fix(plugins/ip-restriction): function cannot be called in preread phase

changelog/unreleased/kong/fix-ip-restriction-tcp-error.yml

@@ -0,0 +1,5 @@
+message: >
+  **ip-restriction**: Fixed an issue where blocking an IP over TCP would log error:
+  "function cannot be called in preread phase" (#14749)
+type: bugfix
+scope: Plugin

kong/plugins/ip-restriction/handler.lua

@@ -30,14 +30,21 @@ do
 end
 
 
+local is_http_subsystem = ngx.config.subsystem == "http"
+
+
 local function do_exit(status, message)
   status = status or 403
   message = message or
             string.format("IP address not allowed: %s", ngx_var.remote_addr)
 
   log.warn(message)
 
-  return kong.response.error(status, message)
+  if is_http_subsystem then
+    return kong.response.error(status, message)
+  else
+    return ngx.exit(status)
+  end
 end
 
 

spec/03-plugins/17-ip-restriction/02-access_spec.lua

@@ -344,6 +344,10 @@ for _, strategy in helpers.each_strategy() do
         tcp:close()
 
         assert.logfile().has.line("IP address not allowed", true)
+        -- Ensure no preread phase errors occur (regression test for #14749)
+        assert.logfile().has.no.line("[error]", true)
+        assert.logfile().has.no.line("traceback", true)
+        assert.logfile().has.no.line("function cannot be called in preread phase", true)
       end)
 
       it("allows a request when the IP is not denied", function()
@@ -378,6 +382,11 @@ for _, strategy in helpers.each_strategy() do
         local body = assert(tcp:receive("*a"))
         assert.equal(MESSAGE, body)
         tcp:close()
+
+        -- Ensure no preread phase errors occur (regression test for #14749)
+        assert.logfile().has.no.line("[error]", true)
+        assert.logfile().has.no.line("traceback", true)
+        assert.logfile().has.no.line("function cannot be called in preread phase", true)
       end)
 
       it("blocks IP with CIDR", function()