r558 - in trunk/varnish-cache: bin/varnishd include lib/libvcl
Author: phk
Date: 2006-07-22 12:41:00 +0200 (Sat, 22 Jul 2006)
New Revision: 558
Modified:
trunk/varnish-cache/bin/varnishd/cache_vrt_acl.c
trunk/varnish-cache/include/shmlog_tags.h
trunk/varnish-cache/include/vcl_returns.h
trunk/varnish-cache/include/vrt.h
trunk/varnish-cache/lib/libvcl/vcc_acl.c
trunk/varnish-cache/lib/libvcl/vcc_fixed_token.c
Log:
Change the acl syntax slightly: the ( ... ) should enclose all of
the rule (ie: also ! and /mask if present).
Implement matching for IPv4.
Acl tests are shmlogged as follows (doc candidate):
shmlog tag: VCL_acl
"NO_MATCH $acl"
client did not match access list $acl
"FAIL $acl $rule"
getaddrinfo(3) failed on $rule which had a '!'
"MATCH $acl $rule"
client matched $rule
"NEG_MATCH $acl $rule"
client matched negated (!) $rule
Modified: trunk/varnish-cache/bin/varnishd/cache_vrt_acl.c
===================================================================
--- trunk/varnish-cache/bin/varnishd/cache_vrt_acl.c 2006-07-22 10:35:39 UTC (rev 557)
+++ trunk/varnish-cache/bin/varnishd/cache_vrt_acl.c 2006-07-22 10:41:00 UTC (rev 558)
@@ -19,14 +19,85 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
+#include <netinet/in.h>
+static unsigned ipv4mask[] = {
+ [0] = 0xffffffff,
+#define M(n) [n] = (0xffffffff << (32 - n))
+ M( 1), M( 2), M( 3), M( 4), M( 5), M( 6), M( 7), M( 8), M( 9), M(10),
+ M(11), M(12), M(13), M(14), M(15), M(16), M(17), M(18), M(19), M(20),
+ M(21), M(22), M(23), M(24), M(25), M(26), M(27), M(28), M(29), M(30),
+ M(31), M(32)
+};
+
+static int
+vrt_acl_vsl(struct sess *sp, const char *acl, struct vrt_acl *ap, int r)
+{
+
+ assert(ap != NULL);
+ if (ap->name == NULL) {
+ assert(r == 0);
+ VSL(SLT_VCL_acl, sp->fd, "NO_MATCH %s", acl);
+ return (r);
+ }
+ if (ap->priv == NULL) {
+ assert(r == 0);
+ VSL(SLT_VCL_acl, sp->fd, "FAIL %s %s", acl, ap->desc);
+ return (r);
+ }
+
+ VSL(SLT_VCL_acl, sp->fd, "%s %s %s",
+ r ? "MATCH" : "NEG_MATCH", acl, ap->desc);
+ return (r);
+}
+
int
-VRT_acl_match(struct sess *sp, struct vrt_acl *ap)
+VRT_acl_match(struct sess *sp, const char *acl, struct vrt_acl *ap)
{
- (void)sp;
- (void)ap;
- return (0);
+ struct addrinfo *a1;
+ struct sockaddr_in *sin1, *sin2;
+
+ if (sp->sockaddr->sa_family == AF_INET) {
+ assert(sp->sockaddrlen >= sizeof *sin1);
+ sin1 = (void*)sp->sockaddr;
+ } else {
+ sin1 = NULL;
+ }
+
+ for ( ; ap->name != NULL; ap++) {
+ if (ap->priv == NULL && ap->paren)
+ continue;
+ if (ap->priv == NULL && ap->not) {
+ return (vrt_acl_vsl(sp, acl, ap, 0));
+ }
+ if (ap->priv == NULL)
+ continue;
+ for (a1 = ap->priv; a1 != NULL; a1 = a1->ai_next) {
+
+ /* only match the right family */
+ if (a1->ai_family != sp->sockaddr->sa_family)
+ continue;
+
+ if (a1->ai_family == AF_INET) {
+ assert(sin1 != NULL);
+ assert(a1->ai_addrlen >= sizeof (*sin2));
+ sin2 = (void*)a1->ai_addr;
+ if (0 == ((
+ htonl(sin1->sin_addr.s_addr) ^
+ htonl(sin2->sin_addr.s_addr)) &
+ ipv4mask[ap->mask > 32 ? 32 : ap->mask]))
+ return (
+ vrt_acl_vsl(sp, acl, ap, !ap->not));
+ continue;
+ }
+
+ /* Not rules for unknown protos match */
+ if (ap->not)
+ return (vrt_acl_vsl(sp, acl, ap, 0));
+ }
+ }
+ return (vrt_acl_vsl(sp, acl, ap, 0));
}
void
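Review bot: The prefix table maps index 0 to a full `0xffffffff`, and the generated initializer passes 0 both when no `/mask` was written and when the VCL literally says `/0`, so an entry meant to match every IPv4 address is silently compiled into an exact-host match; if 0 is reserved for "no mask given" that deserves a comment on the table, e.g. `/* index 0 means "no prefix length given" and is an exact host match; a literal /0 cannot be expressed */`. In the AF_INET branch `htonl` is applied to `s_addr`, which is already in network byte order — the swap is its own inverse so the result is correct on current platforms, but `ntohl` is the documented direction and states the intent, so use `ntohl` on both operands. The `ap->mask > 32 ? 32 : ap->mask` clamp silently turns `/33` and larger into /32 instead of failing; rejecting out-of-range prefix lengths belongs in the VCL compiler, and an `assert(ap->mask <= 32)` here would be consistent with how the rest of the function treats generator output as trusted. Parenthesized entries whose address lookup failed are skipped with no shmlog line, unlike the `!` case which emits FAIL, so an ACL that has quietly lost entries is invisible; a `VSL(SLT_VCL_acl, sp->fd, "SKIP %s %s", acl, ap->desc)` on that path (or at init time, if per-request logging is too noisy) would surface it.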
Modified: trunk/varnish-cache/include/shmlog_tags.h
===================================================================
--- trunk/varnish-cache/include/shmlog_tags.h 2006-07-22 10:35:39 UTC (rev 557)
+++ trunk/varnish-cache/include/shmlog_tags.h 2006-07-22 10:41:00 UTC (rev 558)
@@ -33,6 +33,7 @@
SLTM(TxHeader)
SLTM(LostHeader)
SLTM(TTL)
+SLTM(VCL_acl)
SLTM(VCL_call)
SLTM(VCL_trace)
SLTM(VCL_return)
Modified: trunk/varnish-cache/include/vcl_returns.h
===================================================================
--- trunk/varnish-cache/include/vcl_returns.h 2006-07-22 10:35:39 UTC (rev 557)
+++ trunk/varnish-cache/include/vcl_returns.h 2006-07-22 10:41:00 UTC (rev 558)
@@ -1,5 +1,5 @@
/*
- * $Id: vcc_gen_fixed_token.tcl 553 2006-07-21 21:57:43Z phk $
+ * $Id: vcc_gen_fixed_token.tcl 556 2006-07-22 09:38:09Z phk $
*
* NB: This file is machine generated, DO NOT EDIT!
*
Modified: trunk/varnish-cache/include/vrt.h
===================================================================
--- trunk/varnish-cache/include/vrt.h 2006-07-22 10:35:39 UTC (rev 557)
+++ trunk/varnish-cache/include/vrt.h 2006-07-22 10:41:00 UTC (rev 558)
@@ -20,14 +20,15 @@
struct vrt_acl {
unsigned char not;
+ unsigned char mask;
unsigned char paren;
- unsigned char mask;
const char *name;
+ const char *desc;
void *priv;
};
/* ACL related */
-int VRT_acl_match(struct sess *, struct vrt_acl *);
+int VRT_acl_match(struct sess *, const char *, struct vrt_acl *);
void VRT_acl_init(struct vrt_acl *);
void VRT_acl_fini(struct vrt_acl *);
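Review bot: The new `desc` member and the swap of `mask`/`paren` change the positional layout that the generated initializer in vcc_acl.c (`{ not, mask, paren, name, "desc" }`) and the copy of this struct in vcc_fixed_token.c both depend on, and nothing in the header records that coupling; a comment above the struct such as `/* Field order is fixed: vcc_acl.c emits positional initializers and vcc_fixed_token.c carries a duplicate of this definition. */` would prevent the next reorder from silently misassigning fields. `desc` itself is worth a one-line comment saying it is the VCL source form of the entry, used only for shmlog output, since that is not obvious from the name.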
Modified: trunk/varnish-cache/lib/libvcl/vcc_acl.c
===================================================================
--- trunk/varnish-cache/lib/libvcl/vcc_acl.c 2006-07-22 10:35:39 UTC (rev 557)
+++ trunk/varnish-cache/lib/libvcl/vcc_acl.c 2006-07-22 10:41:00 UTC (rev 558)
@@ -33,7 +33,7 @@
vcc_NextToken(tl);
ExpectErr(tl, ID);
AddRef(tl, tl->t, R_ACL);
- Fc(tl, 1, "VRT_acl_match(sp, acl_%T)\n", tl->t);
+ Fc(tl, 1, "VRT_acl_match(sp, \"%T\", acl_%T)\n", tl->t, tl->t);
vcc_NextToken(tl);
break;
default:
@@ -51,6 +51,7 @@
{
unsigned mask, para, not;
struct token *t, *an;
+ char *p;
vcc_NextToken(tl);
@@ -71,13 +72,13 @@
not = para = mask = 0;
- if (tl->t->tok == '!') {
- not = 1;
+ if (tl->t->tok == '(') {
+ para = 1;
vcc_NextToken(tl);
}
- if (tl->t->tok == '(') {
- para = 1;
+ if (tl->t->tok == '!') {
+ not = 1;
vcc_NextToken(tl);
}
@@ -90,7 +91,19 @@
ExpectErr(tl, CNUM);
mask = UintVal(tl);
}
- Fc(tl, 1, "{ %u, %u, %u, %T },\n", not, mask, para, t);
+ Fc(tl, 1, "{ %u, %u, %u, %T, \"", not, mask, para, t);
+ if (para)
+ Fc(tl, 0, "(");
+ if (not)
+ Fc(tl, 0, "!");
+ p = EncString(t);
+ Fc(tl, 0, "%s", p);
+ free(p);
+ if (mask)
+ Fc(tl, 0, "/%u", mask);
+ if (para)
+ Fc(tl, 0, ")");
+ Fc(tl, 0, "\" },\n");
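Review bot: `mask` comes straight from `UintVal(tl)` with no range check and is then emitted into the generated `struct vrt_acl`, whose `mask` field is an `unsigned char`, so `/300` silently becomes 44 and anything from 33 to 255 is only clamped at match time; the compiler is the place to reject it, e.g. right after the assignment `if (mask > 128) { /* report error at tl->t and return */ }`, using whatever error-reporting idiom this file uses elsewhere (only ExpectErr is visible in this hunk). The `desc` string is rebuilt by hand from the parsed pieces, which reads as if the rule is printed twice; a short comment, e.g. `/* desc mirrors the VCL source form of the entry for shmlog output */`, would explain the duplication. The function this hunk belongs to starts and ends outside the hunk.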
if (para) {
ExpectErr(tl, ')');
@@ -99,7 +112,7 @@
ExpectErr(tl, ';');
vcc_NextToken(tl);
}
- Fc(tl, 1, "{ 0, 0, 0, (void*)0}\n", 0, 0);
+ Fc(tl, 1, "{ 0, 0, 0, (void*)0, ""}\n", 0, 0);
tl->indent -= INDENT;
Fc(tl, 1, "};\n\n");
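Review bot: The terminator line intends to emit `""` for the new `desc` field, but the `""` sits inside a C string literal of this compiler source, where it is adjacent-literal concatenation and vanishes, so the generated text is `{ 0, 0, 0, (void*)0, }` and the sentinel's `desc` is NULL rather than an empty string. The match loop stops on `name == NULL` before it ever reads `desc`, so nothing dereferences it today, but the line should be `Fc(tl, 1, "{ 0, 0, 0, (void*)0, \"\" }\n");` to produce what was intended. The two trailing `0, 0` arguments have no conversion specifier in the format and can be dropped at the same time.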
Modified: trunk/varnish-cache/lib/libvcl/vcc_fixed_token.c
===================================================================
--- trunk/varnish-cache/lib/libvcl/vcc_fixed_token.c 2006-07-22 10:35:39 UTC (rev 557)
+++ trunk/varnish-cache/lib/libvcl/vcc_fixed_token.c 2006-07-22 10:41:00 UTC (rev 558)
@@ -486,14 +486,15 @@
fputs("\n", f);
fputs("struct vrt_acl {\n", f);
fputs(" unsigned char not;\n", f);
+ fputs(" unsigned char mask;\n", f);
fputs(" unsigned char paren;\n", f);
- fputs(" unsigned char mask;\n", f);
fputs(" const char *name;\n", f);
+ fputs(" const char *desc;\n", f);
fputs(" void *priv;\n", f);
fputs("};\n", f);
fputs("\n", f);
fputs("/* ACL related */\n", f);
- fputs("int VRT_acl_match(struct sess *, struct vrt_acl *);\n", f);
+ fputs("int VRT_acl_match(struct sess *, const char *, struct vrt_acl *);\n", f);
fputs("void VRT_acl_init(struct vrt_acl *);\n", f);
fputs("void VRT_acl_fini(struct vrt_acl *);\n", f);
fputs("\n", f);