Make `pedantic` a per-acl feature flag, default to true.

Also document `table` and `log` feature flags. Fixes #3269

Make `pedantic` a per-acl feature flag, default to true.
Also document `table` and `log` feature flags. Fixes #3269
65c9d447 · Poul-Henning Kamp · 5bd17b74 · 65c9d447 · 65c9d447 · 65c9d447
Commit 65c9d447 authored May 04, 2021 by Poul-Henning Kamp
8 changed files
--- a/bin/varnishtest/tests/c00005.vtc
+++ b/bin/varnishtest/tests/c00005.vtc
@@ -72,7 +72,7 @@ varnish v1 -vcl {

 	backend dummy None;

-	acl acl1 +log {
+	acl acl1 +log -pedantic {
 		# bad notation (confusing)
 		"1.2.3.4"/24;
 		"1.2.3.66"/26;
@@ -149,14 +149,12 @@ client c1 {

 logexpect l1 -wait

-varnish v1 -cliok "param.set vcc_acl_pedantic on"
-
-varnish v1 -errvcl {Address/Netmask mismatch, need be 1.2.3.0/24} {
+varnish v1 -errvcl {Non-zero bits in masked part} {
 	import std;

 	backend dummy None;

-	acl acl1 {
+	acl acl1 +pedantic {
 		"1.2.3.4"/24;
 	}


--- a/bin/varnishtest/tests/m00023.vtc
+++ b/bin/varnishtest/tests/m00023.vtc
@@ -12,7 +12,7 @@ varnish v1 -vcl+backend {
 		"127"/24;
 	}

-	acl locals {
+	acl locals -pedantic {
 		// We assume c1 and s1 comes from same address
 		"${s1_addr}"/24;
 	}

--- a/bin/varnishtest/tests/r01312.vtc
+++ b/bin/varnishtest/tests/r01312.vtc
@@ -40,11 +40,11 @@ varnish v1 -vcl+backend {
 	import std;
 	import debug;

-	acl foo {
+	acl foo -pedantic {
 		"127.0.0.2";
 		"127.0.1"/19;
 	}
-	acl bar {
+	acl bar -pedantic {
 		"127.0.1.2";
 		"127.0.1"/19;
 	}

--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -38,6 +38,11 @@ Varnish Cache 7.x.x (2021-09-15)
 * ACLs no longer produce VSL `VCL_acl` records by default, this must be
  explicitly enabled with `vcl <name> +log { ... }`.

+* ACLs can be compiled into a table format, which runs a little bit
+  slower, but compiles much faster for large ACLs.
+
+* ACLs default to `pedantic` which is no a per-ACL feature flag.
+
 ================================
 Varnish Cache 6.6.0 (2021-03-15)
 ================================

--- a/doc/sphinx/reference/vcl.rst
+++ b/doc/sphinx/reference/vcl.rst
@@ -264,7 +264,8 @@ If an ACL entry specifies a host name which Varnish is unable to
 resolve, it will match any address it is compared to. Consequently,
 if it is preceded by a negation mark, it will reject any address it is
 compared to, which may not be what you intended. If the entry is
-enclosed in parentheses, however, it will simply be ignored.
+enclosed in parentheses, however, it will simply be ignored if the
+host name cannot be resolved.

 To match an IP address against an ACL, simply use the match operator::

@@ -272,6 +273,24 @@ To match an IP address against an ACL, simply use the match operator::
        return (pipe);
    }

+ACLs have feature flags which can be set or cleared for each ACL
+individually:
+
+* `+log` - Emit a `Acl` record in VSL to tell if a match was found
+  or not.
+
+* `+table` - Implement the ACL with a table instead of compiled code.
+  This runs a little bit slower, but compiles large ACLs much faster.
+
+* `-pedantic` - Allow masks to cover non-zero host-bits.
+  This allows the following to work::
+
+    acl foo -pedantic +log {
+        "firewall.example.com" / 24;
+    }
+
+  However, if the name resolves to both IPv4 and IPv6 you will still
+  get an error.

 VCL objects
 -----------

--- a/include/tbl/mgt_vcc.h
+++ b/include/tbl/mgt_vcc.h
@@ -3,7 +3,6 @@
 *
 */

-MGT_VCC(unsigned, acl_pedantic,   Acl_Pedantic)
 MGT_VCC(unsigned, allow_inline_c, Allow_InlineC)
 MGT_VCC(unsigned, err_unref,      Err_Unref)
 MGT_VCC(unsigned, unsafe_path,    Unsafe_Path)

--- a/include/tbl/params.h
+++ b/include/tbl/params.h
@@ -1588,22 +1588,6 @@ PARAM_VCC(
 	"Unreferenced VCL objects result in error."
 )

-PARAM_VCC(
-	/* name */	vcc_acl_pedantic,
-	/* def */	"off",
-	/* descr */
-	"Insist that network numbers used in ACLs have an "
-	"all-zero host part, e.g. make 1.2.3.4/24 an error.\n"
-	"With this option set to off (the default), the host "
-	"part of network numbers is being fixed to all-zeroes "
-	"(e.g. the above changed to 1.2.3.0/24), a warning is "
-	"output during VCL compilation and any ACL entry hits "
-	"are logged with the fixed address as \"fixed: ...\" "
-	"after the original VCL entry.\n"
-	"With this option set to on, any ACL entries with non-zero "
-	"host parts cause VCL compilation to fail."
-)
-
 PARAM_VCC(
 	/* name */	vcc_allow_inline_c,
 	/* def */	"off",

--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -53,6 +53,7 @@ struct acl {
 #define VCC_ACL_MAGIC		0xb9fb3cd0

 	int			flag_log;
+	int			flag_pedantic;
 	int			flag_table;

 	struct acl_tree		acl_tree;
@@ -201,14 +202,11 @@ vcc_acl_chk(struct vcc *tl, const struct acl_e *ae, const int l,
 	AN(sa);
 	VTCP_name(sa, h, sizeof h, NULL, 0);
 	bprintf(t, "%s/%d", h, ae->mask);
-	VSB_cat(tl->sb, "Address/Netmask mismatch, ");
-	if (tl->acl_pedantic != 0)
-		VSB_printf(tl->sb, "need be %s\n", t);
-	else
-		VSB_printf(tl->sb, "changed to %s\n", t);
-	vcc_ErrWhere(tl, ae->t_addr);
-	if (tl->acl_pedantic == 0)
-		vcc_Warn(tl);
+	if (tl->acl->flag_pedantic != 0) {
+		VSB_cat(tl->sb, "Non-zero bits in masked part, ");
+		VSB_printf(tl->sb, "(maybe use %s ?)\n", t);
+		vcc_ErrWhere(tl, ae->t_addr);
+	}
 	REPLACE(r, t);
 	return (r);
 }
@@ -697,6 +695,7 @@ vcc_ParseAcl(struct vcc *tl)

 	INIT_OBJ(acl, VCC_ACL_MAGIC);
 	tl->acl = acl;
+	acl->flag_pedantic = 1;
 	vcc_NextToken(tl);
 	VRBT_INIT(&acl->acl_tree);

@@ -718,6 +717,9 @@ vcc_ParseAcl(struct vcc *tl)
 		if (vcc_IdIs(tl->t, "log")) {
 			acl->flag_log = sign;
 			vcc_NextToken(tl);
+		} else if (vcc_IdIs(tl->t, "pedantic")) {
+			acl->flag_pedantic = sign;
+			vcc_NextToken(tl);
 		} else if (vcc_IdIs(tl->t, "table")) {
 			acl->flag_table = sign;
 			vcc_NextToken(tl);