2007-10-29 03:09:36 +03:00
/*
* AF_INET / AF_INET6 SOCK_STREAM protocol layer ( tcp )
*
2010-05-24 00:40:30 +04:00
* Copyright 2000 - 2010 Willy Tarreau < w @ 1 wt . eu >
2007-10-29 03:09:36 +03:00
*
* This program is free software ; you can redistribute it and / or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation ; either version
* 2 of the License , or ( at your option ) any later version .
*
*/
# include <ctype.h>
# include <errno.h>
# include <fcntl.h>
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include <time.h>
# include <sys/param.h>
# include <sys/socket.h>
# include <sys/stat.h>
# include <sys/types.h>
# include <sys/un.h>
2009-08-24 15:11:06 +04:00
# include <netinet/tcp.h>
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
# include <common/cfgparse.h>
2007-10-29 03:09:36 +03:00
# include <common/compat.h>
# include <common/config.h>
# include <common/debug.h>
# include <common/errors.h>
# include <common/mini-clist.h>
# include <common/standard.h>
# include <types/global.h>
2009-08-16 16:02:45 +04:00
# include <types/server.h>
2007-10-29 03:09:36 +03:00
# include <proto/acl.h>
2012-04-20 16:45:49 +04:00
# include <proto/arg.h>
2007-10-29 03:09:36 +03:00
# include <proto/buffers.h>
2010-05-24 23:02:37 +04:00
# include <proto/frontend.h>
2009-08-16 16:02:45 +04:00
# include <proto/log.h>
2010-05-24 22:55:15 +04:00
# include <proto/pattern.h>
2009-08-16 16:02:45 +04:00
# include <proto/port_range.h>
2007-10-29 03:09:36 +03:00
# include <proto/protocols.h>
# include <proto/proto_tcp.h>
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
# include <proto/proxy.h>
2010-06-14 23:04:55 +04:00
# include <proto/session.h>
2010-06-05 21:13:27 +04:00
# include <proto/stick_table.h>
2007-10-29 03:09:36 +03:00
# include <proto/stream_sock.h>
2010-06-05 21:13:27 +04:00
# include <proto/task.h>
2010-09-23 19:56:44 +04:00
# include <proto/buffers.h>
2007-10-29 03:09:36 +03:00
2008-01-13 20:40:14 +03:00
# ifdef CONFIG_HAP_CTTPROXY
# include <import/ip_tproxy.h>
# endif
2010-10-22 18:06:11 +04:00
static int tcp_bind_listeners ( struct protocol * proto , char * errmsg , int errlen ) ;
static int tcp_bind_listener ( struct listener * listener , char * errmsg , int errlen ) ;
2007-10-29 03:09:36 +03:00
/* Note: must not be declared <const> as its list will be overwritten */
static struct protocol proto_tcpv4 = {
. name = " tcpv4 " ,
. sock_domain = AF_INET ,
. sock_type = SOCK_STREAM ,
. sock_prot = IPPROTO_TCP ,
. sock_family = AF_INET ,
. sock_addrlen = sizeof ( struct sockaddr_in ) ,
. l3_addrlen = 32 / 8 ,
2010-05-28 20:46:57 +04:00
. accept = & stream_sock_accept ,
2007-10-29 03:09:36 +03:00
. read = & stream_sock_read ,
. write = & stream_sock_write ,
2010-10-22 18:06:11 +04:00
. bind = tcp_bind_listener ,
2007-10-29 03:09:36 +03:00
. bind_all = tcp_bind_listeners ,
. unbind_all = unbind_all_listeners ,
. enable_all = enable_all_listeners ,
. listeners = LIST_HEAD_INIT ( proto_tcpv4 . listeners ) ,
. nb_listeners = 0 ,
} ;
/* Note: must not be declared <const> as its list will be overwritten */
static struct protocol proto_tcpv6 = {
. name = " tcpv6 " ,
. sock_domain = AF_INET6 ,
. sock_type = SOCK_STREAM ,
. sock_prot = IPPROTO_TCP ,
. sock_family = AF_INET6 ,
. sock_addrlen = sizeof ( struct sockaddr_in6 ) ,
. l3_addrlen = 128 / 8 ,
2010-05-28 20:46:57 +04:00
. accept = & stream_sock_accept ,
2007-10-29 03:09:36 +03:00
. read = & stream_sock_read ,
. write = & stream_sock_write ,
2010-10-22 18:06:11 +04:00
. bind = tcp_bind_listener ,
2007-10-29 03:09:36 +03:00
. bind_all = tcp_bind_listeners ,
. unbind_all = unbind_all_listeners ,
. enable_all = enable_all_listeners ,
. listeners = LIST_HEAD_INIT ( proto_tcpv6 . listeners ) ,
. nb_listeners = 0 ,
} ;
2011-03-11 00:26:24 +03:00
/* Binds ipv4/ipv6 address <local> to socket <fd>, unless <flags> is set, in which
2008-01-13 20:40:14 +03:00
* case we try to bind < remote > . < flags > is a 2 - bit field consisting of :
* - 0 : ignore remote address ( may even be a NULL pointer )
* - 1 : use provided address
* - 2 : use provided port
* - 3 : use both
*
* The function supports multiple foreign binding methods :
* - linux_tproxy : we directly bind to the foreign address
* - cttproxy : we bind to a local address then nat .
* The second one can be used as a fallback for the first one .
* This function returns 0 when everything ' s OK , 1 if it could not bind , to the
* local address , 2 if it could not bind to the foreign address .
*/
2011-03-11 00:26:24 +03:00
int tcp_bind_socket ( int fd , int flags , struct sockaddr_storage * local , struct sockaddr_storage * remote )
2008-01-13 20:40:14 +03:00
{
2011-03-11 00:26:24 +03:00
struct sockaddr_storage bind_addr ;
2008-01-13 20:40:14 +03:00
int foreign_ok = 0 ;
int ret ;
# ifdef CONFIG_HAP_LINUX_TPROXY
static int ip_transp_working = 1 ;
if ( flags & & ip_transp_working ) {
2011-06-24 10:11:37 +04:00
if ( setsockopt ( fd , SOL_IP , IP_TRANSPARENT , & one , sizeof ( one ) ) = = 0
| | setsockopt ( fd , SOL_IP , IP_FREEBIND , & one , sizeof ( one ) ) = = 0 )
2008-01-13 20:40:14 +03:00
foreign_ok = 1 ;
else
ip_transp_working = 0 ;
}
# endif
if ( flags ) {
memset ( & bind_addr , 0 , sizeof ( bind_addr ) ) ;
2011-04-19 09:20:57 +04:00
bind_addr . ss_family = remote - > ss_family ;
2011-03-11 00:26:24 +03:00
switch ( remote - > ss_family ) {
case AF_INET :
if ( flags & 1 )
( ( struct sockaddr_in * ) & bind_addr ) - > sin_addr = ( ( struct sockaddr_in * ) remote ) - > sin_addr ;
if ( flags & 2 )
( ( struct sockaddr_in * ) & bind_addr ) - > sin_port = ( ( struct sockaddr_in * ) remote ) - > sin_port ;
break ;
case AF_INET6 :
if ( flags & 1 )
( ( struct sockaddr_in6 * ) & bind_addr ) - > sin6_addr = ( ( struct sockaddr_in6 * ) remote ) - > sin6_addr ;
if ( flags & 2 )
( ( struct sockaddr_in6 * ) & bind_addr ) - > sin6_port = ( ( struct sockaddr_in6 * ) remote ) - > sin6_port ;
break ;
2011-12-17 00:25:11 +04:00
default :
/* we don't want to try to bind to an unknown address family */
foreign_ok = 0 ;
2011-03-11 00:26:24 +03:00
}
2008-01-13 20:40:14 +03:00
}
2011-06-24 10:11:37 +04:00
setsockopt ( fd , SOL_SOCKET , SO_REUSEADDR , & one , sizeof ( one ) ) ;
2008-01-13 20:40:14 +03:00
if ( foreign_ok ) {
2011-04-05 18:56:50 +04:00
ret = bind ( fd , ( struct sockaddr * ) & bind_addr , get_addr_len ( & bind_addr ) ) ;
2008-01-13 20:40:14 +03:00
if ( ret < 0 )
return 2 ;
}
else {
2011-04-05 18:56:50 +04:00
ret = bind ( fd , ( struct sockaddr * ) local , get_addr_len ( local ) ) ;
2008-01-13 20:40:14 +03:00
if ( ret < 0 )
return 1 ;
}
if ( ! flags )
return 0 ;
# ifdef CONFIG_HAP_CTTPROXY
2011-03-20 16:03:54 +03:00
if ( ! foreign_ok & & remote - > ss_family = = AF_INET ) {
2008-01-13 20:40:14 +03:00
struct in_tproxy itp1 , itp2 ;
memset ( & itp1 , 0 , sizeof ( itp1 ) ) ;
itp1 . op = TPROXY_ASSIGN ;
2011-03-20 16:03:54 +03:00
itp1 . v . addr . faddr = ( ( struct sockaddr_in * ) & bind_addr ) - > sin_addr ;
itp1 . v . addr . fport = ( ( struct sockaddr_in * ) & bind_addr ) - > sin_port ;
2008-01-13 20:40:14 +03:00
/* set connect flag on socket */
itp2 . op = TPROXY_FLAGS ;
itp2 . v . flags = ITP_CONNECT | ITP_ONCE ;
if ( setsockopt ( fd , SOL_IP , IP_TPROXY , & itp1 , sizeof ( itp1 ) ) ! = - 1 & &
setsockopt ( fd , SOL_IP , IP_TPROXY , & itp2 , sizeof ( itp2 ) ) ! = - 1 ) {
foreign_ok = 1 ;
}
}
# endif
if ( ! foreign_ok )
/* we could not bind to a foreign address */
return 2 ;
return 0 ;
}
2009-08-16 16:02:45 +04:00
/*
2011-03-05 00:04:29 +03:00
* This function initiates a connection to the target assigned to this session
2011-09-23 12:54:59 +04:00
* ( si - > { target , addr . to } ) . A source address may be pointed to by si - > addr . from
2011-03-05 00:04:29 +03:00
* in case of transparent proxying . Normal source bind addresses are still
* determined locally ( due to the possible need of a source port ) .
* si - > target may point either to a valid server or to a backend , depending
* on si - > target . type . Only TARG_TYPE_PROXY and TARG_TYPE_SERVER are supported .
