1e45d97c
Commit
1e45d97c
authored
Apr 12, 2021
by
Poul-Henning Kamp
Introduce 'acl <name> +log {...}' flag and disable VSL logging by default.
parent
ff20fdbb
Showing
7 changed files
with
67 additions
and
9 deletions
+67
-9
c00005.vtc
bin/varnishtest/tests/c00005.vtc
+1
-1
c00087.vtc
bin/varnishtest/tests/c00087.vtc
+1
-1
v00017.vtc
bin/varnishtest/tests/v00017.vtc
+16
-0
changes.rst
doc/changes.rst
+7
-0
vcl-syntax.rst
doc/sphinx/users-guide/vcl-syntax.rst
+10
-0
vsl_tags.h
include/tbl/vsl_tags.h
+1
-1
vcc_acl.c
lib/libvcc/vcc_acl.c
+31
-6
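--- a/bin/varnishtest/tests/c00005.vtc
+++ b/bin/varnishtest/tests/c00005.vtc
@@ -72,7 +72,7 @@ varnish v1 -vcl {
 backend dummy None;
-acl acl1 {
+acl acl1 +log {
 # bad notation (confusing)
 "1.2.3.4"/24;
 "1.2.3.66"/26;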
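--- a/bin/varnishtest/tests/c00087.vtc
+++ b/bin/varnishtest/tests/c00087.vtc
@@ -6,7 +6,7 @@ server s1 -listen "${tmpdir}/s1.sock" {
 } -start
 varnish v1 -syntax 4.1 -arg "-a foo=${tmpdir}/v1.sock" -vcl+backend {
-acl acl1 {
+acl acl1 +log {
 "${localhost}";
 }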
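--- a/bin/varnishtest/tests/v00017.vtc
+++ b/bin/varnishtest/tests/v00017.vtc
@@ -100,3 +100,19 @@ varnish v1 -errvcl {/mask only allowed once} {
 }
 sub vcl_recv { if (client.ip ~ a) { return(pass); } }
 }
+varnish v1 -errvcl {Expected ACL flag after:} {
+backend b { .host = "${localhost}"; }
+acl a + foobar {
+"10.0.1.0/22" / 22;
+}
+sub vcl_recv { if (client.ip ~ a) { return(pass); } }
+}
+varnish v1 -errvcl {Unknown ACL flag:} {
+backend b { .host = "${localhost}"; }
+acl a +foobar {
+"10.0.1.0/22" / 22;
+}
+sub vcl_recv { if (client.ip ~ a) { return(pass); } }
+}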
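Review bot: The two added cases pin the parser's error paths, but nothing here exercises the accepted forms of the new syntax: `-log` is never parsed, and no test asserts that an ACL declared without the flag now produces no `VCL_acl` record, which is the default-behaviour change this commit makes. A passing block such as `acl a -log { "${localhost}"; }` next to these error cases would cover the sign handling, and a check that the default case emits no `VCL_acl` entry would guard the audit-trail change; c00005.vtc and c00087.vtc gained `+log` in this commit and presumably assert the logged side, so the default side is the one left unverified as far as I can see.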
doc/changes.rst
@@ -31,6 +31,13 @@ http://varnish-cache.org/docs/trunk/whats-new/index.html and via
individual releases. These documents are updated as part of the
release process.
================================
Varnish Cache 7.x.x (2021-09-15)
================================
* ACLs no longer produce VSL `VCL_acl` records by default, this must be
explicitly enabled with `vcl <name> +log { ... }`.
================================
Varnish Cache 6.6.0 (2021-03-15)
================================
doc/sphinx/users-guide/vcl-syntax.rst
@@ -59,6 +59,16 @@ To match an IP address against an ACL, simply use the match operator::
return (pipe);
}
In Varnish versions before 7.0, ACLs would always emit a `VCL_acl`
record in the VSL log, from 7.0 and forward, this must be explicitly
enabled by specifying the `+log` flag::
acl local +log {
"localhost"; // myself
"192.0.2.0"/24; // and everyone on the local network
! "192.0.2.23"; // except for the dialin router
}
Operators
~~~~~~~~~
include/tbl/vsl_tags.h
@@ -287,7 +287,7 @@ SLTM(Fetch_Body, 0, "Body fetched from backend",
)
SLTM
(
VCL_acl
,
0
,
"VCL ACL check results"
,
"
Logs VCL ACL evaluation results
.
\n\n
"
"
ACLs with the `+log` flag emits this record with the result
.
\n\n
"
"The format is::
\n\n
"
"
\t
%s [%s [%s [fixed: %s]]]
\n
"
"
\t
| | | |
\n
"
lib/libvcc/vcc_acl.c
@@ -52,6 +52,8 @@ struct acl {
unsigned
magic
;
#define VCC_ACL_MAGIC 0xb9fb3cd0
int
flag_log
;
struct
acl_tree
acl_tree
;
};
@@ -493,7 +495,8 @@ vcc_acl_emit(struct vcc *tl, const struct symbol *sym)
Fh
(
tl
,
0
,
"
\n
"
);
Fh
(
tl
,
0
,
"
\t
fam = VRT_VSA_GetPtr(ctx, p, &a);
\n
"
);
Fh
(
tl
,
0
,
"
\t
if (fam < 0) {
\n
"
);
Fh
(
tl
,
0
,
"
\t\t
VPI_acl_log(ctx,
\"
NO_FAM %s
\"
);
\n
"
,
sym
->
name
);
if
(
tl
->
acl
->
flag_log
)
Fh
(
tl
,
0
,
"
\t\t
VPI_acl_log(ctx,
\"
NO_FAM %s
\"
);
\n
"
,
sym
->
name
);
Fh
(
tl
,
0
,
"
\t\t
return(0);
\n
"
);
Fh
(
tl
,
0
,
"
\t
}
\n\n
"
);
if
(
!
tl
->
err_unref
)
{
@@ -546,10 +549,12 @@ vcc_acl_emit(struct vcc *tl, const struct symbol *sym)
i = ((int)ae->mask + 7) / 8;
Fh(tl, 0, "
\
t
%*
sVPI_acl_log
(
ctx
,
\
"%sMATCH %s
\"
"
,
-
i
,
""
,
ae
->
not
?
"NEG_"
:
""
,
sym
->
name
);
vcc_acl_emit_tokens
(
tl
,
ae
);
Fh
(
tl
,
0
,
");
\n
"
);
if (tl->acl->flag_log) {
Fh(tl, 0, "
\
t
%*
sVPI_acl_log
(
ctx
,
\
"%sMATCH %s
\"
"
,
-
i
,
""
,
ae
->
not
?
"NEG_"
:
""
,
sym
->
name
);
vcc_acl_emit_tokens
(
tl
,
ae
);
Fh
(
tl
,
0
,
");
\n
"
);
}
Fh
(
tl
,
0
,
"
\t
%*sreturn (%d);
\n
"
,
-
i
,
""
,
ae
->
not
?
0
:
1
);
}
@@ -559,7 +564,8 @@ vcc_acl_emit(struct vcc *tl, const struct symbol *sym)
Fh
(
tl
,
0
,
"
\t
%*.*s}
\n
"
,
depth
,
depth
,
""
);
/* Deny by default */
Fh
(
tl
,
0
,
"
\t
VPI_acl_log(ctx,
\"
NO_MATCH %s
\"
);
\n
"
,
sym
->
name
);
if
(
tl
->
acl
->
flag_log
)
Fh
(
tl
,
0
,
"
\t
VPI_acl_log(ctx,
\"
NO_MATCH %s
\"
);
\n
"
,
sym
->
name
);
Fh
(
tl
,
0
,
"
\t
return (0);
\n
}
\n
"
);
/* Emit the struct that will be referenced */
@@ -579,6 +585,7 @@ void
vcc_ParseAcl
(
struct
vcc
*
tl
)
{
struct
symbol
*
sym
;
struct
token
*
sign
;
struct
acl
acl
[
1
];
INIT_OBJ
(
acl
,
VCC_ACL_MAGIC
);
@@ -592,6 +599,24 @@ vcc_ParseAcl(struct vcc *tl)
ERRCHK
(
tl
);
AN
(
sym
);
while
(
tl
->
t
->
tok
==
'-'
||
tl
->
t
->
tok
==
'+'
)
{
sign
=
tl
->
t
;
vcc_NextToken
(
tl
);
if
(
tl
->
t
->
b
!=
sign
->
e
)
{
VSB_cat
(
tl
->
sb
,
"Expected ACL flag after:
\n
"
);
vcc_ErrWhere
(
tl
,
sign
);
return
;
}
if
(
vcc_IdIs
(
tl
->
t
,
"log"
))
{
acl
->
flag_log
=
sign
->
tok
==
'+'
;
vcc_NextToken
(
tl
);
}
else
{
VSB_cat
(
tl
->
sb
,
"Unknown ACL flag:
\n
"
);
vcc_ErrWhere
(
tl
,
tl
->
t
);
return
;
}
}
SkipToken
(
tl
,
'{'
);
while
(
tl
->
t
->
tok
!=
'}'
)
{
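Review bot: The flag loop added to vcc_ParseAcl accepts the same flag any number of times and with opposite signs, so `acl a +log -log {` compiles with the last occurrence silently winning; a repeated flag is almost certainly a typo and is cheap to reject inside the `vcc_IdIs(tl->t, "log")` branch before the assignment. A local `seen_log` set on first use gives the loop a third error alongside the existing "Expected ACL flag after:" and "Unknown ACL flag:" messages, as shown below, and v00017.vtc could gain a matching error case. Separately, the two new `if (tl->acl->flag_log)` guards in vcc_acl_emit (NO_FAM and NO_MATCH) are unbraced over a multi-line Fh() call while the MATCH guard braces its body; bracing all three is the safer, consistent form. The new `flag_log` field carries no comment, and since VSL output is now off unless the flag is given, `/* "+log": make the generated matcher call VPI_acl_log() (VSL VCL_acl records); off by default */` would tell the next reader where that default lives. vcc_ParseAcl's body and the vcc_acl_emit hunks all start or end outside what is shown.
```c
	struct acl acl[1];
	int seen_log = 0;	/* reject "+log -log": last-wins would hide a typo */
	/* … unchanged: INIT_OBJ, sym lookup, ERRCHK, AN(sym) … */

	while (tl->t->tok == '-' || tl->t->tok == '+') {
		sign = tl->t;
		vcc_NextToken(tl);
		/* … unchanged: "Expected ACL flag after:" adjacency check … */
		if (vcc_IdIs(tl->t, "log")) {
			if (seen_log) {
				VSB_cat(tl->sb, "Duplicate ACL flag:\n");
				vcc_ErrWhere(tl, tl->t);
				return;
			}
			seen_log = 1;
			acl->flag_log = sign->tok == '+';
			vcc_NextToken(tl);
		} else {
			/* … unchanged: "Unknown ACL flag:" error … */
		}
	}
```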