Add support for checking "server.ip" in addition to "client.ip".

The definition of "server.ip" is what getsockname(2) returns
for our end of the connection.

Don't report ACL matches for acls created as a result of '==' or
'!=' usage on IP number variables.

Move storage for sess->sockaddr away from sessmem and expose
more code to <sys/socket.h>.  This is a network application
after all.

XXX: somebody with IPv6 connectivity needs to look at
ACLs in IPv6 context.

git-svn-id: svn+ssh://projects.linpro.no/svn/varnish/trunk@1390 d4fa192b-c00b-0410-8231-f00ffab90ce4

diff --git a/varnish-cache/bin/varnishd/cache.h b/varnish-cache/bin/varnishd/cache.h
index 13ee72a3ecc6d1e90b36d7f3aff5a23c205b9e7a..1b86bfc1787722d82dcfcf34b8f905ffd8967511 100644 (file)
--- a/varnish-cache/bin/varnishd/cache.h
+++ b/varnish-cache/bin/varnishd/cache.h
@@ -31,6 +31,7 @@
 
 #include <sys/time.h>
 #include <sys/uio.h>
+#include <sys/socket.h>
 
 #include <pthread.h>
 #include <stdint.h>
@@ -255,7 +256,8 @@ struct sess {
        struct worker           *wrk;
 
        unsigned                sockaddrlen;
-       struct sockaddr         *sockaddr;
+       struct sockaddr         sockaddr[2];
+       struct sockaddr         mysockaddr[2];
 
        /* formatted ascii client address */
        char                    addr[TCP_ADDRBUFSIZE];

diff --git a/varnish-cache/bin/varnishd/cache_session.c b/varnish-cache/bin/varnishd/cache_session.c
index 942a61b1e130dad3a084ddba5bcf6d0cdaa109da..0a765ec44a5bf87eccb87a4b3fad264a704812f9 100644 (file)
--- a/varnish-cache/bin/varnishd/cache_session.c
+++ b/varnish-cache/bin/varnishd/cache_session.c
@@ -65,7 +65,6 @@ struct sessmem {
 
        struct sess             sess;
        struct http             http;
-       struct sockaddr         sockaddr[2];    /* INET6 hack */
        unsigned                workspace;
        TAILQ_ENTRY(sessmem)    list;
 };
@@ -298,8 +297,7 @@ SES_New(struct sockaddr *addr, unsigned len)
        sm->sess.mem = sm;
        sm->sess.http = &sm->http;
 
-       sm->sess.sockaddr = sm->sockaddr;
-       assert(len < sizeof(sm->sockaddr));
+       assert(len < sizeof(sm->sess.sockaddr));
        if (addr != NULL) {
                memcpy(sm->sess.sockaddr, addr, len);
                sm->sess.sockaddrlen = len;

diff --git a/varnish-cache/bin/varnishd/cache_vrt.c b/varnish-cache/bin/varnishd/cache_vrt.c
index 11b2c5d723b56c8cbfb467a66d58afa2310fe7e3..46c101e9be034737ab7da018e44021d3073a88d8 100644 (file)
--- a/varnish-cache/bin/varnishd/cache_vrt.c
+++ b/varnish-cache/bin/varnishd/cache_vrt.c
@@ -250,3 +250,25 @@ VRT_r_req_##n1(struct sess *sp)                            \
 VREQ(request, HTTP_HDR_REQ)
 VREQ(url, HTTP_HDR_URL)
 VREQ(proto, HTTP_HDR_PROTO)
+
+/*--------------------------------------------------------------------*/
+
+struct sockaddr *
+VRT_r_client_ip(struct sess *sp)
+{
+       return (sp->sockaddr);
+}
+
+struct sockaddr *
+VRT_r_server_ip(struct sess *sp)
+{
+       socklen_t l;
+
+       if (sp->mysockaddr->sa_len == 0) {
+               l = sizeof sp->mysockaddr;
+               AZ(getsockname(sp->fd, sp->mysockaddr, &l));
+               assert(l == sp->mysockaddr->sa_len);
+       }
+
+       return (sp->mysockaddr);
+}

diff --git a/varnish-cache/bin/varnishd/cache_vrt_acl.c b/varnish-cache/bin/varnishd/cache_vrt_acl.c
index ad26b1dd1069e66c7ab462986fd2a2f1783a8b91..1d13b38c924399c03e55bb827789d1da3c51d272 100644 (file)
--- a/varnish-cache/bin/varnishd/cache_vrt_acl.c
+++ b/varnish-cache/bin/varnishd/cache_vrt_acl.c
@@ -60,35 +60,37 @@ static uint32_t ipv4mask[] = {
 };
 
 static int
-vrt_acl_vsl(struct sess *sp, const char *acl, struct vrt_acl *ap, int r)
+vrt_acl_vsl(struct sess *sp, const char *acln, struct vrt_acl *ap, int r)
 {
 