2010-03-29 21:36:59 +04:00
*
2009-08-16 16:02:45 +04:00
* It can return one of :
* - SN_ERR_NONE if everything ' s OK
* - SN_ERR_SRVTO if there are no more servers
* - SN_ERR_SRVCL if the connection was refused by the server
* - SN_ERR_PRXCOND if the connection has been limited by the proxy ( maxconn )
* - SN_ERR_RESOURCE if a system resource is lacking ( eg : fd limits , ports , . . . )
* - SN_ERR_INTERNAL for any other purely internal errors
* Additionnally , in the case of SN_ERR_RESOURCE , an emergency log will be emitted .
*/
2011-03-03 20:27:32 +03:00
2011-03-11 00:26:24 +03:00
int tcp_connect_server ( struct stream_interface * si )
2009-08-16 16:02:45 +04:00
{
int fd ;
2011-03-05 00:04:29 +03:00
struct server * srv ;
struct proxy * be ;
switch ( si - > target . type ) {
case TARG_TYPE_PROXY :
be = si - > target . ptr . p ;
srv = NULL ;
break ;
case TARG_TYPE_SERVER :
srv = si - > target . ptr . s ;
be = srv - > proxy ;
break ;
default :
return SN_ERR_INTERNAL ;
}
2009-08-16 16:02:45 +04:00
2011-09-23 12:54:59 +04:00
if ( ( fd = si - > fd = socket ( si - > addr . to . ss_family , SOCK_STREAM , IPPROTO_TCP ) ) = = - 1 ) {
2009-08-16 16:02:45 +04:00
qfprintf ( stderr , " Cannot get a server socket. \n " ) ;
if ( errno = = ENFILE )
send_log ( be , LOG_EMERG ,
" Proxy %s reached system FD limit at %d. Please check system tunables. \n " ,
be - > id , maxfd ) ;
else if ( errno = = EMFILE )
send_log ( be , LOG_EMERG ,
" Proxy %s reached process FD limit at %d. Please check 'ulimit-n' and restart. \n " ,
be - > id , maxfd ) ;
else if ( errno = = ENOBUFS | | errno = = ENOMEM )
send_log ( be , LOG_EMERG ,
" Proxy %s reached system memory limit at %d sockets. Please check system tunables. \n " ,
be - > id , maxfd ) ;
/* this is a resource error */
return SN_ERR_RESOURCE ;
}
if ( fd > = global . maxsock ) {
/* do not log anything there, it's a normal condition when this option
* is used to serialize connections to a server !
*/
Alert ( " socket(): not enough free sockets. Raise -n argument. Giving up. \n " ) ;
close ( fd ) ;
return SN_ERR_PRXCOND ; /* it is a configuration limit */
}
if ( ( fcntl ( fd , F_SETFL , O_NONBLOCK ) = = - 1 ) | |
2011-06-24 10:11:37 +04:00
( setsockopt ( fd , IPPROTO_TCP , TCP_NODELAY , & one , sizeof ( one ) ) = = - 1 ) ) {
2009-08-16 16:02:45 +04:00
qfprintf ( stderr , " Cannot set client socket to non blocking mode. \n " ) ;
close ( fd ) ;
return SN_ERR_INTERNAL ;
}
if ( be - > options & PR_O_TCP_SRV_KA )
2011-06-24 10:11:37 +04:00
setsockopt ( fd , SOL_SOCKET , SO_KEEPALIVE , & one , sizeof ( one ) ) ;
2009-08-16 16:02:45 +04:00
if ( be - > options & PR_O_TCP_NOLING )
2011-11-30 21:02:24 +04:00
si - > flags | = SI_FL_NOLINGER ;
2009-08-16 16:02:45 +04:00
/* allow specific binding :
* - server - specific at first
* - proxy - specific next
*/
if ( srv ! = NULL & & srv - > state & SRV_BIND_SRC ) {
int ret , flags = 0 ;
switch ( srv - > state & SRV_TPROXY_MASK ) {
case SRV_TPROXY_ADDR :
case SRV_TPROXY_CLI :
2010-03-29 21:36:59 +04:00
flags = 3 ;
break ;
2009-08-16 16:02:45 +04:00
case SRV_TPROXY_CIP :
2009-09-07 13:51:47 +04:00
case SRV_TPROXY_DYN :
2010-03-29 21:36:59 +04:00
flags = 1 ;
2009-08-16 16:02:45 +04:00
break ;
}
2010-03-29 21:36:59 +04:00
2009-08-16 16:02:45 +04:00
# ifdef SO_BINDTODEVICE
/* Note: this might fail if not CAP_NET_RAW */
if ( srv - > iface_name )
setsockopt ( fd , SOL_SOCKET , SO_BINDTODEVICE , srv - > iface_name , srv - > iface_len + 1 ) ;
# endif
if ( srv - > sport_range ) {
int attempts = 10 ; /* should be more than enough to find a spare port */
2011-03-11 00:26:24 +03:00
struct sockaddr_storage src ;
2009-08-16 16:02:45 +04:00
ret = 1 ;
src = srv - > source_addr ;
do {
/* note: in case of retry, we may have to release a previously
* allocated port , hence this loop ' s construct .
*/
2009-10-18 09:25:52 +04:00
port_range_release_port ( fdinfo [ fd ] . port_range , fdinfo [ fd ] . local_port ) ;
fdinfo [ fd ] . port_range = NULL ;
2009-08-16 16:02:45 +04:00
if ( ! attempts )
break ;
attempts - - ;
2009-10-18 09:25:52 +04:00
fdinfo [ fd ] . local_port = port_range_alloc_port ( srv - > sport_range ) ;
if ( ! fdinfo [ fd ] . local_port )
2009-08-16 16:02:45 +04:00
break ;
2009-10-18 09:25:52 +04:00
fdinfo [ fd ] . port_range = srv - > sport_range ;
2011-08-27 14:29:07 +04:00
set_host_port ( & src , fdinfo [ fd ] . local_port ) ;
2009-08-16 16:02:45 +04:00
2011-09-23 12:54:59 +04:00
ret = tcp_bind_socket ( fd , flags , & src , & si - > addr . from ) ;
2009-08-16 16:02:45 +04:00
} while ( ret ! = 0 ) ; /* binding NOK */
}
else {
2011-09-23 12:54:59 +04:00
ret = tcp_bind_socket ( fd , flags , & srv - > source_addr , & si - > addr . from ) ;
2009-08-16 16:02:45 +04:00
}
if ( ret ) {
2009-10-18 09:25:52 +04:00
port_range_release_port ( fdinfo [ fd ] . port_range , fdinfo [ fd ] . local_port ) ;
fdinfo [ fd ] . port_range = NULL ;
2009-08-16 16:02:45 +04:00
close ( fd ) ;
if ( ret = = 1 ) {
Alert ( " Cannot bind to source address before connect() for server %s/%s. Aborting. \n " ,
be - > id , srv - > id ) ;
send_log ( be , LOG_EMERG ,
" Cannot bind to source address before connect() for server %s/%s. \n " ,
be - > id , srv - > id ) ;
} else {
Alert ( " Cannot bind to tproxy source address before connect() for server %s/%s. Aborting. \n " ,
be - > id , srv - > id ) ;
send_log ( be , LOG_EMERG ,
" Cannot bind to tproxy source address before connect() for server %s/%s. \n " ,
be - > id , srv - > id ) ;
}
return SN_ERR_RESOURCE ;
}
}
else if ( be - > options & PR_O_BIND_SRC ) {
int ret , flags = 0 ;
switch ( be - > options & PR_O_TPXY_MASK ) {
case PR_O_TPXY_ADDR :
case PR_O_TPXY_CLI :
2010-03-29 21:36:59 +04:00
flags = 3 ;
break ;
2009-08-16 16:02:45 +04:00
case PR_O_TPXY_CIP :
2009-09-07 13:51:47 +04:00
case PR_O_TPXY_DYN :
2010-03-29 21:36:59 +04:00
flags = 1 ;
2009-08-16 16:02:45 +04:00
break ;
}
2010-03-29 21:36:59 +04:00
2009-08-16 16:02:45 +04:00
# ifdef SO_BINDTODEVICE
/* Note: this might fail if not CAP_NET_RAW */
if ( be - > iface_name )
setsockopt ( fd , SOL_SOCKET , SO_BINDTODEVICE , be - > iface_name , be - > iface_len + 1 ) ;
# endif
2011-09-23 12:54:59 +04:00
ret = tcp_bind_socket ( fd , flags , & be - > source_addr , & si - > addr . from ) ;
2009-08-16 16:02:45 +04:00
if ( ret ) {
close ( fd ) ;
if ( ret = = 1 ) {
Alert ( " Cannot bind to source address before connect() for proxy %s. Aborting. \n " ,
be - > id ) ;
send_log ( be , LOG_EMERG ,
" Cannot bind to source address before connect() for proxy %s. \n " ,
be - > id ) ;
} else {
Alert ( " Cannot bind to tproxy source address before connect() for proxy %s. Aborting. \n " ,
be - > id ) ;
send_log ( be , LOG_EMERG ,
" Cannot bind to tproxy source address before connect() for proxy %s. \n " ,
be - > id ) ;
}
return SN_ERR_RESOURCE ;
}
}
2009-08-24 15:11:06 +04:00
# if defined(TCP_QUICKACK)
2009-08-16 16:02:45 +04:00
/* disabling tcp quick ack now allows the first request to leave the
* machine with the first ACK . We only do this if there are pending
* data in the buffer .
