authorReyk Floeter <reyk@cvs.openbsd.org>2007-11-21 11:06:22 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2007-11-21 11:06:22 +0000
commit58a45bd3fc8545f2f426bf7208337a15505fabdb (patch)
treef955ab9c6e364a54861cc9f1f245e5fa0cac2ffb
parente8543b947a61189a7b9629e7c2540487e1a6ab54 (diff)
more work on the "filter" action: close the connection instantly when
receiving a filtered entity, fix some remaining issues.
-rw-r--r--usr.sbin/hoststated/relay.c19
-rw-r--r--usr.sbin/relayd/relay.c19
2 files changed, 30 insertions, 8 deletions
diff --git a/usr.sbin/hoststated/relay.c b/usr.sbin/hoststated/relay.c
index 584f85e9456..4553adb4a3a 100644
--- a/usr.sbin/hoststated/relay.c
+++ b/usr.sbin/hoststated/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.60 2007/11/20 17:11:50 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.61 2007/11/21 11:06:21 reyk Exp $ */
/*
* Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -858,9 +858,11 @@ relay_resolve(struct ctl_relay_event *cre,
switch (pn->action) {
case NODE_ACTION_FILTER:
- if (cre->nodes[proot->id] <= 1)
+ id = cre->nodes[proot->id];
+ if (SIMPLEQ_NEXT(pn, entry) == NULL)
+ cre->nodes[proot->id] = 0;
+ if (id <= 1)
return (0);
- cre->nodes[pn->id] = 0;
break;
case NODE_ACTION_EXPECT:
id = cre->nodes[proot->id];
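Review bot: In the new `NODE_ACTION_FILTER` branch, `if (id <= 1) return (0);` treats any counter value above 1 as a filter hit, yet nothing in the hunk documents what the values in `cre->nodes[]` mean. In `relay_handle_http` the counter is bumped by `cre->nodes[proot->id]++` each time the last node of a key is processed, and a matching filter now returns before that increment. For HTTP, the only way to arrive here with `id > 1` therefore appears to be the same header sent twice without matching; if the code after the `switch` rejects on `break`, such a request is refused although no pattern matched. That fails closed, but it should be deliberate: add a comment such as `/* 0 = key not seen, 1 = seen without match, >1 = matched or repeated */` above the check, or reject repeated filtered headers explicitly as the expect path does with "repeated header line". The same hunk is applied to usr.sbin/relayd/relay.c, and the rest of relay_resolve lies outside the hunk, so the outcome after `break` needs confirming there.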
@@ -1011,16 +1013,25 @@ relay_handle_http(struct ctl_relay_event *cre, struct protonode *proot,
relay_close_http(con, 400, "repeated header line");
return (PN_FAIL);
}
- ret = PN_PASS;
/* FALLTHROUGH */
case NODE_ACTION_FILTER:
DPRINTF("relay_handle_http: %s '%s: %s'",
(pn->action == NODE_ACTION_EXPECT) ? "expect" : "filter",
pn->key, pn->value);
+
+ /* Do not drop the entity */
+ ret = PN_PASS;
+
if (fnmatch(pn->value, pk->value, FNM_CASEFOLD) == 0) {
if (pn->flags & PNFLAG_MARK)
cre->marked++;
cre->nodes[proot->id] = 1;
+
+ /* Fail instantly */
+ if (pn->action == NODE_ACTION_FILTER) {
+ relay_close_http(con, 403, "rejecting request");
+ return (PN_FAIL);
+ }
}
if (SIMPLEQ_NEXT(pn, entry) == NULL)
cre->nodes[proot->id]++;
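Review bot: The new early return after `relay_close_http(con, 403, "rejecting request")` leaves no visible record of which filter rule fired. The only place `pn->key` and `pn->value` are printed is the `DPRINTF` above, which is presumably compiled out of non-debug builds, unless relay_close_http logs the rule itself. An operator investigating a 403 needs the matching key and pattern in the server-side log; keep them out of the response body, where echoing the pattern would disclose the filter policy to the client. `cre->marked++` and `cre->nodes[proot->id] = 1` also still run before the return, so a comment such as `/* mark and counter are discarded with the session */` would make clear that this is intentional. The same hunk appears in usr.sbin/relayd/relay.c, and relay_handle_http continues outside the hunk.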
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 584f85e9456..4553adb4a3a 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.60 2007/11/20 17:11:50 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.61 2007/11/21 11:06:21 reyk Exp $ */
/*
* Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -858,9 +858,11 @@ relay_resolve(struct ctl_relay_event *cre,
switch (pn->action) {
case NODE_ACTION_FILTER:
- if (cre->nodes[proot->id] <= 1)
+ id = cre->nodes[proot->id];
+ if (SIMPLEQ_NEXT(pn, entry) == NULL)
+ cre->nodes[proot->id] = 0;
+ if (id <= 1)
return (0);
- cre->nodes[pn->id] = 0;
break;
case NODE_ACTION_EXPECT:
id = cre->nodes[proot->id];
@@ -1011,16 +1013,25 @@ relay_handle_http(struct ctl_relay_event *cre, struct protonode *proot,
relay_close_http(con, 400, "repeated header line");
return (PN_FAIL);
}
- ret = PN_PASS;
/* FALLTHROUGH */
case NODE_ACTION_FILTER:
DPRINTF("relay_handle_http: %s '%s: %s'",
(pn->action == NODE_ACTION_EXPECT) ? "expect" : "filter",
pn->key, pn->value);
+
+ /* Do not drop the entity */
+ ret = PN_PASS;
+
if (fnmatch(pn->value, pk->value, FNM_CASEFOLD) == 0) {
if (pn->flags & PNFLAG_MARK)
cre->marked++;
cre->nodes[proot->id] = 1;
+
+ /* Fail instantly */
+ if (pn->action == NODE_ACTION_FILTER) {
+ relay_close_http(con, 403, "rejecting request");
+ return (PN_FAIL);
+ }
}
if (SIMPLEQ_NEXT(pn, entry) == NULL)
cre->nodes[proot->id]++;