[squid-dev] [PATCH] Note ACL substrings matching
Alex Rousskov
rousskov at measurement-factory.com
Sun Dec 13 18:16:28 UTC 2015
On 12/13/2015 02:31 AM, Amos Jeffries wrote:
> On 9/12/2015 10:56 p.m., Christos Tsantilas wrote:
>> There are several use cases where an annotation may contain a list of
>> values for a single key. Today it is only possible to match the full
>> annotation value.
>> E.g. if an external ACL sets an annotation like:
>> "applications=http,facebook,facebook-chat"
>> the following ACLs can be used to block access to certain applications:
>>
>> acl fb_chat note -m applications facebook-chat
>> acl db_upload note -m applications dropbox-upload
>> http_access deny fb_chat
>> http_access deny db_upload
> Annotations from the helper are kv-pair. By definition that means
> singular value per key on helper responses.
You are mixing up two different concepts: value syntax and value
semantics. From the syntax point of view, the a key=value pair indeed
contains a singular value. However, the interpretation of what that
value _means_ is up to the admin. The opaque-to-kv-parser value may
actually contain a lot of things from the admin point of view.
Traditionally, Squid admins use ACLs to interpret opaque-to-Squid values.
> So where is the need for this coming from?
Very often, helper annotation values contain a list of flags such as
content classification tags or error IDs. Matching individual items in
such a list using existing [regular expression] ACLs is tedious and
error-prone(**). To support this common need better, we should accept
this new ACL flag. A detailed example included with the patch submission
illustrates one real-world use case.
Christos, please answer Amos' implementation-specific questions. My
response above only details the need for this new feature, not the
implementation details (which can be adjusted as needed, of course).
Thank you,
Alex.
P.S. (**) We could force helpers to emit multiple key=value pairs with
the same key to emulate a list, but that requirement forces a single
semantics onto a value that may be interpreted differently by different
ACLs.
More information about the squid-dev
mailing list