*/
2012-03-01 19:08:30 +04:00
if ( ( be - > options2 & PR_O2_SMARTCON ) & & si - > ob - > o )
2011-06-24 10:11:37 +04:00
setsockopt ( fd , IPPROTO_TCP , TCP_QUICKACK , & zero , sizeof ( zero ) ) ;
2009-08-16 16:02:45 +04:00
# endif
2010-01-21 19:43:04 +03:00
if ( global . tune . server_sndbuf )
setsockopt ( fd , SOL_SOCKET , SO_SNDBUF , & global . tune . server_sndbuf , sizeof ( global . tune . server_sndbuf ) ) ;
if ( global . tune . server_rcvbuf )
setsockopt ( fd , SOL_SOCKET , SO_RCVBUF , & global . tune . server_rcvbuf , sizeof ( global . tune . server_rcvbuf ) ) ;
2012-04-07 20:03:52 +04:00
si - > flags & = ~ SI_FL_FROM_SET ;
2011-09-23 12:54:59 +04:00
if ( ( connect ( fd , ( struct sockaddr * ) & si - > addr . to , get_addr_len ( & si - > addr . to ) ) = = - 1 ) & &
2009-08-16 16:02:45 +04:00
( errno ! = EINPROGRESS ) & & ( errno ! = EALREADY ) & & ( errno ! = EISCONN ) ) {
if ( errno = = EAGAIN | | errno = = EADDRINUSE ) {
char * msg ;
if ( errno = = EAGAIN ) /* no free ports left, try again later */
msg = " no free ports " ;
else
msg = " local address already in use " ;
qfprintf ( stderr , " Cannot connect: %s. \n " , msg ) ;
2009-10-18 09:25:52 +04:00
port_range_release_port ( fdinfo [ fd ] . port_range , fdinfo [ fd ] . local_port ) ;
fdinfo [ fd ] . port_range = NULL ;
2009-08-16 16:02:45 +04:00
close ( fd ) ;
send_log ( be , LOG_EMERG ,
" Connect() failed for server %s/%s: %s. \n " ,
be - > id , srv - > id , msg ) ;
return SN_ERR_RESOURCE ;
} else if ( errno = = ETIMEDOUT ) {
//qfprintf(stderr,"Connect(): ETIMEDOUT");
2009-10-18 09:25:52 +04:00
port_range_release_port ( fdinfo [ fd ] . port_range , fdinfo [ fd ] . local_port ) ;
fdinfo [ fd ] . port_range = NULL ;
2009-08-16 16:02:45 +04:00
close ( fd ) ;
return SN_ERR_SRVTO ;
} else {
// (errno == ECONNREFUSED || errno == ENETUNREACH || errno == EACCES || errno == EPERM)
//qfprintf(stderr,"Connect(): %d", errno);
2009-10-18 09:25:52 +04:00
port_range_release_port ( fdinfo [ fd ] . port_range , fdinfo [ fd ] . local_port ) ;
fdinfo [ fd ] . port_range = NULL ;
2009-08-16 16:02:45 +04:00
close ( fd ) ;
return SN_ERR_SRVCL ;
}
}
2012-03-02 17:35:21 +04:00
/* needs src ip/port for logging */
2012-04-07 20:03:52 +04:00
if ( si - > flags & SI_FL_SRC_ADDR )
stream_sock_get_from_addr ( si ) ;
2012-03-02 17:35:21 +04:00
2009-08-16 16:02:45 +04:00
fdtab [ fd ] . owner = si ;
fdtab [ fd ] . state = FD_STCONN ; /* connection in progress */
fdtab [ fd ] . flags = FD_FL_TCP | FD_FL_TCP_NODELAY ;
fdtab [ fd ] . cb [ DIR_RD ] . f = & stream_sock_read ;
fdtab [ fd ] . cb [ DIR_RD ] . b = si - > ib ;
fdtab [ fd ] . cb [ DIR_WR ] . f = & stream_sock_write ;
fdtab [ fd ] . cb [ DIR_WR ] . b = si - > ob ;
2011-09-23 12:54:59 +04:00
fdinfo [ fd ] . peeraddr = ( struct sockaddr * ) & si - > addr . to ;
fdinfo [ fd ] . peerlen = get_addr_len ( & si - > addr . to ) ;
2009-08-16 16:02:45 +04:00
fd_insert ( fd ) ;
EV_FD_SET ( fd , DIR_WR ) ; /* for connect status */
si - > state = SI_ST_CON ;
si - > flags | = SI_FL_CAP_SPLTCP ; /* TCP supports splicing */
si - > exp = tick_add_ifset ( now_ms , be - > timeout . connect ) ;
return SN_ERR_NONE ; /* connection is OK */
}
2007-10-29 03:09:36 +03:00
/* This function tries to bind a TCPv4/v6 listener. It may return a warning or
* an error message in < err > if the message is at most < errlen > bytes long
* ( including ' \0 ' ) . The return value is composed from ERR_ABORT , ERR_WARN ,
* ERR_ALERT , ERR_RETRYABLE and ERR_FATAL . ERR_NONE indicates that everything
* was alright and that no message was returned . ERR_RETRYABLE means that an
* error occurred but that it may vanish after a retry ( eg : port in use ) , and
2012-04-07 04:39:26 +04:00
* ERR_FATAL indicates a non - fixable error . ERR_WARN and ERR_ALERT do not alter
2007-10-29 03:09:36 +03:00
* the meaning of the error , but just indicate that a message is present which
* should be displayed with the respective level . Last , ERR_ABORT indicates
* that it ' s pointless to try to start other listeners . No error message is
* returned if errlen is NULL .
*/
int tcp_bind_listener ( struct listener * listener , char * errmsg , int errlen )
{
__label__ tcp_return , tcp_close_return ;
int fd , err ;
const char * msg = NULL ;
/* ensure we never return garbage */
if ( errmsg & & errlen )
* errmsg = 0 ;
if ( listener - > state ! = LI_ASSIGNED )
return ERR_NONE ; /* already bound */
err = ERR_NONE ;
if ( ( fd = socket ( listener - > addr . ss_family , SOCK_STREAM , IPPROTO_TCP ) ) = = - 1 ) {
err | = ERR_RETRYABLE | ERR_ALERT ;
msg = " cannot create listening socket " ;
goto tcp_return ;
}
2008-12-01 01:15:34 +03:00
2007-10-29 03:09:36 +03:00
if ( fd > = global . maxsock ) {
err | = ERR_FATAL | ERR_ABORT | ERR_ALERT ;
msg = " not enough free sockets (raise '-n' parameter) " ;
goto tcp_close_return ;
}
2009-06-14 17:24:37 +04:00
if ( fcntl ( fd , F_SETFL , O_NONBLOCK ) = = - 1 ) {
2007-10-29 03:09:36 +03:00
err | = ERR_FATAL | ERR_ALERT ;
msg = " cannot make socket non-blocking " ;
goto tcp_close_return ;
}
2011-06-24 10:11:37 +04:00
if ( setsockopt ( fd , SOL_SOCKET , SO_REUSEADDR , & one , sizeof ( one ) ) = = - 1 ) {
2007-10-29 03:09:36 +03:00
/* not fatal but should be reported */
msg = " cannot do so_reuseaddr " ;
err | = ERR_ALERT ;
}
if ( listener - > options & LI_O_NOLINGER )
2011-06-24 10:11:37 +04:00
setsockopt ( fd , SOL_SOCKET , SO_LINGER , & nolinger , sizeof ( struct linger ) ) ;
2008-12-01 01:15:34 +03:00
2007-10-29 03:09:36 +03:00
# ifdef SO_REUSEPORT
/* OpenBSD supports this. As it's present in old libc versions of Linux,
* it might return an error that we will silently ignore .
*/
2011-06-24 10:11:37 +04:00
setsockopt ( fd , SOL_SOCKET , SO_REUSEPORT , & one , sizeof ( one ) ) ;
2008-01-13 16:49:51 +03:00
# endif
# ifdef CONFIG_HAP_LINUX_TPROXY
2008-12-01 01:15:34 +03:00
if ( ( listener - > options & LI_O_FOREIGN )
2011-06-24 10:11:37 +04:00
& & ( setsockopt ( fd , SOL_IP , IP_TRANSPARENT , & one , sizeof ( one ) ) = = - 1 )
& & ( setsockopt ( fd , SOL_IP , IP_FREEBIND , & one , sizeof ( one ) ) = = - 1 ) ) {
2008-01-13 16:49:51 +03:00
msg = " cannot make listening socket transparent " ;
err | = ERR_ALERT ;
}
2009-02-04 19:19:29 +03:00
# endif
# ifdef SO_BINDTODEVICE
/* Note: this might fail if not CAP_NET_RAW */
if ( listener - > interface ) {
if ( setsockopt ( fd , SOL_SOCKET , SO_BINDTODEVICE ,
2009-03-06 02:48:23 +03:00
listener - > interface , strlen ( listener - > interface ) + 1 ) = = - 1 ) {
2009-02-04 19:19:29 +03:00
msg = " cannot bind listener to device " ;
err | = ERR_WARN ;
}
}
2009-06-14 20:48:19 +04:00
# endif
2009-08-24 15:11:06 +04:00
# if defined(TCP_MAXSEG)
2010-12-24 17:26:39 +03:00
if ( listener - > maxseg > 0 ) {
2009-08-24 15:11:06 +04:00
if ( setsockopt ( fd , IPPROTO_TCP , TCP_MAXSEG ,
2009-06-14 20:48:19 +04:00
& listener - > maxseg , sizeof ( listener - > maxseg ) ) = = - 1 ) {
msg = " cannot set MSS " ;
err | = ERR_WARN ;
}
}
2009-10-13 09:34:14 +04:00
# endif
# if defined(TCP_DEFER_ACCEPT)
if ( listener - > options & LI_O_DEF_ACCEPT ) {
/* defer accept by up to one second */
int accept_delay = 1 ;
if ( setsockopt ( fd , IPPROTO_TCP , TCP_DEFER_ACCEPT , & accept_delay , sizeof ( accept_delay ) ) = = - 1 ) {
msg = " cannot enable DEFER_ACCEPT " ;
err | = ERR_WARN ;
}
}
2007-10-29 03:09:36 +03:00
# endif
if ( bind ( fd , ( struct sockaddr * ) & listener - > addr , listener - > proto - > sock_addrlen ) = = - 1 ) {
err | = ERR_RETRYABLE | ERR_ALERT ;
msg = " cannot bind socket " ;
goto tcp_close_return ;
}
2008-12-01 01:15:34 +03:00
2008-01-06 12:55:10 +03:00
if ( listen ( fd , listener - > backlog ? listener - > backlog : listener - > maxconn ) = = - 1 ) {
2007-10-29 03:09:36 +03:00
err | = ERR_RETRYABLE | ERR_ALERT ;
msg = " cannot listen to socket " ;
goto tcp_close_return ;
}
2008-12-01 01:15:34 +03:00
2009-08-24 15:11:06 +04:00
# if defined(TCP_QUICKACK)
2009-06-14 14:07:01 +04:00
if ( listener - > options & LI_O_NOQUICKACK )
2011-06-24 10:11:37 +04:00
setsockopt ( fd , IPPROTO_TCP , TCP_QUICKACK , & zero , sizeof ( zero ) ) ;
2009-06-14 14:07:01 +04:00
# endif
2007-10-29 03:09:36 +03:00
/* the socket is ready */
listener - > fd = fd ;
listener - > state = LI_LISTEN ;
2008-08-30 01:36:51 +04:00
fdtab [ fd ] . owner = listener ; /* reference the listener instead of a task */
2007-10-29 03:09:36 +03:00
fdtab [ fd ] . state = FD_STLISTEN ;
2010-05-28 20:46:57 +04:00
fdtab [ fd ] . flags = FD_FL_TCP | ( ( listener - > options & LI_O_NOLINGER ) ? FD_FL_TCP_NOLING : 0 ) ;
fdtab [ fd ] . cb [ DIR_RD ] . f = listener - > proto - > accept ;
fdtab [ fd ] . cb [ DIR_WR ] . f = NULL ; /* never called */
fdtab [ fd ] . cb [ DIR_RD ] . b = fdtab [ fd ] . cb [ DIR_WR ] . b = NULL ;
2009-06-28 13:09:07 +04:00
2009-10-18 09:25:52 +04:00
fdinfo [ fd ] . peeraddr = NULL ;
fdinfo [ fd ] . peerlen = 0 ;
2010-05-28 20:46:57 +04:00
fd_insert ( fd ) ;
2007-10-29 03:09:36 +03:00
tcp_return :
2010-11-01 21:26:01 +03:00
if ( msg & & errlen ) {
char pn [ INET6_ADDRSTRLEN ] ;
2011-09-05 02:36:48 +04:00
addr_to_str ( & listener - > addr , pn , sizeof ( pn ) ) ;
snprintf ( errmsg , errlen , " %s [%s:%d] " , msg , pn , get_host_port ( & listener - > addr ) ) ;
2010-11-01 21:26:01 +03:00
}
2007-10-29 03:09:36 +03:00
return err ;
tcp_close_return :
close ( fd ) ;
goto tcp_return ;
}
/* This function creates all TCP sockets bound to the protocol entry <proto>.
