[master] 7b64147e9 Add debug.sweep_acl() for ACL testing

Poul-Henning Kamp phk at FreeBSD.org
Tue Mar 23 10:16:05 UTC 2021 

commit 7b64147e9cdb77361f3b53a58f5a30fdd3813779
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Tue Mar 23 10:11:35 2021 +0000

    Add debug.sweep_acl() for ACL testing

diff --git a/vmod/automake_boilerplate_debug.am b/vmod/automake_boilerplate_debug.am
index 88f89a403..5617c04c9 100644
--- a/vmod/automake_boilerplate_debug.am
+++ b/vmod/automake_boilerplate_debug.am
@@ -4,6 +4,7 @@ vmod_LTLIBRARIES += libvmod_debug.la
 
 libvmod_debug_la_SOURCES = \
 	vmod_debug.c \
+	vmod_debug_acl.c \
 	vmod_debug_dyn.c \
 	vmod_debug_obj.c
 
diff --git a/vmod/vmod_debug.c b/vmod/vmod_debug.c
index 8f123c276..a203af31b 100644
--- a/vmod/vmod_debug.c
+++ b/vmod/vmod_debug.c
@@ -665,17 +665,6 @@ xyzzy_vcl_discard_delay(VRT_CTX, struct vmod_priv *priv, VCL_DURATION delay)
 	priv_vcl->vcl_discard_delay = delay;
 }
 
-VCL_BOOL v_matchproto_(td_debug_match_acl)
-xyzzy_match_acl(VRT_CTX, VCL_ACL acl, VCL_IP ip)
-{
-
-	CHECK_OBJ_ORNULL(ctx, VRT_CTX_MAGIC);
-	AN(acl);
-	assert(VSA_Sane(ip));
-
-	return (VRT_acl_match(ctx, acl, ip));
-}
-
 VCL_VOID v_matchproto_(td_debug_test_probe)
 xyzzy_test_probe(VRT_CTX, VCL_PROBE probe, VCL_PROBE same)
 {
diff --git a/vmod/vmod_debug.vcc b/vmod/vmod_debug.vcc
index c15079630..cdafcc4d3 100644
--- a/vmod/vmod_debug.vcc
+++ b/vmod/vmod_debug.vcc
@@ -178,6 +178,22 @@ $Function BOOL match_acl(ACL acl, IP ip)
 
 Perform an IP match against a named ACL.
 
+$Function BLOB sweep_acl(ACL acl, IP ip0, IP ip1, INT step = 1)
+
+Sweep `acl` through IP#s `ip0` ... `ip1` and return a hash-signature
+of the results.
+
+VSL_Debug lines will be emitted for every 64 addresses (you probably want:
+`-p vsl_mask=+Debug,-VCL_acl`
+
+Only the lower 64 bits of IPv4 addresses are stepped.
+
+$Function DURATION time_acl(ACL acl, IP ip0, IP ip1, INT step = 1, INT rounds = 1000)
+
+Time `rounds` sweeps from `ip0` to `ip1` through `acl`.
+
+Consider: `-p vsl_mask=-VCL_acl`
+
 $Function VOID test_probe(PROBE probe, PROBE same = 0)
 
