7+ regression: acl filters in remap rules #1971
Comments
I'm a bit confused - consider this example
The claim is this incorrectly denies the request, but doesn't
I tested 5.3.x and 6.2.x - as far as I can tell the behavior is the same as 7.x in this regard. E.g. with previous rule
Reading the documentation and examining the code, this seems expected. The first
The feature we can't get to work is to have multiple rules. E.g., only allow requests from 1.2.3.4 and deny all POSTs. Here are all my remap rule tests, their goals, and their results.
Goal: deny all POSTs
Result: successfully deny POST, allow GET
Just to be sure I'm testing the same things: there are no global ip_allow.config rules here that would conflict / override, right?
I'll look at this some more. So far I see what the problem is, what I don't see is any evidence this ever worked as expected. I see why this happens, based on the code, but that code is the same in 5.3. I checked back to 5.0 looking at the code and I see the same logic. Basically, if any deny rule matches, the request is denied, and rules are checked until a deny is found or there are no more rules. Even if you could put an
Pondering this a bit, I would be tempted to do a PR with two changes:
I'm not convinced that adding yet another configuration just for backwards compatibility is all that great. Our configurations are already convoluted as they are :-).
@vmamidi is going to look at this one some more.
In ATS <7, multiple acl_filters work in remap rules. For instance, this works
(e.g., only allow connections from 192.168.0.0/16 or 10.0.0.0/8, AND do not allow CONNECT/POST, etc. methods.) In ATS 7+ that remap fails to have both ACLs.
In ATS 7+:
(e.g., only allow connections from 192.168.0.0/16 or 10.0.0.0/8)
(e.g., do not allow CONNECT/POST, etc. methods)
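The following is an added example, not code from the thread or from Apache Traffic Server itself. It is a small Python model of the ACL evaluation order a maintainer describes above (walk the filters in order; the first matching deny rejects the request; a request that matches no deny is allowed, and a matching allow filter does not stop the walk) and runs it against the rule set from this report: an allow filter for 192.168.0.0/16 and 10.0.0.0/8 plus a deny filter for CONNECT and POST. The class and function names, the `negate` flag, and the sample requests are all assumptions made for the illustration; whether any given ATS release implements exactly these semantics is what the thread is debating, so treat the model as the description, not as the ATS source.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Hypothetical model of one @action filter on a remap rule (not ATS code).
@dataclass
class AclFilter:
    action: str                                  # "allow" or "deny"
    src_ip: List[str] = field(default_factory=list)   # CIDR strings; empty = any address
    methods: List[str] = field(default_factory=list)  # e.g. ["POST"]; empty = any method
    negate: bool = False                         # assumption: invert the src_ip match

    def matches(self, client_ip: str, method: str) -> bool:
        """True when both the source-address and the method constraints hold."""
        ip = ipaddress.ip_address(client_ip)
        if self.src_ip:
            in_set = any(ip in ipaddress.ip_network(n) for n in self.src_ip)
            if in_set == self.negate:            # negate flips the address test
                return False
        if self.methods and method.upper() not in (m.upper() for m in self.methods):
            return False
        return True


def evaluate(filters: List[AclFilter], client_ip: str, method: str) -> bool:
    """Deny-wins, default-allow, as described in the thread: the first matching
    deny filter rejects the request; allow filters never terminate the walk,
    so a request matching no deny filter is allowed."""
    for f in filters:
        if f.action == "deny" and f.matches(client_ip, method):
            return False
    return True


# The rule set from the report, written as an allow plus a deny.
RULES_AS_REPORTED = [
    AclFilter("allow", src_ip=["192.168.0.0/16", "10.0.0.0/8"]),
    AclFilter("deny", methods=["CONNECT", "POST"]),
]

# The same intent expressed only with deny filters, which is what a
# deny-wins model can actually enforce: reject everything outside the
# two networks, and reject the two methods everywhere.
RULES_DENY_ONLY = [
    AclFilter("deny", src_ip=["192.168.0.0/16", "10.0.0.0/8"], negate=True),
    AclFilter("deny", methods=["CONNECT", "POST"]),
]

# Constructed sample requests: (client address, method).
SAMPLE_REQUESTS = [
    ("10.1.2.3", "GET"),
    ("10.1.2.3", "POST"),
    ("192.168.5.5", "CONNECT"),
    ("8.8.8.8", "GET"),
    ("8.8.8.8", "POST"),
]


def run(filters: List[AclFilter]) -> dict:
    """Evaluate every sample request; returns {(ip, method): allowed}."""
    return {(ip, m): evaluate(filters, ip, m) for ip, m in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, rules in (("as reported", RULES_AS_REPORTED), ("deny-only", RULES_DENY_ONLY)):
        print(name)
        for (ip, m), allowed in run(rules).items():
            print(f"  {ip:>12} {m:<8} -> {'allow' if allowed else 'deny'}")
```

Under the deny-wins walk, `RULES_AS_REPORTED` denies POST and CONNECT from every address but still lets a GET from 8.8.8.8 through, because the allow filter's failure to match is not itself a deny. `RULES_DENY_ONLY` gets the intended result for all five sample requests, which is why, if the semantics really are as described, an address allow-list has to be phrased as a deny of everything else.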