* It is intended to be used as the protocol ' s bind_all ( ) function .
* The sockets will be registered but not added to any fd_set , in order not to
* loose them across the fork ( ) . A call to enable_all_listeners ( ) is needed
* to complete initialization . The return value is composed from ERR_ * .
*/
2010-10-22 18:06:11 +04:00
static int tcp_bind_listeners ( struct protocol * proto , char * errmsg , int errlen )
2007-10-29 03:09:36 +03:00
{
struct listener * listener ;
int err = ERR_NONE ;
list_for_each_entry ( listener , & proto - > listeners , proto_list ) {
2010-10-22 18:06:11 +04:00
err | = tcp_bind_listener ( listener , errmsg , errlen ) ;
if ( err & ERR_ABORT )
2007-10-29 03:09:36 +03:00
break ;
}
return err ;
}
/* Add listener to the list of tcpv4 listeners. The listener's state
* is automatically updated from LI_INIT to LI_ASSIGNED . The number of
* listeners is updated . This is the function to use to add a new listener .
*/
void tcpv4_add_listener ( struct listener * listener )
{
if ( listener - > state ! = LI_INIT )
return ;
listener - > state = LI_ASSIGNED ;
listener - > proto = & proto_tcpv4 ;
LIST_ADDQ ( & proto_tcpv4 . listeners , & listener - > proto_list ) ;
proto_tcpv4 . nb_listeners + + ;
}
/* Add listener to the list of tcpv4 listeners. The listener's state
* is automatically updated from LI_INIT to LI_ASSIGNED . The number of
* listeners is updated . This is the function to use to add a new listener .
*/
void tcpv6_add_listener ( struct listener * listener )
{
if ( listener - > state ! = LI_INIT )
return ;
listener - > state = LI_ASSIGNED ;
listener - > proto = & proto_tcpv6 ;
LIST_ADDQ ( & proto_tcpv6 . listeners , & listener - > proto_list ) ;
proto_tcpv6 . nb_listeners + + ;
}
2008-12-01 01:15:34 +03:00
/* This function performs the TCP request analysis on the current request. It
* returns 1 if the processing can continue on next analysers , or zero if it
* needs more data , encounters an error , or wants to immediately abort the
2010-08-03 16:02:05 +04:00
* request . It relies on buffers flags , and updates s - > req - > analysers . The
* function may be called for frontend rules and backend rules . It only relies
* on the backend pointer so this works for both cases .
2008-12-01 01:15:34 +03:00
*/
2009-07-07 12:55:49 +04:00
int tcp_inspect_request ( struct session * s , struct buffer * req , int an_bit )
2008-12-01 01:15:34 +03:00
{
struct tcp_rule * rule ;
2010-08-03 21:34:32 +04:00
struct stksess * ts ;
struct stktable * t ;
2008-12-01 01:15:34 +03:00
int partial ;
2012-03-01 21:19:58 +04:00
DPRINTF ( stderr , " [%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bh=%d analysers=%02x \n " ,
2008-12-01 01:15:34 +03:00
now_ms , __FUNCTION__ ,
s ,
req ,
req - > rex , req - > wex ,
req - > flags ,
2012-03-01 21:19:58 +04:00
req - > i ,
2008-12-01 01:15:34 +03:00
req - > analysers ) ;
/* We don't know whether we have enough data, so must proceed
* this way :
* - iterate through all rules in their declaration order
* - if one rule returns MISS , it means the inspect delay is
* not over yet , then return immediately , otherwise consider
* it as a non - match .
* - if one rule returns OK , then return OK
* - if one rule returns KO , then return KO
*/
2010-09-29 18:36:16 +04:00
if ( req - > flags & ( BF_SHUTR | BF_FULL ) | | ! s - > be - > tcp_req . inspect_delay | | tick_is_expired ( req - > analyse_exp , now_ms ) )
2008-12-01 01:15:34 +03:00
partial = 0 ;
else
partial = ACL_PARTIAL ;
2010-08-03 16:02:05 +04:00
list_for_each_entry ( rule , & s - > be - > tcp_req . inspect_rules , list ) {
2008-12-01 01:15:34 +03:00
int ret = ACL_PAT_PASS ;
if ( rule - > cond ) {
2010-08-03 16:02:05 +04:00
ret = acl_exec_cond ( rule - > cond , s - > be , s , & s - > txn , ACL_DIR_REQ | partial ) ;
2008-12-01 01:15:34 +03:00
if ( ret = = ACL_PAT_MISS ) {
2009-09-19 23:04:57 +04:00
buffer_dont_connect ( req ) ;
2008-12-01 01:15:34 +03:00
/* just set the request timeout once at the beginning of the request */
2010-08-03 16:02:05 +04:00
if ( ! tick_isset ( req - > analyse_exp ) & & s - > be - > tcp_req . inspect_delay )
req - > analyse_exp = tick_add_ifset ( now_ms , s - > be - > tcp_req . inspect_delay ) ;
2008-12-01 01:15:34 +03:00
return 0 ;
}
ret = acl_pass ( ret ) ;
if ( rule - > cond - > pol = = ACL_COND_UNLESS )
ret = ! ret ;
}
if ( ret ) {
/* we have a matching rule. */
if ( rule - > action = = TCP_ACT_REJECT ) {
buffer_abort ( req ) ;
buffer_abort ( s - > rep ) ;
req - > analysers = 0 ;
2009-10-04 17:43:17 +04:00
2011-03-11 01:25:56 +03:00
s - > be - > be_counters . denied_req + + ;
s - > fe - > fe_counters . denied_req + + ;
2009-10-04 17:43:17 +04:00
if ( s - > listener - > counters )
2010-05-24 01:50:44 +04:00
s - > listener - > counters - > denied_req + + ;
2009-10-04 17:43:17 +04:00
2008-12-01 01:15:34 +03:00
if ( ! ( s - > flags & SN_ERR_MASK ) )
s - > flags | = SN_ERR_PRXCOND ;
if ( ! ( s - > flags & SN_FINST_MASK ) )
s - > flags | = SN_FINST_R ;
return 0 ;
}
2010-08-06 21:06:56 +04:00
else if ( rule - > action = = TCP_ACT_TRK_SC1 ) {
if ( ! s - > stkctr1_entry ) {
/* only the first valid track-sc1 directive applies.
2010-08-03 21:34:32 +04:00
* Also , note that right now we can only track SRC so we
* don ' t check how to get the key , but later we may need
* to consider rule - > act_prm - > trk_ctr . type .
*/
t = rule - > act_prm . trk_ctr . table . t ;
2011-03-24 13:09:31 +03:00
ts = stktable_get_entry ( t , tcp_src_to_stktable_key ( s ) ) ;
2010-08-06 22:11:05 +04:00
if ( ts ) {
2010-08-06 21:06:56 +04:00
session_track_stkctr1 ( s , t , ts ) ;
2010-08-06 22:11:05 +04:00
if ( s - > fe ! = s - > be )
s - > flags | = SN_BE_TRACK_SC1 ;
}
2010-08-03 21:34:32 +04:00
}
}
2010-08-06 21:06:56 +04:00
else if ( rule - > action = = TCP_ACT_TRK_SC2 ) {
if ( ! s - > stkctr2_entry ) {
/* only the first valid track-sc2 directive applies.
2010-08-03 21:34:32 +04:00
* Also , note that right now we can only track SRC so we
* don ' t check how to get the key , but later we may need
* to consider rule - > act_prm - > trk_ctr . type .
*/
t = rule - > act_prm . trk_ctr . table . t ;
2011-03-24 13:09:31 +03:00
ts = stktable_get_entry ( t , tcp_src_to_stktable_key ( s ) ) ;
2010-08-06 22:11:05 +04:00
if ( ts ) {
2010-08-06 21:06:56 +04:00
session_track_stkctr2 ( s , t , ts ) ;
2010-08-06 22:11:05 +04:00
if ( s - > fe ! = s - > be )
s - > flags | = SN_BE_TRACK_SC2 ;
}
2010-08-03 21:34:32 +04:00
}
}
else {
2008-12-01 01:15:34 +03:00
/* otherwise accept */
2010-08-03 21:34:32 +04:00
break ;
}
2008-12-01 01:15:34 +03:00
}
}
/* if we get there, it means we have no rule which matches, or
* we have an explicit accept , so we apply the default accept .
