[Privoxy-commits] [privoxy] 12/38: Add code to make debugging ACL rules more convenient
User Git
git at git.privoxy.org
Thu Apr 9 09:37:10 CEST 2026
This is an automated email from the git hooks/post-receive script.
git pushed a commit to branch master
in repository privoxy.
commit 2eea4ff6f1ce95d478fa29b10bb6153a369d8247
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Tue Mar 31 14:40:21 2026 +0200
Add code to make debugging ACL rules more convenient
It can be enabled with the new configure parameter --enable-acl-debugging.
---
configure.in | 6 ++++++
filters.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
jbsockets.c | 3 +++
loadcfg.c | 14 ++++++++++++++
project.h | 7 +++++++
5 files changed, 81 insertions(+)
diff --git a/configure.in b/configure.in
index c0c59c97..2b571b2e 100644
--- a/configure.in
+++ b/configure.in
@@ -956,6 +956,12 @@ AC_ARG_ENABLE(acl-support,
fi],
AC_DEFINE(FEATURE_ACL))
+AC_ARG_ENABLE(acl-debugging,
+[ --enable-acl-debugging Enable code that makes debugging ACLs more convenient],
+[if test $enableval = yes; then
+ AC_DEFINE(ACL_DEBUG,1,[Define to make debugging ACLs more convenient.])
+fi])
+
AC_ARG_ENABLE(trust-files,
[ --disable-trust-files Prevents the use of trust files.],
[if test $enableval = yes; then
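Review bot: The `AC_DEFINE(ACL_DEBUG, ...)` added here is not tied to the acl-support option directly above it, so `--enable-acl-debugging --disable-acl-support` defines ACL_DEBUG while the ACL code it instruments is compiled out; nothing visible in this commit breaks in that combination, but the option silently does nothing. A guard such as `if test $enableval = yes -a "$enable_acl_support" != no; then` (assuming AC_ARG_ENABLE records the acl-support choice in `$enable_acl_support`, as it does by default) or an `AC_MSG_WARN` would make the dependency explicit. The help string could likewise say that the option only has an effect when ACL support is enabled.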
diff --git a/filters.c b/filters.c
index 3d605517..8c227832 100644
--- a/filters.c
+++ b/filters.c
@@ -74,6 +74,13 @@
#include "win32.h"
#endif
+#ifdef ACL_DEBUG
+#ifndef RFC_2553
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#endif
+#endif
+
typedef char *(*filter_function_ptr)(struct client_state *csp);
static filter_function_ptr get_filter_function(const struct client_state *csp);
static jb_err prepare_for_filtering(struct client_state *csp);
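Review bot: The guard on the second added line tests `RFC_2553`, but every other conditional in this commit (and the existing `match_sockaddr()` call in `block_acl()`) tests `HAVE_RFC2553`, so the `#ifndef` is always true and `<sys/socket.h>`/`<arpa/inet.h>` are pulled into every ACL_DEBUG build. That is harmless but hides the intent; it should read `#ifndef HAVE_RFC2553`. The non-RFC2553 path further down also uses `struct in_addr` and `inet_ntoa()`, which on some platforms need `<netinet/in.h>` as well — worth confirming against the project headers already included above this hunk.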
@@ -249,6 +256,14 @@ static int match_sockaddr(const struct sockaddr_storage *network,
int block_acl(const struct client_state *csp, const struct access_control_addr *dst)
{
struct access_control_list *acl = csp->config->acl;
+#ifdef ACL_DEBUG
+#ifdef HAVE_RFC2553
+ int retval;
+ char dst_string[NI_MAXHOST];
+#else
+ char *dst_string;
+#endif
+#endif
/* if not using an access control list, then permit the connection */
if (acl == NULL)
@@ -256,9 +271,45 @@ int block_acl(const struct client_state *csp, const struct access_control_addr *
return(0);
}
+#ifdef ACL_DEBUG
+ if (dst == NULL)
+ {
+#ifdef HAVE_RFC2553
+ strlcpy(dst_string, "not yet known", sizeof(dst_string));
+#else
+ dst_string = "not yet known";
+#endif
+ }
+ else
+ {
+#ifdef HAVE_RFC2553
+ retval = getnameinfo((const struct sockaddr *)&dst->addr, dst->addr_length,
+ dst_string, NI_MAXHOST, NULL, 0, NI_NUMERICHOST);
+ if (retval)
+ {
+ log_error(LOG_LEVEL_ERROR,
+ "Failed to get the host name from the ACL destination: %s",
+ gai_strerror(retval));
+ strlcpy(dst_string, "getnaminfo() failed!", sizeof(dst_string));
+ }
+#else
+ struct in_addr dst_addr;
+ dst_addr.s_addr = htonl(dst->addr);
+ dst_string = inet_ntoa(dst_addr);
+#endif
+ }
+#endif
+
/* search the list */
while (acl != NULL)
{
+#ifdef ACL_DEBUG
+ log_error(LOG_LEVEL_CONNECT,
+ "Checking client address %s against %s rule for source %s and destination %s. "
+ "Destination: %s.",
+ csp->ip_addr_str, (acl->action == ACL_PERMIT) ? "permit" : "deny",
+ acl->src_string, acl->dst_string, dst_string);
+#endif
if (
#ifdef HAVE_RFC2553
match_sockaddr(&acl->src->addr, &acl->src->mask, &csp->tcp_addr)
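Review bot: In the non-RFC2553 branch `dst_string = inet_ntoa(dst_addr);` points at a static buffer shared by every thread, so with concurrent clients the address printed by the log call inside the loop can belong to a different connection; if that branch is kept, copying the result into a local buffer (or using `inet_ntop()` where available) avoids the race, and the caveat deserves a comment either way. The fallback text on the `getnameinfo()` error path misspells the function and should be `strlcpy(dst_string, "getnameinfo() failed!", sizeof(dst_string));`. The per-rule `LOG_LEVEL_CONNECT` message is emitted once per ACL entry per check, which is fine for a debug build but worth noting in the comment above the loop so nobody is surprised by the volume. `block_acl()` continues past the end of this hunk.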
diff --git a/jbsockets.c b/jbsockets.c
index 02598b81..c8dc781c 100644
--- a/jbsockets.c
+++ b/jbsockets.c
@@ -257,6 +257,9 @@ static jb_socket rfc2553_connect_to(const char *host, int portnum, struct client
#ifdef FEATURE_ACL
memcpy(&dst->addr, rp->ai_addr, rp->ai_addrlen);
+#ifdef ACL_DEBUG
+ dst->addr_length = rp->ai_addrlen;
+#endif
if (block_acl(csp, dst))
{
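Review bot: `dst->addr_length = rp->ai_addrlen;` is the only place in this commit that writes the new field, yet `block_acl()` passes it straight to `getnameinfo()` whenever `dst` is non-NULL; if any other code path reaches `block_acl()` with a filled-in `dst` without going through `rfc2553_connect_to()` (I cannot see all callers from here), the length is indeterminate. A more robust option is to drop the field and derive the length inside `block_acl()` from the stored family, e.g. `socklen_t dst_len = (dst->addr.ss_family == AF_INET6) ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);`, which cannot fall out of sync with the address itself. Alternatively keep the field but document that `block_acl()` relies on it being set wherever `dst->addr` is populated. The enclosing function continues outside this hunk.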
diff --git a/loadcfg.c b/loadcfg.c
index c83cc991..e6dbad03 100644
--- a/loadcfg.c
+++ b/loadcfg.c
@@ -229,6 +229,10 @@ static void unload_configfile (void * data)
while (cur_acl != NULL)
{
struct access_control_list * next_acl = cur_acl->next;
+#ifdef ACL_DEBUG
+ free(cur_acl->src_string);
+ free(cur_acl->dst_string);
+#endif
free(cur_acl);
cur_acl = next_acl;
}
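Review bot: The two new `free()` calls assume every `access_control_list` node has had `src_string`/`dst_string` assigned or zeroed; this commit sets them at the two config-parsing sites later in the file, but if a node is allocated with a non-zeroing allocator and some other path creates one without reaching that code, these become frees of indeterminate pointers. Worth confirming that the node allocation zero-initialises (in which case `free(NULL)` is a harmless no-op) and recording the invariant, e.g. `/* NULL-safe: nodes are zero-initialised and the strings are only set under ACL_DEBUG */`. `unload_configfile()` starts before this hunk.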
@@ -1013,6 +1017,11 @@ struct configuration_spec * load_config(void)
cur_acl->wildcard_dst = 1;
}
+#ifdef ACL_DEBUG
+ cur_acl->src_string = strdup_or_die(vec[0]);
+ cur_acl->dst_string = strdup_or_die((vec_count == 2) ? vec[1] : "none specified");
+#endif
+
/*
* Add it to the list. Note we reverse the list to get the
* behaviour the user expects. With both the ACL and
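Review bot: The two added `strdup_or_die()` lines are repeated verbatim at the second ACL-parsing site later in this file; a small static helper taking the node, the `vec` array and `vec_count` would keep the `"none specified"` placeholder and the `vec_count == 2` test in one place. That matters because the placeholder is exactly what the ACL_DEBUG log in `block_acl()` prints, so the two sites must stay in sync. A one-line comment such as `/* Raw config tokens, kept only for the ACL_DEBUG log output. */` above the block would also explain why the strings are retained at all. `load_config()` continues outside this hunk.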
@@ -1567,6 +1576,11 @@ struct configuration_spec * load_config(void)
cur_acl->wildcard_dst = 1;
}
+#ifdef ACL_DEBUG
+ cur_acl->src_string = strdup_or_die(vec[0]);
+ cur_acl->dst_string = strdup_or_die((vec_count == 2) ? vec[1] : "none specified");
+#endif
+
/*
* Add it to the list. Note we reverse the list to get the
* behaviour the user expects. With both the ACL and
diff --git a/project.h b/project.h
index 30297c51..d6e26510 100644
--- a/project.h
+++ b/project.h
@@ -1370,6 +1370,9 @@ struct access_control_addr
#ifdef HAVE_RFC2553
struct sockaddr_storage addr; /* <The TCP address in network order. */
struct sockaddr_storage mask; /* <The TCP mask in network order. */
+#ifdef ACL_DEBUG
+ socklen_t addr_length;
+#endif
#else
unsigned long addr; /**< The IP address as an integer. */
unsigned long mask; /**< The network mask as an integer. */
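Review bot: The new `addr_length` member has no description while the two members above it carry `/**<` comments; a line such as `socklen_t addr_length; /**< Bytes of addr in use; set in rfc2553_connect_to(), read by block_acl() when dst != NULL. */` records who writes it and when it is valid, which matters because `block_acl()` hands the value straight to `getnameinfo()`. The struct definition continues outside this hunk.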
@@ -1386,6 +1389,10 @@ struct access_control_list
{
struct access_control_addr src[1]; /**< Client IP address */
struct access_control_addr dst[1]; /**< Website or parent proxy IP address */
+#ifdef ACL_DEBUG
+ char *src_string;
+ char *dst_string;
+#endif
short wildcard_dst; /** < dst address is wildcard */
short action; /**< ACL_PERMIT or ACL_DENY */
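Review bot: `src_string` and `dst_string` are added without doc comments although the neighbouring members have them, and their ownership is stated nowhere: they are `strdup_or_die()` copies of the config tokens made in `load_config()` and released in `unload_configfile()`. Suggest `char *src_string; /**< Source spec as written in the config, for ACL_DEBUG logging; owned, freed in unload_configfile(). */` and a matching line for `dst_string` that mentions the `"none specified"` placeholder used when no destination was given. The struct may continue past the end of this hunk.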
--