 Only here to make sure probe definitions are passed properly.
diff --git a/vmod/vmod_debug_acl.c b/vmod/vmod_debug_acl.c
new file mode 100644
index 000000000..cb5fd3424
--- /dev/null
+++ b/vmod/vmod_debug_acl.c
@@ -0,0 +1,250 @@
+/*-
+ * Copyright (c) 2012-2019 Varnish Software AS
+ * All rights reserved.
+ *
+ * Author: Poul-Henning Kamp <phk at FreeBSD.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <unistd.h>
+
+// #include "vdef.h"
+//#include "vas.h"
+#include "cache/cache.h"
+#include "vend.h"
+#include "vsa.h"
+#include "vsb.h"
+#include "vsha256.h"
+#include "vtcp.h"
+#include "vtim.h"
+#include "vcc_debug_if.h"
+
+VCL_BOOL v_matchproto_(td_debug_match_acl)
+xyzzy_match_acl(VRT_CTX, VCL_ACL acl, VCL_IP ip)
+{
+
+	CHECK_OBJ_ORNULL(ctx, VRT_CTX_MAGIC);
+	AN(acl);
+	assert(VSA_Sane(ip));
+
+	return (VRT_acl_match(ctx, acl, ip));
+}
+
+/*
+ * The code below is more intimate with VSA than anything is supposed to.
+ */
+
+struct acl_sweep {
+	int			family;
+	const uint8_t		*ip0_p;
+	const uint8_t		*ip1_p;
+	struct suckaddr		*probe;
+	uint8_t			*probe_p;
+	VCL_INT			step;
+	uint64_t		reset;
+	uint64_t		this;
+	uint64_t		count;
+};
+
+static void
+reset_sweep(struct acl_sweep *asw)
+{
+	asw->this = asw->reset;
+}
+
+static int
+setup_sweep(VRT_CTX, struct acl_sweep *asw, VCL_IP ip0, VCL_IP ip1,
+    VCL_INT step)
+{
+	int fam0, fam1;
+	const uint8_t *ptr;
+
+	AN(asw);
+	memset(asw, 0, sizeof *asw);
+
+	AN(ip0);
+	AN(ip1);
+	fam0 = VSA_GetPtr(ip0, &asw->ip0_p);
+	fam1 = VSA_GetPtr(ip1, &asw->ip1_p);
+	if (fam0 != fam1) {
+		VRT_fail(ctx, "IPs have different families (0x%x vs 0x%x)",
+		    fam0, fam1);
+		return (-1);
+	}
+
+	asw->family = fam0;
+	if (asw->family == PF_INET) {
+		if (memcmp(asw->ip0_p, asw->ip1_p, 4) > 0) {
+			VRT_fail(ctx, "Sweep: ipv4.end < ipv4.start");
+			return (-1);
+		}
+		asw->reset = vbe32dec(asw->ip0_p);
+	} else {
+		if (memcmp(asw->ip0_p, asw->ip1_p, 16) > 0) {
+			VRT_fail(ctx, "Sweep: ipv6.end < ipv6.start");
+			return (-1);
+		}
+		asw->reset = vbe64dec(asw->ip0_p + 8);
+	}
+	asw->this = asw->reset;
+
+	asw->probe = VSA_Clone(ip0);
+	(void)VSA_GetPtr(asw->probe, &ptr);
+	asw->probe_p = TRUST_ME(ptr);
+
+	asw->step = step;
+
+	return (0);
+}
+
+static void
+cleanup_sweep(struct acl_sweep *asw)
+{
+	free(asw->probe);
+	memset(asw, 0, sizeof *asw);
+}
+
+static int
+step_sweep(struct acl_sweep *asw)
+{
+
+	AN(asw);
+	asw->count++;
+	asw->this += asw->step;
+	if (asw->family == PF_INET) {
+		vbe32enc(asw->probe_p, asw->this);
+		return (memcmp(asw->probe_p, asw->ip1_p, 4));
+	} else {
+		vbe64enc(asw->probe_p + 8, asw->this);
+		return (memcmp(asw->probe_p, asw->ip1_p, 16));
+	}
+}
+
+
+VCL_BLOB
+xyzzy_sweep_acl(VRT_CTX, VCL_ACL acl, VCL_IP ip0, VCL_IP ip1, VCL_INT step)
+{
+	struct acl_sweep asw[1];
+	int i, j;
+	struct vsb *vsb;
+	char abuf[VTCP_ADDRBUFSIZE];
+	char pbuf[VTCP_PORTBUFSIZE];
+	unsigned char digest[VSHA256_DIGEST_LENGTH];
+	struct VSHA256Context vsha[1];
+	struct vrt_blob *b;
+	ssize_t sz;
+
+	vsb = VSB_new_auto();
+	AN(vsb);
+
+	CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
+	AN(acl);
+	AN(ip0);
+	AN(ip1);
+	assert(step > 0);
+	if (setup_sweep(ctx, asw, ip0, ip1, step))
+		return(NULL);
+	VSHA256_Init(vsha);
+	for (j = 0; ; j++) {
+		if ((j & 0x3f) == 0x00) {
+			VTCP_name(asw->probe, abuf, sizeof abuf,
+			    pbuf, sizeof pbuf);
+			VSB_printf(vsb, "Sweep: %-15s", abuf);
+		}
+		i = VRT_acl_match(ctx, acl, asw->probe);
+		assert(0 <= i && i <= 1);
+		VSB_putc(vsb, "-X"[i]);
+		if ((j & 0x3f) == 0x3f) {
+			AZ(VSB_finish(vsb));
+			VSLb(ctx->vsl, SLT_Debug, "%s", VSB_data(vsb));
+			sz =VSB_len(vsb);
+			assert (sz > 0);
+			VSHA256_Update(vsha, VSB_data(vsb), sz);
+			VSB_clear(vsb);
+		}
+		if (step_sweep(asw) > 0)
+			break;
+	}
+	if (VSB_len(vsb)) {
+		AZ(VSB_finish(vsb));
+		VSLb(ctx->vsl, SLT_Debug, "%s", VSB_data(vsb));
+		sz =VSB_len(vsb);
+		assert (sz > 0);
+		VSHA256_Update(vsha, VSB_data(vsb), sz);
+		VSB_clear(vsb);
+	}
+	VSB_destroy(&vsb);
+
+	VSHA256_Final(digest, vsha);
+	b = WS_Alloc(ctx->ws, sizeof *b + sizeof digest);
+	if (b != NULL) {
+		memcpy(b + 1, digest, sizeof digest);
+		b->blob = b + 1;
+		b->len = sizeof digest;
+	}
+	cleanup_sweep(asw);
+	return (b);
+}
+
+VCL_DURATION
+xyzzy_time_acl(VRT_CTX, VCL_ACL acl, VCL_IP ip0, VCL_IP ip1,
+    VCL_INT step, VCL_INT turnus)
+{
+	struct acl_sweep asw[1];
+	vtim_mono t0, t1;
+	VCL_INT cnt;
+
+	CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
+	AN(acl);
+	AN(ip0);
+	AN(ip1);
+	assert(step > 0);
+	assert(turnus > 0);
+
+	if (setup_sweep(ctx, asw, ip0, ip1, step))
+		return(-1);
+	do {
+		(void)VRT_acl_match(ctx, acl, asw->probe);
+	} while (step_sweep(asw) <= 0);
+	asw->count = 0;
+	t0 = VTIM_mono();
+	for (cnt = 0; cnt < turnus; cnt++) {
+		reset_sweep(asw);
+		do {
+			(void)VRT_acl_match(ctx, acl, asw->probe);
+		} while (step_sweep(asw) <= 0);
+	}
+	t1 = VTIM_mono();
+	VSLb(ctx->vsl, SLT_Debug,
+	    "Timed ACL: %.9f -> %.9f = %.9f %.9f/round, %.9f/IP %jd IPs",
+	    t0, t1, t1 - t0, (t1-t0) / turnus, (t1-t0) / asw->count, asw->count);
+	return ((t1 - t0) / asw->count);
+}

More information about the varnish-commit mailing list