*/
2009-07-07 12:55:49 +04:00
req - > analysers & = ~ an_bit ;
2008-12-01 01:15:34 +03:00
req - > analyse_exp = TICK_ETERNITY ;
return 1 ;
}
2010-09-23 19:56:44 +04:00
/* This function performs the TCP response analysis on the current response. It
* returns 1 if the processing can continue on next analysers , or zero if it
* needs more data , encounters an error , or wants to immediately abort the
* response . It relies on buffers flags , and updates s - > rep - > analysers . The
* function may be called for backend rules .
*/
int tcp_inspect_response ( struct session * s , struct buffer * rep , int an_bit )
{
struct tcp_rule * rule ;
int partial ;
2012-03-01 21:19:58 +04:00
DPRINTF ( stderr , " [%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bh=%d analysers=%02x \n " ,
2010-09-23 19:56:44 +04:00
now_ms , __FUNCTION__ ,
s ,
rep ,
rep - > rex , rep - > wex ,
rep - > flags ,
2012-03-01 21:19:58 +04:00
rep - > i ,
2010-09-23 19:56:44 +04:00
rep - > analysers ) ;
/* We don't know whether we have enough data, so must proceed
* this way :
* - iterate through all rules in their declaration order
* - if one rule returns MISS , it means the inspect delay is
* not over yet , then return immediately , otherwise consider
* it as a non - match .
* - if one rule returns OK , then return OK
* - if one rule returns KO , then return KO
*/
if ( rep - > flags & BF_SHUTR | | tick_is_expired ( rep - > analyse_exp , now_ms ) )
partial = 0 ;
else
partial = ACL_PARTIAL ;
list_for_each_entry ( rule , & s - > be - > tcp_rep . inspect_rules , list ) {
int ret = ACL_PAT_PASS ;
if ( rule - > cond ) {
ret = acl_exec_cond ( rule - > cond , s - > be , s , & s - > txn , ACL_DIR_RTR | partial ) ;
if ( ret = = ACL_PAT_MISS ) {
/* just set the analyser timeout once at the beginning of the response */
if ( ! tick_isset ( rep - > analyse_exp ) & & s - > be - > tcp_rep . inspect_delay )
rep - > analyse_exp = tick_add_ifset ( now_ms , s - > be - > tcp_rep . inspect_delay ) ;
return 0 ;
}
ret = acl_pass ( ret ) ;
if ( rule - > cond - > pol = = ACL_COND_UNLESS )
ret = ! ret ;
}
if ( ret ) {
/* we have a matching rule. */
if ( rule - > action = = TCP_ACT_REJECT ) {
buffer_abort ( rep ) ;
buffer_abort ( s - > req ) ;
rep - > analysers = 0 ;
2011-03-11 01:25:56 +03:00
s - > be - > be_counters . denied_resp + + ;
s - > fe - > fe_counters . denied_resp + + ;
2010-09-23 19:56:44 +04:00
if ( s - > listener - > counters )
s - > listener - > counters - > denied_resp + + ;
if ( ! ( s - > flags & SN_ERR_MASK ) )
s - > flags | = SN_ERR_PRXCOND ;
if ( ! ( s - > flags & SN_FINST_MASK ) )
s - > flags | = SN_FINST_D ;
return 0 ;
}
else {
/* otherwise accept */
break ;
}
}
}
/* if we get there, it means we have no rule which matches, or
* we have an explicit accept , so we apply the default accept .
*/
rep - > analysers & = ~ an_bit ;
rep - > analyse_exp = TICK_ETERNITY ;
return 1 ;
}
2010-05-31 12:30:33 +04:00
/* This function performs the TCP layer4 analysis on the current request. It
* returns 0 if a reject rule matches , otherwise 1 if either an accept rule
* matches or if no more rule matches . It can only use rules which don ' t need
* any data .
*/
int tcp_exec_req_rules ( struct session * s )
{
struct tcp_rule * rule ;
2010-08-03 18:29:52 +04:00
struct stksess * ts ;
2010-06-14 23:04:55 +04:00
struct stktable * t = NULL ;
int result = 1 ;
2010-05-31 12:30:33 +04:00
int ret ;
list_for_each_entry ( rule , & s - > fe - > tcp_req . l4_rules , list ) {
ret = ACL_PAT_PASS ;
if ( rule - > cond ) {
ret = acl_exec_cond ( rule - > cond , s - > fe , s , NULL , ACL_DIR_REQ ) ;
ret = acl_pass ( ret ) ;
if ( rule - > cond - > pol = = ACL_COND_UNLESS )
ret = ! ret ;
}
if ( ret ) {
/* we have a matching rule. */
if ( rule - > action = = TCP_ACT_REJECT ) {
2011-03-11 01:25:56 +03:00
s - > fe - > fe_counters . denied_conn + + ;
2010-05-31 12:30:33 +04:00
if ( s - > listener - > counters )
2010-06-05 17:43:21 +04:00
s - > listener - > counters - > denied_conn + + ;
2010-05-31 12:30:33 +04:00
if ( ! ( s - > flags & SN_ERR_MASK ) )
s - > flags | = SN_ERR_PRXCOND ;
if ( ! ( s - > flags & SN_FINST_MASK ) )
s - > flags | = SN_FINST_R ;
2010-06-14 23:04:55 +04:00
result = 0 ;
break ;
}
2010-08-06 21:06:56 +04:00
else if ( rule - > action = = TCP_ACT_TRK_SC1 ) {
if ( ! s - > stkctr1_entry ) {
/* only the first valid track-sc1 directive applies.
2010-06-14 23:04:55 +04:00
* Also , note that right now we can only track SRC so we
* don ' t check how to get the key , but later we may need
* to consider rule - > act_prm - > trk_ctr . type .
*/
t = rule - > act_prm . trk_ctr . table . t ;
2011-03-24 13:09:31 +03:00
ts = stktable_get_entry ( t , tcp_src_to_stktable_key ( s ) ) ;
2010-06-14 23:04:55 +04:00
if ( ts )
2010-08-06 21:06:56 +04:00
session_track_stkctr1 ( s , t , ts ) ;
2010-08-03 18:29:52 +04:00
}
}
2010-08-06 21:06:56 +04:00
else if ( rule - > action = = TCP_ACT_TRK_SC2 ) {
if ( ! s - > stkctr2_entry ) {
/* only the first valid track-sc2 directive applies.
2010-08-03 18:29:52 +04:00
* Also , note that right now we can only track SRC so we
* don ' t check how to get the key , but later we may need
* to consider rule - > act_prm - > trk_ctr . type .
*/
t = rule - > act_prm . trk_ctr . table . t ;
2011-03-24 13:09:31 +03:00
ts = stktable_get_entry ( t , tcp_src_to_stktable_key ( s ) ) ;
2010-08-03 18:29:52 +04:00
if ( ts )
2010-08-06 21:06:56 +04:00
session_track_stkctr2 ( s , t , ts ) ;
2010-06-14 23:04:55 +04:00
}
}
else {
/* otherwise it's an accept */
break ;
2010-05-31 12:30:33 +04:00
}
}
}
2010-06-14 23:04:55 +04:00
return result ;
2010-05-31 12:30:33 +04:00
}
2010-09-23 19:56:44 +04:00
/* Parse a tcp-response rule. Return a negative value in case of failure */
static int tcp_parse_response_rule ( char * * args , int arg , int section_type ,
struct proxy * curpx , struct proxy * defpx ,
struct tcp_rule * rule , char * err , int errlen )
{
if ( curpx = = defpx | | ! ( curpx - > cap & PR_CAP_BE ) ) {
snprintf ( err , errlen , " %s %s is only allowed in 'backend' sections " ,
args [ 0 ] , args [ 1 ] ) ;
return - 1 ;
}
if ( strcmp ( args [ arg ] , " accept " ) = = 0 ) {
arg + + ;
rule - > action = TCP_ACT_ACCEPT ;
}
else if ( strcmp ( args [ arg ] , " reject " ) = = 0 ) {
arg + + ;
rule - > action = TCP_ACT_REJECT ;
}
else {
snprintf ( err , errlen ,
" '%s %s' expects 'accept' or 'reject' in %s '%s' (was '%s') " ,
args [ 0 ] , args [ 1 ] , proxy_type_str ( curpx ) , curpx - > id , args [ arg ] ) ;
return - 1 ;
}
if ( strcmp ( args [ arg ] , " if " ) = = 0 | | strcmp ( args [ arg ] , " unless " ) = = 0 ) {
if ( ( rule - > cond = build_acl_cond ( NULL , 0 , curpx , ( const char * * ) args + arg ) ) = = NULL ) {
snprintf ( err , errlen ,
" error detected in %s '%s' while parsing '%s' condition " ,
proxy_type_str ( curpx ) , curpx - > id , args [ arg ] ) ;
return - 1 ;
}
}
else if ( * args [ arg ] ) {
snprintf ( err , errlen ,
" '%s %s %s' only accepts 'if' or 'unless', in %s '%s' (was '%s') " ,
args [ 0 ] , args [ 1 ] , args [ 2 ] , proxy_type_str ( curpx ) , curpx - > id , args [ arg ] ) ;
return - 1 ;
}
return 0 ;
}
2010-08-06 17:08:45 +04:00
/* Parse a tcp-request rule. Return a negative value in case of failure */
static int tcp_parse_request_rule ( char * * args , int arg , int section_type ,
struct proxy * curpx , struct proxy * defpx ,
struct tcp_rule * rule , char * err , int errlen )
{
if ( curpx = = defpx ) {
snprintf ( err , errlen , " %s %s is not allowed in 'defaults' sections " ,
args [ 0 ] , args [ 1 ] ) ;
return - 1 ;
}
if ( ! strcmp ( args [ arg ] , " accept " ) ) {
arg + + ;
rule - > action = TCP_ACT_ACCEPT ;
}
else if ( ! strcmp ( args [ arg ] , " reject " ) ) {
arg + + ;
rule - > action = TCP_ACT_REJECT ;
}
2010-08-06 21:06:56 +04:00
else if ( strcmp ( args [ arg ] , " track-sc1 " ) = = 0 ) {
2010-08-06 17:08:45 +04:00
int ret ;
arg + + ;
ret = parse_track_counters ( args , & arg , section_type , curpx ,
& rule - > act_prm . trk_ctr , defpx , err , errlen ) ;
if ( ret < 0 ) /* nb: warnings are not handled yet */
return - 1 ;
2010-08-06 21:06:56 +04:00
rule - > action = TCP_ACT_TRK_SC1 ;
2010-08-06 17:08:45 +04:00
}
2010-08-06 21:06:56 +04:00
else if ( strcmp ( args [ arg ] , " track-sc2 " ) = = 0 ) {
2010-08-06 17:08:45 +04:00
int ret ;
arg + + ;
ret = parse_track_counters ( args , & arg , section_type , curpx ,
& rule - > act_prm . trk_ctr , defpx , err , errlen ) ;
if ( ret < 0 ) /* nb: warnings are not handled yet */
return - 1 ;
2010-08-06 21:06:56 +04:00
rule - > action = TCP_ACT_TRK_SC2 ;
2010-08-06 17:08:45 +04:00
}
else {
snprintf ( err , errlen ,
2010-08-06 21:06:56 +04:00
" '%s %s' expects 'accept', 'reject', 'track-sc1' "
" or 'track-sc2' in %s '%s' (was '%s') " ,
2010-08-06 17:08:45 +04:00
args [ 0 ] , args [ 1 ] , proxy_type_str ( curpx ) , curpx - > id , args [ arg ] ) ;
return - 1 ;
}
if ( strcmp ( args [ arg ] , " if " ) = = 0 | | strcmp ( args [ arg ] , " unless " ) = = 0 ) {
if ( ( rule - > cond = build_acl_cond ( NULL , 0 , curpx , ( const char * * ) args + arg ) ) = = NULL ) {
snprintf ( err , errlen ,
" error detected in %s '%s' while parsing '%s' condition " ,
proxy_type_str ( curpx ) , curpx - > id , args [ arg ] ) ;
return - 1 ;
}
}
else if ( * args [ arg ] ) {
snprintf ( err , errlen ,
" '%s %s %s' only accepts 'if' or 'unless', in %s '%s' (was '%s') " ,
args [ 0 ] , args [ 1 ] , args [ 2 ] , proxy_type_str ( curpx ) , curpx - > id , args [ arg ] ) ;
return - 1 ;
}
return 0 ;
}
2010-09-23 19:56:44 +04:00
/* This function should be called to parse a line starting with the "tcp-response"
* keyword .
