Re: ACL proposal

From: Florian Lohoff <>
Date: Fri, 19 Jul 1996 18:48:38 +0200 (MET DST) typed this originally:
> For various reasons (some security, some political), we have a need for ACLs
> that can do the following:
> Match based on User-Agent header
> Deny a group, redirecting them to a URL that explains why they were denied
> Allow a group, but require HTML parsing to filter out java a/o javascript
> a/o ActiveX
> None of these are difficult to write, but the current code structure for
> ACLs only passes a minimal amount of pre-parsed information to the ACL
> code. I could implement the changes in a number of ways:
> 1) Add additional pre-parsed info
> Good if more than one ACL needs the same piece of info, as it avoids per-ACL
> parsing overhead. Unfortuatey, it increases the function call overhead, and
> eventually leads to calling the ACL functions with 50 arguments.
> 2) Pass the MIME header pointer
> allows more flexibility, but at the expense of parsing time for every ACL
> lookup.
> 3) Add additional pre-parsed info in a structure, which is passed by
> reference rather than by value
> Same pre-parsing advantages of (1), but avoids the ever-expanding arg-list
> syndrom. Also allows easy code modification as the function prototypes don't
> need to be hacked for every ACL code addition.
> (3)'s the best I've come up with so far for generalizing the ACL calling
> convention. Any other ideas?

Why not checking the ACL's for which infos you need (Once on startup) and
then only extract those informations, pass the structure by reference to
the ACL routine.

Or do an intelligent ACL sorting algorythm that prevents parsing complicated
things if the URL or whatever already has been denied on simpler information.
(Read: Sort ACL by difficulty/CPU intense of information parsing)


Florian Lohoff      Phone:+49-5241-340796
Privates Internet Ostwestfalen-Lippe, Guetersloh -
Received on Fri Jul 19 1996 - 09:50:11 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:32:41 MST