Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 1 | /* |
| 2 | * Action management functions. |
| 3 | * |
| 4 | * Copyright 2017 HAProxy Technologies, Christopher Faulet <cfaulet@haproxy.com> |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public License |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | */ |
| 12 | |
Amaury Denoyelle | 68fd7e4 | 2021-03-25 17:15:52 +0100 | [diff] [blame] | 13 | #include <haproxy/acl.h> |
Willy Tarreau | 122eba9 | 2020-06-04 10:15:32 +0200 | [diff] [blame] | 14 | #include <haproxy/action.h> |
Willy Tarreau | 4c7e4b7 | 2020-05-27 12:58:42 +0200 | [diff] [blame] | 15 | #include <haproxy/api.h> |
Christopher Faulet | 581db2b | 2021-03-26 10:02:46 +0100 | [diff] [blame] | 16 | #include <haproxy/cfgparse.h> |
Willy Tarreau | 36979d9 | 2020-06-05 17:27:29 +0200 | [diff] [blame] | 17 | #include <haproxy/errors.h> |
Willy Tarreau | b255105 | 2020-06-09 09:07:15 +0200 | [diff] [blame] | 18 | #include <haproxy/list.h> |
Willy Tarreau | 8efbdfb | 2020-06-04 11:29:21 +0200 | [diff] [blame] | 19 | #include <haproxy/obj_type.h> |
Willy Tarreau | d0ef439 | 2020-06-02 09:38:52 +0200 | [diff] [blame] | 20 | #include <haproxy/pool.h> |
Willy Tarreau | a264d96 | 2020-06-04 22:29:18 +0200 | [diff] [blame] | 21 | #include <haproxy/proxy.h> |
Willy Tarreau | b255105 | 2020-06-09 09:07:15 +0200 | [diff] [blame] | 22 | #include <haproxy/stick_table.h> |
Willy Tarreau | cea0e1b | 2020-06-04 17:25:40 +0200 | [diff] [blame] | 23 | #include <haproxy/task.h> |
Willy Tarreau | 48fbcae | 2020-06-03 18:09:46 +0200 | [diff] [blame] | 24 | #include <haproxy/tools.h> |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 25 | |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 26 | |
Christopher Faulet | 42c6cf9 | 2021-03-25 17:19:04 +0100 | [diff] [blame] | 27 | /* Check an action ruleset validity. It returns the number of error encountered |
Ilya Shipitsin | b2be9a1 | 2021-04-24 13:25:42 +0500 | [diff] [blame] | 28 | * and err_code is updated if a warning is emitted. |
Christopher Faulet | 42c6cf9 | 2021-03-25 17:19:04 +0100 | [diff] [blame] | 29 | */ |
| 30 | int check_action_rules(struct list *rules, struct proxy *px, int *err_code) |
| 31 | { |
| 32 | struct act_rule *rule; |
| 33 | char *errmsg = NULL; |
| 34 | int err = 0; |
| 35 | |
| 36 | list_for_each_entry(rule, rules, list) { |
| 37 | if (rule->check_ptr && !rule->check_ptr(rule, px, &errmsg)) { |
| 38 | ha_alert("Proxy '%s': %s.\n", px->id, errmsg); |
| 39 | err++; |
| 40 | } |
Christopher Faulet | 581db2b | 2021-03-26 10:02:46 +0100 | [diff] [blame] | 41 | *err_code |= warnif_tcp_http_cond(px, rule->cond); |
Christopher Faulet | 42c6cf9 | 2021-03-25 17:19:04 +0100 | [diff] [blame] | 42 | free(errmsg); |
| 43 | errmsg = NULL; |
| 44 | } |
| 45 | |
| 46 | return err; |
| 47 | } |
| 48 | |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 49 | /* Find and check the target table used by an action track-sc*. This |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 50 | * function should be called during the configuration validity check. |
| 51 | * |
| 52 | * The function returns 1 in success case, otherwise, it returns 0 and err is |
| 53 | * filled. |
| 54 | */ |
| 55 | int check_trk_action(struct act_rule *rule, struct proxy *px, char **err) |
| 56 | { |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 57 | struct stktable *target; |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 58 | |
| 59 | if (rule->arg.trk_ctr.table.n) |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 60 | target = stktable_find_by_name(rule->arg.trk_ctr.table.n); |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 61 | else |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 62 | target = px->table; |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 63 | |
| 64 | if (!target) { |