        AN(ap);
-       if (ap->name == NULL) {
-               assert(r == 0);
-               VSL(SLT_VCL_acl, sp->fd, "NO_MATCH %s", acl);
-               return (r);
-       }
-       if (ap->priv == NULL) {
-               assert(r == 0);
-               VSL(SLT_VCL_acl, sp->fd, "FAIL %s %s", acl, ap->desc);
-               return (r);
-       }
+       if (acln != NULL) {
+               if (ap->name == NULL) {
+                       assert(r == 0);
+                       VSL(SLT_VCL_acl, sp->fd, "NO_MATCH %s", acln);
+                       return (r);
+               }
+               if (ap->priv == NULL) {
+                       assert(r == 0);
+                       VSL(SLT_VCL_acl, sp->fd, "FAIL %s %s", acln, ap->desc);
+                       return (r);
+               }
 
-       VSL(SLT_VCL_acl, sp->fd, "%s %s %s",
-               r ? "MATCH" : "NEG_MATCH", acl, ap->desc);
+               VSL(SLT_VCL_acl, sp->fd, "%s %s %s",
+                       r ? "MATCH" : "NEG_MATCH", acln, ap->desc);
+       }
        return (r);
 }
 
 int
-VRT_acl_match(struct sess *sp, const char *acl, struct vrt_acl *ap)
+VRT_acl_match(struct sess *sp, struct sockaddr *sa, const char *acln, struct vrt_acl *ap)
 {
        struct addrinfo *a1;
        struct sockaddr_in *sin1, *sin2;
 
-       if (sp->sockaddr->sa_family == AF_INET) {
-               assert(sp->sockaddrlen >= sizeof *sin1);
-               sin1 = (void*)sp->sockaddr;
+       if (sa->sa_family == AF_INET) {
+               assert(sa->sa_len >= sizeof *sin1);
+               sin1 = (void*)sa;
        } else {
                sin1 = NULL;
        }
@@ -97,7 +99,7 @@ VRT_acl_match(struct sess *sp, const char *acl, struct vrt_acl *ap)
                if (ap->priv == NULL && ap->paren)
                        continue;
                if (ap->priv == NULL && ap->not) {
-                       return (vrt_acl_vsl(sp, acl, ap, 0));
+                       return (vrt_acl_vsl(sp, acln, ap, 0));
                }
                if (ap->priv == NULL)
                        continue;
@@ -116,16 +118,16 @@ VRT_acl_match(struct sess *sp, const char *acl, struct vrt_acl *ap)
                                    htonl(sin2->sin_addr.s_addr)) &
                                    ipv4mask[ap->mask > 32 ? 32 : ap->mask]))
                                        return (
-                                           vrt_acl_vsl(sp, acl, ap, !ap->not));
+                                           vrt_acl_vsl(sp, acln, ap, !ap->not));
                                continue;
                        }
 
                        /* Not rules for unknown protos match */
                        if (ap->not)
-                               return (vrt_acl_vsl(sp, acl, ap, 0));
+                               return (vrt_acl_vsl(sp, acln, ap, 0));
                }
        }
-       return (vrt_acl_vsl(sp, acl, ap, 0));
+       return (vrt_acl_vsl(sp, acln, ap, 0));
 }
 
 void
@@ -164,5 +166,3 @@ VRT_acl_fini(struct vrt_acl *ap)
                freeaddrinfo(a1);
        }
 }
-
-

diff --git a/varnish-cache/include/vrt.h b/varnish-cache/include/vrt.h
index 07c90eb15f743058cffbd93272e342268b866689..43bfb0f2c9dc97c574a7fac45d3b66c86c7ee649 100644 (file)
--- a/varnish-cache/include/vrt.h
+++ b/varnish-cache/include/vrt.h
@@ -38,6 +38,7 @@ struct sess;
 struct vsb;
 struct backend;
 struct VCL_conf;
+struct sockaddr;
 
 struct vrt_ref {
        unsigned        source;
@@ -58,7 +59,7 @@ struct vrt_acl {
 };
 
