MXS-1111: Allow COM_PING and other commands to pass the firewall

The firewall filter should allow COM_PING and other similar commands to
pass through as they are mainly used to check the status of the backend
server or to display statistics. The COM_PROCESS_KILL is the exception as
it affects the state of the backend server. This is better controlled with
permissions in the server than in the firewall filter.

Commands that require special grants aren't allowed to pass as they are
mainly for maintenance purposes and these should not be done through the
firewall.
Markus Mäkelä
2017-01-30 18:53:12 +02:00
parent 122027e4a3
commit fdee329198
2 changed files with 36 additions and 2 deletions

@ -2174,6 +2174,26 @@ USER* find_user_data(HASHTABLE *hash, const char *name, const char *remote)
return user;
}
static bool command_is_mandatory(GWBUF *buffer)
{
uint8_t cmd = *(((uint8_t*)GWBUF_DATA(buffer)) + 4);
switch (cmd)
{
case MYSQL_COM_QUIT:
case MYSQL_COM_PING:
case MYSQL_COM_CHANGE_USER:
case MYSQL_COM_SET_OPTION:
case MYSQL_COM_FIELD_LIST:
case MYSQL_COM_PROCESS_KILL:
case MYSQL_COM_PROCESS_INFO:
return true;
default:
return false;
}
}
/**
* The routeQuery entry point. This is passed the query buffer
* to which the filter should be applied. Once processed the
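Review bot: command_is_mandatory() reads the command byte at offset 4 with no length check, so a buffer holding fewer than five contiguous bytes (a bare 4-byte packet header, or a packet split across chained buffers) is read past its end. Check the available length before the dereference and return false when the byte is not there, and give the 4 a named constant for the MySQL packet header size. The function also has no doc comment, unlike routeQuery below it; a short one should say why MYSQL_COM_PROCESS_KILL and MYSQL_COM_CHANGE_USER are in the list, since the first changes backend state and the second changes the identity that the later find_user_data() lookup keys on.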
@ -2223,7 +2243,7 @@ routeQuery(FILTER *instance, void *session, GWBUF *queue)
else
{
USER *user = find_user_data(my_instance->htable, dcb->user, dcb->remote);
bool query_ok = false;
bool query_ok = command_is_mandatory(queue);
if (user)
{
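Review bot: query_ok now starts out true for mandatory commands, but the `if (user)` block still runs afterwards, and the visible lines do not show whether the rule checks inside it leave a pre-set true value alone. If any branch there assigns query_ok unconditionally, the new initial value is lost, and if none does, rule evaluation is still run on packets such as COM_PING that carry no SQL text. Consider skipping the user lookup and rule matching when command_is_mandatory(queue) is true, so the bypass is explicit and cannot be undone by later code.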