experimental Varnish ACL revision (IPv6 able ?)

Poul-Henning Kamp phk at phk.freebsd.dk
Wed Jul 23 00:43:15 CEST 2008


I have reworked the varnish ACL code, but am not done testing.

There's a patch here:

	http://phk.freebsd.dk/patch/varnish_acl.patch

If any of you feel like beating it up, feel free to.

The changes are:

  * Do DNS lookups at compile time instead of child load time.  This
    makes restarts (much) faster (for long ACLs) and reports the
    DNS errors where & when they are needed.

  * Support IPv6 filtering.

The ACL rules still have the same syntax, but the semantics have
expanded to handle IPv6 also:

    acl foo {

	"foohost";		// Match, if the address is one of the 
				// ipv4 or ipv6 addresses of "foohost"

	! "foohost";		// Fail, if...

	"192.168.1.7" / 24;	// Use mask for comparison:  The '7' is
				// ignored

	"www.freebsd.org" / 24;	// This will give compile error, because
				// the "www.freebsd.org" has both ipv4
				// and ipv6 addresses, and using the same
				// mask for both kinds does not make sense.

	( ... );		// Ignore this rule if DNS lookup fails.

	( ! "idiot.net" );	// If we can resolve "idiot.net", then
				// return Failure to match, if we see them.
    }

Please notice that DNS lookup happens *only* on VCL compilation; if a
DNS record changes you need to recompile (i.e. vcl.load or vcl.inline)
your VCL code again; it is not enough to just switch VCL (vcl.use).

(This is the same as with backend DNS lookups)

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
