Add a -r ("read-only") argument which can protect parameters from

subsequent changes.

bin/varnishd/mgt/mgt.h

@@ -69,6 +69,7 @@ const void *pick(const struct choice *cp, const char *which, const char *kind);
 /* mgt_param.c */
 void MCF_ParamInit(struct cli *);
 void MCF_ParamSet(struct cli *, const char *param, const char *val);
+void MCF_ParamProtect(struct cli *, const char *arg);
 void MCF_DumpRst(void);
 extern struct params mgt_param;
 

bin/varnishd/mgt/mgt_main.c

@@ -127,6 +127,7 @@ usage(void)
 	fprintf(stderr, FMT, "-n dir", "varnishd working directory");
 	fprintf(stderr, FMT, "-P file", "PID file");
 	fprintf(stderr, FMT, "-p param=value", "set parameter");
+	fprintf(stderr, FMT, "-r param[,param...]", "make parameter read-only");
 	fprintf(stderr, FMT,
 	    "-s kind[,storageoptions]", "Backend storage specification");
 	fprintf(stderr, FMT, "", "  -s malloc");
@@ -369,7 +370,7 @@ main(int argc, char * const *argv)
 	cli_check(cli);
 
 	while ((o = getopt(argc, argv,
-	    "a:b:Cdf:Fg:h:i:l:L:M:n:P:p:S:s:T:t:u:Vx:w:")) != -1)
+	    "a:b:Cdf:Fg:h:i:l:L:M:n:P:p:r:S:s:T:t:u:Vx:w:")) != -1)
 		switch (o) {
 		case 'a':
 			MCF_ParamSet(cli, "listen_address", optarg);
@@ -432,6 +433,10 @@ main(int argc, char * const *argv)
 			MCF_ParamSet(cli, optarg, p);
 			cli_check(cli);
 			break;
+		case 'r':
+			MCF_ParamProtect(cli, optarg);
+			cli_check(cli);
+			break;
 		case 's':
 			s_arg_given = 1;
 			STV_Config(optarg);

bin/varnishd/mgt/mgt_param.c

@@ -668,6 +668,9 @@ tweak_poolparam(struct cli *cli, const struct parspec *par, const char *arg)
 	"\nNB: Do not change this parameter, unless a developer tell " \
 	"you to do so."
 
+#define PROTECTED_TEXT \
+	"\nNB: This parameter is protected and can not be changed."
+
 #define MEMPOOL_TEXT							\
 	"The three numbers are:\n"					\
 	"   min_pool -- minimum size of free pool.\n"			\
@@ -1319,6 +1322,8 @@ mcf_param_show(struct cli *cli, const char * const *av, void *priv)
 				mcf_wrap(cli, MUST_RESTART_TEXT);
 			if (pp->flags & WIZARD)
 				mcf_wrap(cli, WIZARD_TEXT);
+			if (pp->flags & PROTECTED)
+				mcf_wrap(cli, PROTECTED_TEXT);
 			if (!lfmt)
 				return;
 			else
@@ -1331,6 +1336,43 @@ mcf_param_show(struct cli *cli, const char * const *av, void *priv)
 	}
 }
 
+/*--------------------------------------------------------------------
+ * Mark paramters as protected
+ */
+
+void
+MCF_ParamProtect(struct cli *cli, const char *args)
+{
+	char **av;
+	struct parspec *pp;
+	int i, j;
+
+	av = VAV_Parse(args, NULL, ARGV_COMMA);
+	if (av[0] != NULL) {
+		VCLI_Out(cli, "Parse error: %s", av[0]);
+		VCLI_SetResult(cli, CLIS_PARAM);
+		VAV_Free(av);
+		return;
+	}
+	for (i = 1; av[i] != NULL; i++) {
+		for (j = 0; j < nparspec; j++)
+			if (!strcmp(parspecs[j]->name, av[i]))
+				break;
+		if (j == nparspec) {
+			VCLI_Out(cli, "Unknown parameter %s", av[i]);
+			VCLI_SetResult(cli, CLIS_PARAM);
+			VAV_Free(av);
+			return;
+		}
+		pp = calloc(sizeof *pp, 1L);
+		XXXAN(pp);
+		memcpy(pp, parspecs[j], sizeof *pp);
+		pp->flags |= PROTECTED;
+		parspecs[j] = pp;
+	}
+	VAV_Free(av);
+}
+
 /*--------------------------------------------------------------------*/
 
 void
@@ -1344,6 +1386,11 @@ MCF_ParamSet(struct cli *cli, const char *param, const char *val)
 		VCLI_Out(cli, "Unknown parameter \"%s\".", param);
 		return;
 	}
+	if (pp->flags & PROTECTED) {
+		VCLI_SetResult(cli, CLIS_AUTH);
+		VCLI_Out(cli, "parameter \"%s\" is protected.", param);
+		return;
+	}
 	pp->func(cli, pp, val);
 
 	if (cli->result == CLIS_OK && heritage.param != NULL)

bin/varnishd/mgt/mgt_param.h

@@ -45,6 +45,7 @@ struct parspec {
 #define MUST_RESTART	(1<<2)
 #define MUST_RELOAD	(1<<3)
 #define WIZARD		(1<<4)
+#define PROTECTED	(1<<5)
 	const char	*def;
 	const char	*units;
 };

bin/varnishtest/tests/c00051.vtc

+varnishtest "test parameter protection"
+
+varnish v1 -arg "-r cli_timeout" 
+
+varnish v1 -cliok "param.show cli_timeout"
+varnish v1 -clierr 107 "param.set cli_timeout 1m"