only allowing one connection per IP address
Trustin Lee
tlee at redhat.com
Fri Apr 3 14:20:40 EDT 2009
Hi Frederic,
On Fri, Apr 3, 2009 at 10:54 PM, Frederic Bregier <fredbregier at free.fr> wrote:
> OK, I come back on your comments:
>
>>> Only channelConnectedAccept and channelClosedWasBlocked (not so happy with this name
>>> but I couldn't figure something more acceptable rigt now) are still there.
>>
>> I think we can simplify this further. Can we remove
>> channelConnectedAccept and channelClosedWasBlocked, and just use
>> accept() and the attachment? We can move the code in
>> channelConnectedAccept() to handleUpstream() and get rid of
>> channelConnectedAccept() and channelClosedWasBlocked().
>
>
> OK, I remove them. I keep :
> -accept
> -handleRefusedChannel
> -isBlocked (see later on)
>
> I also change the FutureChannel handling. Can you check if it seems ok ?
Looks good. You could use ChannelFutureListener.CLOSE instead of
IpFilteringFutureListener though - we don't need to create code
duplication. ;)
>>> - I only trap by default CONNECTED and CLOSED events.
>>> However, if a channel was blocked (accept returning false), all events will not
>>> be passed to the next entry in the pipeline.
>>
>> This is somewhat inconsistent in that there's possibility that
>> channelOpen() and channelBound() can be handed off to the next
>> handlers while channelClosed() will never be handed off. We should
>> block all events or none.
>
> OK, so I change a bit the logic. All events (except OPEN and BOUND since
> they occur before CONNECT so before the filter) are blocked by default.
> But the user can change it either by overridden isBlocked (in OneIpFilter
> it can be a problem) or by overridden handleUpstream.
> WDYT ?
I'm not sure how this resolves the problem I addressed. Let's say
that a user put some initialization code in channelOpen(). When a
channel is closed, the user will expect channelClosed() will be
invoked and he or she can destroy resources allocated in
channelOpen(). Every state event must be symmetric - if channelOpen
is fired, channelClosed must be fired in the end. Same applies for
channelBound/Unbound and channelConnected/Disconnected. We do have
control over channelConnected/Disconnected, but not over
channelOpen/Closed and channelBound/Unbound. Perhaps we should
maintain some flags to determine if channelClosed / channelUnbound
needs to be handed off to the next handler? Pretty tricky..
>> It look OK, but I think it should work fine with IPv6 addresses, too.
>> Could you consider this?
>
> I agreen but why not considering another IpSubnet implementation for IPV6.
> CIDR for instance seems not ok for IPV6 (am I right ?).
CIDR also applies to IPv6. The only difference is that the prefix
length ranges from 0 to 128. Therefore, I think IpSubnet should
support both IPv4 and IPv6 address.
>> This needs to be independent from IpSubnet, which means, IpSubnet
>> shouldn't decide its address should be allowed or denied.
>
> I agree, so I introduce a new Interface IpSet which IpSubnet implements.
> Then IpFilterRule is an interface of IpSet plus ALLOW DENY property.
> And then we've got IpSubnetFilterRule which implements this interface
> by extending IpSubnet.
> WDYT ?
Very cool. :)
>> It's getting better and better. Please keep up the great work!
> I hope so ;-)
It is! :-D
Cheers,
— Trustin Lee, http://gleamynode.net/
More information about the netty-users
mailing list