[master] 65c9d4474 Make `pedantic` a per-acl feature flag, default to true.

Poul-Henning Kamp phk at FreeBSD.org
Tue May 4 12:05:07 UTC 2021 

commit 65c9d447404a60a977afaffd0afdcd43b2e888ea
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Tue May 4 12:03:02 2021 +0000

    Make `pedantic` a per-acl feature flag, default to true.
    
    Also document `table` and `log` feature flags.
    
    Fixes #3269

diff --git a/bin/varnishtest/tests/c00005.vtc b/bin/varnishtest/tests/c00005.vtc
index 6e8feaaa8..255f42232 100644
--- a/bin/varnishtest/tests/c00005.vtc
+++ b/bin/varnishtest/tests/c00005.vtc
@@ -72,7 +72,7 @@ varnish v1 -vcl {
 
 	backend dummy None;
 
-	acl acl1 +log {
+	acl acl1 +log -pedantic {
 		# bad notation (confusing)
 		"1.2.3.4"/24;
 		"1.2.3.66"/26;
@@ -149,14 +149,12 @@ client c1 {
 
 logexpect l1 -wait
 
-varnish v1 -cliok "param.set vcc_acl_pedantic on"
-
-varnish v1 -errvcl {Address/Netmask mismatch, need be 1.2.3.0/24} {
+varnish v1 -errvcl {Non-zero bits in masked part} {
 	import std;
 
 	backend dummy None;
 
-	acl acl1 {
+	acl acl1 +pedantic {
 		"1.2.3.4"/24;
 	}
 
diff --git a/bin/varnishtest/tests/m00023.vtc b/bin/varnishtest/tests/m00023.vtc
index 749201696..3ecfbde70 100644
--- a/bin/varnishtest/tests/m00023.vtc
+++ b/bin/varnishtest/tests/m00023.vtc
@@ -12,7 +12,7 @@ varnish v1 -vcl+backend {
 		"127"/24;
 	}
 
-	acl locals {
+	acl locals -pedantic {
 		// We assume c1 and s1 comes from same address
 		"${s1_addr}"/24;
 	}
diff --git a/bin/varnishtest/tests/r01312.vtc b/bin/varnishtest/tests/r01312.vtc
index ded2787e2..3fad2f0e5 100644
--- a/bin/varnishtest/tests/r01312.vtc
+++ b/bin/varnishtest/tests/r01312.vtc
@@ -40,11 +40,11 @@ varnish v1 -vcl+backend {
 	import std;
 	import debug;
 
-	acl foo {
+	acl foo -pedantic {
 		"127.0.0.2";
 		"127.0.1"/19;
 	}
-	acl bar {
+	acl bar -pedantic {
 		"127.0.1.2";
 		"127.0.1"/19;
 	}
diff --git a/doc/changes.rst b/doc/changes.rst
index 1fe26459f..7c82a0c3e 100644
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -38,6 +38,11 @@ Varnish Cache 7.x.x (2021-09-15)
 * ACLs no longer produce VSL `VCL_acl` records by default, this must be
   explicitly enabled with `vcl <name> +log { ... }`.
 
+* ACLs can be compiled into a table format, which runs a little bit
+  slower, but compiles much faster for large ACLs.
+
+* ACLs default to `pedantic` which is no a per-ACL feature flag.
+
 ================================
 Varnish Cache 6.6.0 (2021-03-15)
 ================================
diff --git a/doc/sphinx/reference/vcl.rst b/doc/sphinx/reference/vcl.rst
index 3dbae425b..3513f0eb6 100644
--- a/doc/sphinx/reference/vcl.rst
+++ b/doc/sphinx/reference/vcl.rst
@@ -264,7 +264,8 @@ If an ACL entry specifies a host name which Varnish is unable to
 resolve, it will match any address it is compared to. Consequently,
 if it is preceded by a negation mark, it will reject any address it is
 compared to, which may not be what you intended. If the entry is
-enclosed in parentheses, however, it will simply be ignored.
+enclosed in parentheses, however, it will simply be ignored if the
+host name cannot be resolved.
 
 To match an IP address against an ACL, simply use the match operator::
 
@@ -272,6 +273,24 @@ To match an IP address against an ACL, simply use the match operator::
         return (pipe);
     }
 
+ACLs have feature flags which can be set or cleared for each ACL
+individually:
+
+* `+log` - Emit a `Acl` record in VSL to tell if a match was found
+  or not.
+
+* `+table` - Implement the ACL with a table instead of compiled code.
+  This runs a little bit slower, but compiles large ACLs much faster.
+
+* `-pedantic` - Allow masks to cover non-zero host-bits.
+  This allows the following to work::
+
+    acl foo -pedantic +log {
+        "firewall.example.com" / 24;
+    }
+
+  However, if the name resolves to both IPv4 and IPv6 you will still
+  get an error.
 