 /* ACL related */
-int VRT_acl_match(struct sess *, const char *, struct vrt_acl *);
+int VRT_acl_match(struct sess *, struct sockaddr *, const char *, struct vrt_acl *);
 void VRT_acl_init(struct vrt_acl *);
 void VRT_acl_fini(struct vrt_acl *);
 

diff --git a/varnish-cache/include/vrt_obj.h b/varnish-cache/include/vrt_obj.h
index f0d4fefc7a0e8818076519922003a99288f510b2..9eba3c0d5cffddf52fb83353daecf0c55b82e391 100644 (file)
--- a/varnish-cache/include/vrt_obj.h
+++ b/varnish-cache/include/vrt_obj.h
@@ -12,8 +12,10 @@ const char * VRT_r_backend_port(struct backend *);
 void VRT_l_backend_port(struct backend *, const char *);
 double VRT_r_backend_dnsttl(struct backend *);
 void VRT_l_backend_dnsttl(struct backend *, double);
-const unsigned char * VRT_r_client_ip(struct sess *);
-void VRT_l_client_ip(struct sess *, const unsigned char *);
+struct sockaddr * VRT_r_client_ip(struct sess *);
+void VRT_l_client_ip(struct sess *, struct sockaddr *);
+struct sockaddr * VRT_r_server_ip(struct sess *);
+void VRT_l_server_ip(struct sess *, struct sockaddr *);
 const char * VRT_r_req_request(struct sess *);
 void VRT_l_req_request(struct sess *, const char *);
 const char * VRT_r_req_host(struct sess *);

diff --git a/varnish-cache/lib/libvcl/vcc_acl.c b/varnish-cache/lib/libvcl/vcc_acl.c
index db0063b71df1e68199bdd5e488739739e14909f7..880cf3dd5e4de5653102a4314fa4a7b6bce75f37 100644 (file)
--- a/varnish-cache/lib/libvcl/vcc_acl.c
+++ b/varnish-cache/lib/libvcl/vcc_acl.c
@@ -113,15 +113,13 @@ vcc_Cond_Ip(struct var *vp, struct tokenlist *tl)
        unsigned tcond;
        char *acln;
 
-       (void)vp;       /* only client.ip at this time */
-
        switch (tl->t->tok) {
        case '~':
                vcc_NextToken(tl);
                ExpectErr(tl, ID);
                vcc_AddRef(tl, tl->t, R_ACL);
-               Fb(tl, 1, "VRT_acl_match(sp, \"%.*s\", acl_%.*s)\n",
-                   PF(tl->t), PF(tl->t));
+               Fb(tl, 1, "VRT_acl_match(sp, %s, \"%.*s\", acl_%.*s)\n",
+                   vp->rname, PF(tl->t), PF(tl->t));
                vcc_NextToken(tl);
                break;
        case T_EQ:
@@ -133,8 +131,8 @@ vcc_Cond_Ip(struct var *vp, struct tokenlist *tl)
                vcc_acl_top(tl, acln);
                vcc_acl_entry(tl);
                vcc_acl_bot(tl, acln);
-               Fb(tl, 1, "%sVRT_acl_match(sp, \"%s\", acl_%s)\n",
-                   (tcond == T_NEQ ? "!" : ""), acln, acln);
+               Fb(tl, 1, "%sVRT_acl_match(sp, %s, 0, acl_%s)\n",
+                   (tcond == T_NEQ ? "!" : ""), vp->rname, acln);
                free(acln);
                break;
        default:

