Warn about ACL entries with non-zero host bits · b9756475
    Nils Goroll authored
    Summary:
    
    ACL entries with netmasks shorter than the maximum for the respective
    protocol represent network addresses and as such, by convention,
    should be written with all zero bits in the host part to avoid
    confusion.
    
    This patch adds VCL compile warnings and improved logging if they are
    not.
    
    Discussion:
    
    For example, while 1.2.3.0/24 and 1.2.3.255/24, in CIDR notation, both
    specify all addresses with the first three octets matching 1, 2 and 3,
    using the latter can be a source of subtle confusion.
    
    This becomes particularly apparent with netmasks outside byte
    boundaries: 1.2.6.0/22 specifies addresses 1.2.4.0 - 1.2.7.255, but
    not so experienced administrators might be tempted to think that it
    specified 1.2.6.0 - 1.2.9.255.
    
    To summarize, denoting network addresses in non-canonical form is
    confusing, a possible source of error and additionally complicates
    analyses.
    
    This patch makes sure that such mishaps do not remain unnoticed by
    
    - issuing warnings during VCL compilation about non-canonical network
      addresses
    
    - Logging ACL matches together with the canonical address
    
    The actual matching code is not touched, but a minor simplification
    can be applied later.
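The canonicalisation the commit message describes, as an added example in C that is not Varnish's own code: `acl_canonical` and `acl_check` are hypothetical helper names that clear the host bits of an IPv4 or IPv6 entry, report whether any were set (the case that draws the compile warning), and return the canonical form the log line would carry.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (added example, not Varnish code): compute the
 * canonical network address for addr/prefix by clearing the host bits.
 * Returns 1 if host bits were non-zero (the entry deserves a warning),
 * 0 if the entry was already canonical, -1 on a parse error. */
int
acl_canonical(const char *addr, int prefix, char *out, size_t outlen)
{
	unsigned char buf[16];
	int af, maxbits, i, nonzero = 0;

	if (inet_pton(AF_INET, addr, buf) == 1) {
		af = AF_INET; maxbits = 32;
	} else if (inet_pton(AF_INET6, addr, buf) == 1) {
		af = AF_INET6; maxbits = 128;
	} else
		return (-1);
	if (prefix < 0 || prefix > maxbits)
		return (-1);

	/* Bytes entirely inside the prefix are kept, the byte the prefix
	 * ends in is masked, everything after it is zeroed. */
	for (i = 0; i < maxbits / 8; i++) {
		int keep = prefix - i * 8;	/* prefix bits left in this byte */
		unsigned char mask;
		if (keep >= 8)
			continue;
		mask = keep <= 0 ? 0 : (unsigned char)(0xffU << (8 - keep));
		if (buf[i] & (unsigned char)~mask)
			nonzero = 1;
		buf[i] &= mask;
	}
	if (inet_ntop(af, buf, out, outlen) == NULL)
		return (-1);
	return (nonzero);
}

/* Returns acl_canonical()'s result if the canonical form equals want, -2 otherwise. */
int
acl_check(const char *addr, int prefix, const char *want)
{
	char canon[INET6_ADDRSTRLEN];
	int r = acl_canonical(addr, prefix, canon, sizeof canon);
	if (r < 0)
		return (r);
	return (strcmp(canon, want) == 0 ? r : -2);
}
```

For the message's own example, `acl_canonical("1.2.6.0", 22, ...)` yields `1.2.4.0` and returns 1, which is exactly the entry the new compile warning flags.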