Nils Goroll authored
Summary: ACL entries with netmasks shorter than the maximum for the respective protocol represent network addresses and as such, by convention, should be written with all zero bits in the host part to avoid confusion. This patch adds VCL compile warnings and improved logging if they are not.

Discussion: For example, while 1.2.3.0/24 and 1.2.3.255/24, in CIDR notation, both specify all addresses with the first three octets matching 1, 2 and 3, using the latter can be a source of subtle confusion.

This becomes particularly apparent with netmasks outside byte boundaries: 1.2.6.0/22 specifies addresses 1.2.4.0 - 1.2.7.255, but not so experienced administrators might be tempted to think that it specified 1.2.6.0 - 1.2.9.255.

To summarize, denoting network addresses in non-canonical form is confusing, a possible source of error and additionally complicates analyses.

This patch makes sure that such mishaps do not remain unnoticed by

- issuing warnings during VCL compilation about non-canonical network addresses
- logging ACL matches together with the canonical address

The actual matching code is not touched, but a minor simplification can be applied later.
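The check the commit describes, worked through as an added example that is not code from the Varnish patch itself: an ACL entry written as address/prefix is reduced to its canonical network address by clearing the host bits, any host bit that was set marks the entry as non-canonical, and the last address of the range is derived by setting those same bits. The function names (`check_acl_entry`, `apply_host_bits`, `entry_is`) and the warning wording are this example's own; it operates on the raw byte form so that one routine covers both IPv4 and IPv6, and it reproduces the two cases from the commit message (1.2.3.255/24 and 1.2.6.0/22).

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Added example, not code from the Varnish patch: canonicalize an ACL
 * entry written as address/prefix and detect non-zero host bits. Works on
 * the raw byte form, so one routine serves IPv4 (4 bytes) and IPv6 (16). */

/* Clear (set == 0) or set (set == 1) every host bit of addr[0..len) for a
 * prefix length of `bits`. Returns 1 if any host bit was already set before
 * the call, i.e. the entry was written in non-canonical form. */
static int apply_host_bits(unsigned char *addr, size_t len, unsigned bits, int set)
{
    int had_host_bits = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned keep = bits >= 8 ? 8 : bits;          /* prefix bits in this byte */
        unsigned char mask = keep ? (unsigned char)(0xffu << (8 - keep)) : 0;
        if (addr[i] & (unsigned char)~mask)
            had_host_bits = 1;
        addr[i] = set ? (addr[i] | (unsigned char)~mask) : (addr[i] & mask);
        bits -= keep;
    }
    return had_host_bits;
}

/* Parse "addr/bits" and write the canonical network address and the last
 * address of the range as text. Returns -1 on a malformed entry, 0 if the
 * entry was already canonical, 1 if it had host bits set. */
int check_acl_entry(const char *entry, char *net_out, size_t net_sz,
                    char *last_out, size_t last_sz)
{
    char buf[INET6_ADDRSTRLEN];
    unsigned char addr[16], last[16];
    const char *slash = strchr(entry, '/');
    char *end;
    long bits;
    int af, noncanon;
    size_t len;

    if (slash == NULL || (size_t)(slash - entry) >= sizeof buf)
        return -1;
    memcpy(buf, entry, (size_t)(slash - entry));
    buf[slash - entry] = '\0';
    bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || bits < 0)
        return -1;

    if (inet_pton(AF_INET, buf, addr) == 1) { af = AF_INET; len = 4; }
    else if (inet_pton(AF_INET6, buf, addr) == 1) { af = AF_INET6; len = 16; }
    else return -1;
    if ((size_t)bits > len * 8)                     /* prefix longer than the address */
        return -1;

    memcpy(last, addr, len);
    noncanon = apply_host_bits(addr, len, (unsigned)bits, 0);  /* network address */
    (void)apply_host_bits(last, len, (unsigned)bits, 1);       /* last address */
    if (inet_ntop(af, addr, net_out, (socklen_t)net_sz) == NULL ||
        inet_ntop(af, last, last_out, (socklen_t)last_sz) == NULL)
        return -1;
    return noncanon;
}

/* Self-check helper: 1 if `entry` yields the expected return code and, for a
 * valid entry, the expected network and last-address strings. */
int entry_is(const char *entry, int rc, const char *net, const char *last)
{
    char n[INET6_ADDRSTRLEN], l[INET6_ADDRSTRLEN];
    int r = check_acl_entry(entry, n, sizeof n, l, sizeof l);
    if (r != rc) return 0;
    if (r < 0) return 1;
    return strcmp(n, net) == 0 && strcmp(l, last) == 0;
}

int main(void)
{
    /* constructed ACL entries, including the two discussed in the commit */
    const char *entries[] = { "1.2.3.0/24", "1.2.3.255/24", "1.2.6.0/22",
                              "2001:db8::1/64", "1.2.3.4/33" };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        char net[INET6_ADDRSTRLEN], last[INET6_ADDRSTRLEN];
        int rc = check_acl_entry(entries[i], net, sizeof net, last, sizeof last);
        if (rc < 0)
            printf("error: %s is not a valid ACL entry\n", entries[i]);
        else if (rc == 1)
            printf("warning: %s is not canonical; network %s covers %s - %s\n",
                   entries[i], net, net, last);
        else
            printf("ok: %s covers %s - %s\n", entries[i], net, last);
    }
    return 0;
}
```

Running it shows why the commit cares about 1.2.6.0/22: the entry is flagged because its canonical network is 1.2.4.0/22, and the printed range 1.2.4.0 - 1.2.7.255 is what the ACL actually matches, not the 1.2.6.0 - 1.2.9.255 an administrator might read from the entry as written.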