diff --git a/varnish-cache/lib/libvcl/vcc_fixed_token.c b/varnish-cache/lib/libvcl/vcc_fixed_token.c
index 69e8a7782129087990292080c9b5c2069efd4e05..e78e01682bf7969f3f318afb24f50b8f8b2f310f 100644 (file)
--- a/varnish-cache/lib/libvcl/vcc_fixed_token.c
+++ b/varnish-cache/lib/libvcl/vcc_fixed_token.c
@@ -391,6 +391,7 @@ vcl_output_lang_h(struct vsb *sb)
        vsb_cat(sb, "struct vsb;\n");
        vsb_cat(sb, "struct backend;\n");
        vsb_cat(sb, "struct VCL_conf;\n");
+       vsb_cat(sb, "struct sockaddr;\n");
        vsb_cat(sb, "\n");
        vsb_cat(sb, "struct vrt_ref {\n");
        vsb_cat(sb, "   unsigned        source;\n");
@@ -411,7 +412,7 @@ vcl_output_lang_h(struct vsb *sb)
        vsb_cat(sb, "};\n");
        vsb_cat(sb, "\n");
        vsb_cat(sb, "/* ACL related */\n");
-       vsb_cat(sb, "int VRT_acl_match(struct sess *, const char *, struct vrt_acl *);\n");
+       vsb_cat(sb, "int VRT_acl_match(struct sess *, struct sockaddr *, const char *, struct vrt_acl *);\n");
        vsb_cat(sb, "void VRT_acl_init(struct vrt_acl *);\n");
        vsb_cat(sb, "void VRT_acl_fini(struct vrt_acl *);\n");
        vsb_cat(sb, "\n");
@@ -455,8 +456,10 @@ vcl_output_lang_h(struct vsb *sb)
        vsb_cat(sb, "void VRT_l_backend_port(struct backend *, const char *);\n");
        vsb_cat(sb, "double VRT_r_backend_dnsttl(struct backend *);\n");
        vsb_cat(sb, "void VRT_l_backend_dnsttl(struct backend *, double);\n");
-       vsb_cat(sb, "const unsigned char * VRT_r_client_ip(struct sess *);\n");
-       vsb_cat(sb, "void VRT_l_client_ip(struct sess *, const unsigned char *);\n");
+       vsb_cat(sb, "struct sockaddr * VRT_r_client_ip(struct sess *);\n");
+       vsb_cat(sb, "void VRT_l_client_ip(struct sess *, struct sockaddr *);\n");
+       vsb_cat(sb, "struct sockaddr * VRT_r_server_ip(struct sess *);\n");
+       vsb_cat(sb, "void VRT_l_server_ip(struct sess *, struct sockaddr *);\n");
        vsb_cat(sb, "const char * VRT_r_req_request(struct sess *);\n");
        vsb_cat(sb, "void VRT_l_req_request(struct sess *, const char *);\n");
        vsb_cat(sb, "const char * VRT_r_req_host(struct sess *);\n");

diff --git a/varnish-cache/lib/libvcl/vcc_gen_obj.tcl b/varnish-cache/lib/libvcl/vcc_gen_obj.tcl
index 2364bed1c4723ba822b552011568ccde1ab88945..b25116949bfc3d80218d05a5c479c29b96a8cfb4 100755 (executable)
--- a/varnish-cache/lib/libvcl/vcc_gen_obj.tcl
+++ b/varnish-cache/lib/libvcl/vcc_gen_obj.tcl
@@ -41,6 +41,7 @@ set beobj {
 
 set spobj {
        { client.ip             IP }
+       { server.ip             IP }
        { req.request           STRING }
        { req.host              STRING }
         { req.url              STRING }
@@ -53,7 +54,7 @@ set spobj {
         { resp.http.           HEADER }
 }
 
-set tt(IP)     "const unsigned char *"
+set tt(IP)     "struct sockaddr *"
 set tt(STRING) "const char *"
 set tt(BOOL)   "double"
 set tt(BACKEND)        "struct backend *"

diff --git a/varnish-cache/lib/libvcl/vcc_obj.c b/varnish-cache/lib/libvcl/vcc_obj.c
index bed7a67ff7d825512184318beb01afa9fcbeae4e..ce244d32b8ce7c51069a0f82b1faba9f4b2d7e11 100644 (file)
--- a/varnish-cache/lib/libvcl/vcc_obj.c
+++ b/varnish-cache/lib/libvcl/vcc_obj.c
@@ -30,6 +30,10 @@ struct var vcc_vars[] = {
            "VRT_r_client_ip(sp)",
            "VRT_l_client_ip(sp, ",
        },
+       { "server.ip", IP, 9,
+           "VRT_r_server_ip(sp)",
+           "VRT_l_server_ip(sp, ",
+       },
        { "req.request", STRING, 11,
            "VRT_r_req_request(sp)",
            "VRT_l_req_request(sp, ",