From: phk Date: Wed, 9 May 2007 08:39:50 +0000 (+0000) Subject: Add support for checking "server.ip" in addition to "client.ip". X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0823583900e2c7c6a4ba91ae6a19f14e5c30abdb;p=varnish Add support for checking "server.ip" in addition to "client.ip". The definition of "server.ip" is what getsockname(2) returns for our end of the connection. Don't report ACL matches for acls created as a result of '==' or '!=' usage on IP number variables. Move storage for sess->sockaddr away from sessmem and expose more code to . This is a network application after all. XXX: somebody with IPv6 connectivity needs to look at ACLs in IPv6 context. git-svn-id: svn+ssh://projects.linpro.no/svn/varnish/trunk@1390 d4fa192b-c00b-0410-8231-f00ffab90ce4 --- diff --git a/varnish-cache/bin/varnishd/cache.h b/varnish-cache/bin/varnishd/cache.h index 13ee72a3..1b86bfc1 100644 --- a/varnish-cache/bin/varnishd/cache.h +++ b/varnish-cache/bin/varnishd/cache.h @@ -31,6 +31,7 @@ #include #include +#include #include #include @@ -255,7 +256,8 @@ struct sess { struct worker *wrk; unsigned sockaddrlen; - struct sockaddr *sockaddr; + struct sockaddr sockaddr[2]; + struct sockaddr mysockaddr[2]; /* formatted ascii client address */ char addr[TCP_ADDRBUFSIZE]; diff --git a/varnish-cache/bin/varnishd/cache_session.c b/varnish-cache/bin/varnishd/cache_session.c index 942a61b1..0a765ec4 100644 --- a/varnish-cache/bin/varnishd/cache_session.c +++ b/varnish-cache/bin/varnishd/cache_session.c @@ -65,7 +65,6 @@ struct sessmem { struct sess sess; struct http http; - struct sockaddr sockaddr[2]; /* INET6 hack */ unsigned workspace; TAILQ_ENTRY(sessmem) list; }; 
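Review bot: The new `sockaddr[2]` and `mysockaddr[2]` members of `struct sess` lose the `/* INET6 hack */` comment that explained the `[2]` while the array lived in `struct sessmem` (removed in the cache_session.c hunk at the end of this line), so a reader has to guess why two `struct sockaddr` are reserved per address. Suggest carrying the explanation over, e.g. `struct sockaddr sockaddr[2]; /* [2]: room for a sockaddr_in6 */` and the same on `mysockaddr`. Note also that `sockaddrlen` still describes only `sockaddr`: `mysockaddr` gets no length member, and the code that fills it in cache_vrt.c identifies a populated entry by `sa_len`, a field only BSD-derived `struct sockaddr` has. The `struct sess` definition continues outside the hunk.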
@@ -298,8 +297,7 @@ SES_New(struct sockaddr *addr, unsigned len) sm->sess.mem = sm; sm->sess.http = &sm->http; - sm->sess.sockaddr = sm->sockaddr; - assert(len < sizeof(sm->sockaddr)); + assert(len < sizeof(sm->sess.sockaddr)); if (addr != NULL) { memcpy(sm->sess.sockaddr, addr, len); sm->sess.sockaddrlen = len; diff --git a/varnish-cache/bin/varnishd/cache_vrt.c b/varnish-cache/bin/varnishd/cache_vrt.c index 11b2c5d7..46c101e9 100644 --- a/varnish-cache/bin/varnishd/cache_vrt.c +++ b/varnish-cache/bin/varnishd/cache_vrt.c @@ -250,3 +250,25 @@ VRT_r_req_##n1(struct sess *sp) \ VREQ(request, HTTP_HDR_REQ) VREQ(url, HTTP_HDR_URL) VREQ(proto, HTTP_HDR_PROTO) + +/*--------------------------------------------------------------------*/ + +struct sockaddr * +VRT_r_client_ip(struct sess *sp) +{ + return (sp->sockaddr); +} + +struct sockaddr * +VRT_r_server_ip(struct sess *sp) +{ + socklen_t l; + + if (sp->mysockaddr->sa_len == 0) { + l = sizeof sp->mysockaddr; + AZ(getsockname(sp->fd, sp->mysockaddr, &l)); + assert(l == sp->mysockaddr->sa_len); + } + + return (sp->mysockaddr); +} diff --git a/varnish-cache/bin/varnishd/cache_vrt_acl.c b/varnish-cache/bin/varnishd/cache_vrt_acl.c index ad26b1dd..1d13b38c 100644 --- a/varnish-cache/bin/varnishd/cache_vrt_acl.c +++ b/varnish-cache/bin/varnishd/cache_vrt_acl.c 
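Review bot: The retained bound `assert(len < sizeof(sm->sess.sockaddr))` rejects an address that is exactly `sizeof(sm->sess.sockaddr)` bytes long although the following `memcpy` of `len` bytes would fit; the exact bound is `assert(len <= sizeof(sm->sess.sockaddr));`. With two `struct sockaddr` of storage this is presumably latent for the AF_INET and AF_INET6 sizes, but `len` arrives from the accept path and this assert is the only check between it and the copy. SES_New starts before this hunk.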
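Review bot: `AZ(getsockname(sp->fd, sp->mysockaddr, &l))` in VRT_r_server_ip turns a failed system call into an assertion abort of the worker process, and this path runs on demand whenever VCL evaluates `server.ip`, so one EBADF/ENOBUFS-style failure on a single session terminates every session the child is serving. Prefer an explicit check that logs errno and leaves `mysockaddr` zeroed: its `sa_family` is then 0 (AF_UNSPEC) and VRT_acl_match already treats a non-AF_INET address as an unknown protocol rather than crashing, while the `sa_len == 0` test simply retries on the next lookup. The populated/unpopulated test and `assert(l == sp->mysockaddr->sa_len)` both rely on the BSD-only `sa_len` member, and VRT_acl_match in cache_vrt_acl.c (next line) now checks `sa->sa_len` in place of the `sp->sockaddrlen` it used before; on systems whose `struct sockaddr` lacks `sa_len` this does not compile, and the natural fix is to keep the length `l` that getsockname() returns in a `mysockaddrlen` member next to `sockaddrlen` and pass lengths to VRT_acl_match. The function also assumes `mysockaddr` is zero on a fresh session, which this patch does not show being established.
```c
struct sockaddr *
VRT_r_server_ip(struct sess *sp)
{
	socklen_t l;

	if (sp->mysockaddr->sa_len == 0) {
		l = sizeof sp->mysockaddr;
		if (getsockname(sp->fd, sp->mysockaddr, &l) != 0) {
			/* TODO(review): record errno in the shmlog; leave the address
			 * zeroed (AF_UNSPEC) so ACL matching treats it as unknown */
			memset(sp->mysockaddr, 0, sizeof sp->mysockaddr);
			return (sp->mysockaddr);
		}
		assert(l == sp->mysockaddr->sa_len);
	}
	return (sp->mysockaddr);
}
```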
@@ -60,35 +60,37 @@ static uint32_t ipv4mask[] = { }; static int -vrt_acl_vsl(struct sess *sp, const char *acl, struct vrt_acl *ap, int r) +vrt_acl_vsl(struct sess *sp, const char *acln, struct vrt_acl *ap, int r) { AN(ap); - if (ap->name == NULL) { - assert(r == 0); - VSL(SLT_VCL_acl, sp->fd, "NO_MATCH %s", acl); - return (r); - } - if (ap->priv == NULL) { - assert(r == 0); - VSL(SLT_VCL_acl, sp->fd, "FAIL %s %s", acl, ap->desc); - return (r); - } + if (acln != NULL) { + if (ap->name == NULL) { + assert(r == 0); + VSL(SLT_VCL_acl, sp->fd, "NO_MATCH %s", acln); + return (r); + } + if (ap->priv == NULL) { + assert(r == 0); + VSL(SLT_VCL_acl, sp->fd, "FAIL %s %s", acln, ap->desc); + return (r); + } - VSL(SLT_VCL_acl, sp->fd, "%s %s %s", - r ? "MATCH" : "NEG_MATCH", acl, ap->desc); + VSL(SLT_VCL_acl, sp->fd, "%s %s %s", + r ? "MATCH" : "NEG_MATCH", acln, ap->desc); + } return (r); } int -VRT_acl_match(struct sess *sp, const char *acl, struct vrt_acl *ap) +VRT_acl_match(struct sess *sp, struct sockaddr *sa, const char *acln, struct vrt_acl *ap) { struct addrinfo *a1; struct sockaddr_in *sin1, *sin2; - if (sp->sockaddr->sa_family == AF_INET) { - assert(sp->sockaddrlen >= sizeof *sin1); - sin1 = (void*)sp->sockaddr; + if (sa->sa_family == AF_INET) { + assert(sa->sa_len >= sizeof *sin1); + sin1 = (void*)sa; } else { sin1 = NULL; } @@ -97,7 +99,7 @@ VRT_acl_match(struct sess *sp, const char *acl, struct vrt_acl *ap) if (ap->priv == NULL && ap->paren) continue; if (ap->priv == NULL && ap->not) { - return (vrt_acl_vsl(sp, acl, ap, 0)); + return (vrt_acl_vsl(sp, acln, ap, 0)); } if (ap->priv == NULL) continue; 
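Review bot: When `acln` is NULL (the `==`/`!=` form generated by vcc_acl.c), vrt_acl_vsl now skips not only the MATCH/NEG_MATCH records but also the `FAIL %s %s` record and its `assert(r == 0)`, so an IP comparison whose entry could not be prepared (`ap->priv == NULL`, presumably a failed address resolution in VRT_acl_init) silently evaluates to false with nothing in the log. Suppressing the match records is the stated intent of the commit; the FAIL case is an operator-visible error that changes the policy outcome and is worth keeping, e.g. by narrowing the `acln != NULL` test to the MATCH/NEG_MATCH `VSL()` and logging `FAIL %s` with `ap->desc` alone when there is no name. Since VRT_acl_match only reads through `sa`, the parameter could be `const struct sockaddr *sa`, in the vrt.h prototype and the vcc_fixed_token.c copy as well. VRT_acl_match's body continues in the next hunk.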
@@ -116,16 +118,16 @@ VRT_acl_match(struct sess *sp, const char *acl, struct vrt_acl *ap) htonl(sin2->sin_addr.s_addr)) & ipv4mask[ap->mask > 32 ? 32 : ap->mask])) return ( - vrt_acl_vsl(sp, acl, ap, !ap->not)); + vrt_acl_vsl(sp, acln, ap, !ap->not)); continue; } /* Not rules for unknown protos match */ if (ap->not) - return (vrt_acl_vsl(sp, acl, ap, 0)); + return (vrt_acl_vsl(sp, acln, ap, 0)); } } - return (vrt_acl_vsl(sp, acl, ap, 0)); + return (vrt_acl_vsl(sp, acln, ap, 0)); } void @@ -164,5 +166,3 @@ VRT_acl_fini(struct vrt_acl *ap) freeaddrinfo(a1); } } - - diff --git a/varnish-cache/include/vrt.h b/varnish-cache/include/vrt.h index 07c90eb1..43bfb0f2 100644 --- a/varnish-cache/include/vrt.h +++ b/varnish-cache/include/vrt.h @@ -38,6 +38,7 @@ struct sess; struct vsb; struct backend; struct VCL_conf; +struct sockaddr; struct vrt_ref { unsigned source; @@ -58,7 +59,7 @@ struct vrt_acl { }; /* ACL related */ -int VRT_acl_match(struct sess *, const char *, struct vrt_acl *); +int VRT_acl_match(struct sess *, struct sockaddr *, const char *, struct vrt_acl *); void VRT_acl_init(struct vrt_acl *); void VRT_acl_fini(struct vrt_acl *); diff --git a/varnish-cache/include/vrt_obj.h b/varnish-cache/include/vrt_obj.h index f0d4fefc..9eba3c0d 100644 --- a/varnish-cache/include/vrt_obj.h +++ b/varnish-cache/include/vrt_obj.h 
@@ -12,8 +12,10 @@ const char * VRT_r_backend_port(struct backend *); void VRT_l_backend_port(struct backend *, const char *); double VRT_r_backend_dnsttl(struct backend *); void VRT_l_backend_dnsttl(struct backend *, double); -const unsigned char * VRT_r_client_ip(struct sess *); -void VRT_l_client_ip(struct sess *, const unsigned char *); +struct sockaddr * VRT_r_client_ip(struct sess *); +void VRT_l_client_ip(struct sess *, struct sockaddr *); +struct sockaddr * VRT_r_server_ip(struct sess *); +void VRT_l_server_ip(struct sess *, struct sockaddr *); const char * VRT_r_req_request(struct sess *); void VRT_l_req_request(struct sess *, const char *); const char * VRT_r_req_host(struct sess *); diff --git a/varnish-cache/lib/libvcl/vcc_acl.c b/varnish-cache/lib/libvcl/vcc_acl.c index db0063b7..880cf3dd 100644 --- a/varnish-cache/lib/libvcl/vcc_acl.c +++ b/varnish-cache/lib/libvcl/vcc_acl.c @@ -113,15 +113,13 @@ vcc_Cond_Ip(struct var *vp, struct tokenlist *tl) unsigned tcond; char *acln; - (void)vp; /* only client.ip at this time */ - switch (tl->t->tok) { case '~': vcc_NextToken(tl); ExpectErr(tl, ID); vcc_AddRef(tl, tl->t, R_ACL); - Fb(tl, 1, "VRT_acl_match(sp, \"%.*s\", acl_%.*s)\n", - PF(tl->t), PF(tl->t)); + Fb(tl, 1, "VRT_acl_match(sp, %s, \"%.*s\", acl_%.*s)\n", + vp->rname, PF(tl->t), PF(tl->t)); vcc_NextToken(tl); break; case T_EQ: @@ -133,8 +131,8 @@ vcc_Cond_Ip(struct var *vp, struct tokenlist *tl) vcc_acl_top(tl, acln); vcc_acl_entry(tl); vcc_acl_bot(tl, acln); - Fb(tl, 1, "%sVRT_acl_match(sp, \"%s\", acl_%s)\n", - (tcond == T_NEQ ? "!" : ""), acln, acln); + Fb(tl, 1, "%sVRT_acl_match(sp, %s, 0, acl_%s)\n", + (tcond == T_NEQ ? "!" : ""), vp->rname, acln); free(acln); break; default: diff --git a/varnish-cache/lib/libvcl/vcc_fixed_token.c b/varnish-cache/lib/libvcl/vcc_fixed_token.c index 69e8a778..e78e0168 100644 --- a/varnish-cache/lib/libvcl/vcc_fixed_token.c +++ b/varnish-cache/lib/libvcl/vcc_fixed_token.c 
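Review bot: The `==`/`!=` branch of vcc_Cond_Ip now emits a bare `0` as the `const char *` ACL-name argument of `VRT_acl_match`, which reads as an integer in the generated C source; emitting `NULL` (or `(const char *)0`, if the generated unit cannot be assumed to include a header that defines NULL) makes the "anonymous ACL" meaning visible to anyone reading the output: `Fb(tl, 1, "%sVRT_acl_match(sp, %s, NULL, acl_%s)\n", (tcond == T_NEQ ? "!" : ""), vp->rname, acln);`. The effect of a NULL name (no ACL log records) is decided in cache_vrt_acl.c, so a one-line comment above this Fb call, such as `/* NULL acl name: anonymous ACL from ==/!=, VRT logs no match record */`, would spare the next reader of the generator a cross-file lookup. vcc_Cond_Ip starts before the first hunk and ends after the second.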
@@ -391,6 +391,7 @@ vcl_output_lang_h(struct vsb *sb) vsb_cat(sb, "struct vsb;\n"); vsb_cat(sb, "struct backend;\n"); vsb_cat(sb, "struct VCL_conf;\n"); + vsb_cat(sb, "struct sockaddr;\n"); vsb_cat(sb, "\n"); vsb_cat(sb, "struct vrt_ref {\n"); vsb_cat(sb, " unsigned source;\n"); @@ -411,7 +412,7 @@ vcl_output_lang_h(struct vsb *sb) vsb_cat(sb, "};\n"); vsb_cat(sb, "\n"); vsb_cat(sb, "/* ACL related */\n"); - vsb_cat(sb, "int VRT_acl_match(struct sess *, const char *, struct vrt_acl *);\n"); + vsb_cat(sb, "int VRT_acl_match(struct sess *, struct sockaddr *, const char *, struct vrt_acl *);\n"); vsb_cat(sb, "void VRT_acl_init(struct vrt_acl *);\n"); vsb_cat(sb, "void VRT_acl_fini(struct vrt_acl *);\n"); vsb_cat(sb, "\n"); @@ -455,8 +456,10 @@ vcl_output_lang_h(struct vsb *sb) vsb_cat(sb, "void VRT_l_backend_port(struct backend *, const char *);\n"); vsb_cat(sb, "double VRT_r_backend_dnsttl(struct backend *);\n"); vsb_cat(sb, "void VRT_l_backend_dnsttl(struct backend *, double);\n"); - vsb_cat(sb, "const unsigned char * VRT_r_client_ip(struct sess *);\n"); - vsb_cat(sb, "void VRT_l_client_ip(struct sess *, const unsigned char *);\n"); + vsb_cat(sb, "struct sockaddr * VRT_r_client_ip(struct sess *);\n"); + vsb_cat(sb, "void VRT_l_client_ip(struct sess *, struct sockaddr *);\n"); + vsb_cat(sb, "struct sockaddr * VRT_r_server_ip(struct sess *);\n"); + vsb_cat(sb, "void VRT_l_server_ip(struct sess *, struct sockaddr *);\n"); vsb_cat(sb, "const char * VRT_r_req_request(struct sess *);\n"); vsb_cat(sb, "void VRT_l_req_request(struct sess *, const char *);\n"); vsb_cat(sb, "const char * VRT_r_req_host(struct sess *);\n"); diff --git a/varnish-cache/lib/libvcl/vcc_gen_obj.tcl b/varnish-cache/lib/libvcl/vcc_gen_obj.tcl index 2364bed1..b2511694 100755 --- a/varnish-cache/lib/libvcl/vcc_gen_obj.tcl +++ b/varnish-cache/lib/libvcl/vcc_gen_obj.tcl 
@@ -41,6 +41,7 @@ set beobj { set spobj { { client.ip IP } + { server.ip IP } { req.request STRING } { req.host STRING } { req.url STRING } @@ -53,7 +54,7 @@ set spobj { { resp.http. HEADER } } -set tt(IP) "const unsigned char *" +set tt(IP) "struct sockaddr *" set tt(STRING) "const char *" set tt(BOOL) "double" set tt(BACKEND) "struct backend *" diff --git a/varnish-cache/lib/libvcl/vcc_obj.c b/varnish-cache/lib/libvcl/vcc_obj.c index bed7a67f..ce244d32 100644 --- a/varnish-cache/lib/libvcl/vcc_obj.c +++ b/varnish-cache/lib/libvcl/vcc_obj.c @@ -30,6 +30,10 @@ struct var vcc_vars[] = { "VRT_r_client_ip(sp)", "VRT_l_client_ip(sp, ", }, + { "server.ip", IP, 9, + "VRT_r_server_ip(sp)", + "VRT_l_server_ip(sp, ", + }, { "req.request", STRING, 11, "VRT_r_req_request(sp)", "VRT_l_req_request(sp, ",