Introduce 'acl <name> +log {...}' flag and disable VSL logging by default.

1e45d97c · Poul-Henning Kamp · ff20fdbb · 1e45d97c · 1e45d97c · 1e45d97c
Commit 1e45d97c authored Apr 12, 2021 by Poul-Henning Kamp
7 changed files
--- a/bin/varnishtest/tests/c00005.vtc
+++ b/bin/varnishtest/tests/c00005.vtc
@@ -72,7 +72,7 @@ varnish v1 -vcl {

 	backend dummy None;

-	acl acl1 {
+	acl acl1 +log {
 		# bad notation (confusing)
 		"1.2.3.4"/24;
 		"1.2.3.66"/26;

--- a/bin/varnishtest/tests/c00087.vtc
+++ b/bin/varnishtest/tests/c00087.vtc
@@ -6,7 +6,7 @@ server s1 -listen "${tmpdir}/s1.sock" {
 } -start

 varnish v1 -syntax 4.1 -arg "-a foo=${tmpdir}/v1.sock" -vcl+backend {
-	acl acl1 {
+	acl acl1 +log {
 		"${localhost}";
 	}


--- a/bin/varnishtest/tests/v00017.vtc
+++ b/bin/varnishtest/tests/v00017.vtc
@@ -100,3 +100,19 @@ varnish v1 -errvcl {/mask only allowed once} {
 	}
 	sub vcl_recv { if (client.ip ~ a) { return(pass); } }
 }
+
+varnish v1 -errvcl {Expected ACL flag after:} {
+	backend b { .host = "${localhost}"; }
+	acl a + foobar {
+		"10.0.1.0/22" / 22;
+	}
+	sub vcl_recv { if (client.ip ~ a) { return(pass); } }
+}
+
+varnish v1 -errvcl {Unknown ACL flag:} {
+	backend b { .host = "${localhost}"; }
+	acl a +foobar {
+		"10.0.1.0/22" / 22;
+	}
+	sub vcl_recv { if (client.ip ~ a) { return(pass); } }
+}
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -31,6 +31,13 @@ http://varnish-cache.org/docs/trunk/whats-new/index.html and via
 individual releases. These documents are updated as part of the
 release process.

+================================
+Varnish Cache 7.x.x (2021-09-15)
+================================
+
+* ACLs no longer produce VSL `VCL_acl` records by default, this must be
+  explicitly enabled with `vcl <name> +log { ... }`.
+
 ================================
 Varnish Cache 6.6.0 (2021-03-15)
 ================================

--- a/doc/sphinx/users-guide/vcl-syntax.rst
+++ b/doc/sphinx/users-guide/vcl-syntax.rst
@@ -59,6 +59,16 @@ To match an IP address against an ACL, simply use the match operator::
         return (pipe);
       }

+In Varnish versions before 7.0, ACLs would always emit a `VCL_acl`
+record in the VSL log, from 7.0 and forward, this must be explicitly
+enabled by specifying the `+log` flag::
+
+       acl local +log {
+         "localhost";         // myself
+         "192.0.2.0"/24;      // and everyone on the local network
+         ! "192.0.2.23";      // except for the dialin router
+       }
+
 Operators
 ~~~~~~~~~


--- a/include/tbl/vsl_tags.h
+++ b/include/tbl/vsl_tags.h
@@ -287,7 +287,7 @@ SLTM(Fetch_Body, 0, "Body fetched from backend",
 )

 SLTM(VCL_acl, 0, "VCL ACL check results",
-	"Logs VCL ACL evaluation results.\n\n"
+	"ACLs with the `+log` flag emits this record with the result.\n\n"
 	"The format is::\n\n"
 	"\t%s [%s [%s [fixed: %s]]]\n"
 	"\t|   |   |          |\n"

--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -52,6 +52,8 @@ struct acl {
 	unsigned		magic;
 #define VCC_ACL_MAGIC		0xb9fb3cd0

+	int			flag_log;
+
 	struct acl_tree		acl_tree;
 };

@@ -493,7 +495,8 @@ vcc_acl_emit(struct vcc *tl, const struct symbol *sym)
 	Fh(tl, 0, "\n");
 	Fh(tl, 0, "\tfam = VRT_VSA_GetPtr(ctx, p, &a);\n");
 	Fh(tl, 0, "\tif (fam < 0) {\n");
-	Fh(tl, 0, "\t\tVPI_acl_log(ctx, \"NO_FAM %s\");\n", sym->name);
+	if (tl->acl->flag_log)
+		Fh(tl, 0, "\t\tVPI_acl_log(ctx, \"NO_FAM %s\");\n", sym->name);
 	Fh(tl, 0, "\t\treturn(0);\n");
 	Fh(tl, 0, "\t}\n\n");
 	if (!tl->err_unref) {
@@ -546,10 +549,12 @@ vcc_acl_emit(struct vcc *tl, const struct symbol *sym)

 		i = ((int)ae->mask + 7) / 8;

-		Fh(tl, 0, "\t%*sVPI_acl_log(ctx, \"%sMATCH %s \" ",
-		    -i, "", ae->not ? "NEG_" : "", sym->name);
-		vcc_acl_emit_tokens(tl, ae);
-		Fh(tl, 0, ");\n");
+		if (tl->acl->flag_log) {
+			Fh(tl, 0, "\t%*sVPI_acl_log(ctx, \"%sMATCH %s \" ",
+			    -i, "", ae->not ? "NEG_" : "", sym->name);
+			vcc_acl_emit_tokens(tl, ae);
+			Fh(tl, 0, ");\n");
+		}

 		Fh(tl, 0, "\t%*sreturn (%d);\n", -i, "", ae->not ? 0 : 1);
 	}
@@ -559,7 +564,8 @@ vcc_acl_emit(struct vcc *tl, const struct symbol *sym)
 		Fh(tl, 0, "\t%*.*s}\n", depth, depth, "");

 	/* Deny by default */
-	Fh(tl, 0, "\tVPI_acl_log(ctx, \"NO_MATCH %s\");\n", sym->name);
+	if (tl->acl->flag_log)
+		Fh(tl, 0, "\tVPI_acl_log(ctx, \"NO_MATCH %s\");\n", sym->name);
 	Fh(tl, 0, "\treturn (0);\n}\n");

 	/* Emit the struct that will be referenced */
@@ -579,6 +585,7 @@ void
 vcc_ParseAcl(struct vcc *tl)
 {
 	struct symbol *sym;
+	struct token *sign;
 	struct acl acl[1];

 	INIT_OBJ(acl, VCC_ACL_MAGIC);
@@ -592,6 +599,24 @@ vcc_ParseAcl(struct vcc *tl)
 	ERRCHK(tl);
 	AN(sym);

+        while (tl->t->tok == '-' || tl->t->tok == '+') {
+		sign = tl->t;
+		vcc_NextToken(tl);
+		if (tl->t->b != sign->e) {
+			VSB_cat(tl->sb, "Expected ACL flag after:\n");
+			vcc_ErrWhere(tl, sign);
+			return;
+		}
+		if (vcc_IdIs(tl->t, "log")) {
+			acl->flag_log = sign->tok == '+';
+			vcc_NextToken(tl);
+		} else {
+			VSB_cat(tl->sb, "Unknown ACL flag:\n");
+			vcc_ErrWhere(tl, tl->t);
+			return;
+		}
+	}
+
 	SkipToken(tl, '{');

 	while (tl->t->tok != '}') {