl::BooleanOption LookupBan("-n");
30 static const Acl::Options MyOptions = { &LookupBan };
31 LookupBan.linkWith(&lookupBanned);
32 return MyOptions;
33}
34
35int
37{
38 ACLFilledChecklist *checklist = Filled(cl);
39
40 // if there is no HTTP request details fallback to the dst_addr
41 if (!checklist->request)
42 return ACLIP::match(checklist->dst_addr);
43
44 // Bug 3243: CVE 2009-0801
45 // Bypass of browser same-origin access control in intercepted communication
46 // To resolve this we will force DIRECT and only to the original client destination.
47 // In which case, we also need this ACL to accurately match the destination
49 const auto conn = checklist->conn();
50 return (conn && conn->clientConnection) ?
51 ACLIP::match(conn->clientConnection->local) : -1;
52 }
53
54 if (lookupBanned) {
55 if (!checklist->request->url.hostIsNumeric()) {
56 debugs(28, 3, "No-lookup DNS ACL '" << AclMatchedName << "' for " << checklist->request->url.host());
57 return 0;
58 }
59
60 if (ACLIP::match(checklist->request->url.hostIP()))
61 return 1;
62 return 0;
63 }
64
66
67 if (ia) {
68 /* Entry in cache found */
69
70 for (const auto &ip: ia->goodAndBad()) {
71 if (ACLIP::match(ip))
72 return 1;
73 }
74
75 return 0;
76 } else if (!checklist->request->flags.destinationIpLookedUp) {
77 /* No entry in cache, lookup not attempted */
78 debugs(28, 3, "can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
79 if (checklist->goAsync(DestinationIPLookup::Instance()))
80 return -1;
81 // else fall through to mismatch, hiding the lookup failure (XXX)
82 }
83
84 return 0;
85}
86
88
91{
92 return &instance_;
93}
94
95void
97{
98 ACLFilledChecklist *checklist = Filled(cl);
99 ipcache_nbgethostbyname(checklist->request->url.host(), LookupDone, checklist);
100}
101
102void
103DestinationIPLookup::LookupDone(const ipcache_addrs *, const Dns::LookupDetails &details, void *data)
104{
105 ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
106 checklist->request->flags.destinationIpLookedUp = true;
107 checklist->request->recordLookup(details);
109}
110
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
class SquidConfig Config
Definition: SquidConfig.cc:12
int conn
the current server connection FD
Definition: Transport.cc:26
bool goAsync(AsyncState *)
Definition: Checklist.cc:114
void resumeNonBlockingCheck(AsyncState *state)
Definition: Checklist.cc:261
char const * typeString() const override
int match(ACLChecklist *checklist) override
Matches the actual data in checklist against this ACL.
Acl::BooleanOptionValue lookupBanned
are DNS lookups allowed?
Definition: DestinationIp.h:38
const Acl::Options & options() override
ConnStateData * conn() const
The client connection manager.
Ip::Address dst_addr
HttpRequest::Pointer request
int match(ACLChecklist *checklist) override=0
Matches the actual data in checklist against this ACL.
char name[ACL_NAME_SZ]
Definition: Acl.h:87
a type-specific Option (e.g., a boolean --toggle or -m=SBuf)
Definition: Options.h:130
void linkWith(Recipient *recipient) const
who to tell when this option is enabled
Definition: Options.h:137
void host(const char *src)
Definition: Uri.cc:100
Ip::Address const & hostIP(void) const
Definition: Uri.h:87
int hostIsNumeric(void) const
Definition: Uri.h:86
void checkForAsync(ACLChecklist *) const override
static DestinationIPLookup * Instance()
static IPH LookupDone
Definition: DestinationIp.h:25
static DestinationIPLookup instance_
Definition: DestinationIp.h:24
IpsSelector< IpsIterator > goodAndBad() const
all IPs
Definition: ipcache.h:249
encapsulates DNS lookup results
Definition: LookupDetails.h:23
void recordLookup(const Dns::LookupDetails &detail)
Definition: HttpRequest.cc:580
RequestFlags flags
Definition: HttpRequest.h:141
AnyP::Uri url
the request URI
Definition: HttpRequest.h:115
bool interceptTproxy
Set for requests handled by a "tproxy" port.
Definition: RequestFlags.h:70
bool intercepted
Definition: RequestFlags.h:66
bool destinationIpLookedUp
Definition: RequestFlags.h:113
int client_dst_passthru
Definition: SquidConfig.h:338
struct SquidConfig::@106 onoff
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:194
#define IP_LOOKUP_IF_MISS
Definition: defines.h:39
const char * AclMatchedName
Definition: Acl.cc:29
const ipcache_addrs * ipcache_gethostbyname(const char *name, int flags)
Definition: ipcache.cc:728
void ipcache_nbgethostbyname(const char *name, IPH *handler, void *handlerData)
Definition: ipcache.cc:608
std::vector< const Option * > Options
Definition: Options.h:214

 