*/
static int tcp_parse_tcp_rep ( char * * args , int section_type , struct proxy * curpx ,
struct proxy * defpx , char * err , int errlen )
{
const char * ptr = NULL ;
unsigned int val ;
int retlen ;
int warn = 0 ;
int arg ;
struct tcp_rule * rule ;
if ( ! * args [ 1 ] ) {
snprintf ( err , errlen , " missing argument for '%s' in %s '%s' " ,
args [ 0 ] , proxy_type_str ( curpx ) , curpx - > id ) ;
return - 1 ;
}
if ( strcmp ( args [ 1 ] , " inspect-delay " ) = = 0 ) {
if ( curpx = = defpx | | ! ( curpx - > cap & PR_CAP_BE ) ) {
snprintf ( err , errlen , " %s %s is only allowed in 'backend' sections " ,
args [ 0 ] , args [ 1 ] ) ;
return - 1 ;
}
if ( ! * args [ 2 ] | | ( ptr = parse_time_err ( args [ 2 ] , & val , TIME_UNIT_MS ) ) ) {
retlen = snprintf ( err , errlen ,
" '%s %s' expects a positive delay in milliseconds, in %s '%s' " ,
args [ 0 ] , args [ 1 ] , proxy_type_str ( curpx ) , curpx - > id ) ;
if ( ptr & & retlen < errlen )
retlen + = snprintf ( err + retlen , errlen - retlen ,
" (unexpected character '%c') " , * ptr ) ;
return - 1 ;
}
if ( curpx - > tcp_rep . inspect_delay ) {
snprintf ( err , errlen , " ignoring %s %s (was already defined) in %s '%s' " ,
args [ 0 ] , args [ 1 ] , proxy_type_str ( curpx ) , curpx - > id ) ;
return 1 ;
}
curpx - > tcp_rep . inspect_delay = val ;
return 0 ;
}
2011-06-24 10:11:37 +04:00
rule = calloc ( 1 , sizeof ( * rule ) ) ;
2010-09-23 19:56:44 +04:00
LIST_INIT ( & rule - > list ) ;
arg = 1 ;
if ( strcmp ( args [ 1 ] , " content " ) = = 0 ) {
arg + + ;
if ( tcp_parse_response_rule ( args , arg , section_type , curpx , defpx , rule , err , errlen ) < 0 )
goto error ;
if ( rule - > cond & & ( rule - > cond - > requires & ACL_USE_L6REQ_VOLATILE ) ) {
struct acl * acl ;
const char * name ;
acl = cond_find_require ( rule - > cond , ACL_USE_L6REQ_VOLATILE ) ;
name = acl ? acl - > name : " (unknown) " ;
retlen = snprintf ( err , errlen ,
" acl '%s' involves some request-only criteria which will be ignored. " ,
name ) ;
warn + + ;
}
LIST_ADDQ ( & curpx - > tcp_rep . inspect_rules , & rule - > list ) ;
}
else {
retlen = snprintf ( err , errlen ,
" '%s' expects 'inspect-delay' or 'content' in %s '%s' (was '%s') " ,
args [ 0 ] , proxy_type_str ( curpx ) , curpx - > id , args [ 1 ] ) ;
goto error ;
}
return warn ;
error :
free ( rule ) ;
return - 1 ;
}
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
/* This function should be called to parse a line starting with the "tcp-request"
* keyword .
*/
static int tcp_parse_tcp_req ( char * * args , int section_type , struct proxy * curpx ,
struct proxy * defpx , char * err , int errlen )
{
const char * ptr = NULL ;
2008-08-17 19:13:47 +04:00
unsigned int val ;
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
int retlen ;
2010-05-24 00:40:30 +04:00
int warn = 0 ;
2010-06-14 18:44:27 +04:00
int arg ;
2010-05-24 00:40:30 +04:00
struct tcp_rule * rule ;
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
if ( ! * args [ 1 ] ) {
snprintf ( err , errlen , " missing argument for '%s' in %s '%s' " ,
2010-06-14 20:40:26 +04:00
args [ 0 ] , proxy_type_str ( curpx ) , curpx - > id ) ;
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
return - 1 ;
}
if ( ! strcmp ( args [ 1 ] , " inspect-delay " ) ) {
if ( curpx = = defpx ) {
snprintf ( err , errlen , " %s %s is not allowed in 'defaults' sections " ,
args [ 0 ] , args [ 1 ] ) ;
return - 1 ;
}
if ( ! * args [ 2 ] | | ( ptr = parse_time_err ( args [ 2 ] , & val , TIME_UNIT_MS ) ) ) {
retlen = snprintf ( err , errlen ,
" '%s %s' expects a positive delay in milliseconds, in %s '%s' " ,
2010-06-14 20:40:26 +04:00
args [ 0 ] , args [ 1 ] , proxy_type_str ( curpx ) , curpx - > id ) ;
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
if ( ptr & & retlen < errlen )
retlen + = snprintf ( err + retlen , errlen - retlen ,
" (unexpected character '%c') " , * ptr ) ;
return - 1 ;
}
if ( curpx - > tcp_req . inspect_delay ) {
snprintf ( err , errlen , " ignoring %s %s (was already defined) in %s '%s' " ,
2010-06-14 20:40:26 +04:00
args [ 0 ] , args [ 1 ] , proxy_type_str ( curpx ) , curpx - > id ) ;
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
return 1 ;
}
curpx - > tcp_req . inspect_delay = val ;
return 0 ;
}
2011-06-24 10:11:37 +04:00
rule = calloc ( 1 , sizeof ( * rule ) ) ;
2010-08-20 15:35:41 +04:00
LIST_INIT ( & rule - > list ) ;
2010-06-14 18:44:27 +04:00
arg = 1 ;
2010-08-06 17:08:45 +04:00
if ( strcmp ( args [ 1 ] , " content " ) = = 0 ) {
2010-08-03 21:34:32 +04:00
arg + + ;
2010-08-06 17:08:45 +04:00
if ( tcp_parse_request_rule ( args , arg , section_type , curpx , defpx , rule , err , errlen ) < 0 )
2010-06-14 18:44:27 +04:00
goto error ;
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
2010-06-14 18:44:27 +04:00
if ( rule - > cond & & ( rule - > cond - > requires & ACL_USE_RTR_ANY ) ) {
2008-07-28 00:02:32 +04:00
struct acl * acl ;
const char * name ;
2010-06-14 18:44:27 +04:00
acl = cond_find_require ( rule - > cond , ACL_USE_RTR_ANY ) ;
2008-07-28 00:02:32 +04:00
name = acl ? acl - > name : " (unknown) " ;
retlen = snprintf ( err , errlen ,
2009-07-14 15:53:17 +04:00
" acl '%s' involves some response-only criteria which will be ignored. " ,
name ) ;
2008-07-28 00:02:32 +04:00
warn + + ;
}
2010-08-20 15:35:41 +04:00
LIST_ADDQ ( & curpx - > tcp_req . inspect_rules , & rule - > list ) ;
2010-06-14 23:04:55 +04:00
}
2010-08-06 17:08:45 +04:00
else if ( strcmp ( args [ 1 ] , " connection " ) = = 0 ) {
2010-06-14 23:04:55 +04:00
arg + + ;
2010-08-03 18:29:52 +04:00
2010-08-06 17:08:45 +04:00
if ( ! ( curpx - > cap & PR_CAP_FE ) ) {
snprintf ( err , errlen , " %s %s is not allowed because %s %s is not a frontend " ,
args [ 0 ] , args [ 1 ] , proxy_type_str ( curpx ) , curpx - > id ) ;
2011-07-15 08:14:06 +04:00
goto error ;
2010-08-06 17:08:45 +04:00
}
2010-08-03 18:29:52 +04:00
2010-08-06 17:08:45 +04:00
if ( tcp_parse_request_rule ( args , arg , section_type , curpx , defpx , rule , err , errlen ) < 0 )
2010-08-03 18:29:52 +04:00
goto error ;
2010-08-06 17:08:45 +04:00
if ( rule - > cond & & ( rule - > cond - > requires & ( ACL_USE_RTR_ANY | ACL_USE_L6_ANY | ACL_USE_L7_ANY ) ) ) {
struct acl * acl ;
const char * name ;
2010-06-14 23:04:55 +04:00
2010-08-06 17:08:45 +04:00
acl = cond_find_require ( rule - > cond , ACL_USE_RTR_ANY | ACL_USE_L6_ANY | ACL_USE_L7_ANY ) ;
name = acl ? acl - > name : " (unknown) " ;
2010-06-14 23:04:55 +04:00
2010-08-06 17:08:45 +04:00
if ( acl - > requires & ( ACL_USE_L6_ANY | ACL_USE_L7_ANY ) ) {
retlen = snprintf ( err , errlen ,
" '%s %s' may not reference acl '%s' which makes use of "
" payload in %s '%s'. Please use '%s content' for this. " ,
args [ 0 ] , args [ 1 ] , name , proxy_type_str ( curpx ) , curpx - > id , args [ 0 ] ) ;
goto error ;
}
if ( acl - > requires & ACL_USE_RTR_ANY )
retlen = snprintf ( err , errlen ,
" acl '%s' involves some response-only criteria which will be ignored. " ,
name ) ;
warn + + ;
}
2010-08-20 15:35:41 +04:00
LIST_ADDQ ( & curpx - > tcp_req . l4_rules , & rule - > list ) ;
2010-06-14 23:04:55 +04:00
}
2010-05-24 00:40:30 +04:00
else {
retlen = snprintf ( err , errlen ,
2010-08-06 17:08:45 +04:00
" '%s' expects 'inspect-delay', 'connection', or 'content' in %s '%s' (was '%s') " ,
2010-05-24 00:40:30 +04:00
args [ 0 ] , proxy_type_str ( curpx ) , curpx - > id , args [ 1 ] ) ;
2010-06-14 18:44:27 +04:00
goto error ;
2010-05-24 00:40:30 +04:00
