MINOR: tcp: add "tcp-request connection expect-netscaler-cip layer4"

This configures the client-facing connection to receive a NetScaler
Client IP insertion protocol header before any byte is read from the
socket. This is equivalent to having the "accept-netscaler-cip" keyword
on the "bind" line, except that using the TCP rule allows the PROXY
protocol to be accepted only for certain IP address ranges using an ACL.
This is convenient when multiple layers of load balancers are passed
through by traffic coming from public hosts.
Bertrand Jacquin 2016-06-06 15:35:39 +01:00 committed by Willy Tarreau
parent 93b227db95
commit 9075968356
3 changed files with 35 additions and 1 deletions

@ -8652,6 +8652,15 @@ tcp-request connection <action> [{if | unless} <condition>]
of load balancers are passed through by traffic coming from public of load balancers are passed through by traffic coming from public
hosts. hosts.
- expect-netscaler-cip layer4 :
configures the client-facing connection to receive a NetScaler Client
IP insertion protocol header before any byte is read from the socket.
This is equivalent to having the "accept-netscaler-cip" keyword on the
"bind" line, except that using the TCP rule allows the PROXY protocol
to be accepted only for certain IP address ranges using an ACL. This
is convenient when multiple layers of load balancers are passed
through by traffic coming from public hosts.
- capture <sample> len <length> : - capture <sample> len <length> :
This only applies to "tcp-request content" rules. It captures sample This only applies to "tcp-request content" rules. It captures sample
expression <sample> from the request buffer, and converts it to a expression <sample> from the request buffer, and converts it to a
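Review bot: the new paragraph says the rule "allows the PROXY protocol to be accepted only for certain IP address ranges", but this rule arms NetScaler CIP, not PROXY; the sentence looks copied from the expect-proxy entry. Suggest "allows the NetScaler CIP protocol to be accepted only for certain IP address ranges using an ACL". It would also help to say that "layer4" is the only accepted argument and that the rule is valid only in "tcp-request connection" rules, which is what the parser enforces.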
@ -9746,7 +9755,9 @@ accept-netscaler-cip <magic number>
protocol, unless it is violated, in which case the real address will still protocol, unless it is violated, in which case the real address will still
be used. This keyword combined with support from external components can be be used. This keyword combined with support from external components can be
used as an efficient and reliable alternative to the X-Forwarded-For used as an efficient and reliable alternative to the X-Forwarded-For
mechanism which is not always reliable and not even always usable. mechanism which is not always reliable and not even always usable. See also
"tcp-request connection expect-netscaler-cip" for a finer-grained setting of
which client is allowed to use the protocol.
accept-proxy accept-proxy
Enforces the use of the PROXY protocol over any connection accepted by any of Enforces the use of the PROXY protocol over any connection accepted by any of
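Review bot: the cross-reference leaves open where the magic number comes from. "accept-netscaler-cip" takes a <magic number> on the bind line, while "expect-netscaler-cip" takes only "layer4", so a reader will ask whether the rule can be used on a bind line that has no accept-netscaler-cip and which magic is then checked. One sentence here or in the rule's own entry would settle it. Minor: "which client is allowed" reads better as "which clients are allowed".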

@ -83,6 +83,7 @@ enum act_name {
/* tcp actions */ /* tcp actions */
ACT_TCP_EXPECT_PX, ACT_TCP_EXPECT_PX,
ACT_TCP_EXPECT_CIP,
ACT_TCP_CLOSE, /* close at the sender's */ ACT_TCP_CLOSE, /* close at the sender's */
ACT_TCP_CAPTURE, /* capture a fetched sample */ ACT_TCP_CAPTURE, /* capture a fetched sample */
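Review bot: ACT_TCP_EXPECT_CIP is added without the trailing comment the neighbouring entries carry (e.g. /* close at the sender's */); add something like /* expect a NetScaler CIP header */ so the enum stays self-describing.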

@ -1399,6 +1399,10 @@ int tcp_exec_req_rules(struct session *sess)
conn->flags |= CO_FL_ACCEPT_PROXY; conn->flags |= CO_FL_ACCEPT_PROXY;
conn_sock_want_recv(conn); conn_sock_want_recv(conn);
} }
else if (rule->action == ACT_TCP_EXPECT_CIP) {
conn->flags |= CO_FL_ACCEPT_CIP;
conn_sock_want_recv(conn);
}
else { else {
/* Custom keywords. */ /* Custom keywords. */
if (!rule->action_ptr) if (!rule->action_ptr)
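Review bot: the new branch mirrors the ACT_TCP_EXPECT_PX one, but nothing stops an expect-proxy rule and an expect-netscaler-cip rule from both matching the same connection, in which case CO_FL_ACCEPT_PROXY and CO_FL_ACCEPT_CIP are both set. Either the parser should reject the second rule, or the receive path's behaviour when both flags are set (which header is expected first) should be stated in a comment here and in the documentation.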
@ -1828,6 +1832,24 @@ static int tcp_parse_request_rule(char **args, int arg, int section_type,
arg += 2; arg += 2;
rule->action = ACT_TCP_EXPECT_PX; rule->action = ACT_TCP_EXPECT_PX;
} }
else if (strcmp(args[arg], "expect-netscaler-cip") == 0) {
if (strcmp(args[arg+1], "layer4") != 0) {
memprintf(err,
"'%s %s %s' only supports 'layer4' in %s '%s' (got '%s')",
args[0], args[1], args[arg], proxy_type_str(curpx), curpx->id, args[arg+1]);
return -1;
}
if (!(where & SMP_VAL_FE_CON_ACC)) {
memprintf(err,
"'%s %s' is not allowed in '%s %s' rules in %s '%s'",
args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id);
return -1;
}
arg += 2;
rule->action = ACT_TCP_EXPECT_CIP;
}
else { else {
struct action_kw *kw; struct action_kw *kw;
if (where & SMP_VAL_FE_CON_ACC) { if (where & SMP_VAL_FE_CON_ACC) {
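Review bot: the "where" check runs after the "layer4" check, so a rule placed in the wrong section with a wrong argument is reported as a bad argument rather than as "not allowed"; checking the section first reports the more fundamental error. When args[arg+1] is empty the first message prints "(got '')", so a dedicated "missing argument" wording would be clearer. The branch otherwise differs from the expect-proxy one only in the action value and the extra argument check, so a shared helper taking the action as a parameter would avoid keeping two copies of the memprintf strings in sync.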