Issue 1971 and possible changes to remap.config for ATS 8.0


Alan Carroll-2
Based on discussions for issue #1971, I have some proposed changes for how remap rule filters are applied. The current style is not well documented, but it is "deny match" where filters are checked until a deny is found, at which point the request is denied. Only if no deny is found is the request allowed. The change is basically:

1) Do first match, not deny match.
2) Expand the syntax to be closer to that in ip_allow.config, particularly for methods.

The point of changing to first match is that currently allow actions are irrelevant and never have any effect. This change will enable allow actions to override more general and lower precedence deny rules. In particular, something like this will work as Miles expects:

map from to @action=allow @src_ip=172.20.1.0-172.20.1.255 @action=deny

to allow transactions only from the 172.20.1.0/24 network.

Links:

remap.config documentation : http://network-geographics.com/amc/i-1971/html/admin-guide/files/remap.config.en.html
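
The difference between the two evaluation orders described in the message, as an added example that is not part of the original post and not Traffic Server's own code. It is a simplified Python model that assumes each `@action` opens a new filter, a following `@src_ip` narrows it, a filter without `@src_ip` matches every client, and a request matching no filter is allowed; the map URLs and client addresses are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

class Filter(NamedTuple):
    action: str                     # "allow" or "deny"
    src_ip: Optional[tuple] = None  # inclusive (low, high); None matches any client

def parse_filters(rule):
    """Collect the @action/@src_ip options of one remap line, in order."""
    filters = []
    for token in rule.split():
        if not token.startswith("@"):
            continue                # 'map' and the two URL fields
        key, _, value = token[1:].partition("=")
        if key == "action":
            if value not in ("allow", "deny"):
                raise ValueError(f"unknown action: {value}")
            filters.append(Filter(value))   # assumption: @action opens a new filter
        elif key == "src_ip":
            if not filters:
                raise ValueError("@src_ip given before any @action")
            low, _, high = value.partition("-")
            span = (ipaddress.ip_address(low), ipaddress.ip_address(high or low))
            filters[-1] = filters[-1]._replace(src_ip=span)
    return filters

def matches(flt, addr):
    if flt.src_ip is None:
        return True
    low, high = flt.src_ip
    return addr.version == low.version and low <= addr <= high

def deny_match(filters, client):
    """Current behaviour as described: any matching deny rejects, allow is inert."""
    addr = ipaddress.ip_address(client)
    return not any(f.action == "deny" and matches(f, addr) for f in filters)

def first_match(filters, client):
    """Proposed behaviour: the first filter that matches decides."""
    addr = ipaddress.ip_address(client)
    for f in filters:
        if matches(f, addr):
            return f.action == "allow"
    return True                     # assumption: nothing matched, so allow

# Constructed rule: URLs are placeholders, options are the ones from the message.
RULE = ("map http://from.example/ http://to.example/ "
        "@action=allow @src_ip=172.20.1.0-172.20.1.255 @action=deny")
```

Under `deny_match` the trailing unrestricted deny rejects every client, including those in 172.20.1.0/24, while `first_match` admits that range and rejects everything else.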