File rec-acl-4.1.16.diff of Package pdns-recursor.openSUSE_Backports_SLE-15-SP1_Update
diff --git a/sstuff.hh b/sstuff.hh
index 707b1ad12..5ae66854e 100644
--- a/sstuff.hh
+++ b/sstuff.hh
@@ -111,7 +111,7 @@ public:
}
//! Check remote address against netmaskgroup ng
- bool acl(NetmaskGroup &ng)
+ bool acl(const NetmaskGroup &ng)
{
ComboAddress remote;
if (getRemote(remote))
diff --git a/webserver.cc b/webserver.cc
index f1a95f4e2..5a7054bd7 100644
--- a/webserver.cc
+++ b/webserver.cc
@@ -344,16 +344,13 @@ void WebServer::go()
if(!d_server)
return;
try {
- NetmaskGroup acl;
- acl.toMasks(::arg()["webserver-allow-from"]);
-
while(true) {
try {
auto client = d_server->accept();
if (!client) {
continue;
}
- if (client->acl(acl)) {
+ if (client->acl(d_acl)) {
std::thread webHandler(WebServerConnectionThreadStart, this, client);
webHandler.detach();
} else {
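Review bot: `WebServer::go()` now trusts `d_acl` to have been populated, but nothing in the class guarantees it. The member added in webserver.hh is default-constructed, and `RecursorWebServer` is the only caller of `setACL()` shown in this diff. What `client->acl()` returns for an empty `NetmaskGroup` is not visible here, so an owner that skips `setACL()` either rejects every client or accepts every client. Confirm that the empty case fails closed and record it where `d_acl` is declared, e.g. `//!< allow-list for clients; empty until setACL() is called`. `go()` continues past the end of this hunk.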
diff --git a/webserver.hh b/webserver.hh
index b3ede8925..2de84fd25 100644
--- a/webserver.hh
+++ b/webserver.hh
@@ -139,6 +139,11 @@ class WebServer : public boost::noncopyable
public:
WebServer(const string &listenaddress, int port);
virtual ~WebServer() { };
+
+ void setACL(const NetmaskGroup &nmg) {
+ d_acl = nmg;
+ }
+
void bind();
void go();
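Review bot: `setACL()` has no documented contract, and it overwrites `d_acl` without locking while `go()` reads the same member from its accept loop. That is fine if it is only ever called during setup, but the header should say so: `//! Set the allow-list applied to every accepted client. Not thread-safe: call before go().` The same expectation applies to the read in the const `AsyncWebServer::serveConnection()` in ws-recursor.cc.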
@@ -160,6 +165,8 @@ protected:
int d_port;
string d_password;
std::shared_ptr<Server> d_server;
+
+ NetmaskGroup d_acl;
};
#endif /* WEBSERVER_HH */
diff --git a/ws-recursor.cc b/ws-recursor.cc
index 0f71ee4f0..2393d754b 100644
--- a/ws-recursor.cc
+++ b/ws-recursor.cc
@@ -450,6 +450,11 @@ RecursorWebServer::RecursorWebServer(FDMultiplexer* fdm)
registerAllStats();
d_ws = new AsyncWebServer(fdm, arg()["webserver-address"], arg().asNum("webserver-port"));
+
+ NetmaskGroup acl;
+ acl.toMasks(::arg()["webserver-allow-from"]);
+ d_ws->setACL(acl);
+
d_ws->bind();
// legacy dispatch
@@ -610,6 +615,10 @@ void AsyncServer::newConnection()
// This is an entry point from FDM, so it needs to catch everything.
void AsyncWebServer::serveConnection(std::shared_ptr<Socket> client) const
try {
+ if (!client->acl(d_acl)) {
+ return;
+ }
+
HttpRequest req;
YaHTTP::AsyncRequestLoader yarl;
yarl.initialize(&req);
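Review bot: A client rejected by the new `d_acl` check is dropped with a bare `return`, so operators get no record of denied attempts against the web server. The synchronous path in `WebServer::go()` has an `else` branch for the same case, but its body is outside the webserver.cc hunk. If that branch logs the remote address, this one should do the same through the file's existing logger, ideally rate-limited so repeated rejected connections cannot flood the log. A one-line comment would also help, noting that the check sits before `yarl.initialize(&req)` so that no request bytes from a disallowed address are parsed. The handlers of this function-try-block are outside the hunk.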
diff --git a/ws-recursor.hh b/ws-recursor.hh
index 9df3a81c7..13a3707a7 100644
--- a/ws-recursor.hh
+++ b/ws-recursor.hh
@@ -32,7 +32,10 @@ class HttpResponse;
class AsyncServer : public Server {
public:
- AsyncServer(const string &localaddress, int port) : Server(localaddress, port) { };
+ AsyncServer(const string &localaddress, int port) : Server(localaddress, port)
+ {
+ d_server_socket.setNonBlocking();
+ };
friend void AsyncServerNewConnectionMT(void *p);
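Review bot: The constructor now switches `d_server_socket` to non-blocking without saying why, and the change is only safe if the accept path copes with `accept()` returning no client. `WebServer::go()` has an explicit `if (!client) continue;`, but the body of `AsyncServer::newConnection()` is not shown in this diff, so that should be confirmed. A comment such as `// non-blocking so a connection that disappears before accept() cannot stall the FDM loop` would record the intent, assuming that is the reason. The stray `;` after the constructor body can go as well.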