tested with 32K acl rules, generated by
for x in `seq 128` ; do for y in `seq 255` ; do \
echo "Deny 10.$x.$y.0/24" ; done ; done
after loading the config (which is dogslow too), tinyproxy
required 9.5 seconds for the acl check on every request.
after switching the list implementation to sblist, a request
with the full acl check now takes only 0.025 seconds.
the time spent for loading the config file is identical for both
list implementations, roughly 30 seconds.
(in a previous test, 65K acl rules were generated, but every
connection required almost 2 minutes to crunch through the list...)
tinyproxy used to do a full hostname resolution whenever a new client
connection happened, which could cause very long delays (as reported in #198).
there's only a single place/scenario that actually requires a hostname, and
that is when an Allow/Deny rule exists for a hostname or domain, rather than
a raw IP address. since it is very likely this feature is not very widely used,
it makes absolute sense to only do the costly resolution when it is unavoidable.
The "address" member of struct acl_s is a union of a char *
and the numeric ip. So freeing the string after appending it to the
vector list is bad in two respects:
1. If the acl type was numeric, then this could (and would)
lead to a segfault due to the numeric IP data interpreted
as pointer to the string to be freed.
2. If the acl type was string, then the acl inserted into the
list contained a reference to this address string that
was freed. So in the worst case dereferencing this freed
string could segfault, or at least this could lead to
unexpectedly failing acl checks.
Michael
The compiler inlines static functions as necessary anyway.
No more inline keywords exist in Tinyproxy source code. We want to
avoid using this keyword anyway.
The modified files were indented with GNU indent using the
following command:
indent -npro -kr -i8 -ts8 -sob -l80 -ss -cs -cp1 -bs -nlps -nprs -pcs \
-saf -sai -saw -sc -cdw -ce -nut -il0
No other changes of any sort were made.
Moved the strtol() call into fill_netmask_array() and added additional
error checking to ensure that the strtol() call succeeded.
Error checking code taken from strtol() manpage.
Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
When building a numeric ACL with netmask, range check the supplied
value. In addition, the code to walk the array has been extracted and
"simplified".
Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
The notices have been changed to a more GNU look. Documentation
comments have been separated from the copyright header. I've tried to
keep all copyright notices intact. Some author contact details have
been updated.
I re-indented the source code using indent with the following options:
indent -kr -bad -bap -nut -i8 -l80 -psl -sob -ss -ncs
There are now _no_ tabs in the source files, and all indentation is
eight spaces. Lines are 80 characters long, and the procedure type is
on it's own line. Read the indent manual for more information about
what each option means.
to handle IPv6 style addresses along with the existing IPv4 and string
addresses. In addition, the hand-rolled "list" code has been replaced
with a vector (code reuse.) Also, the code should be a little easier
to understand (relatively speaking.)
I do need to add some kind of testing framework (in general) to check
that the new code does work with all the formats that will be thrown
at it.
