only allowing one connection per IP address

Trustin Lee tlee at redhat.com
Sat Mar 21 11:08:36 EDT 2009


Hi Frederic,

Thanks for prototyping.  This is so nice!

A couple comments:

  * ChannelFilterHandler sounds somewhat confusing, thanks to MINA.
Let's think about a different class and package name.  What I can
think of right now is.. 'IpFilteringHandler'?

  * ChannelFilterHandler should intercept all event types, considering
a handler can be added at any time.  Therefore, there's no need to
extend SimpleChannelHandler.  Let's implement ChannelUpstreamHandler
directly.  Also, the ChannelStateEvent parameter in isAccept() and
sendBackConnectionRefused() needs to be replaced with ChannelEvent.

  * I don't think ChannelFilterHandler will deal with a SocketAddress
which is not an InetSocketAddress.  Therefore, we could simply add an
InetSocketAddress parameter to isAccept() and
sendBackConnectionRefused().

  * I would rename isAccept() to accept(), following the JDK convention.

  * I'd replace sendBackConnectionRefused() with 'void
handleRefusedChannel()' so that a user can choose whatever is needed
rather than sending a message.  Of course, the default implementation
should be closing the channel immediately.

  * OneIpFilterHandler needs a better data structure.  It's
linear-searching the address.

  * BannedIpHandler could be replaced with more generic rule based IP
filter.  For example, a user could specify a list of ALLOWs and DENYs
using CIDR or subnet mask (see http://en.wikipedia.org/wiki/CIDR):

    DENY:192.168.0.100,ALLOW:192.168.0.0/24,DENY:0.0.0.0/32 (i.e.
allow 192.168.0.0-99 and 101-255)

That's all.  :)

We are about to enter CR after documentation and unit testing, so we
might need to think about adding this feature in 3.2.  Until we start
to work on 3.2 in trunk, we could keep this in a branch.  I don't
think the core API will change anytime soon, so the overhead to
maintain the branch for your work will be minimal.  WDYT?

Cheers,

— Trustin Lee, http://gleamynode.net/

On Sat, Mar 21, 2009 at 5:54 AM, Frederic Bregier <fredbregier at free.fr> wrote:
>
> Hi William,
>
> I thought about your need. I think it could be included as a handler
> in Netty for other users, so I tried to develop a simple handler to do
> that.
>
> I first implemented an abstract handler that allows or disallows a
> connection based on some methods to implement. See
> http://n2.nabble.com/file/n2511111/ChannelFilterHandler.java
> ChannelFilterHandler.java
>
> Then I implemented your need, first with another abstract class that
> extends the first one.
> Its purpose is to check, based on the InetAddress, whether this one was
> already used, and if so, it rejects the connection.
> It is abstract since one may want to return something to the client
> before closing the connection (like "connection not allowed"). See
> http://n2.nabble.com/file/n2511111/OneIpFilterHandler.java
> OneIpFilterHandler.java
>
> Then I implemented the real class that just extends and implements the
> second class with the method returning a message. See the example that I
> used in my FTP server program just to see if it works (it returns the 421
> code from the FTP RFC):
> http://n2.nabble.com/file/n2511111/FtpOneIpFilter.java FtpOneIpFilter.java
>
> You just have to add this filter to the pipeline like:
> pipeline.addLast("OneIpFilter", oneIpFilter);
> where oneIpFilter is constructed once for all connections (same object
> reused).
>
> I now found it easy to implement a simple class (still abstract in order
> to allow a specific reply) for banned InetAddresses (black list filter). See
> http://n2.nabble.com/file/n2511111/BannedIpHandler.java BannedIpHandler.java
>
>
> Any comments, ideas or corrections are more than welcome!!!
>
> HTH,
>
> Cheers,
> Frederic
>
> -----
> Hardware/Software Architect
>
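
The rule-based ALLOW/DENY filter suggested in the message above, as an added example (not code from this thread or from Netty; it needs Java 16 or later). The class name IpRuleFilter, first-match-wins ordering, the IPv4-only scope and refusing by default are assumptions; accept(InetSocketAddress) follows the naming proposed in the message, and the peers in main() are constructed.

```java
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.util.*;

// Hypothetical class, not Netty API: ordered ALLOW/DENY rules, first match wins.
public class IpRuleFilter {
    private record Rule(boolean allow, int network, int mask) {}
    private final List<Rule> rules = new ArrayList<>();
    // spec uses the syntax from the message; an address without "/n" is a /32.
    public IpRuleFilter(String spec) {
        for (String item : spec.split(",")) {
            String[] kv = item.trim().split(":", 2);
            if (kv.length != 2 || !(kv[0].equals("ALLOW") || kv[0].equals("DENY")))
                throw new IllegalArgumentException("bad rule: " + item);
            String[] cidr = kv[1].split("/", 2);
            int prefix = cidr.length == 2 ? Integer.parseInt(cidr[1]) : 32;
            if (prefix < 0 || prefix > 32) throw new IllegalArgumentException("bad prefix: " + item);
            // Java shift counts wrap at 32 (-1 << 32 == -1), so /0 needs its own case.
            int mask = prefix == 0 ? 0 : -1 << (32 - prefix);
            rules.add(new Rule(kv[0].equals("ALLOW"), parseIpv4(cidr[0]) & mask, mask));
        }
    }
    // Parses a dotted quad by hand so that a rule can never trigger a DNS lookup.
    private static int parseIpv4(String s) {
        String[] p = s.split("\\.");
        if (p.length != 4) throw new IllegalArgumentException("not IPv4: " + s);
        int v = 0;
        for (String o : p) {
            int n = Integer.parseInt(o);
            if (n < 0 || n > 255) throw new IllegalArgumentException("bad octet: " + s);
            v = (v << 8) | n;
        }
        return v;
    }
    // Fails closed: unresolved or non-IPv4 peers, and peers matching no rule, are refused.
    public boolean accept(InetSocketAddress remote) {
        if (!(remote.getAddress() instanceof Inet4Address a)) return false;
        int ip = ByteBuffer.wrap(a.getAddress()).getInt();
        for (Rule r : rules)
            if ((ip & r.mask()) == r.network()) return r.allow();
        return false;
    }
    public static void main(String[] args) throws Exception {
        IpRuleFilter f = new IpRuleFilter("DENY:192.168.0.100,ALLOW:192.168.0.0/24,DENY:0.0.0.0/32");
        for (String ip : new String[] {"192.168.0.99", "192.168.0.100", "192.168.0.101", "10.1.2.3"})
            System.out.println(ip + " -> " + f.accept(new InetSocketAddress(InetAddress.getByName(ip), 4000)));
    }
}
```

Rule order matters here: the single-address DENY has to come before the /24 ALLOW that contains it. A rule with prefix length 0 matches every IPv4 address, while a /32 matches exactly one, so with the rule string as written 10.1.2.3 is refused by the fail-closed default.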



