Details
Bug
Status: Closed
Major
Resolution: Fixed
3.1.0
None
CentOS 5.5 64-bit
Description
The ip_allow.config file is not read correctly. It appears that later lines replace earlier lines if the IP ranges overlap. So, a config file like this does not result in the desired range being allowed. Instead, only the reject line is used. This can be confirmed by enabling debug logging.
src_ip=172.16.11.0-172.16.19.255 action=ip_allow
.... more allow ranges ...
src_ip=0.0.0.0-255.255.255.255 action=ip_deny
This configuration results in the following debug log:
[Sep 20 15:06:52.348] Server {0x2b19b4be3d70} DEBUG: (ip-allow) 1 ACL entries.
Line 33: deny 0.0.0.0 - 255.255.255.255
Commenting out the global deny line results in:
[Sep 20 15:14:11.247] Server {0x2b3458cf7d70} DEBUG: (ip-allow) 8 ACL entries.
Line 16: allow 172.16.3.0 - 172.16.3.255
....
Line 30: allow 172.16.79.21 - 172.16.79.26
Client IPs outside the allow range are denied by default. So I can still implement the same thing but not with the same configuration used in previous versions of ATS. Also, the documentation indicates that the line is parsed from the top down so that the first entry matching the connecting host is used but it does not function that way.
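
The documented top-down, first-match evaluation described in this report, as an added example (not part of the original report and not Traffic Server code). It parses lines in the src_ip=... action=... form shown above, evaluates a client address, and lists overlapping entries with conflicting actions, which are the ones whose result depends on order being honoured. The function names, the "#" comment handling, the sample file and the default-deny fallback are assumptions of this example.

```python
import ipaddress

# Constructed sample in the format shown in the report (not the reporter's full file).
SAMPLE = """\
# constructed example
src_ip=172.16.11.0-172.16.19.255 action=ip_allow
src_ip=172.16.79.21-172.16.79.26 action=ip_allow
src_ip=0.0.0.0-255.255.255.255 action=ip_deny
"""

def parse_rules(text):
    """Return [(lineno, lo, hi, action)] for each src_ip=... action=... line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        lo, _, hi = fields["src_ip"].partition("-")
        lo_i = int(ipaddress.IPv4Address(lo))
        hi_i = int(ipaddress.IPv4Address(hi or lo))  # single address: lo == hi
        if lo_i > hi_i:
            raise ValueError(f"line {lineno}: range start is above range end")
        rules.append((lineno, lo_i, hi_i, fields["action"]))
    return rules

def first_match(rules, ip, default="ip_deny"):
    """Walk the rules top-down; the first range containing ip decides."""
    addr = int(ipaddress.IPv4Address(ip))
    for _, lo, hi, action in rules:
        if lo <= addr <= hi:
            return action
    return default  # assumption: unmatched clients are denied, as the report observes

def overlapped_by_later(rules):
    """Return (earlier_line, later_line) pairs that overlap with different actions."""
    pairs = []
    for i, (ln_a, lo_a, hi_a, act_a) in enumerate(rules):
        for ln_b, lo_b, hi_b, act_b in rules[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a and act_a != act_b:
                pairs.append((ln_a, ln_b))
    return pairs

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for ip in ("172.16.12.5", "172.16.79.22", "10.0.0.1"):
        print(ip, first_match(rules, ip))
    print("order-dependent pairs:", overlapped_by_later(rules))
```

Comparing first_match results for a few known client addresses against the server's (ip-allow) debug output shows whether a given build honours line order for the pairs that overlapped_by_later reports.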