[master] 1e45d97c3 Introduce 'acl <name> +log {...}' flag and disable VSL logging by default.
Poul-Henning Kamp
phk at FreeBSD.org
Mon Apr 12 09:50:05 UTC 2021
commit 1e45d97c32b80232d84f6b2dec9c5e275a94c3f8
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date: Mon Apr 12 09:48:09 2021 +0000
Introduce 'acl <name> +log {...}' flag and disable VSL logging by default.
diff --git a/bin/varnishtest/tests/c00005.vtc b/bin/varnishtest/tests/c00005.vtc
index 448d6f80c..6e8feaaa8 100644
--- a/bin/varnishtest/tests/c00005.vtc
+++ b/bin/varnishtest/tests/c00005.vtc
@@ -72,7 +72,7 @@ varnish v1 -vcl {
backend dummy None;
- acl acl1 {
+ acl acl1 +log {
# bad notation (confusing)
"1.2.3.4"/24;
"1.2.3.66"/26;
diff --git a/bin/varnishtest/tests/c00087.vtc b/bin/varnishtest/tests/c00087.vtc
index d84862860..832f63993 100644
--- a/bin/varnishtest/tests/c00087.vtc
+++ b/bin/varnishtest/tests/c00087.vtc
@@ -6,7 +6,7 @@ server s1 -listen "${tmpdir}/s1.sock" {
} -start
varnish v1 -syntax 4.1 -arg "-a foo=${tmpdir}/v1.sock" -vcl+backend {
- acl acl1 {
+ acl acl1 +log {
"${localhost}";
}
diff --git a/bin/varnishtest/tests/v00017.vtc b/bin/varnishtest/tests/v00017.vtc
index 6e35d0c23..17f94582d 100644
--- a/bin/varnishtest/tests/v00017.vtc
+++ b/bin/varnishtest/tests/v00017.vtc
@@ -100,3 +100,19 @@ varnish v1 -errvcl {/mask only allowed once} {
}
sub vcl_recv { if (client.ip ~ a) { return(pass); } }
}
+
+varnish v1 -errvcl {Expected ACL flag after:} {
+ backend b { .host = "${localhost}"; }
+ acl a + foobar {
+ "10.0.1.0/22" / 22;
+ }
+ sub vcl_recv { if (client.ip ~ a) { return(pass); } }
+}
+
+varnish v1 -errvcl {Unknown ACL flag:} {
+ backend b { .host = "${localhost}"; }
+ acl a +foobar {
+ "10.0.1.0/22" / 22;
+ }
+ sub vcl_recv { if (client.ip ~ a) { return(pass); } }
+}
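Review bot: The two new error cases cover a detached flag and an unknown flag, but nothing in this file or in the c00005/c00087 updates exercises the behaviour the commit actually introduces: that an ACL declared without `+log` produces no `VCL_acl` record, and that the `-log` spelling the parser also accepts (the while loop in vcc_ParseAcl takes both signs) is a valid no-op. c00005 and c00087 only keep their old expectations alive by adding `+log`. A third case in the style of c00005, an `acl` without the flag matched in `vcl_recv` followed by a log check that no `VCL_acl` record appears, would pin the new default so a later regression that re-enables logging unconditionally is caught.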
diff --git a/doc/changes.rst b/doc/changes.rst
index b63db87c8..1fe26459f 100644
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -31,6 +31,13 @@ http://varnish-cache.org/docs/trunk/whats-new/index.html and via
individual releases. These documents are updated as part of the
release process.
+================================
+Varnish Cache 7.x.x (2021-09-15)
+================================
+
+* ACLs no longer produce VSL `VCL_acl` records by default, this must be
+ explicitly enabled with `vcl <name> +log { ... }`.
+
================================
Varnish Cache 6.6.0 (2021-03-15)
================================
diff --git a/doc/sphinx/users-guide/vcl-syntax.rst b/doc/sphinx/users-guide/vcl-syntax.rst
index 2cc6fc6a5..7ef4dd7e7 100644
--- a/doc/sphinx/users-guide/vcl-syntax.rst
+++ b/doc/sphinx/users-guide/vcl-syntax.rst
@@ -59,6 +59,16 @@ To match an IP address against an ACL, simply use the match operator::
return (pipe);
}
+In Varnish versions before 7.0, ACLs would always emit a `VCL_acl`
+record in the VSL log, from 7.0 and forward, this must be explicitly
+enabled by specifying the `+log` flag::
+
+ acl local +log {
+ "localhost"; // myself
+ "192.0.2.0"/24; // and everyone on the local network
+ ! "192.0.2.23"; // except for the dialin router
+ }
+
Operators
~~~~~~~~~
diff --git a/include/tbl/vsl_tags.h b/include/tbl/vsl_tags.h
index c98646d26..94ed41409 100644
--- a/include/tbl/vsl_tags.h
+++ b/include/tbl/vsl_tags.h
@@ -287,7 +287,7 @@ SLTM(Fetch_Body, 0, "Body fetched from backend",
)
SLTM(VCL_acl, 0, "VCL ACL check results",
- "Logs VCL ACL evaluation results.\n\n"
+ "ACLs with the `+log` flag emits this record with the result.\n\n"
"The format is::\n\n"
"\t%s [%s [%s [fixed: %s]]]\n"
"\t| | | |\n"
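Review bot: The replacement description string `"ACLs with the `+log` flag emits this record with the result.\n\n"` has a plural subject with a singular verb; it should read `emit`. Since the record is now opt-in, this string is also where a reader of the varnishlog reference looks to learn why the record is absent, so one more sentence such as `ACLs without the flag produce no record.` would make the default explicit rather than implied.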
diff --git a/lib/libvcc/vcc_acl.c b/lib/libvcc/vcc_acl.c
index a89d0f022..08f8a135f 100644
--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -52,6 +52,8 @@ struct acl {
unsigned magic;
#define VCC_ACL_MAGIC 0xb9fb3cd0
+ int flag_log;
+
struct acl_tree acl_tree;
};
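Review bot: The new `flag_log` member carries no comment, and nothing in the struct says where it is set or what its zero value means. A one-line comment such as `int flag_log; /* '+log': emit VPI_acl_log() calls in the compiled ACL; zero emits none */` ties it to the parser and the emitter. The zero default rests on the `INIT_OBJ(acl, VCC_ACL_MAGIC)` at the top of vcc_ParseAcl further down in the diff, assuming it zero-fills the object as it does elsewhere in Varnish; if so, saying "defaults to off" in the comment is accurate.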
@@ -493,7 +495,8 @@ vcc_acl_emit(struct vcc *tl, const struct symbol *sym)
Fh(tl, 0, "\n");
Fh(tl, 0, "\tfam = VRT_VSA_GetPtr(ctx, p, &a);\n");
Fh(tl, 0, "\tif (fam < 0) {\n");
- Fh(tl, 0, "\t\tVPI_acl_log(ctx, \"NO_FAM %s\");\n", sym->name);
+ if (tl->acl->flag_log)
+ Fh(tl, 0, "\t\tVPI_acl_log(ctx, \"NO_FAM %s\");\n", sym->name);
Fh(tl, 0, "\t\treturn(0);\n");
Fh(tl, 0, "\t}\n\n");
if (!tl->err_unref) {
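Review bot: `tl->acl->flag_log` is now tested at three separate emission sites in vcc_acl_emit, this hunk for NO_FAM and the two following it for MATCH and NO_MATCH, which is three places to keep in sync if another flag or a different log helper is ever added. Reading the flag once into a local near the top of the function, `const int do_log = tl->acl->flag_log;`, and guarding each `VPI_acl_log` emission with `if (do_log)` keeps the three sites obviously identical and documents in one place that the generated code is expected to be silent when the flag is off. vcc_acl_emit starts and ends outside these hunks.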
@@ -546,10 +549,12 @@ vcc_acl_emit(struct vcc *tl, const struct symbol *sym)
i = ((int)ae->mask + 7) / 8;
- Fh(tl, 0, "\t%*sVPI_acl_log(ctx, \"%sMATCH %s \" ",
- -i, "", ae->not ? "NEG_" : "", sym->name);
- vcc_acl_emit_tokens(tl, ae);
- Fh(tl, 0, ");\n");
+ if (tl->acl->flag_log) {
+ Fh(tl, 0, "\t%*sVPI_acl_log(ctx, \"%sMATCH %s \" ",
+ -i, "", ae->not ? "NEG_" : "", sym->name);
+ vcc_acl_emit_tokens(tl, ae);
+ Fh(tl, 0, ");\n");
+ }
Fh(tl, 0, "\t%*sreturn (%d);\n", -i, "", ae->not ? 0 : 1);
}
@@ -559,7 +564,8 @@ vcc_acl_emit(struct vcc *tl, const struct symbol *sym)
Fh(tl, 0, "\t%*.*s}\n", depth, depth, "");
/* Deny by default */
- Fh(tl, 0, "\tVPI_acl_log(ctx, \"NO_MATCH %s\");\n", sym->name);
+ if (tl->acl->flag_log)
+ Fh(tl, 0, "\tVPI_acl_log(ctx, \"NO_MATCH %s\");\n", sym->name);
Fh(tl, 0, "\treturn (0);\n}\n");
/* Emit the struct that will be referenced */
@@ -579,6 +585,7 @@ void
vcc_ParseAcl(struct vcc *tl)
{
struct symbol *sym;
+ struct token *sign;
struct acl acl[1];
INIT_OBJ(acl, VCC_ACL_MAGIC);
@@ -592,6 +599,24 @@ vcc_ParseAcl(struct vcc *tl)
ERRCHK(tl);
AN(sym);
+ while (tl->t->tok == '-' || tl->t->tok == '+') {
+ sign = tl->t;
+ vcc_NextToken(tl);
+ if (tl->t->b != sign->e) {
+ VSB_cat(tl->sb, "Expected ACL flag after:\n");
+ vcc_ErrWhere(tl, sign);
+ return;
+ }
+ if (vcc_IdIs(tl->t, "log")) {
+ acl->flag_log = sign->tok == '+';
+ vcc_NextToken(tl);
+ } else {
+ VSB_cat(tl->sb, "Unknown ACL flag:\n");
+ vcc_ErrWhere(tl, tl->t);
+ return;
+ }
+ }
+
SkipToken(tl, '{');
while (tl->t->tok != '}') {
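Review bot: After `vcc_NextToken(tl)` the token following the sign is passed to `vcc_IdIs(tl->t, "log")` without first checking that it is an identifier, so input such as `acl a +{` or `acl a +;` passes the adjacency test (`tl->t->b == sign->e`) and reaches `vcc_IdIs` with a non-ID token; if, as its name suggests, that helper expects an ID token and asserts on anything else, an operator typo becomes a VCC assertion instead of a diagnostic. Adding `ExpectErr(tl, ID);` immediately after `vcc_NextToken(tl);` and before the adjacency check turns it into the usual "Expected ID" error with a location. The loop also silently accepts repeated and contradictory flags, `acl a +log -log {`, with the last one winning; if that is intended a comment saying so would help, otherwise a flag seen twice should be rejected. vcc_ParseAcl continues past the end of the hunk.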