}
return warn ;
2010-06-14 18:44:27 +04:00
error :
free ( rule ) ;
return - 1 ;
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
}
2010-05-24 22:55:15 +04:00
/************************************************************************/
/* All supported ACL keywords must be declared here. */
/************************************************************************/
2011-12-16 20:49:52 +04:00
/* copy the source IPv4/v6 address into temp_pattern */
2010-05-24 22:55:15 +04:00
static int
acl_fetch_src ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-23 18:16:37 +04:00
struct acl_expr * expr , struct sample * smp )
2010-05-24 22:55:15 +04:00
{
2011-12-16 20:49:52 +04:00
switch ( l4 - > si [ 0 ] . addr . from . ss_family ) {
case AF_INET :
2012-04-23 20:53:56 +04:00
smp - > data . ipv4 = ( ( struct sockaddr_in * ) & l4 - > si [ 0 ] . addr . from ) - > sin_addr ;
smp - > type = SMP_T_IPV4 ;
2011-12-16 20:49:52 +04:00
break ;
case AF_INET6 :
2012-04-23 20:53:56 +04:00
smp - > data . ipv6 = ( ( struct sockaddr_in6 * ) ( & l4 - > si [ 0 ] . addr . from ) ) - > sin6_addr ;
smp - > type = SMP_T_IPV6 ;
2011-12-16 20:49:52 +04:00
break ;
default :
2010-10-22 19:14:01 +04:00
return 0 ;
2011-12-16 20:49:52 +04:00
}
2010-10-22 19:14:01 +04:00
2012-04-23 18:16:37 +04:00
smp - > flags = 0 ;
2010-05-24 22:55:15 +04:00
return 1 ;
}
2011-03-24 13:09:31 +03:00
/* extract the connection's source ipv4 address */
2010-05-24 22:55:15 +04:00
static int
pattern_fetch_src ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-24 00:03:39 +04:00
const struct arg * arg_p , struct sample * smp )
2010-05-24 22:55:15 +04:00
{
2011-09-23 12:54:59 +04:00
if ( l4 - > si [ 0 ] . addr . from . ss_family ! = AF_INET )
2010-10-22 19:14:01 +04:00
return 0 ;
2012-04-24 00:03:39 +04:00
smp - > data . ipv4 . s_addr = ( ( struct sockaddr_in * ) & l4 - > si [ 0 ] . addr . from ) - > sin_addr . s_addr ;
2010-05-24 22:55:15 +04:00
return 1 ;
}
2011-03-24 13:09:31 +03:00
/* extract the connection's source ipv6 address */
static int
pattern_fetch_src6 ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-24 00:03:39 +04:00
const struct arg * arg_p , struct sample * smp )
2011-03-24 13:09:31 +03:00
{
2011-09-23 12:54:59 +04:00
if ( l4 - > si [ 0 ] . addr . from . ss_family ! = AF_INET6 )
2011-03-24 13:09:31 +03:00
return 0 ;
2012-04-24 00:03:39 +04:00
memcpy ( smp - > data . ipv6 . s6_addr , ( ( struct sockaddr_in6 * ) & l4 - > si [ 0 ] . addr . from ) - > sin6_addr . s6_addr , sizeof ( smp - > data . ipv6 . s6_addr ) ) ;
2011-03-24 13:09:31 +03:00
return 1 ;
}
2010-05-24 22:55:15 +04:00
2011-12-16 20:06:15 +04:00
/* set temp integer to the connection's source port */
2010-05-24 22:55:15 +04:00
static int
acl_fetch_sport ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-23 18:16:37 +04:00
struct acl_expr * expr , struct sample * smp )
2010-05-24 22:55:15 +04:00
{
2012-04-23 20:53:56 +04:00
smp - > type = SMP_T_UINT ;
if ( ! ( smp - > data . uint = get_host_port ( & l4 - > si [ 0 ] . addr . from ) ) )
2010-10-22 19:14:01 +04:00
return 0 ;
2012-04-23 18:16:37 +04:00
smp - > flags = 0 ;
2010-05-24 22:55:15 +04:00
return 1 ;
}
/* set test->ptr to point to the frontend's IPv4/IPv6 address and test->i to the family */
static int
acl_fetch_dst ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-23 18:16:37 +04:00
struct acl_expr * expr , struct sample * smp )
2010-05-24 22:55:15 +04:00
{
2012-04-07 20:03:52 +04:00
stream_sock_get_to_addr ( & l4 - > si [ 0 ] ) ;
2010-05-24 22:55:15 +04:00
2011-12-16 20:49:52 +04:00
switch ( l4 - > si [ 0 ] . addr . to . ss_family ) {
case AF_INET :
2012-04-23 20:53:56 +04:00
smp - > data . ipv4 = ( ( struct sockaddr_in * ) & l4 - > si [ 0 ] . addr . to ) - > sin_addr ;
smp - > type = SMP_T_IPV4 ;
2011-12-16 20:49:52 +04:00
break ;
case AF_INET6 :
2012-04-23 20:53:56 +04:00
smp - > data . ipv6 = ( ( struct sockaddr_in6 * ) ( & l4 - > si [ 0 ] . addr . to ) ) - > sin6_addr ;
smp - > type = SMP_T_IPV6 ;
2011-12-16 20:49:52 +04:00
break ;
default :
2010-10-22 19:14:01 +04:00
return 0 ;
2011-12-16 20:49:52 +04:00
}
2010-10-22 19:14:01 +04:00
2012-04-23 18:16:37 +04:00
smp - > flags = 0 ;
2010-05-24 22:55:15 +04:00
return 1 ;
}
2011-03-24 13:09:31 +03:00
/* extract the connection's destination ipv4 address */
2010-05-24 22:55:15 +04:00
static int
pattern_fetch_dst ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-24 00:03:39 +04:00
const struct arg * arg_p , struct sample * smp )
2010-05-24 22:55:15 +04:00
{
2012-04-07 20:03:52 +04:00
stream_sock_get_to_addr ( & l4 - > si [ 0 ] ) ;
2010-10-22 19:06:26 +04:00
2011-09-23 12:54:59 +04:00
if ( l4 - > si [ 0 ] . addr . to . ss_family ! = AF_INET )
2010-10-22 19:14:01 +04:00
return 0 ;
2012-04-24 00:03:39 +04:00
smp - > data . ipv4 . s_addr = ( ( struct sockaddr_in * ) & l4 - > si [ 0 ] . addr . to ) - > sin_addr . s_addr ;
2010-05-24 22:55:15 +04:00
return 1 ;
}
2011-03-24 13:09:31 +03:00
/* extract the connection's destination ipv6 address */
static int
pattern_fetch_dst6 ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-24 00:03:39 +04:00
const struct arg * arg_p , struct sample * smp )
2011-03-24 13:09:31 +03:00
{
2012-04-07 20:03:52 +04:00
stream_sock_get_to_addr ( & l4 - > si [ 0 ] ) ;
2011-03-24 13:09:31 +03:00
2011-09-23 12:54:59 +04:00
if ( l4 - > si [ 0 ] . addr . to . ss_family ! = AF_INET6 )
2011-03-24 13:09:31 +03:00
return 0 ;
2012-04-24 00:03:39 +04:00
memcpy ( smp - > data . ipv6 . s6_addr , ( ( struct sockaddr_in6 * ) & l4 - > si [ 0 ] . addr . to ) - > sin6_addr . s6_addr , sizeof ( smp - > data . ipv6 . s6_addr ) ) ;
2011-03-24 13:09:31 +03:00
return 1 ;
}
2011-12-16 20:06:15 +04:00
/* set temp integer to the frontend connexion's destination port */
2010-05-24 22:55:15 +04:00
static int
acl_fetch_dport ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-23 18:16:37 +04:00
struct acl_expr * expr , struct sample * smp )
2010-05-24 22:55:15 +04:00
{
2012-04-07 20:03:52 +04:00
stream_sock_get_to_addr ( & l4 - > si [ 0 ] ) ;
2010-05-24 22:55:15 +04:00
2012-04-23 20:53:56 +04:00
smp - > type = SMP_T_UINT ;
if ( ! ( smp - > data . uint = get_host_port ( & l4 - > si [ 0 ] . addr . to ) ) )
2010-10-22 19:14:01 +04:00
return 0 ;
2012-04-23 18:16:37 +04:00
smp - > flags = 0 ;
2010-05-24 22:55:15 +04:00
return 1 ;
}
static int
pattern_fetch_dport ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-24 00:03:39 +04:00
const struct arg * arg , struct sample * smp )
2010-05-24 22:55:15 +04:00
{
2012-04-07 20:03:52 +04:00
stream_sock_get_to_addr ( & l4 - > si [ 0 ] ) ;
2010-10-22 19:06:26 +04:00
2012-04-24 00:03:39 +04:00
if ( ! ( smp - > data . uint = get_host_port ( & l4 - > si [ 0 ] . addr . to ) ) )
2010-10-22 19:14:01 +04:00
return 0 ;
2010-05-24 22:55:15 +04:00
return 1 ;
}
2010-11-05 20:13:50 +03:00
static int
pattern_fetch_payloadlv ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-24 00:03:39 +04:00
const struct arg * arg_p , struct sample * smp )
2010-11-05 20:13:50 +03:00
{
2012-04-20 14:29:52 +04:00
int len_offset = arg_p [ 0 ] . data . uint ;
int len_size = arg_p [ 1 ] . data . uint ;
int buf_offset = arg_p [ 2 ] . data . uint ;
2010-11-05 20:13:50 +03:00
int buf_size = 0 ;
struct buffer * b ;
int i ;
/* Format is (len offset, len size, buf offset) or (len offset, len size) */
/* by default buf offset == len offset + len size */
/* buf offset could be absolute or relative to len offset + len size if prefixed by + or - */