| 65 | memprintf(err, "unable to find table '%s' referenced by track-sc%d", |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 66 | rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id, |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 67 | rule->action); |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 68 | return 0; |
| 69 | } |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 70 | |
| 71 | if (!stktable_compatible_sample(rule->arg.trk_ctr.expr, target->type)) { |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 72 | memprintf(err, "stick-table '%s' uses a type incompatible with the 'track-sc%d' rule", |
| 73 | rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id, |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 74 | rule->action); |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 75 | return 0; |
| 76 | } |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 77 | else { |
Frédéric Lécaille | be36793 | 2019-08-07 09:28:39 +0200 | [diff] [blame] | 78 | if (!in_proxies_list(target->proxies_list, px)) { |
Frédéric Lécaille | 015e4d7 | 2019-03-19 14:55:01 +0100 | [diff] [blame] | 79 | px->next_stkt_ref = target->proxies_list; |
| 80 | target->proxies_list = px; |
| 81 | } |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 82 | free(rule->arg.trk_ctr.table.n); |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 83 | rule->arg.trk_ctr.table.t = target; |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 84 | /* Note: if we decide to enhance the track-sc syntax, we may be |
| 85 | * able to pass a list of counters to track and allocate them |
| 86 | * right here using stktable_alloc_data_type(). |
| 87 | */ |
| 88 | } |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 89 | |
Christopher Faulet | 2079a4a | 2020-10-02 11:48:57 +0200 | [diff] [blame] | 90 | if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE)) { |
| 91 | if (!px->tcp_req.inspect_delay && !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) { |
Amaury Denoyelle | 1112430 | 2021-06-04 18:22:08 +0200 | [diff] [blame] | 92 | ha_warning("%s '%s' : a 'tcp-request content track-sc*' rule explicitly depending on request" |
Christopher Faulet | 2079a4a | 2020-10-02 11:48:57 +0200 | [diff] [blame] | 93 | " contents without any 'tcp-request inspect-delay' setting." |
| 94 | " This means that this rule will randomly find its contents. This can be fixed by" |
| 95 | " setting the tcp-request inspect-delay.\n", |
| 96 | proxy_type_str(px), px->id); |
| 97 | } |
| 98 | |
| 99 | /* The following warning is emitted because HTTP multiplexers are able to catch errors |
| 100 | * or timeouts at the session level, before instantiating any stream. |
| 101 | * Thus the tcp-request content ruleset will not be evaluated in such case. It means, |
| 102 | * http_req and http_err counters will not be incremented as expected, even if the tracked |
| 103 | * counter does not use the request content. To track invalid requests it should be |
| 104 | * performed at the session level using a tcp-request session rule. |
| 105 | */ |
| 106 | if (px->mode == PR_MODE_HTTP && |
| 107 | !(rule->arg.trk_ctr.expr->fetch->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)) && |
| 108 | (!rule->cond || !(rule->cond->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)))) { |
Amaury Denoyelle | 1112430 | 2021-06-04 18:22:08 +0200 | [diff] [blame] | 109 | ha_warning("%s '%s' : a 'tcp-request content track-sc*' rule not depending on request" |
Christopher Faulet | 2079a4a | 2020-10-02 11:48:57 +0200 | [diff] [blame] | 110 | " contents for an HTTP frontend should be executed at the session level, using a" |
| 111 | " 'tcp-request session' rule (mandatory to track invalid HTTP requests).\n", |
| 112 | proxy_type_str(px), px->id); |
| 113 | } |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 114 | } |
| 115 | |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 116 | return 1; |
| 117 | } |
| 118 | |
Christopher Faulet | d73b96d | 2019-12-19 17:27:03 +0100 | [diff] [blame] | 119 | /* check a capture rule. This function should be called during the configuration |
