  1. Traffic Server
  2. TS-1235

Deny occurring for IPs not in the ip_allow.config file


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.3
    • Fix Version/s: 3.3.4
    • Component/s: Configuration, Security
    • Labels:
      None
    • Environment:

      Linux server.domain.com 2.6.32-220.el6.x86_64 #1 SMP Wed Dec 7 10:41:06 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

      Description

      Consistently seeing this morning IPs that are not set to deny in ip_allow.config being rejected. Here's the config file we were using:

        #
        # ip_allow.config
        #
        # Two types of rules:
        # #src_ip=<range of IP addresses> action=ip_allow
        # #src_ip=<range of IP addresses> action=ip_deny
        # Rules are applied in the order listed starting from the top.
        #
        # Ban all of the XXXX servers
        src_ip=AAA.BBB.CCC.134 action=ip_deny
        #src_ip=AAA.BBB.CCC.135 action=ip_deny # temp unbanning. we've talked to him
        src_ip=AAA.BBB.CCC.137 action=ip_deny
        src_ip=AAA.BBB.CCC.202 action=ip_deny
        src_ip=AAA.BBB.CCC.203 action=ip_deny
        src_ip=AAA.BBB.CCC.208 action=ip_deny
        src_ip=AAA.BBB.CCC.209 action=ip_deny
        src_ip=AAA.BBB.CCC.216 action=ip_deny
        src_ip=AAA.BBB.CCC.217 action=ip_deny
        src_ip=AAA.BBB.CCC.218 action=ip_deny
        src_ip=AAA.BBB.CCC.219 action=ip_deny
        src_ip=AAA.BBB.CCC.220 action=ip_deny
        src_ip=AAA.BBB.CCC.222 action=ip_deny
        src_ip=AAA.BBB.CCC.224 action=ip_deny
        src_ip=AAA.BBB.CCC.236 action=ip_deny
        # Banned IPs
        src_ip=AAA.BBB.CCC.212 action=ip_deny
        src_ip=AAA.BBB.CCC.246 action=ip_deny
        src_ip=AAA.BBB.CCC.144 action=ip_deny
        # Stock Rules
        src_ip=0.0.0.0-255.255.255.255 action=ip_allow
        src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow

      And here are the log entries from when this config was active:

      [Apr 30 10:06:21.446] {0x2b321b2d42a0} NOTE: updated diags config
      [Apr 30 10:06:21.449] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
      [Apr 30 10:06:21.492] Server {0x2b321b2d42a0} NOTE: cache clustering disabled
      [Apr 30 10:06:21.584] Server {0x2b321b2d42a0} NOTE: logging initialized[15], logging_mode = 3
      [Apr 30 10:06:21.591] Server {0x2b321b2d42a0} NOTE: traffic server running
      [Apr 30 10:06:25.140] Server {0x2b3222d2c700} NOTE: cache enabled
      [Apr 30 10:06:33.804] Server {0x2b3223534700} WARNING: connect by disallowed client AAA.BBB.CCC.111, closing
      [Apr 30 10:07:01.914] Server {0x2b324b2d2700} WARNING: connect by disallowed client AAA.BBB.CCC.111, closing
      [Apr 30 10:07:02.025] Server {0x2b324b4d4700} WARNING: connect by disallowed client AAA.BBB.CCC.144, closing
      [Apr 30 10:07:03.109] Server {0x2b3222827700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
      [Apr 30 10:07:04.594] Server {0x2b3222f2e700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
      [Apr 30 10:07:05.201] Server {0x2b3223332700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
      [Apr 30 10:07:06.170] Server {0x2b3223534700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
      [Apr 30 10:07:06.575] Server {0x2b3223736700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
      [Apr 30 10:07:06.690] Server {0x2b3223837700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
      [Apr 30 10:07:06.785] Server {0x2b3223938700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
      [Apr 30 10:07:06.817] Server {0x2b3223a39700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
      [Apr 30 10:07:06.841] Server {0x2b3223b3a700} WARNING: connect by disallowed client AAA.BBB.CCC.74, closing
      [Apr 30 10:07:10.587] Server {0x2b321b2d42a0} WARNING: connect by disallowed client AAA.BBB.CCC.35, closing
      FATAL: HttpSM.cc:890: failed assert `0`

      The IPs visible in the log ending in .111 and .74 are not in the deny list anywhere. The two ending in .144 and .35 are in the deny list.

      Please let me know what further information I can provide to help troubleshoot/reproduce this.

              People

              • Assignee: Alan M. Carroll (amc)
              • Reporter: Michael Turner (mikey10123)
              • Votes: 1
              • Watchers: 5
