#925 implement ignore_deviceports and hide_deviceports
This commit is contained in:
Oliver Gorwits
@@ -94,25 +94,26 @@ sub check_acl {
|
||||
|
||||
my $real_ip = $thing;
|
||||
if (blessed $thing) {
|
||||
$real_ip = ($thing->can('alias') ? $thing->alias : (
|
||||
$thing->can('ip') ? $thing->ip : (
|
||||
$thing->can('addr') ? $thing->addr : $thing )));
|
||||
$real_ip = (
|
||||
$thing->can('alias') ? $thing->alias : (
|
||||
$thing->can('ip') ? $thing->ip : (
|
||||
$thing->can('addr') ? $thing->addr : $thing )));
|
||||
}
|
||||
return 0 if !defined $real_ip
|
||||
or blessed $real_ip; # class we do not understand
|
||||
return 0 if blessed $real_ip; # class we do not understand
|
||||
$real_ip ||= ''; # valid to be empty
|
||||
|
||||
$config = [$config] if ref '' eq ref $config;
|
||||
$config = [$config] if ref q{} eq ref $config;
|
||||
if (ref [] ne ref $config) {
|
||||
error "error: acl is not a single item or list (cannot compare to $real_ip)";
|
||||
error "error: acl is not a single item or list (cannot compare to '$real_ip')";
|
||||
return 0;
|
||||
}
|
||||
my $all = (scalar grep {$_ eq 'op:and'} @$config);
|
||||
|
||||
# common case of using plain IP in ACL, so string compare for speed
|
||||
my $find = (scalar grep {not reftype $_ and $_ eq $real_ip} @$config);
|
||||
return 1 if $find and not $all;
|
||||
return 1 if $real_ip and $find and not $all;
|
||||
|
||||
my $addr = NetAddr::IP::Lite->new($real_ip) or return 0;
|
||||
my $addr = NetAddr::IP::Lite->new($real_ip);
|
||||
my $name = undef; # only look up once, and only if qr// is used
|
||||
my $ropt = { retry => 1, retrans => 1, udp_timeout => 1, tcp_timeout => 2 };
|
||||
my $qref = ref qr//;
|
||||
@@ -122,6 +123,9 @@ sub check_acl {
|
||||
next INLIST if !defined $item or $item eq 'op:and';
|
||||
|
||||
if ($qref eq ref $item) {
|
||||
# if no IP addr, cannot match its dns
|
||||
next INLIST unless $addr;
|
||||
|
||||
$name = ($name || hostname_from_ip($addr->addr, $ropt) || '!!none!!');
|
||||
if ($name =~ $item) {
|
||||
return 1 if not $all;
|
||||
@@ -147,16 +151,23 @@ sub check_acl {
|
||||
next INLIST;
|
||||
}
|
||||
|
||||
if ($item =~ m/^([^:]+):([^:]+)$/) {
|
||||
if ($item =~ m/^([^:]+):([^:]*)$/) {
|
||||
my $prop = $1;
|
||||
my $match = $2;
|
||||
my $match = $2 || '';
|
||||
|
||||
# if not an object, we can't do much with properties
|
||||
next INLIST unless blessed $thing;
|
||||
|
||||
# lazy version of vendor: and model:
|
||||
if ($neg xor ($thing->can($prop) and defined eval { $thing->$prop }
|
||||
and $thing->$prop =~ m/^$match$/)) {
|
||||
# prop:val
|
||||
if ($neg xor ($thing->can($prop) and
|
||||
defined eval { $thing->$prop } and
|
||||
ref $thing->$prop eq q{}
|
||||
and $thing->$prop =~ m/^$match$/) ) {
|
||||
return 1 if not $all;
|
||||
}
|
||||
# empty or missing property
|
||||
elsif ($neg xor ($match eq q{} and
|
||||
(!defined eval { $thing->$prop } or $thing->$prop eq q{})) ) {
|
||||
return 1 if not $all;
|
||||
}
|
||||
else {
|
||||
@@ -169,6 +180,9 @@ sub check_acl {
|
||||
my $first = $1;
|
||||
my $last = $2;
|
||||
|
||||
# if no IP addr, cannot match IP range
|
||||
next INLIST unless $addr;
|
||||
|
||||
if ($item =~ m/:/) {
|
||||
next INLIST if $addr->bits != 128 and not $all;
|
||||
|
||||
@@ -208,6 +222,9 @@ sub check_acl {
|
||||
# could be something in error, and IP/host is only option left
|
||||
next INLIST if ref $item;
|
||||
|
||||
# if no IP addr, cannot match IP prefix
|
||||
next INLIST unless $addr;
|
||||
|
||||
my $ip = NetAddr::IP::Lite->new($item)
|
||||
or next INLIST;
|
||||
next INLIST if $ip->bits != $addr->bits and not $all;
|
||||
|
||||
Reference in New Issue
Block a user