[master] 6c8f25e71 add vcc_acl_pedantic parameter

Nils Goroll nils.goroll at uplex.de
Wed Apr 1 18:48:08 UTC 2020


commit 6c8f25e712bcd59b85a0486044eba740848a739b
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Fri Dec 13 15:28:33 2019 +0100

    add vcc_acl_pedantic parameter
    
    See also the previous commit.
    
    With this parameter set to on, any ACL entries in non-canonical form
    cause a VCL compilation error rather than only a warning.

diff --git a/bin/varnishd/mgt/mgt.h b/bin/varnishd/mgt/mgt.h
index 7daf52b60..43987de1c 100644
--- a/bin/varnishd/mgt/mgt.h
+++ b/bin/varnishd/mgt/mgt.h
@@ -222,6 +222,7 @@ extern char *mgt_cc_cmd;
 extern const char *mgt_vcl_path;
 extern const char *mgt_vmod_path;
 extern unsigned mgt_vcc_err_unref;
+extern unsigned mgt_vcc_acl_pedantic;
 extern unsigned mgt_vcc_allow_inline_c;
 extern unsigned mgt_vcc_unsafe_path;
 
diff --git a/bin/varnishd/mgt/mgt_param_tbl.c b/bin/varnishd/mgt/mgt_param_tbl.c
index f0fabec51..fec7493a9 100644
--- a/bin/varnishd/mgt/mgt_param_tbl.c
+++ b/bin/varnishd/mgt/mgt_param_tbl.c
@@ -76,6 +76,19 @@ struct parspec mgt_parspec[] = {
 		NULL, NULL, "on",
 		"bool",
 		"Unreferenced VCL objects result in error." },
+	{ "vcc_acl_pedantic", tweak_bool, &mgt_vcc_acl_pedantic,
+		NULL, NULL, "off",
+		"bool",
+		"Insist that network numbers used in ACLs have an "
+		"all-zero host part, e.g. make 1.2.3.4/24 an error.\n"
+		"With this option set to off (the default), the host "
+		"part of network numbers is being fixed to all-zeroes "
+		"(e.g. the above changed to 1.2.3.0/24), a warning is "
+		"output during VCL compilation and any ACL entry hits "
+		"are logged with the fixed address as \"fixed: ...\" "
+		"after the original VCL entry.\n"
+		"With this option set to on, any ACL entries with non-zero "
+		"host parts cause VCL compilation to fail." },
 	{ "vcc_allow_inline_c", tweak_bool, &mgt_vcc_allow_inline_c,
 		NULL, NULL, "off",
 		"bool",
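Review bot: The description added at L41-L50 tells the operator that the host part "is being fixed to all-zeroes" but never spells out the consequence that matters for an ACL: with the option off, an entry written as 1.2.3.4/24 ends up matching the whole 1.2.3.0/24 network, so the ACL admits more addresses than its VCL text suggests. One clause would make that explicit, e.g. `"part of network numbers is normalized to all-zeroes (e.g. the above "` `"becomes 1.2.3.0/24, so the entry matches the whole /24), a warning is "`. The same description is duplicated, with different line wrapping, in include/tbl/params.h (the hunk at L82-L108); any rewording has to be applied to both copies so the two tables do not drift apart.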
diff --git a/bin/varnishtest/tests/c00005.vtc b/bin/varnishtest/tests/c00005.vtc
index 0eed7ef55..a39d5ee04 100644
--- a/bin/varnishtest/tests/c00005.vtc
+++ b/bin/varnishtest/tests/c00005.vtc
@@ -148,3 +148,19 @@ client c1 {
 } -run
 
 logexpect l1 -wait
+
+varnish v1 -cliok "param.set vcc_acl_pedantic on"
+
+varnish v1 -errvcl {Address/Netmask mismatch, need be 1.2.3.0/24} {
+	import std;
+
+	backend dummy None;
+
+	acl acl1 {
+		"1.2.3.4"/24;
+	}
+
+	sub vcl_recv {
+		if (client.ip ~ acl1) {}
+	}
+}
diff --git a/include/tbl/params.h b/include/tbl/params.h
index bfbeb5ac9..b67c3c0dc 100644
--- a/include/tbl/params.h
+++ b/include/tbl/params.h
@@ -1551,6 +1551,26 @@ PARAM(
 	/* flags */	EXPERIMENTAL
 )
 
+/* actual location mgt_param_tbl.c */
+PARAM(
+	/* name */	vcc_acl_pedantic,
+	/* type */	bool,
+	/* min */	NULL,
+	/* max */	NULL,
+	/* def */	"off",	// XXX change to on in 7.x ?
+	/* units */	"bool",
+	/* descr */
+	"Insist that network numbers used in ACLs have an all-zero host part, "
+	"e.g. make 1.2.3.4/24 an error.\n"
+	"With this option set to off (the default), the host part of network "
+	"numbers is being fixed to all-zeroes (e.g. the above changed to "
+	"1.2.3.0/24), a warning is output during VCL compilation and any ACL "
+	"entry hits are logged with the fixed address as \"fixed: ...\" "
+	"after the original VCL entry.\n"
+	"With this option set to on, any ACL entries with non-zero host parts "
+	"cause VCL compilation to fail."
+)
+
 /* actual location mgt_param_tbl.c */
 PARAM(
 	/* name */	vcc_allow_inline_c,
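Review bot: The `// XXX change to on in 7.x ?` on the def line at L92 is an open question rather than a recorded decision, and it does not say why a stricter default is worth considering: with "off", 1.2.3.4/24 is accepted and widened to 1.2.3.0/24 with nothing more than a compile-time warning, which is easy to miss in a large VCL load. Suggest a comment that records the trade-off in the file's own `/* */` style, e.g. `/* def */	"off",	/* TODO 7.x: consider "on"; "off" widens 1.2.3.4/24 to 1.2.3.0/24 with only a warning */`. If the default is ever flipped, the "(the default)" wording inside the descr string a few lines below has to change with it, in both this table and mgt_param_tbl.c.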
diff --git a/lib/libvcc/vcc_acl.c b/lib/libvcc/vcc_acl.c
index 443d9189e..274f158de 100644
--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -43,6 +43,8 @@
 #include <vtcp.h>
 #include <vsa.h>
 
+unsigned mgt_vcc_acl_pedantic;
+
 #define ACL_MAXADDR	(sizeof(struct in6_addr) + 1)
 
 struct acl_e {
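Review bot: `unsigned mgt_vcc_acl_pedantic;` at L117 is a bare tentative definition in lib/libvcc with no indication of who writes it or where its declaration lives; the declaration is in bin/varnishd/mgt/mgt.h (first hunk) and the value is set through the tweak_bool entry in mgt_param_tbl.c. A short comment would save the next reader the cross-directory search: `unsigned mgt_vcc_acl_pedantic;	/* vcc_acl_pedantic param; declared in mgt/mgt.h */`. If the sibling flags mgt_vcc_err_unref, mgt_vcc_allow_inline_c and mgt_vcc_unsafe_path are defined together somewhere else in libvcc, defining this one next to them would keep that coupling in one place, but their definitions are not visible from here.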
@@ -138,9 +140,13 @@ vcc_acl_chk(struct vcc *tl, const struct acl_e *ae, const int l,
 	AN(sa);
 	VTCP_name(sa, h, sizeof h, NULL, 0);
 	bprintf(t, "%s/%d", h, ae->mask);
-	VSB_printf(tl->sb, "Address/Netmask mismatch, changed to %s\n", t);
+	if (mgt_vcc_acl_pedantic)
+		VSB_printf(tl->sb, "Address/Netmask mismatch, need be %s\n", t);
+	else
+		VSB_printf(tl->sb, "Address/Netmask mismatch, changed to %s\n", t);
 	vcc_ErrWhere(tl, ae->t_addr);
-	vcc_Warn(tl);
+	if (mgt_vcc_acl_pedantic == 0)
+		vcc_Warn(tl);
 	return (strdup(t));
 }
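Review bot: The same flag is tested in two different forms four lines apart, `if (mgt_vcc_acl_pedantic)` at L127 and `if (mgt_vcc_acl_pedantic == 0)` at L133, and nothing in the hunk says that the second test is what turns the pedantic case into a hard error. Presumably vcc_ErrWhere() leaves tl->err set and vcc_Warn() is what downgrades that to a warning (both bodies are outside this hunk), so a one-line comment before L133 would make the mechanism explicit: `/* pedantic: keep the error raised by vcc_ErrWhere(); vcc_Warn() would downgrade it */`. Use one form for both tests, or fold message and severity into a single if/else so they are chosen in one place. The function still returns strdup(t) in the pedantic case; if the caller cannot use the canonical form once compilation has been marked failed, that deserves a comment as well. vcc_acl_chk() begins before this hunk.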
 

