MEDIUM: tcp: add registration and processing of TCP L5 rules
This commit introduces "tcp-request session" rules. These are very
much like "tcp-request connection" rules except that they're processed
after the handshake, so it is possible to consider SSL information and
addresses rewritten by the proxy protocol header in actions. This is
particularly useful to track proxied sources as this was not possible
before, given that tcp-request content rules are processed after each
HTTP request. Similarly it is possible to assign the proxied source
address or the client's cert to a variable.
diff --git a/include/common/cfgparse.h b/include/common/cfgparse.h
index d785327..6dc6ad5 100644
--- a/include/common/cfgparse.h
+++ b/include/common/cfgparse.h
@@ -75,6 +75,7 @@
int (*section_parser)(const char *, int, char **, int));
void cfg_unregister_sections(void);
int warnif_misplaced_tcp_conn(struct proxy *proxy, const char *file, int line, const char *arg);
+int warnif_misplaced_tcp_sess(struct proxy *proxy, const char *file, int line, const char *arg);
int warnif_misplaced_tcp_cont(struct proxy *proxy, const char *file, int line, const char *arg);
/*
diff --git a/include/proto/proto_tcp.h b/include/proto/proto_tcp.h
index 05b6e02..f5b9e55 100644
--- a/include/proto/proto_tcp.h
+++ b/include/proto/proto_tcp.h
@@ -39,9 +39,11 @@
int tcp_inspect_request(struct stream *s, struct channel *req, int an_bit);
int tcp_inspect_response(struct stream *s, struct channel *rep, int an_bit);
int tcp_exec_l4_rules(struct session *sess);
+int tcp_exec_l5_rules(struct session *sess);
/* TCP keywords. */
void tcp_req_conn_keywords_register(struct action_kw_list *kw_list);
+void tcp_req_sess_keywords_register(struct action_kw_list *kw_list);
void tcp_req_cont_keywords_register(struct action_kw_list *kw_list);
void tcp_res_cont_keywords_register(struct action_kw_list *kw_list);
diff --git a/include/types/action.h b/include/types/action.h
index fce6bc8..5a70db0 100644
--- a/include/types/action.h
+++ b/include/types/action.h
@@ -29,6 +29,7 @@
enum act_from {
ACT_F_TCP_REQ_CON, /* tcp-request connection */
+ ACT_F_TCP_REQ_SES, /* tcp-request session */
ACT_F_TCP_REQ_CNT, /* tcp-request content */
ACT_F_TCP_RES_CNT, /* tcp-response content */
ACT_F_HTTP_REQ, /* http-request */
diff --git a/include/types/listener.h b/include/types/listener.h
index 8cfe40b..1f14cc0 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -86,6 +86,7 @@
#define LI_O_NOQUICKACK 0x0004 /* disable quick ack of immediate data (linux) */
#define LI_O_DEF_ACCEPT 0x0008 /* wait up to 1 second for data before accepting */
#define LI_O_TCP_L4_RULES 0x0010 /* run TCP L4 rules checks on the incoming connection */
+#define LI_O_TCP_L5_RULES 0x0020 /* run TCP L5 rules checks on the incoming session */
#define LI_O_CHK_MONNET 0x0040 /* check the source against a monitor-net rule */
#define LI_O_ACC_PROXY 0x0080 /* find the proxied address in the first request line */
#define LI_O_UNLIMITED 0x0100 /* listener not subject to global limits (peers & stats socket) */
diff --git a/include/types/proxy.h b/include/types/proxy.h
index e23b4e4..2f4f9b9 100644
--- a/include/types/proxy.h
+++ b/include/types/proxy.h
@@ -269,6 +269,7 @@
unsigned int inspect_delay; /* inspection delay */
struct list inspect_rules; /* inspection rules */
struct list l4_rules; /* layer4 rules */
+ struct list l5_rules; /* layer5 rules */
} tcp_req;
struct { /* TCP request processing */
unsigned int inspect_delay; /* inspection delay */