Atlas IP Filtering
Atlas implements IP filtering through the configuration parameter client-ips, which lists the addresses permitted to connect. It is configured as shown below: entries may be exact IPs or IP prefixes (network segments), separated by commas. If client-ips is not set, every IP may connect; otherwise only addresses in the list are accepted:
client-ips = 127.0.0.1, 192.168.1
Atlas converts each configured entry into an integer and stores it in a hash table:
    /* Pack each client-ips entry into a 32-bit integer, one octet per byte
     * (a prefix like "192.168.1" fills only the low three bytes), then convert
     * to network byte order so it can be compared directly against s_addr. */
    for (i = 0; config->client_ips && config->client_ips[i]; i++) {
        guint* sum = g_new0(guint, 1);
        char* token;
        while ((token = strsep(&config->client_ips[i], ".")) != NULL) {
            *sum = (*sum << 8) + atoi(token);
        }
        *sum = htonl(*sum);
        g_hash_table_add(config->ip_table, sum);
    }
    /* Source address of the connecting client, in network byte order. */
    guint client_ip = con->client->src->addr.ipv4.sin_addr.s_addr;
    /* Offline mode: only connections arriving from the LVS NIC are turned away. */
    if (!online && g_hash_table_contains(config->lvs_table, &client_ip)) {
        network_mysqld_con_send_error_full(con->client,
                                           C("Proxy Warning - Offline Now"),
                                           ER_UNKNOWN_ERROR, "07000");
        return NETWORK_SOCKET_SUCCESS;
    } else if (config->client_ips != NULL) {
        /* Try the exact address first, then shift by one octet twice so that
         * 3-octet and 2-octet prefixes from client-ips can match as well. */
        for (i = 0; i < 3; ++i) {
            if (g_hash_table_contains(config->ip_table, &client_ip)) break;
            client_ip <<= 8;
        }
        /* No match in client-ips: still accepted if the source is an LVS address. */
        if (i == 3 && !g_hash_table_contains(config->lvs_table,
                                             &(con->client->src->addr.ipv4.sin_addr.s_addr))) {
            network_mysqld_con_send_error_full(con->client,
                                               C("Proxy Warning - IP Forbidden"),
                                               ER_UNKNOWN_ERROR,
                                               "07000");
            return NETWORK_SOCKET_SUCCESS;
        }
    }
The LVS IP used above is also configurable. It is the IP of the physical NIC of the LVS placed in front of Atlas (note: not the virtual IP). If an LVS is present and client-ips is set, this item must be set; otherwise it can be left unset:
lvs-ips = 192.168.1.1
Atlas converts each lvs-ips entry directly into a number and stores it in a hash table, and installs handlers for SIGUSR1 and SIGUSR2 to bring the LVS online and offline:
    /* lvs-ips entries are complete addresses, so inet_addr() already yields
     * the network-byte-order value that matches s_addr. */
    for (i = 0; config->lvs_ips && config->lvs_ips[i]; i++) {
        guint* lvs_ip = g_new0(guint, 1);
        *lvs_ip = inet_addr(config->lvs_ips[i]);
        g_hash_table_add(config->lvs_table, lvs_ip);
    }
    /* SIGUSR1 brings the LVS online, SIGUSR2 takes it offline. */
    signal(SIGUSR1, handler);
    signal(SIGUSR2, handler);

/* A flag written from a signal handler should be declared volatile
 * sig_atomic_t so that the main loop is guaranteed to observe the update. */
void handler(int sig) {
    switch (sig) {
    case SIGUSR1:
        online = TRUE;
        break;
    case SIGUSR2:
        online = FALSE;
        break;
    }
}
As the code above shows, the IP check first tests whether online is FALSE and the connection comes from an lvs-ip; if so, it returns the offline notice. Otherwise, an IP that is not in client-ips but is in lvs-ips is accepted all the same.
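The following is an added example, not Atlas's own code: it re-implements the shift-and-compare matching above with plain arrays in place of GHashTable, so the exact/prefix matching and the LVS rules can be exercised offline. The function names, the array sizes and the LVS address 10.0.0.1 are assumptions for the example, and the octet-shifting trick (like the original) assumes a little-endian host.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum verdict { ALLOW, OFFLINE, FORBIDDEN };
/* Plain arrays stand in for Atlas's ip_table / lvs_table GHashTables. */
static uint32_t ip_table[16], lvs_table[16];
static size_t ip_table_len, lvs_table_len;
static int online = 1;                  /* Atlas flips this on SIGUSR1/SIGUSR2 */

/* Pack a client-ips entry ("127.0.0.1" or "192.168.1") as Atlas does: fold the
 * octets left to right, then htonl(). On a little-endian host a 3-octet prefix
 * then equals s_addr shifted left by 8 bits, a 2-octet prefix by 16. */
uint32_t atlas_pack_entry(const char *entry) {
    char buf[16] = {0};
    strncpy(buf, entry, sizeof buf - 1);
    uint32_t sum = 0;
    for (char *tok = strtok(buf, "."); tok; tok = strtok(NULL, "."))
        sum = (sum << 8) + (uint32_t)atoi(tok);
    return htonl(sum);
}
static int in_table(const uint32_t *t, size_t n, uint32_t v) {
    for (size_t i = 0; i < n; i++) if (t[i] == v) return 1;
    return 0;
}

/* Mirror of Atlas's connection-time check for peer address `dotted`. */
enum verdict atlas_check(const char *dotted) {
    uint32_t src = inet_addr(dotted);   /* network byte order, like s_addr */
    if (!online && in_table(lvs_table, lvs_table_len, src)) return OFFLINE;
    if (ip_table_len == 0) return ALLOW;            /* client-ips unset */
    uint32_t client_ip = src; int i;
    for (i = 0; i < 3; ++i) {           /* exact, then 3- and 2-octet prefixes */
        if (in_table(ip_table, ip_table_len, client_ip)) break;
        client_ip <<= 8;
    }
    if (i == 3 && !in_table(lvs_table, lvs_table_len, src)) return FORBIDDEN;
    return ALLOW;                       /* matched, or came in through the LVS */
}

/* Constructed sample: the page's client-ips plus a hypothetical LVS address
 * (10.0.0.1) deliberately outside client-ips, so the LVS rule is visible. */
enum verdict sample_verdict(const char *dotted, int is_online) {
    ip_table[0] = atlas_pack_entry("127.0.0.1");
    ip_table[1] = atlas_pack_entry("192.168.1"); ip_table_len = 2;
    lvs_table[0] = inet_addr("10.0.0.1"); lvs_table_len = 1;
    online = is_online;
    return atlas_check(dotted);
}
```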