Alan Carroll
2017-12-07 21:29:25 UTC
Based on discussions for issue #1971, I have some proposed changes for how
remap rule filters are applied. The current style is not well documented,
but it is "deny match" where filters are checked until a deny is found, at
which point the request is denied. Only if no deny is found is the request
allowed. The change is basically:

1) Do first match, not deny match.
2) Expand the syntax to be closer to that in ip_allow.config, particularly
for methods.

The point of changing to first match is that currently allow actions are
irrelevant and never have any effect. This change will enable allow actions
to override more general and lower precedence deny rules. In particular,
something like this will work as Miles expects:

    map from to @action=allow @src_ip=172.20.1.0-172.20.1.255 @action=deny

to allow transactions only from the 172.20.1.0/24 network.

Links:
#1971: https://github.com/apache/trafficserver/issues/1971
remap.config documentation:
http://network-geographics.com/amc/i-1971/html/admin-guide/files/remap.config.en.html
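
An added example, not part of the original message and not Traffic Server code: a small Python model of the two evaluation orders as the message describes them, run against the example rule above. The filter tuples, the function names and the fall-through default for first match are assumptions made for illustration.

```python
import ipaddress

# Constructed model of the filter list in the message's example rule:
#   @action=allow @src_ip=172.20.1.0-172.20.1.255 @action=deny
# Each filter is (action, (first_ip, last_ip)); a range of None matches any source.
FILTERS = [
    ("allow", ("172.20.1.0", "172.20.1.255")),
    ("deny", None),
]

def matches(src_range, client_ip):
    """True when client_ip falls inside the inclusive range, or no range is set."""
    if src_range is None:
        return True
    lo, hi = (ipaddress.ip_address(a) for a in src_range)
    return lo <= ipaddress.ip_address(client_ip) <= hi

def deny_match(filters, client_ip):
    """Current style: any matching deny rejects; allow filters never change the result."""
    for action, src_range in filters:
        if action == "deny" and matches(src_range, client_ip):
            return "deny"
    return "allow"

def first_match(filters, client_ip, default="allow"):
    """Proposed style: the first filter that matches decides.
    The default when nothing matches is an assumption; the message does not state it."""
    for action, src_range in filters:
        if matches(src_range, client_ip):
            return action
    return default

def compare(filters, clients):
    """Map each client IP to (deny-match result, first-match result)."""
    return {ip: (deny_match(filters, ip), first_match(filters, ip)) for ip in clients}

if __name__ == "__main__":
    clients = ["172.20.1.5", "172.20.2.5", "10.0.0.1"]
    for ip, (old, new) in compare(FILTERS, clients).items():
        print(f"{ip:12} deny-match={old:5} first-match={new}")
```

Under deny match the unconditional deny rejects every client, including those in 172.20.1.0/24; under first match the allow filter is reached first for that network and only other sources fall through to the deny.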