 VCL objects
 -----------
diff --git a/include/tbl/mgt_vcc.h b/include/tbl/mgt_vcc.h
index 9f828679a..908938367 100644
--- a/include/tbl/mgt_vcc.h
+++ b/include/tbl/mgt_vcc.h
@@ -3,7 +3,6 @@
  *
  */
 
-MGT_VCC(unsigned, acl_pedantic,   Acl_Pedantic)
 MGT_VCC(unsigned, allow_inline_c, Allow_InlineC)
 MGT_VCC(unsigned, err_unref,      Err_Unref)
 MGT_VCC(unsigned, unsafe_path,    Unsafe_Path)
diff --git a/include/tbl/params.h b/include/tbl/params.h
index cca420cb8..763920984 100644
--- a/include/tbl/params.h
+++ b/include/tbl/params.h
@@ -1588,22 +1588,6 @@ PARAM_VCC(
 	"Unreferenced VCL objects result in error."
 )
 
-PARAM_VCC(
-	/* name */	vcc_acl_pedantic,
-	/* def */	"off",
-	/* descr */
-	"Insist that network numbers used in ACLs have an "
-	"all-zero host part, e.g. make 1.2.3.4/24 an error.\n"
-	"With this option set to off (the default), the host "
-	"part of network numbers is being fixed to all-zeroes "
-	"(e.g. the above changed to 1.2.3.0/24), a warning is "
-	"output during VCL compilation and any ACL entry hits "
-	"are logged with the fixed address as \"fixed: ...\" "
-	"after the original VCL entry.\n"
-	"With this option set to on, any ACL entries with non-zero "
-	"host parts cause VCL compilation to fail."
-)
-
 PARAM_VCC(
 	/* name */	vcc_allow_inline_c,
 	/* def */	"off",
diff --git a/lib/libvcc/vcc_acl.c b/lib/libvcc/vcc_acl.c
index 6f455ad5a..64dcc03ab 100644
--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -53,6 +53,7 @@ struct acl {
 #define VCC_ACL_MAGIC		0xb9fb3cd0
 
 	int			flag_log;
+	int			flag_pedantic;
 	int			flag_table;
 
 	struct acl_tree		acl_tree;
@@ -201,14 +202,11 @@ vcc_acl_chk(struct vcc *tl, const struct acl_e *ae, const int l,
 	AN(sa);
 	VTCP_name(sa, h, sizeof h, NULL, 0);
 	bprintf(t, "%s/%d", h, ae->mask);
-	VSB_cat(tl->sb, "Address/Netmask mismatch, ");
-	if (tl->acl_pedantic != 0)
-		VSB_printf(tl->sb, "need be %s\n", t);
-	else
-		VSB_printf(tl->sb, "changed to %s\n", t);
-	vcc_ErrWhere(tl, ae->t_addr);
-	if (tl->acl_pedantic == 0)
-		vcc_Warn(tl);
+	if (tl->acl->flag_pedantic != 0) {
+		VSB_cat(tl->sb, "Non-zero bits in masked part, ");
+		VSB_printf(tl->sb, "(maybe use %s ?)\n", t);
+		vcc_ErrWhere(tl, ae->t_addr);
+	}
 	REPLACE(r, t);
 	return (r);
 }
@@ -697,6 +695,7 @@ vcc_ParseAcl(struct vcc *tl)
 
 	INIT_OBJ(acl, VCC_ACL_MAGIC);
 	tl->acl = acl;
+	acl->flag_pedantic = 1;
 	vcc_NextToken(tl);
 	VRBT_INIT(&acl->acl_tree);
 
@@ -718,6 +717,9 @@ vcc_ParseAcl(struct vcc *tl)
 		if (vcc_IdIs(tl->t, "log")) {
 			acl->flag_log = sign;
 			vcc_NextToken(tl);
+		} else if (vcc_IdIs(tl->t, "pedantic")) {
+			acl->flag_pedantic = sign;
+			vcc_NextToken(tl);
 		} else if (vcc_IdIs(tl->t, "table")) {
 			acl->flag_table = sign;
 			vcc_NextToken(tl);

More information about the varnish-commit mailing list