    Warn about ACL entries with non-zero host bits · b9756475
    Nils Goroll authored
    Summary:
    
    ACL entries with netmasks shorter than the maximum for the respective
    protocol represent network addresses and as such, by convention,
    should be written with all zero bits in the host part to avoid
    confusion.
    
    This patch adds VCL compile warnings and improved logging if they are
    not.
    
    Discussion:
    
    For example, while 1.2.3.0/24 and 1.2.3.255/24, in CIDR notation, both
    specify all addresses with the first three octets matching 1, 2 and 3,
    using the latter can be a source of subtle confusion.
    
    This becomes particularly apparent with netmasks outside byte
    boundaries: 1.2.6.0/22 specifies addresses 1.2.4.0 - 1.2.7.255, but
    not so experienced administrators might be tempted to think that it
    specified 1.2.6.0 - 1.2.9.255.
    
    To summarize, denoting network addresses in non-canonical form is
    confusing, a possible source of error and additionally complicates
    analyses.
    
    This patch makes sure that such mishaps do not remain unnoticed by
    
    - issuing warnings during VCL compilation about non-canonical network
      addresses
    
    - logging ACL matches together with the canonical address
    
    The actual matching code is not touched, but a minor simplification
    can be applied later.
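As an added illustration of the check this commit describes (example code written for this page, not the commit's own change to the VCL compiler), the functions below apply the netmask to an ACL entry, report whether any host bits are set, and compute the canonical network address and the last address of the range; the function names are my own, and they assume the POSIX inet_pton/inet_ntop API. Fed the entries from the discussion above, 1.2.3.255/24 and 1.2.6.0/22 are flagged as non-canonical, with 1.2.6.0/22 resolving to 1.2.4.0 - 1.2.7.255.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
/* Apply a prefix-bit netmask to addr: returns 1 if host bits are set (non-canonical),
 * 0 if canonical, -1 on bad input; writes the network and last address to net/last. */
int acl_check_entry(int af, const char *addr, int prefix, char *net, char *last)
{
    unsigned char in[16], lo[16], hi[16];
    int len = (af == AF_INET) ? 4 : 16, noncanon = 0;
    if (inet_pton(af, addr, in) != 1 || prefix < 0 || prefix > len * 8)
        return -1;
    for (int i = 0; i < len; i++) {
        int bits = prefix - i * 8;       /* netmask bits left for this byte */
        unsigned char mask = bits >= 8 ? 0xff : bits <= 0 ? 0x00
                           : (unsigned char)(0xff << (8 - bits));
        lo[i] = in[i] & mask;                   /* canonical network address */
        hi[i] = in[i] | (unsigned char)~mask;   /* last address in the range */
        if (in[i] & (unsigned char)~mask)
            noncanon = 1;                       /* a host bit is set: warn */
    }
    inet_ntop(af, lo, net, INET6_ADDRSTRLEN);
    inet_ntop(af, hi, last, INET6_ADDRSTRLEN);
    return noncanon;
}

/* Parse an ACL entry "addr[/prefix]"; no prefix means a single host. */
int acl_check_cidr(const char *cidr, char *net, char *last)
{
    char a[INET6_ADDRSTRLEN], *end = NULL;
    const char *slash = strchr(cidr, '/');
    size_t n = slash ? (size_t)(slash - cidr) : strlen(cidr);
    int af, prefix;
    if (n >= sizeof a)
        return -1;
    memcpy(a, cidr, n);
    a[n] = '\0';
    af = strchr(a, ':') ? AF_INET6 : AF_INET;
    prefix = slash ? (int)strtol(slash + 1, &end, 10) : (af == AF_INET ? 32 : 128);
    if (slash && (end == slash + 1 || *end != '\0'))
        return -1;
    return acl_check_entry(af, a, prefix, net, last);
}

/* 1 if the entry parses and covers exactly net_exp..last_exp, else 0. */
int acl_range_is(const char *cidr, const char *net_exp, const char *last_exp)
{
    char net[INET6_ADDRSTRLEN], last[INET6_ADDRSTRLEN];
    return acl_check_cidr(cidr, net, last) >= 0 &&
        strcmp(net, net_exp) == 0 && strcmp(last, last_exp) == 0;
}
```

A compile-time warning in the spirit of the commit would be emitted whenever acl_check_cidr returns 1, printing the canonical address so the administrator sees the range actually matched.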