Skip to content

fix(plugins/ip-restriction): function cannot be called in preread phase #14750

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Sep 15, 2025
+22 −1
Merged

fix(plugins/ip-restriction): function cannot be called in preread phase #14750

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4cc5b5e
fix(ip-restriction): error: function cannot be called in preread phase
merusso Sep 6, 2025
1f7a408
test: Add asserts to existing ip-restriction TCP tests
merusso Sep 9, 2025
4010b63
test: add more log asserts
merusso Sep 9, 2025
a9aac77
chore: Add changelog entry
merusso Sep 9, 2025
d50d73f
docs: tweak changelog
merusso Sep 9, 2025
085aec2
refactor: Replace ngx_exit with ngx.exit
merusso Sep 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions changelog/unreleased/kong/fix-ip-restriction-tcp-error.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
message: |
**ip-restriction**: Fix issue where blocking an IP over TCP would log error:
"function cannot be called in preread phase" (#14749)
type: bugfix
scope: Plugin
10 changes: 9 additions & 1 deletion kong/plugins/ip-restriction/handler.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ local kong_meta = require "kong.meta"
local error = error
local kong = kong
local log = kong.log
local ngx_exit = ngx.exit
local ngx_var = ngx.var


Expand All @@ -30,14 +31,21 @@ do
end


local is_http_subsystem = ngx.config.subsystem == "http"


local function do_exit(status, message)
status = status or 403
message = message or
string.format("IP address not allowed: %s", ngx_var.remote_addr)

log.warn(message)

return kong.response.error(status, message)
if is_http_subsystem then
return kong.response.error(status, message)
else
return ngx_exit(status)
end
end


Expand Down
9 changes: 9 additions & 0 deletions spec/03-plugins/17-ip-restriction/02-access_spec.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -344,6 +344,10 @@ for _, strategy in helpers.each_strategy() do
tcp:close()

assert.logfile().has.line("IP address not allowed", true)
-- Ensure no preread phase errors occur (regression test for #14749)
assert.logfile().has.no.line("[error]", true)
assert.logfile().has.no.line("traceback", true)
assert.logfile().has.no.line("function cannot be called in preread phase", true)
end)

it("allows a request when the IP is not denied", function()
Expand Down Expand Up @@ -378,6 +382,11 @@ for _, strategy in helpers.each_strategy() do
local body = assert(tcp:receive("*a"))
assert.equal(MESSAGE, body)
tcp:close()

-- Ensure no preread phase errors occur (regression test for #14749)
assert.logfile().has.no.line("[error]", true)
assert.logfile().has.no.line("traceback", true)
assert.logfile().has.no.line("function cannot be called in preread phase", true)
end)

it("blocks IP with CIDR", function()
Expand Down
Loading