experimental Varnish ACL revision (IPv6 able ?)
Poul-Henning Kamp
phk at phk.freebsd.dk
Wed Jul 23 00:43:15 CEST 2008
I have reworked the varnish ACL code, but am not done testing.
There's a patch here:
http://phk.freebsd.dk/patch/varnish_acl.patch
If any of you feel like beating it up, feel free to.
The changes are:
* Do DNS lookups at compile time instead of child load time. This
makes restarts (much) faster (for long ACLS) and reports the
DNS errors where & when they are needed.
* Support IPv6 filtering.
The ACL rules still have the same syntax, but the semantics have
expanded to handle IPv6 also:
acl foo {
    "foohost";                  // Match, if the address is one of the
                                // ipv4 or ipv6 addresses of "foohost"
    ! "foohost";                // Fail, if...
    "192.168.1.7" / 24;         // Use mask for comparison: The '7' is
                                // ignored
    "www.freebsd.org" / 24;     // This will give compile error, because
                                // the "www.freebsd.org" has both ipv4
                                // and ipv6 addresses, and using the same
                                // mask for both kinds does not make sense.
    ( ... );                    // Ignore this rule if DNS lookup fails.
    ( ! "idiot.net" );          // If we can resolve "idiot.net", then
                                // return Failure to match, if we see them.
}
Please notice that DNS lookup happens *only* on VCL compilation; if a
DNS record changes you need to recompile (i.e. vcl.load or vcl.inline)
your VCL code again, it is not enough to just switch vcl (vcl.use).
(This is the same as with backend DNS lookups.)
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
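The compile-time semantics described in the post (resolve at compile time, drop parenthesised rules that fail to resolve, reject a mask on a name that has both IPv4 and IPv6 addresses, first matching rule decides and a "!" rule fails the match), modelled as a small added example. This is not Varnish's own code; the DNS table and the rule tuple layout are constructed assumptions so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; the point of the
# patch is that these lookups happen once, when the VCL is compiled.
FAKE_DNS = {
    "foohost": ["10.0.0.5", "2001:db8::5"],            # dual-stack host
    "dualstack.example": ["203.0.113.9", "2001:db8:1::9"],
    "v4only.example": ["198.51.100.3"],
}

def resolve(name):
    """Literal addresses pass through; names come from FAKE_DNS or fail."""
    try:
        return [ipaddress.ip_address(name)]
    except ValueError:
        pass
    if name not in FAKE_DNS:
        raise LookupError(f"cannot resolve {name!r}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[name]]

def compile_acl(rules):
    """rules: (host, mask, negate, optional) in VCL order; mask None = exact.
    Returns [(network, negate)], raising on the errors the post describes."""
    compiled = []
    for host, mask, negate, optional in rules:
        try:
            addrs = resolve(host)
        except LookupError:
            if optional:          # ( ... ) rule: silently dropped
                continue
            raise                 # plain rule: a compile-time error
        if mask is not None and len({a.version for a in addrs}) > 1:
            raise ValueError(f"{host!r} is IPv4 and IPv6; one mask cannot serve both")
        for a in addrs:
            prefix = a.max_prefixlen if mask is None else mask
            net = ipaddress.ip_network((str(a), prefix), strict=False)
            compiled.append((net, negate))
    return compiled

def acl_match(compiled, addr):
    """First entry whose network contains addr decides; '!' entries fail it."""
    ip = ipaddress.ip_address(addr)
    for net, negate in compiled:
        if ip.version == net.version and ip in net:
            return not negate
    return False
```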