[squid-dev] [PATCH] Note ACL substrings matching
Amos Jeffries
squid3 at treenet.co.nz
Sun Dec 13 09:31:10 UTC 2015
On 9/12/2015 10:56 p.m., Christos Tsantilas wrote:
> There are several use cases where an annotation may contain a list of
> values for a single key. Today it is only possible to match the full
> annotation value.
>
> This patch investigates the -m flag which can be used to enable
> delimiter separated substrings matching on annotations:
>
> acl aclname note [-m[=delimiters]] name value ...
>
> The '-m' flag by default matches comma separated substrings. The
> optional "delimiters" parameter is a list of non-alphanumeric
> characters, which can be used as alternate delimiters.
>
> E.g. if an external ACL sets an annotation like:
> "applications=http,facebook,facebook-chat"
> the following ACLs can be used to block access to certain applications:
>
> acl fb_chat note -m applications facebook-chat
> acl db_upload note -m applications dropbox-upload
> http_access deny fb_chat
> http_access deny db_upload
>
> This is a Measurement Factory project

Annotations from the helper are kv-pair. By definition that means
singular value per key on helper responses. Values are also stored
internally separate, and matched individually against the ACL values.

Any concatenation of values that would need this delimiting is solely an
artifact of the reporting method (logformat, header sets, etc).

So where is the need for this coming from?

Also;

How does this interact with helpers that return multiple kv-pairs?
 eg. OK user=foo group=Group1 group=Group2 group=group3

How does it interact with kv-pair which contain the delimiter characters
internally?
 eg OK group=Group,1 group=Group2

What about when those delimiters are escaped?
 eg. OK group="Group\,One" group=Group%2cTwo

Amos
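
A minimal model of the matching the quoted proposal describes, run against the helper responses raised in the reply. This is an added example, not code from the patch or from Squid: `split_values` and `note_matches` are hypothetical names, and it assumes exact case-sensitive comparison, plain splitting with no quote or escape handling, and annotation values already extracted from the helper line.

```python
# Model of note-ACL matching with and without the proposed -m flag.
# Hypothetical helper names; this is not Squid's implementation.

def split_values(value, delimiters=","):
    """Split value on any delimiter character (no quoting/escape handling)."""
    if not delimiters or any(ch.isalnum() for ch in delimiters):
        raise ValueError("delimiters must be non-alphanumeric characters")
    tokens, current = [], []
    for ch in value:
        if ch in delimiters:
            tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current))
    return [t for t in tokens if t]  # assumption: empty tokens are ignored


def note_matches(annotations, name, wanted, delimiters=None):
    """annotations: (key, value) pairs, one per kv-pair in the helper response.
    delimiters=None models full-value matching; a string models -m[=delimiters]."""
    for key, value in annotations:
        if key != name:
            continue
        candidates = [value] if delimiters is None else split_values(value, delimiters)
        if any(c in wanted for c in candidates):
            return True
    return False


# Constructed inputs, taken from the examples in the thread.
APPS = [("applications", "http,facebook,facebook-chat")]
MULTI = [("user", "foo"), ("group", "Group1"), ("group", "Group2"), ("group", "group3")]
EMBEDDED = [("group", "Group,1"), ("group", "Group2")]
# Assumption: the quoted value is stored exactly as written between the quotes.
ESCAPED = [("group", "Group\\,One"), ("group", "Group%2cTwo")]

if __name__ == "__main__":
    print(note_matches(APPS, "applications", {"facebook-chat"}))       # full value only
    print(note_matches(APPS, "applications", {"facebook-chat"}, ","))  # with -m
    print(note_matches(EMBEDDED, "group", {"Group,1"}, ","))           # value lost by split
    print(note_matches(EMBEDDED, "group", {"Group"}, ","))             # fragment now matches
    print(split_values(ESCAPED[0][1]), split_values(ESCAPED[1][1]))
```

In this model, splitting turns the single value `Group,1` into the fragments `Group` and `1`, so an ACL written for `Group` matches while one written for `Group,1` no longer does.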