Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
I have child/parent setup where I would like to block some IP ranges by providing ip_allow filters on the child. The child is accepting connections from those blocked client IPs. This is an issue and needs to be addressed.
After taking a closer look at the logs, it is evident that ip_allow filtering is happening after parent selection and hence child accepts the connection from client. The child then talks to parent and connection goes through successfully.
##################
Child
##################
Child's IP: 10.11.11.11
Remap on child:
map foo.com foo.com \
@src_ip=10.11.0.0-10.11.255.255 \
@action=allow
parent.config on child:
dest_domain=. parent="proxy1.example.com:8080" round_robin=strict
##################
Parent
##################
Remap on Parent:
map foo.com origin \
@src_ip=10.11.0.0-10.11.255.255 \
@action=allow
When I curl from client(Eg: 10.44.2.2), the connection goes through successfully.
- Child does parent selection before ip_allow filtering. Hence it connects to parent.
- Child talks to parent as client and hence the connection will go through successfully. I looked into logs on parent which shows that the clientIP has child's IP 10.11.11.11. Since 10.11.11.11 is a valid IP range for parent, the connection goes through.
The issue is only with parent child setup. On a standalone ATS setup, it blocks the IP and works as expected.