if ( ! l4 )
return 0 ;
b = ( dir & PATTERN_FETCH_RTR ) ? l4 - > rep : l4 - > req ;
2012-03-01 21:19:58 +04:00
if ( ! b | | ! b - > i )
2010-11-05 20:13:50 +03:00
return 0 ;
2012-03-01 21:19:58 +04:00
if ( len_offset + len_size > b - > i )
2010-11-05 20:13:50 +03:00
return 0 ;
for ( i = 0 ; i < len_size ; i + + ) {
2012-03-02 19:13:16 +04:00
buf_size = ( buf_size < < 8 ) + ( ( unsigned char * ) b - > p ) [ i + len_offset ] ;
2010-11-05 20:13:50 +03:00
}
if ( ! buf_size )
return 0 ;
2012-04-20 16:45:49 +04:00
/* buf offset may be implicit, absolute or relative */
buf_offset = len_offset + len_size ;
if ( arg_p [ 2 ] . type = = ARGT_UINT )
buf_offset = arg_p [ 2 ] . data . uint ;
else if ( arg_p [ 2 ] . type = = ARGT_SINT )
buf_offset + = arg_p [ 2 ] . data . sint ;
2012-03-01 21:19:58 +04:00
if ( buf_offset + buf_size > b - > i )
2010-11-05 20:13:50 +03:00
return 0 ;
/* init chunk as read only */
2012-04-24 00:03:39 +04:00
chunk_initlen ( & smp - > data . str , b - > p + buf_offset , 0 , buf_size ) ;
2010-11-05 20:13:50 +03:00
return 1 ;
}
static int
pattern_fetch_payload ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-24 00:03:39 +04:00
const struct arg * arg_p , struct sample * smp )
2010-11-05 20:13:50 +03:00
{
2012-04-20 14:29:52 +04:00
int buf_offset = arg_p [ 0 ] . data . uint ;
int buf_size = arg_p [ 1 ] . data . uint ;
2010-11-05 20:13:50 +03:00
struct buffer * b ;
if ( ! l4 )
return 0 ;
b = ( dir & PATTERN_FETCH_RTR ) ? l4 - > rep : l4 - > req ;
2012-03-01 21:19:58 +04:00
if ( ! b | | ! b - > i )
2010-11-05 20:13:50 +03:00
return 0 ;
2012-03-01 21:19:58 +04:00
if ( buf_offset + buf_size > b - > i )
2010-11-05 20:13:50 +03:00
return 0 ;
/* init chunk as read only */
2012-04-24 00:03:39 +04:00
chunk_initlen ( & smp - > data . str , b - > p + buf_offset , 0 , buf_size ) ;
2010-11-05 20:13:50 +03:00
return 1 ;
}
2011-06-24 09:50:20 +04:00
static int
pattern_fetch_rdp_cookie ( struct proxy * px , struct session * l4 , void * l7 , int dir ,
2012-04-24 00:03:39 +04:00
const struct arg * arg_p , struct sample * smp )
2011-06-24 09:50:20 +04:00
{
int ret ;
struct acl_expr expr ;
2012-04-19 19:16:54 +04:00
struct arg args [ 2 ] ;
2011-06-24 09:50:20 +04:00
if ( ! l4 )
return 0 ;
memset ( & expr , 0 , sizeof ( expr ) ) ;
2012-04-24 00:03:39 +04:00
memset ( smp , 0 , sizeof ( * smp ) ) ;
2011-06-24 09:50:20 +04:00
2012-04-19 19:16:54 +04:00
args [ 0 ] . type = ARGT_STR ;
args [ 0 ] . data . str . str = arg_p [ 0 ] . data . str . str ;
args [ 0 ] . data . str . len = arg_p [ 0 ] . data . str . len ;
args [ 1 ] . type = ARGT_STOP ;
expr . args = args ;
2011-06-24 09:50:20 +04:00
2012-04-24 00:03:39 +04:00
ret = acl_fetch_rdp_cookie ( px , l4 , NULL , ACL_DIR_REQ , & expr , smp ) ;
if ( ret = = 0 | | ( smp - > flags & SMP_F_MAY_CHANGE ) | | smp - > data . str . len = = 0 )
2011-06-24 09:50:20 +04:00
return 0 ;
return 1 ;
}
2012-04-20 17:52:36 +04:00
/* This function is used to validate the arguments passed to a "payload" fetch
* keyword . This keyword expects two positive integers , with the second one
* being strictly positive . It is assumed that the types are already the correct
* ones . Returns 0 on error , non - zero if OK . If < err_msg > is not NULL , it will be
* filled with a pointer to an error message in case of error , that the caller
* is responsible for freeing . The initial location must either be freeable or
* NULL .
*/
static int val_payload ( struct arg * arg , char * * err_msg )
{
if ( ! arg [ 1 ] . data . uint ) {
if ( err_msg )
memprintf ( err_msg , " payload length must be > 0 " ) ;
return 0 ;
}
return 1 ;
}
/* This function is used to validate the arguments passed to a "payload_lv" fetch
* keyword . This keyword allows two positive integers and an optional signed one ,
* with the second one being strictly positive and the third one being greater than
* the opposite of the two others if negative . It is assumed that the types are
* already the correct ones . Returns 0 on error , non - zero if OK . If < err_msg > is
* not NULL , it will be filled with a pointer to an error message in case of
* error , that the caller is responsible for freeing . The initial location must
* either be freeable or NULL .
*/
static int val_payload_lv ( struct arg * arg , char * * err_msg )
{
if ( ! arg [ 1 ] . data . uint ) {
if ( err_msg )
memprintf ( err_msg , " payload length must be > 0 " ) ;
return 0 ;
}
if ( arg [ 2 ] . type = = ARGT_SINT & &
( int ) ( arg [ 0 ] . data . uint + arg [ 1 ] . data . uint + arg [ 2 ] . data . sint ) < 0 ) {
if ( err_msg )
memprintf ( err_msg , " payload offset too negative " ) ;
return 0 ;
}
return 1 ;
}
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
static struct cfg_kw_list cfg_kws = { { } , {
{ CFG_LISTEN , " tcp-request " , tcp_parse_tcp_req } ,
2010-09-23 19:56:44 +04:00
{ CFG_LISTEN , " tcp-response " , tcp_parse_tcp_rep } ,
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
{ 0 , NULL , NULL } ,
} } ;
2012-04-19 20:42:05 +04:00
/* Note: must not be declared <const> as its list will be overwritten.
* Please take care of keeping this list alphabetically sorted .
*/
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
static struct acl_kw_list acl_kws = { { } , {
2012-04-19 20:42:05 +04:00
{ " dst " , acl_parse_ip , acl_fetch_dst , acl_match_ip , ACL_USE_TCP4_PERMANENT | ACL_MAY_LOOKUP , 0 } ,
{ " dst_port " , acl_parse_int , acl_fetch_dport , acl_match_int , ACL_USE_TCP_PERMANENT , 0 } ,
{ " src " , acl_parse_ip , acl_fetch_src , acl_match_ip , ACL_USE_TCP4_PERMANENT | ACL_MAY_LOOKUP , 0 } ,
{ " src_port " , acl_parse_int , acl_fetch_sport , acl_match_int , ACL_USE_TCP_PERMANENT , 0 } ,
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
{ NULL , NULL , NULL , NULL } ,
} } ;
2010-05-24 22:55:15 +04:00
/* Note: must not be declared <const> as its list will be overwritten */
static struct pattern_fetch_kw_list pattern_fetch_keywords = { { } , {
2012-04-20 22:49:27 +04:00
{ " src " , pattern_fetch_src , 0 , NULL , SMP_T_IPV4 , PATTERN_FETCH_REQ } ,
{ " src6 " , pattern_fetch_src6 , 0 , NULL , SMP_T_IPV6 , PATTERN_FETCH_REQ } ,
{ " dst " , pattern_fetch_dst , 0 , NULL , SMP_T_IPV4 , PATTERN_FETCH_REQ } ,
{ " dst6 " , pattern_fetch_dst6 , 0 , NULL , SMP_T_IPV6 , PATTERN_FETCH_REQ } ,
{ " dst_port " , pattern_fetch_dport , 0 , NULL , SMP_T_UINT , PATTERN_FETCH_REQ } ,
{ " payload " , pattern_fetch_payload , ARG2 ( 2 , UINT , UINT ) , val_payload , SMP_T_CBIN , PATTERN_FETCH_REQ | PATTERN_FETCH_RTR } ,
{ " payload_lv " , pattern_fetch_payloadlv , ARG3 ( 2 , UINT , UINT , SINT ) , val_payload_lv , SMP_T_CBIN , PATTERN_FETCH_REQ | PATTERN_FETCH_RTR } ,
{ " rdp_cookie " , pattern_fetch_rdp_cookie , ARG1 ( 1 , STR ) , NULL , SMP_T_CSTR , PATTERN_FETCH_REQ } ,
2012-04-20 16:45:49 +04:00
{ NULL , NULL , 0 , 0 , 0 } ,
2010-05-24 22:55:15 +04:00
} } ;
2007-10-29 03:09:36 +03:00
__attribute__ ( ( constructor ) )
static void __tcp_protocol_init ( void )
{
protocol_register ( & proto_tcpv4 ) ;
protocol_register ( & proto_tcpv6 ) ;
2010-05-24 22:55:15 +04:00
pattern_register_fetches ( & pattern_fetch_keywords ) ;
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-15 01:54:42 +04:00
cfg_register_keywords ( & cfg_kws ) ;
acl_register_keywords ( & acl_kws ) ;
2007-10-29 03:09:36 +03:00
}
/*
* Local variables :
* c - indent - level : 8
* c - basic - offset : 8
* End :
*/
