MINOR: pattern: forbid dns resolutions
This patch adds the "-n" flag to the ACL parser. The "-n" flag forbids
DNS resolution. Maps always have DNS resolution disabled.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 46bee9b..2875355 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -8909,6 +8909,7 @@
-i : ignore case during matching of all subsequent patterns.
-f : load patterns from a file.
-m : use a specific pattern matching method
+ -n : forbid the DNS resolutions
-M : load the file pointed by -f like a map file.
-u : force the unique id of the ACL
-- : force end of flags. Useful when a string looks like one of the flags.
@@ -8954,6 +8955,15 @@
that were not initially planned, or with sample fetch methods which return a
string. The matching method also affects the way the patterns are parsed.
+The "-n" flag forbids the dns resolutions. It is used with the load of ip files.
+By default, if the parser cannot parse ip address it considers that the parsed
+string is maybe a domain name and try dns resolution. The flag "-n" disable this
+resolution. It is useful for detecting malformed ip lists. Note that if the DNS
+server is not reachable, the haproxy configuration parsing may last many minutes
+waiting fir the timeout. During this time no error messages are displayed. The
+flag "-n" disable this behavior. Note also that during the runtime, this
+function is disabled for the dynamic acl modifications.
+
There are some restrictions however. Not all methods can be used with all
sample fetch methods. Also, if "-m" is used in conjunction with "-f", it must
be placed first. The pattern matching method must be one of the following :
diff --git a/include/types/pattern.h b/include/types/pattern.h
index 839eae6..3859eda 100644
--- a/include/types/pattern.h
+++ b/include/types/pattern.h
@@ -65,6 +65,7 @@
enum {
PAT_F_IGNORE_CASE = 1 << 0, /* ignore case */
PAT_F_TREE = 1 << 1, /* some patterns are arranged in a tree */
+ PAT_F_NO_DNS = 1 << 2, /* dont perform any DNS requests */
};
/* ACL match methods */
diff --git a/src/acl.c b/src/acl.c
index 7efd89e..8d14c68 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -428,6 +428,8 @@
while (**args == '-') {
if ((*args)[1] == 'i')
patflags |= PAT_F_IGNORE_CASE;
+ else if ((*args)[1] == 'n')
+ patflags |= PAT_F_NO_DNS;
else if ((*args)[1] == 'u') {
unique_id = strtol(args[1], &error, 10);
if (*error != '\0') {
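Review bot: The new `-n` branch only sets a bit in `patflags`, so its effect depends on where the flag sits relative to `-f`. If the `-f` branch (outside this hunk) loads the file with whatever `patflags` holds at that moment, a `-n` written after `-f` would not stop names in that file from being resolved. That ordering is inferred, because the while loop continues past the end of the hunk. If it holds, the constraint should be stated as it already is for `-m`, for example with a comment on the branch: `/* must appear before -f to apply to the loaded file */`.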
diff --git a/src/map.c b/src/map.c
index 597907d..570937c 100644
--- a/src/map.c
+++ b/src/map.c
@@ -153,7 +153,7 @@
}
/* Load map. */
- if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, 0,
+ if (!pattern_read_from_file(&desc->pat, PAT_REF_MAP, arg[0].data.str.str, PAT_F_NO_DNS,
1, err, file, line))
return 0;
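Review bot: Passing `PAT_F_NO_DNS` unconditionally here changes behaviour for existing configurations, and nothing at the call site says so. A map file whose IP keys contain host names was previously resolved at startup (the old flags value was 0) and will now be rejected or left unmatched. The comment above the call should record the intent, e.g. `/* Load map. DNS resolution is always disabled for maps. */`. The commit message mentions this, but the configuration.txt text added in this patch only describes the ACL flag. The enclosing function starts and ends outside the hunk.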
diff --git a/src/pattern.c b/src/pattern.c
index 22aa9d4..86f94db 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -405,7 +405,7 @@
*/
int pat_parse_ip(const char *text, struct pattern *pattern, char **err)
{
- if (str2net(text, global.mode & MODE_STARTING,
+ if (str2net(text, !(pattern->flags & PAT_F_NO_DNS) && (global.mode & MODE_STARTING),
&pattern->val.ipv4.addr, &pattern->val.ipv4.mask)) {
pattern->type = SMP_T_IPV4;
return 1;
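Review bot: The new guard reads `pattern->flags` before the pattern has been parsed, so `-n` only works if every caller of `pat_parse_ip()` has already copied the expression flags into the `struct pattern` it passes in. The hunk does not show that. A caller handing over a zeroed or stack-allocated pattern would silently keep DNS resolution enabled at startup, which is the fail-open direction for an IP ACL. The function's header comment should state the precondition, for example `/* pattern->flags must be set by the caller; PAT_F_NO_DNS disables name resolution */`. The function body continues outside the hunk.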