summaryrefslogtreecommitdiffstats
path: root/doc/internals/acl.txt
blob: 037933184dbff827719854b91d52aa05229407d4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
2011/12/16 - How ACLs work internally in haproxy - w@1wt.eu

An ACL is declared by the keyword "acl" followed by a name, followed by a
matching method, followed by one or multiple pattern values :

    acl internal  src  127.0.0.0/8 10.0.0.0/8 192.168.0.0/16

In the statement above, "internal" is the ACL's name (acl->name), "src" is the
ACL keyword defining the matching method (acl_expr->kw) and the IP addresses
are patterns of type acl_pattern to match against the source address.

The acl_pattern struct may define one single pattern, a range of values or a
tree of values to match against. The type of the patterns is implied by the
ACL keyword. For instance, the "src" keyword implies IPv4 patterns.

The line above constitutes an ACL expression (acl_expr). ACL expressions are
formed of a keyword, an optional argument for the keyword, and a list of
patterns (in fact, both a list and a root tree).

Dynamic values are extracted according to a fetch function defined by the ACL
keyword. This fetch function fills or updates a struct acl_test with all the
extracted information so that a match function can compare it against all the
patterns. The fetch function is called iteratively by the ACL engine until it
reports no more value. This makes sense for instance when checking IP addresses
found in HTTP headers, which can appear multiple times. The acl_test is kept
intact between calls and even holds a context so that the fetch function knows
where to start from for subsequent calls. The match function may also use the
context even though it was not designed for that purpose.

An ACL is defined only by its name and can be a series of ACL expressions. The
ACL is deemed true when any of its expressions is true. They are evaluated in
the declared order and can involve multiple matching methods.

So in summary :

  - an ACL is a series of tests to perform on a stream, any of which is enough
    to validate the result.

  - each test is defined by an expression associating a keyword and a series of
    patterns.

  - a keyword implies several things at once :
    - the type of the patterns and how to parse them
    - the method to fetch the required information from the stream
    - the method to match the fetched information against the patterns

  - a fetch function fills an acl_test struct which is passed to the match
    function defined by the keyword

  - the match function tries to match the value in the acl_test against the
    pattern list declared in the expression which involved its acl_keyword.


ACLs are used by conditional processing rules. A rule generally uses an "if" or
"unless" keyword followed by an ACL condition (acl_cond). This condition is a
series of term suites which are ORed together. Each term suite is a series of
terms which are ANDed together. Terms may be negated before being evaluated in
a suite. A term simply is a pointer to an ACL.

We could then represent a rule by the following BNF :

  rule = if-cond
       | unless-cond

  if-cond (struct acl_cond with ->pol = ACL_COND_IF)
      = "if" condition

  unless-cond (struct acl_cond with ->pol = ACL_COND_UNLESS)
      = "unless" condition

  condition
      = term-suite
      | term-suite "||" term-suite
      | term-suite "or" term-suite

  term-suite (struct acl_term_suite)
      = term
      | term term

  term = acl
       | "!" acl