[PATCH] Allow ACL references in VMODs

Dridi Boukelmoune dridi at varni.sh
Fri Jun 19 00:43:31 CEST 2015


Once again related to my work on dynamic backends, but also probably
useful in other cases, checking ACLs in VMODs. Unlike my similar patch
for probes[1], this one is already tested. I'll first give some background,
then the rationale, and finally the caveats.

The DNS director from Varnish 3 used to take IP addresses and ranges
to generate static backends, and would enable/disable the backends
after DNS lookups. The director would also ignore DNS entries that
don't match the static list of IP addresses. DNS director backends
don't have probes, probably because the backends always exist, and
that they'd be marked as sick when no DNS entry match them.

Please correct me if I'm wrong, I'm basing my DNS director for Varnish
4.1 on this understanding.

In Varnish 4.1, provided that we introduce dynamic backends, we don't
need that at all. We can simply create/destroy backends after lookups.
However, I see two reasons for keeping IP addresses around:
- it's familiar to Varnish 3 users
- it may mitigate DNS spoofing (I am no security expert)

I don't want to rewrite this logic, especially since we already have a
good "data structure" in Varnish for that. So I thought it could benefit
VMOD writers to have access to the named ACLs.

The ACL declaration ends up being a function, so that would be the
first VCL type exposed as a function to VMODs (I don't see that as a
problem). Because of the way code is generated, I had to move things
around and put an ugly comment to circumvent spurious code generation.
With this patch, its "probe" sibling[1] and the existing backend
handling, code duplication is emerging in libvcc.

This email is probably^W bigger than the patch, comments ?

Best Regards,

[1] https://www.varnish-cache.org/lists/pipermail/varnish-dev/2015-June/008357.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-ACL-references-in-VMODs.patch
Type: text/x-patch
Size: 6518 bytes
Desc: not available
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-dev/attachments/20150619/28c667da/attachment.bin>

More information about the varnish-dev mailing list