By incrementing the counters when the session is created, we know that the
counter will always be decremented correctly. This does cause the listener
session to be counted as an actual session but this is already present in
the statistics calculations and is something we have to live with in 2.3.
This change also makes it possible to overshoot the connection count
limitation as the session creation is delayed until authentication
fails. Both of these problems are fixed in 2.4.
The number of sessions wasn't always incremented but it was always
decremented. This happened primarily when authentication failed. By making
the management of the counters a part of the object lifecycle, this
problem goes away.
Necessary if the firewall should be able to block columns when
'ANSI_QUOTES' is enabled and " is used instead of backticks.
Without this, the following
> set @@sql_mode='ANSI_QUOTES';
> select "ssn" from person;
will not be blocked if the database firewall has been configured
to block the column ssn.
The masking filter will now consider all string arguments to
functions to be fields. This is in order to prevent bypassing of
the masking with
> set @@sql_mode='ANSI_QUOTES';
> select concat("ssn") from masking;
This may lead to false positives, but no can do.
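
The two ANSI_QUOTES cases above (the firewall column block and the masking bypass through a function argument), as an added example that is not MaxScale code. It assumes a filter that tokenizes statements itself; the names PROTECTED, candidate_fields and is_blocked and the sample statements are constructed for illustration.

```python
import re

PROTECTED = {"ssn"}  # constructed sample: column the filter must protect

TOKEN = re.compile(r"""
    `(?P<bt>(?:[^`]|``)*)`             # backtick-quoted identifier
  | "(?P<dq>(?:[^"\\]|\\.|"")*)"       # string, or identifier under ANSI_QUOTES
  | '(?P<sq>(?:[^'\\]|\\.|'')*)'       # single-quoted string literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_$]*)  # bare word (keyword, function or column)
  | (?P<other>.)                       # punctuation and whitespace
""", re.X | re.S)

def candidate_fields(sql, ansi_quotes, strings_in_calls_are_fields):
    """Return every lower-cased name the statement may use as a column."""
    names, calls, prev_word = set(), [], False
    for m in TOKEN.finditer(sql):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "other":
            if text.isspace():
                continue              # whitespace does not separate f and (
            if text == "(":
                calls.append(prev_word)   # True when this opens a function call
            elif text == ")" and calls:
                calls.pop()
        elif kind in ("bt", "word"):
            names.add(text.lower())
        elif kind == "dq" and ansi_quotes:
            names.add(text.lower())   # "ssn" is an identifier in this mode
        elif any(calls) and strings_in_calls_are_fields:
            names.add(text.lower())   # conservative: string argument as field
        prev_word = kind == "word"
    return names

def is_blocked(sql, ansi_quotes=False, strings_in_calls_are_fields=False):
    return bool(PROTECTED & candidate_fields(sql, ansi_quotes,
                                             strings_in_calls_are_fields))

if __name__ == "__main__":
    for sql in ('select "ssn" from person',
                'select concat("ssn") from masking',
                "select concat('ssn') from masking"):  # last one: false positive
        print(sql, "|", is_blocked(sql),
              is_blocked(sql, ansi_quotes=True),
              is_blocked(sql, strings_in_calls_are_fields=True))
```

The third statement only passes a string literal to concat, yet the conservative rule flags it: that is the false positive the message accepts.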
If set to true and if any of the other blocking related parameters
is true, then a statement that cannot be fully parsed will be blocked.
Default is true.
- Check textual prepared statements for use of columns to be masked
in conjunction with functions.
- Check binary prepared statements for use of columns to be masked
in conjunction with functions.
- Prevent creation of textual prepared statement from variable.
As the masking filter must reject statements that use columns to be
masked as arguments to functions, a statement that cannot be fully
parsed must be rejected. Unless a statement can be fully parsed we
cannot know whether such usage occurs.
By always setting the position of the next event, the replication cannot
break if the slave server has to reconnect after receiving an event that
was generated by the binlogfilter.
The code used a rather questionable method for parsing SQL statements
instead of using the query classifier for detecting transaction start and
stop events.
Clean up, comments and enhancements. StopWatch lap() didn't mean lap-time, but elapsed time. Changed meaning to lap-time and added split() for split-time.
Replaced SPINLOCK with std::mutex where possible, leaving out the more
complex cases. The big offenders remaining are the binlogrouter and the
gateway.cc OpenSSL locks.
Removed unused code, ordered function definitions so that declarations aren't
needed, changed functions to pass pointers to the event body instead of
the start of the protocol packet.
Added `match` and `exclude` functionality. This allows versatile filtering
without a large investment of development time by leveraging the benefits
of PCRE2 regular expressions.
Also cleaned up the filter and removed the single table matching and
active parameter that were obsoleted by the regular expression parameters.