On Wed, Feb 24, 2016 at 11:14 AM, Poul-Henning Kamp <[email protected]> wrote: > -------- <snip>
Done!
From 8f31132f8d0f78c70d4a6e086d2a0460ee87a391 Mon Sep 17 00:00:00 2001
From: Dridi Boukelmoune <[email protected]>
Date: Wed, 24 Feb 2016 11:35:16 +0100
Subject: [PATCH 1/6] Don't capture function typedefs in generate.py

---
 lib/libvcc/generate.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/libvcc/generate.py b/lib/libvcc/generate.py
index 2f9dd10..44b8b2b 100755
--- a/lib/libvcc/generate.py
+++ b/lib/libvcc/generate.py
@@ -763,6 +763,8 @@ for i in fi: continue if j[-1][-1] != ";": continue + if j[-1][-2] == ")": + continue if j[-1][:4] != "VCL_": continue d = " ".join(j[1:-1])
-- 2.5.0
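Review bot: `j[-1][-2]` indexes the second-to-last character unguarded; the check just above it only guarantees that the last token ends in `;`, so a token that is exactly `;` (e.g. `typedef int foo ;`) raises IndexError here instead of being skipped. `if j[-1].endswith(");"):` expresses the same intent and cannot fail on a one-character token. A comment on why the line exists would also help, e.g. `# skip function typedefs such as "typedef int acl_f (...);"`. The enclosing `for i in fi:` loop starts before the hunk.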
From d2b3bc8b3edb1ed08c7634acc3ac23398fb1e3a1 Mon Sep 17 00:00:00 2001
From: Dridi Boukelmoune <[email protected]>
Date: Tue, 23 Feb 2016 16:22:34 +0100
Subject: [PATCH 2/6] Allow ACLs to be used outside of transactions

---
 bin/varnishd/cache/cache_vrt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bin/varnishd/cache/cache_vrt.c b/bin/varnishd/cache/cache_vrt.c
index 50a7232..2bb697c 100644
--- a/bin/varnishd/cache/cache_vrt.c
+++ b/bin/varnishd/cache/cache_vrt.c
@@ -67,7 +67,11 @@ VRT_acl_log(VRT_CTX, const char *msg) { CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC); - VSLb(ctx->vsl, SLT_VCL_acl, "%s", msg); + AN(msg); + if (ctx->vsl != NULL) + VSLb(ctx->vsl, SLT_VCL_acl, "%s", msg); + else + VSL(SLT_VCL_acl, 0, "%s", msg); } /*--------------------------------------------------------------------*/
-- 2.5.0
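Review bot: The new `else` branch sends the ACL decision to the global log with vxid 0, which is what lets an ACL be evaluated where there is no transaction (PATCH 6 calls it from vcl_init), but nothing at the call site says so and a reader auditing ACL_MATCH/NO_MATCH records will not find them under the request's vxid. A one-line comment above the `else` would settle it, e.g. `/* No transaction (e.g. vcl_init): record under vxid 0 in the global VSL */`. The added `AN(msg)` is harmless since every caller on this page passes a literal from generated code, but it is unrelated to the transaction fix and would read better in the commit message.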
From 52f3e37520025f79677a8ea2cbb4efb5fac7e7f0 Mon Sep 17 00:00:00 2001
From: Dridi Boukelmoune <[email protected]>
Date: Tue, 23 Feb 2016 16:39:24 +0100
Subject: [PATCH 3/6] Introduce a new ACL type for VMODs

---
 include/vrt.h | 10 ++++++++++
 lib/libvcc/vcc_acl.c | 11 ++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/include/vrt.h b/include/vrt.h
index c38fc59..ccebea0 100644
--- a/include/vrt.h
+++ b/include/vrt.h
@@ -53,6 +53,7 @@ /***********************************************************************/ struct VCL_conf; +struct vrt_acl; struct busyobj; struct director; struct http;
@@ -70,6 +71,7 @@ struct ws; * (alphabetic order) */ +typedef const struct vrt_acl * VCL_ACL; typedef const struct director * VCL_BACKEND; typedef const struct vmod_priv * VCL_BLOB; typedef unsigned VCL_BOOL;
@@ -240,6 +242,14 @@ struct vrt_ref { /* ACL related */ #define VRT_ACL_MAXADDR 16 /* max(IPv4, IPv6) */ +typedef int acl_f (VRT_CTX, VCL_IP); + +struct vrt_acl { + unsigned magic; +#define VRT_ACL_MAGIC 0x78329d96 + acl_f *match; +}; + void VRT_acl_log(VRT_CTX, const char *msg); /* req related */
diff --git a/lib/libvcc/vcc_acl.c b/lib/libvcc/vcc_acl.c
index 78d9ec5..98f24d8 100644
--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -351,7 +351,7 @@ vcc_acl_emit(struct vcc *tl, const char *acln, int anon) struct token *t; struct inifin *ifp; - Fh(tl, 0, "\nstatic int\n"); + Fh(tl, 0, "\nstatic int __match_proto__(acl_f)\n"); Fh(tl, 0, "match_acl_%s_%s(VRT_CTX, const VCL_IP p)\n", anon ? "anon" : "named", acln);
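Review bot: `acl_f` and `struct vrt_acl` go into the public vrt.h and so become part of the VMOD ABI (together with VRT_acl_match in PATCH 5), yet the third vrt.h hunk documents neither the callback's return contract nor that VMODs are expected to go through VRT_acl_match rather than call `match` themselves. A comment above the typedef would fix both, e.g. `/* ACL match callback: non-zero on match, 0 on NO_MATCH. VMODs call VRT_acl_match(), not this. */` — the generated code in vcc_acl_emit returns 0 on NO_MATCH, the positive value is outside this hunk, so confirm it. The name `acl_f` also carries no `vrt_` prefix unlike the surrounding `vrt_acl`/`vrt_ref` types, which is asking for a clash with a VMOD-local identifier once it is in every VMOD's include path; `vrt_acl_f` would be safer. The vcc_acl.c hunk's `__match_proto__(acl_f)` then needs the same rename.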
@@ -443,6 +443,15 @@ vcc_acl_emit(struct vcc *tl, const char *acln, int anon) if (!anon) Fh(tl, 0, "\tVRT_acl_log(ctx, \"NO_MATCH %s\");\n", acln); Fh(tl, 0, "\treturn (0);\n}\n"); + + if (anon) + return; + + /* Emit the struct that will be referenced */ + Fh(tl, 0, "\nconst struct vrt_acl vrt_acl_named_%s = {\n", acln); + Fh(tl, 0, "\t.magic = VRT_ACL_MAGIC,\n"); + Fh(tl, 0, "\t.match = &match_acl_named_%s,\n", acln); + Fh(tl, 0, "};\n\n"); } void
-- 2.5.0
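Review bot: The emitted `vrt_acl_named_%s` object has external linkage, but its only consumer in this series is the `&vrt_acl_named_%s` expression vcc_Eval_Acl builds in the same generated C file, so it can be `static const` and stay out of the VCL shared object's exported symbol table: `Fh(tl, 0, "\nstatic const struct vrt_acl vrt_acl_named_%s = {\n", acln);`. If a later change needs to look the symbol up by name, dropping the `static` then is a one-word change. The `if (anon) return;` also deserves a word on why anonymous ACLs get no struct — presumably because nothing can name them from VCL — e.g. `/* anonymous ACLs cannot be referenced, no struct needed */`. vcc_acl_emit starts before this hunk.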
From afa6165fe68caf7756ec9ed126fb6700caf54400 Mon Sep 17 00:00:00 2001
From: Dridi Boukelmoune <[email protected]>
Date: Tue, 23 Feb 2016 17:55:13 +0100
Subject: [PATCH 4/6] Make named ACLs available to VMODs

---
 doc/sphinx/reference/vmod.rst | 5 ++++-
 lib/libvcc/vcc_acl.c | 15 +++++++++++----
 lib/libvcc/vcc_compile.h | 1 +
 lib/libvcc/vcc_expr.c | 32 ++++++++++++++++++++++++++++----
 lib/libvcc/vmodtool.py | 1 +
 5 files changed, 45 insertions(+), 9 deletions(-)

diff --git a/doc/sphinx/reference/vmod.rst b/doc/sphinx/reference/vmod.rst
index 40b7bf7..3020b5d 100644
--- a/doc/sphinx/reference/vmod.rst
+++ b/doc/sphinx/reference/vmod.rst
@@ -115,7 +115,10 @@ language representation. Here is a description of them. All but the PRIV and STRING_LIST types have typedefs: VCL_INT, VCL_REAL, etc. -.. TODO document ACL if patchwork #314 is merged +ACL + C-type: ``const struct vrt_acl *`` + + A type for named ACLs declared in VCL. BACKEND C-type: ``const struct director *``
diff --git a/lib/libvcc/vcc_acl.c b/lib/libvcc/vcc_acl.c
index 98f24d8..2fc5fa4 100644
--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -474,7 +474,7 @@ void vcc_ParseAcl(struct vcc *tl) { struct token *an; - int i; + struct symbol *sym; char acln[1024]; vcc_NextToken(tl);
@@ -490,13 +490,20 @@ vcc_ParseAcl(struct vcc *tl) an = tl->t; vcc_NextToken(tl); - i = vcc_AddDef(tl, an, SYM_ACL); - if (i > 1) { + bprintf(acln, "%.*s", PF(an)); + + sym = VCC_GetSymbolTok(tl, an, SYM_ACL); + AN(sym); + if (sym->ndef > 0) { VSB_printf(tl->sb, "ACL %.*s redefined\n", PF(an)); vcc_ErrWhere(tl, an); return; } - bprintf(acln, "%.*s", PF(an)); + sym->fmt = ACL; + sym->eval = vcc_Eval_Acl; + sym->eval_priv = TlDup(tl, acln); + sym->ndef++; + ERRCHK(tl); SkipToken(tl, '{');
diff --git a/lib/libvcc/vcc_compile.h b/lib/libvcc/vcc_compile.h
index 7816a3e..20bc18c 100644
--- a/lib/libvcc/vcc_compile.h
+++ b/lib/libvcc/vcc_compile.h
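Review bot: The second vcc_acl.c hunk replaces `vcc_AddDef(tl, an, SYM_ACL)` with a direct VCC_GetSymbolTok() plus hand-assigned `fmt`/`eval`/`eval_priv`/`ndef`, and the hunk does not show what vcc_AddDef did beyond returning a definition count; if it also recorded the defining token for later "unused" or "redefined at" diagnostics, that bookkeeping is silently dropped here — confirm against vcc_AddDef before merging. The `TlDup(tl, acln)` copy is needed because `acln` is a stack buffer (`char acln[1024]` in the first hunk) that dies with vcc_ParseAcl while the symbol lives on; a comment saying so, e.g. `/* acln is on the stack; the symbol outlives this call */`, prevents someone optimising the copy away. vcc_ParseAcl continues past the end of the hunk.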
@@ -286,6 +286,7 @@ sym_expr_t vcc_Eval_Var; sym_expr_t vcc_Eval_SymFunc; void vcc_Eval_Func(struct vcc *tl, const char *cfunc, const char *extra, const char *name, const char *args); +sym_expr_t vcc_Eval_Acl; sym_expr_t vcc_Eval_Backend; sym_expr_t vcc_Eval_Probe;
diff --git a/lib/libvcc/vcc_expr.c b/lib/libvcc/vcc_expr.c
index af3b3e7..a2dfb5b 100644
--- a/lib/libvcc/vcc_expr.c
+++ b/lib/libvcc/vcc_expr.c
@@ -494,10 +494,28 @@ vcc_Eval_BoolConst(struct vcc *tl, struct expr **e, const struct symbol *sym) */ void +vcc_Eval_Acl(struct vcc *tl, struct expr **e, const struct symbol *sym) +{ + + assert(sym->kind == SYM_ACL); + AN(sym->eval_priv); + + vcc_ExpectCid(tl); + vcc_AddRef(tl, tl->t, SYM_ACL); + *e = vcc_mk_expr(ACL, "&vrt_acl_named_%s", + (const char *)sym->eval_priv); + (*e)->constant = EXPR_VAR; /* XXX ? */ + vcc_NextToken(tl); +} +/*-------------------------------------------------------------------- + */ + +void vcc_Eval_Backend(struct vcc *tl, struct expr **e, const struct symbol *sym) { assert(sym->kind == SYM_BACKEND); + AN(sym->eval_priv); vcc_ExpectCid(tl); vcc_AddRef(tl, tl->t, SYM_BACKEND);
@@ -800,6 +818,7 @@ vcc_expr4(struct vcc *tl, struct expr **e, enum var_type fmt) struct expr *e1, *e2; const char *ip; const struct symbol *sym; + enum symkind kind; double d; int i;
@@ -819,10 +838,14 @@ vcc_expr4(struct vcc *tl, struct expr **e, enum var_type fmt) * XXX: look for SYM_VAR first for consistency ? */ sym = NULL; - if (fmt == BACKEND) - sym = VCC_FindSymbol(tl, tl->t, SYM_BACKEND); - if (fmt == PROBE) - sym = VCC_FindSymbol(tl, tl->t, SYM_PROBE); + switch (fmt) { + case ACL: kind = SYM_ACL; break; + case BACKEND: kind = SYM_BACKEND; break; + case PROBE: kind = SYM_PROBE; break; + default: kind = SYM_NONE; + } + if (kind != SYM_NONE) + sym = VCC_FindSymbol(tl, tl->t, kind); if (sym == NULL) sym = VCC_FindSymbol(tl, tl->t, SYM_VAR); if (sym == NULL)
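Review bot: `(*e)->constant = EXPR_VAR; /* XXX ? */` in the new vcc_Eval_Acl commits an open question: the expression is the address of a file-scope `const struct vrt_acl`, a link-time constant, so the right classification is whatever vcc_Eval_Backend sets for the analogous backend reference (that assignment is outside this hunk); copy it and replace the XXX with a comment stating the choice, e.g. `/* address of a file-scope const object: same treatment as a backend reference */`. Two smaller points in the same hunk: the `AN(sym->eval_priv);` added to vcc_Eval_Backend is unrelated to ACLs and belongs in its own commit, and the `/*-----` separator after vcc_Eval_Acl's closing brace is missing the blank line the file puts before every other separator. In the vcc_expr4 hunk further down, `default: kind = SYM_NONE;` is fine as the last arm, but a trailing `break;` keeps it safe when someone appends a case later.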
@@ -841,6 +864,7 @@ vcc_expr4(struct vcc *tl, struct expr **e, enum var_type fmt) switch(sym->kind) { case SYM_VAR: case SYM_FUNC: + case SYM_ACL: case SYM_BACKEND: case SYM_PROBE: AN(sym->eval);
diff --git a/lib/libvcc/vmodtool.py b/lib/libvcc/vmodtool.py
index bb29bd4..024d78a 100755
--- a/lib/libvcc/vmodtool.py
+++ b/lib/libvcc/vmodtool.py
@@ -46,6 +46,7 @@ from os.path import dirname, exists, join, realpath from pprint import pprint, pformat ctypes = { + 'ACL': "VCL_ACL", 'BACKEND': "VCL_BACKEND", 'BLOB': "VCL_BLOB", 'BOOL': "VCL_BOOL",
-- 2.5.0
From 34277aae5ec4e4ce89dc793cc22be3640e1bd161 Mon Sep 17 00:00:00 2001
From: Dridi Boukelmoune <[email protected]>
Date: Tue, 23 Feb 2016 18:26:08 +0100
Subject: [PATCH 5/6] Add a new VRT_acl_match function to the VMODs ABI

VRT_MINOR_VERSION needs to be incremented for the 4.1 branch.
---
 bin/varnishd/cache/cache_vrt.c | 11 +++++++++++
 include/vrt.h | 1 +
 2 files changed, 12 insertions(+)

diff --git a/bin/varnishd/cache/cache_vrt.c b/bin/varnishd/cache/cache_vrt.c
index 2bb697c..a82b1e4 100644
--- a/bin/varnishd/cache/cache_vrt.c
+++ b/bin/varnishd/cache/cache_vrt.c
@@ -39,6 +39,7 @@ #include "vcl.h" #include "vrt.h" #include "vrt_obj.h" +#include "vsa.h" #include "vtcp.h" #include "vtim.h"
@@ -74,6 +75,16 @@ VRT_acl_log(VRT_CTX, const char *msg) VSL(SLT_VCL_acl, 0, "%s", msg); } +int +VRT_acl_match(VRT_CTX, VCL_ACL acl, VCL_IP ip) +{ + + CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC); + CHECK_OBJ_NOTNULL(acl, VRT_ACL_MAGIC); + assert(VSA_Sane(ip)); + return (acl->match(ctx, ip)); +} + /*--------------------------------------------------------------------*/ struct http *
diff --git a/include/vrt.h b/include/vrt.h
index ccebea0..ae30ee4 100644
--- a/include/vrt.h
+++ b/include/vrt.h
@@ -251,6 +251,7 @@ struct vrt_acl { }; void VRT_acl_log(VRT_CTX, const char *msg); +int VRT_acl_match(VRT_CTX, VCL_ACL, VCL_IP); /* req related */
-- 2.5.0
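Review bot: The commit message says VRT_MINOR_VERSION needs to be incremented, but the diffstat shows the only vrt.h change is the one-line prototype, so the ABI bump is left for someone else to remember; it should land in this same commit so the version check travels with the symbol a VMOD will start depending on. In VRT_acl_match itself, `CHECK_OBJ_NOTNULL(acl, VRT_ACL_MAGIC)` validates the magic but not the function pointer the next line jumps through; an `AN(acl->match);` before the call turns a malformed struct handed in by a VMOD into a clear assertion rather than a jump to NULL. The vrt.h prototype `int VRT_acl_match(VRT_CTX, VCL_ACL, VCL_IP);` also drops the parameter names that VRT_acl_log keeps on the line above it; `int VRT_acl_match(VRT_CTX, VCL_ACL acl, VCL_IP ip);` matches its neighbour.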
From 9e8a3cc6271828e2538f7c529b0123d5f97eb7e1 Mon Sep 17 00:00:00 2001
From: Dridi Boukelmoune <[email protected]>
Date: Tue, 23 Feb 2016 18:44:14 +0100
Subject: [PATCH 6/6] Test VMOD ACLs using vmod-debug

---
 bin/varnishtest/tests/m00023.vtc | 32 ++++++++++++++++++++++++++++++++
 lib/libvmod_debug/vmod.vcc | 4 ++++
 lib/libvmod_debug/vmod_debug.c | 12 ++++++++++++
 3 files changed, 48 insertions(+)
 create mode 100644 bin/varnishtest/tests/m00023.vtc

diff --git a/bin/varnishtest/tests/m00023.vtc b/bin/varnishtest/tests/m00023.vtc
new file mode 100644
index 0000000..b45d5bf
--- /dev/null
+++ b/bin/varnishtest/tests/m00023.vtc
@@ -0,0 +1,32 @@
+varnishtest "Test VMOD ACLs"
+
+varnish v1 -vcl {
+ import debug;
+
+ backend dummy {
+ .host = "${bad_ip}";
+ }
+
+ acl loopback {
+ "127"/24;
+ }
+
+ sub vcl_init {
+ if (!debug.match_acl(loopback, "127.0.0.127")) {
+ debug.init_fail();
+ }
+ }
+
+ sub vcl_recv {
+ if (debug.match_acl(loopback, client.ip)) {
+ return (synth(200));
+ }
+ return (synth(500));
+ }
+} -start
+
+client c1 {
+ txreq
+ rxresp
+ expect resp.status == 200
+} -run
diff --git a/lib/libvmod_debug/vmod.vcc b/lib/libvmod_debug/vmod.vcc
index d0ebe1c..1725689 100644
--- a/lib/libvmod_debug/vmod.vcc
+++ b/lib/libvmod_debug/vmod.vcc
@@ -150,3 +150,7 @@ Reset to the previous snapshot of a workspace, taken from debug.workspace_snap. $Function VOID vcl_release_delay(DURATION) Hold a reference to the VCL when it goes cold for the given delay. + +$Function BOOL match_acl(ACL acl, IP ip) + +Perform an IP match against a named ACL.
diff --git a/lib/libvmod_debug/vmod_debug.c b/lib/libvmod_debug/vmod_debug.c
index 1e1b71f..d1e79ed 100644
--- a/lib/libvmod_debug/vmod_debug.c
+++ b/lib/libvmod_debug/vmod_debug.c
@@ -36,6 +36,7 @@ #include "vcl.h" #include "vrt.h" +#include "vsa.h" #include "vsb.h" #include "vtim.h" #include "vcc_if.h"
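Review bot: m00023.vtc only exercises the positive path — both the vcl_init check and the client request present an address inside `"127"/24` — so a VRT_acl_match that unconditionally returned 1 would pass this test. A second vcl_init check with an address the ACL must reject closes that hole, e.g. `if (debug.match_acl(loopback, "10.1.2.3")) { debug.init_fail(); }` (constructed address, any non-127/8 one will do). It is also worth a comment in the test that the vcl_init call deliberately runs outside any transaction, since that is exactly the case PATCH 2's global-VSL fallback in VRT_acl_log exists for and nothing else in the series covers it.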
@@ -466,3 +467,14 @@ vmod_vcl_release_delay(VRT_CTX, VCL_DURATION delay) assert(delay > 0.0); vcl_release_delay = delay; } + +VCL_BOOL +vmod_match_acl(VRT_CTX, VCL_ACL acl, VCL_IP ip) +{ + + CHECK_OBJ_ORNULL(ctx, VRT_CTX_MAGIC); + CHECK_OBJ_ORNULL(acl, VRT_ACL_MAGIC); + assert(VSA_Sane(ip)); + + return (VRT_acl_match(ctx, acl, ip)); +}
-- 2.5.0
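Review bot: `CHECK_OBJ_ORNULL(ctx, VRT_CTX_MAGIC)` and `CHECK_OBJ_ORNULL(acl, VRT_ACL_MAGIC)` accept NULL, but VRT_acl_match (PATCH 5) immediately does `CHECK_OBJ_NOTNULL` on both, so a NULL only asserts one frame deeper and the ORNULL reads as a promise the wrapper cannot keep. Either use `CHECK_OBJ_NOTNULL` here so the vmod's own contract is stated correctly, or drop the two checks and the duplicated `assert(VSA_Sane(ip));` and let VRT_acl_match validate once. A one-line comment noting that the VCC compiler never passes a NULL acl for a named ACL argument would explain whichever choice is made. vmod_vcl_release_delay above starts before the hunk.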
