commit 9075968356738583a33fe8f9862c6fa248dceb7b
author Bertrand Jacquin <jacquinb@amazon.com> Mon Jun 06 15:35:39 2016 +0100
committer Willy Tarreau <w@1wt.eu> Mon Jun 20 23:02:47 2016 +0200
tree a80c7da899b383e1585971e4c163e7ee3654bbf0
parent 93b227db9502f72f894c83708cd49c41925158b2

MINOR: tcp: add "tcp-request connection expect-netscaler-cip layer4"

This configures the client-facing connection to receive a NetScaler
Client IP insertion protocol header before any byte is read from the
socket. This is equivalent to having the "accept-netscaler-cip" keyword
on the "bind" line, except that using the TCP rule allows the PROXY
protocol to be accepted only for certain IP address ranges using an ACL.
This is convenient when multiple layers of load balancers are passed
through by traffic coming from public hosts.

src/proto_tcp.c

diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 5344703..83bdff8 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -1399,6 +1399,10 @@
 				conn->flags |= CO_FL_ACCEPT_PROXY;
 				conn_sock_want_recv(conn);
 			}
+			else if (rule->action == ACT_TCP_EXPECT_CIP) {
+				conn->flags |= CO_FL_ACCEPT_CIP;
+				conn_sock_want_recv(conn);
+			}
 			else {
 				/* Custom keywords. */
 				if (!rule->action_ptr)
@@ -1828,6 +1832,24 @@
 		arg += 2;
 		rule->action = ACT_TCP_EXPECT_PX;
 	}
+	else if (strcmp(args[arg], "expect-netscaler-cip") == 0) {
+		if (strcmp(args[arg+1], "layer4") != 0) {
+			memprintf(err,
+				  "'%s %s %s' only supports 'layer4' in %s '%s' (got '%s')",
+				  args[0], args[1], args[arg], proxy_type_str(curpx), curpx->id, args[arg+1]);
+			return -1;
+		}
+
+		if (!(where & SMP_VAL_FE_CON_ACC)) {
+			memprintf(err,
+				  "'%s %s' is not allowed in '%s %s' rules in %s '%s'",
+				  args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id);
+			return -1;
+		}
+
+		arg += 2;
+		rule->action = ACT_TCP_EXPECT_CIP;
+	}
 	else {
 		struct action_kw *kw;
 		if (where & SMP_VAL_FE_CON_ACC) {