only allowing one connection per IP address

Frederic Bregier fredbregier at free.fr
Wed Apr 1 02:15:23 EDT 2009


Hi Trustin and all users,

Sorry for the delay...

I committed on the branch located at
http://anonsvn.jboss.org/repos/netty/branches/ipfilter
a new proposal, trying to follow as much as possible your ideas and my understanding.

I'll give a small summary:

- channelOpenAccept / channelBoundAccept are completely removed.

  Only channelConnectedAccept and channelClosedWasBlocked (not so happy with this name
  but I couldn't figure out something more acceptable right now) are still there.

- handleRefusedChannel returns a ChannelFuture (may be null).
  channelConnectedAccept therefore waits for this future to finish (except if null)
  before closing the channel.

- By default I only trap the CONNECTED and CLOSED events.
  However, if a channel was blocked (accept returning false), no events will
  be passed to the next entry in the pipeline.

  This can be changed in two ways if one wants to change it:
  - In handleRefusedChannel, the user might want to call directly
    ctx.sendUpstream(e) for the CONNECT event.
  - In channelClosedWasBlocked, the same ctx.sendUpstream(e) for the CLOSED event.
  - Or more generally change the implementation of the isBlocked method by returning
    false if he wants the event to continue (does not work for CONNECT, the user
    has to call sendUpstream explicitly in the handleRefusedChannel method).

- I created an interface IpFilterRule that one might want to implement to fit his needs.
  A default implementation IpSubnet is proposed (both standard and CIDR notations).
  The main change is as follows.

  An IpFilterRule has two kinds of information:
  - A subnet (or whatever it is) against which an InetAddress can be compared by the method
    contains. This method returns true if the InetAddress is in this IpFilterRule.
  - A DENY or ALLOW flag that says whether the previous call to contains should be
    considered as a DENY or ALLOW rule.

  - A constructor makes it possible to define an IpSubnet DENY/ALLOW ALL by just setting the flag.

- I changed the OneIpFilterHandler a bit (mainly HashMap to Set).

- I changed the IpBlackWhiteListHandler a bit, mainly to reflect the other changes.

- I created a new handler named IpFilterRuleHandler which could replace the BlackWhite
  one as it is more general. The BlackWhite is a handler that has only two lists:
  the Black or deny list, then the White or allow list, in that order.
  IpFilterRuleHandler is like a standard firewall ruleset where you can mix IpFilter
  rules which are ALLOW or DENY in whatever order you want.

  As in a firewall, the first rule that is found to match (contains) returns its
  status (isAllow). If no rule is found to match, by default it allows the channel
  (as if an ALLOW ALL were at the end of the rules list). Of course this behaviour
  can be changed easily by adding a DENY ALL at the end.

  I implemented it on a CopyOnWriteArrayList, which is efficient in traversal but
  not in adding/removing elements. I chose this since I feel that most of the time,
  rules will not change every time.
  I added most of the useful methods inspired by CopyOnWriteArrayList directly in the
  handler so as to make it easier for the user. I would recommend (as stated in the
  comment) that if a rule should change a lot, one could replace it by a DENY ALL
  or ALLOW ALL when necessary instead of removing/adding it.

I hope those changes will be more OK.
Please take care that I didn't test them correctly; it is just a prototype!!!

Cheers,
Frederic


-----
Hardware/Software Architect
-- 
View this message in context: http://n2.nabble.com/only-allowing-one-connection-per-IP-address-tp2495797p2567351.html
Sent from the Netty User Group mailing list archive at Nabble.com.
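As an added illustration (not the code on the ipfilter branch and not Netty's API), the following stand-alone Java sketch shows the rule semantics described in the mail: an IpFilterRule with contains/isAllow, an IPv4-only CIDR IpSubnet, and first-match evaluation over a CopyOnWriteArrayList with the implicit ALLOW ALL fallback. The class name IpFilterRuleSet and the sample addresses are constructed for this example.

```java
import java.net.InetAddress;
import java.util.concurrent.CopyOnWriteArrayList;

// Hypothetical stand-alone sketch of the semantics above (IPv4 only); not the branch code.
interface IpFilterRule {
    boolean contains(InetAddress address); // does this rule match the address?
    boolean isAllow();                     // ALLOW or DENY when it matches
}

// IPv4 subnet in CIDR notation, e.g. "192.0.2.0/24"; "0.0.0.0/0" stands for ALL.
final class IpSubnet implements IpFilterRule {
    private final int network, mask;
    private final boolean allow;
    IpSubnet(String cidr, boolean allow) {
        String[] parts = cidr.split("/");
        int prefix = Integer.parseInt(parts[1]);
        this.mask = prefix == 0 ? 0 : -1 << (32 - prefix); // Java shifts mod 32, so /0 is special
        int net = 0;
        for (String o : parts[0].split("\\.")) net = (net << 8) | Integer.parseInt(o);
        this.network = net & mask;
        this.allow = allow;
    }
    public boolean contains(InetAddress address) {
        byte[] b = address.getAddress();
        if (b.length != 4) return false; // IPv6 never matches in this sketch
        int a = 0;
        for (byte x : b) a = (a << 8) | (x & 0xff);
        return (a & mask) == network;
    }
    public boolean isAllow() { return allow; }
}

// Firewall-style evaluation: the first matching rule decides; no match means ALLOW.
final class IpFilterRuleSet {
    private final CopyOnWriteArrayList<IpFilterRule> rules = new CopyOnWriteArrayList<IpFilterRule>();
    void add(IpFilterRule rule) { rules.add(rule); }
    boolean accept(InetAddress address) {
        for (IpFilterRule rule : rules) {
            if (rule.contains(address)) return rule.isAllow();
        }
        return true; // implicit ALLOW ALL at the end of the list
    }
    public static void main(String[] args) throws Exception {
        IpFilterRuleSet set = new IpFilterRuleSet();
        set.add(new IpSubnet("192.0.2.0/24", true)); // ALLOW one subnet (constructed sample)
        set.add(new IpSubnet("0.0.0.0/0", false));   // DENY ALL replaces the default-allow fallback
        System.out.println("192.0.2.10 -> " + set.accept(InetAddress.getByName("192.0.2.10")));
        System.out.println("198.51.100.7 -> " + set.accept(InetAddress.getByName("198.51.100.7")));
    }
}
```

Without the trailing DENY ALL, the second address would be accepted by the implicit ALLOW ALL fallback, which is the point the mail makes about rule order.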




More information about the netty-users mailing list