On 29.09.25 at 13:03, Rémy Maucherat wrote:
On Mon, Sep 29, 2025 at 11:51 AM Mark Thomas <[email protected]> wrote:
All,
We have a PR [1] that adds CIDR notation support to the RemoteIpFilter.
I have a set of changes stashed locally that fixes a couple of
formatting nits and expands it to the RemoteIpValve as well.
Currently, it is coded so the regular expression (internalProxies,
trustedProxies) based attributes are used unless the corresponding CIDR
attribute is used (internalProxiesCidr, trustedProxiesCidr) in which
case the regular expression is ignored and the CIDR attribute used instead.
Before I commit this, I was wondering what the long term plan might be
here and whether there was a better default.
Will we always support regular expressions and CIDR?
I think RemoteIpFilter and RemoteIpValve predate the Netmask util class
by at least 10 years. I never liked the RegExp use for IP networks,
because they are quite hard to get right. Number RegExps are based on
decimal digits, but IP network ranges are based on binary digits and
patterns.
Do we want to (eventually) move from regular expressions to CIDR?
I would be very much in favor of this.
If we want to move towards CIDR then I was thinking we might want to:
- move the default from internalProxies to internalProxiesCidr
- use the CIDR attributes by default but ignore them and use the regular
expression ones if set
- deprecate the regular expression attributes and remove them in 12.0.x
That should be backwards compatible since:
- if a user has set the regular expression attributes they will be used
- the defaults will be unchanged
- new usage can use CIDR
Thoughts?
To prevent users making wrong assumptions what happens if they mix the
RegExp and the CIDR based configs: what about adding a binary attribute
like "useCIDR", stick with old attribute names and let the binary
"useCIDR" decide, how the patterns are interpreted, as RegExp or CIDR.
Default would be useCIDR="false" for 9.0.x to 11.0.x and could switch
for 12.0.x to "true", maybe with a deprecation for the RegExp use.
There's also RemoteCIDRFilter/Valve, is there any real difference? It
has allow/deny and uses the same NetMask utility class.
I find it always confusing. The RemoteIP classes, Mark refers to above,
are for setting the client IP address not from the client side of the
current network socket, but from headers forwarded by proxies. So they
allow overriding the client IP. The CIDR use above is not applied to
client IPs, but instead to the proxy IPs from which headers with client
IPs are trusted.
The notion RemoteIp is taken from the Apache httpd module mod_remoteip,
which has mostly the same functionality in the httpd world.
BUT: we have Remote(Addr|Host)(Valve|Filter) which are doing access
control based on client IP or host name. Those are the ones that one
maybe could merge with RemoteCIDR(Valve|Filter). The two are based on the
common super class RequestFilterValve resp. RequestFilter. So lots of
possible confusion for "Remote" versus "Request".
So somehow the analogous question would arise for these access control
classes.
Best regards,
Rainer
Rémy
Mark
[1] https://github.com/apache/tomcat/pull/894
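As an added illustration (not code from this thread or from Tomcat), the regex-versus-CIDR mismatch Rémy describes: a constructed internalProxies-style pattern written in decimal digits is compared with the /22 network the operator actually meant. The regex over-matches neighbouring third octets and accepts strings that are not addresses at all, while the CIDR check does neither. The pattern, network and sample addresses are constructed for this example, and Python's ipaddress module stands in for Tomcat's Netmask class.

```python
import ipaddress
import re

# Constructed example values, not Tomcat's shipped defaults: the operator
# wants 192.168.100.0/22 (192.168.100.0 - 192.168.103.255) treated as
# internal proxies and writes it two ways.
INTERNAL_PROXIES_REGEX = r"192\.168\.1\d{2}\.\d{1,3}"  # decimal-digit approximation
INTERNAL_PROXIES_CIDR = ["192.168.100.0/22"]          # the network actually meant


def matches_regex(addr: str, pattern: str) -> bool:
    """Mimic the regex attribute: the whole address string must match."""
    return re.fullmatch(pattern, addr) is not None


def matches_cidr(addr: str, networks) -> bool:
    """CIDR check: parse the address and compare prefix bits.
    Strings that are not valid addresses never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def compare(addrs):
    """Return {addr: (regex_result, cidr_result)} so the two styles can be diffed."""
    return {
        a: (matches_regex(a, INTERNAL_PROXIES_REGEX),
            matches_cidr(a, INTERNAL_PROXIES_CIDR))
        for a in addrs
    }


if __name__ == "__main__":
    # Constructed sample values a RemoteIp* component might see as the
    # socket peer or inside an X-Forwarded-For header.
    samples = [
        "192.168.100.7",    # inside /22: both agree (True, True)
        "192.168.103.255",  # last address of the /22: both agree (True, True)
        "192.168.104.1",    # just outside /22: regex over-matches (True, False)
        "192.168.199.9",    # far outside /22: regex over-matches (True, False)
        "192.168.99.1",     # outside, third octet not 1xx: both reject (False, False)
        "192.168.100.999",  # not an IP at all: regex accepts it (True, False)
    ]
    for addr, (by_regex, by_cidr) in compare(samples).items():
        print(f"{addr:18} regex={by_regex!s:5} cidr={by_cidr!s:5}")
```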