| 120 | * validity check. |
| 121 | * |
| 122 | * The function returns 1 in success case, otherwise, it returns 0 and err is |
| 123 | * filled. |
| 124 | */ |
| 125 | int check_capture(struct act_rule *rule, struct proxy *px, char **err) |
| 126 | { |
| 127 | if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE) && !px->tcp_req.inspect_delay && |
| 128 | !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) { |
Amaury Denoyelle | 1112430 | 2021-06-04 18:22:08 +0200 | [diff] [blame] | 129 | ha_warning("%s '%s' : a 'tcp-request capture' rule explicitly depending on request" |
Christopher Faulet | d73b96d | 2019-12-19 17:27:03 +0100 | [diff] [blame] | 130 | " contents without any 'tcp-request inspect-delay' setting." |
| 131 | " This means that this rule will randomly find its contents. This can be fixed by" |
| 132 | " setting the tcp-request inspect-delay.\n", |
| 133 | proxy_type_str(px), px->id); |
| 134 | } |
| 135 | |
| 136 | return 1; |
| 137 | } |
| 138 | |
Emeric Brun | 08622d3 | 2020-12-23 17:41:43 +0100 | [diff] [blame] | 139 | int act_resolution_cb(struct resolv_requester *requester, struct dns_counters *counters) |
Baptiste Assmann | 333939c | 2019-01-21 08:34:50 +0100 | [diff] [blame] | 140 | { |
| 141 | struct stream *stream; |
| 142 | |
| 143 | if (requester->resolution == NULL) |
| 144 | return 0; |
| 145 | |
| 146 | stream = objt_stream(requester->owner); |
| 147 | if (stream == NULL) |
| 148 | return 0; |
| 149 | |
| 150 | task_wakeup(stream->task, TASK_WOKEN_MSG); |
| 151 | |
| 152 | return 0; |
| 153 | } |
| 154 | |
Emeric Brun | 12ca658 | 2021-06-10 15:25:25 +0200 | [diff] [blame] | 155 | /* |
| 156 | * Do resolve error management callback |
| 157 | * returns: |
| 158 | * 0 if we can trash answser items. |
| 159 | * 1 when safely ignored and we must kept answer items |
| 160 | */ |
Emeric Brun | 08622d3 | 2020-12-23 17:41:43 +0100 | [diff] [blame] | 161 | int act_resolution_error_cb(struct resolv_requester *requester, int error_code) |
Baptiste Assmann | 333939c | 2019-01-21 08:34:50 +0100 | [diff] [blame] | 162 | { |
| 163 | struct stream *stream; |
| 164 | |
| 165 | if (requester->resolution == NULL) |
| 166 | return 0; |
| 167 | |
| 168 | stream = objt_stream(requester->owner); |
| 169 | if (stream == NULL) |
| 170 | return 0; |
| 171 | |
| 172 | task_wakeup(stream->task, TASK_WOKEN_MSG); |
| 173 | |
| 174 | return 0; |
| 175 | } |
| 176 | |
Amaury Denoyelle | 8d22823 | 2020-12-10 13:43:54 +0100 | [diff] [blame] | 177 | /* Parse a set-timeout rule statement. It first checks if the timeout name is |
| 178 | * valid and returns it in <name>. Then the timeout is parsed as a plain value |
| 179 | * and * returned in <out_timeout>. If there is a parsing error, the value is |
| 180 | * reparsed as an expression and returned in <expr>. |
| 181 | * |
| 182 | * Returns -1 if the name is invalid or neither a time or an expression can be |
| 183 | * parsed, or if the timeout value is 0. |
| 184 | */ |
| 185 | int cfg_parse_rule_set_timeout(const char **args, int idx, int *out_timeout, |
| 186 | enum act_timeout_name *name, |
| 187 | struct sample_expr **expr, char **err, |
| 188 | const char *file, int line, struct arg_list *al) |
| 189 | { |
| 190 | const char *res; |
| 191 | const char *timeout_name = args[idx++]; |
| 192 | |
Tim Duesterhus | e5ff141 | 2021-01-02 22:31:53 +0100 | [diff] [blame] | 193 | if (strcmp(timeout_name, "server") == 0) { |
Amaury Denoyelle | 8d22823 | 2020-12-10 13:43:54 +0100 | [diff] [blame] | 194 | *name = ACT_TIMEOUT_SERVER; |
| 195 | } |
Tim Duesterhus | e5ff141 | 2021-01-02 22:31:53 +0100 | [diff] [blame] | 196 | else if (strcmp(timeout_name, "tunnel") == 0) { |
Amaury Denoyelle | 8d22823 | 2020-12-10 13:43:54 +0100 | [diff] [blame] | 197 | *name = ACT_TIMEOUT_TUNNEL; |
| 198 | } |
| 199 | else { |
| 200 | memprintf(err, |
| 201 | "'set-timeout' rule supports 'server'/'tunnel' (got '%s')", |
| 202 | timeout_name); |
| 203 | return -1; |
| 204 | } |
| 205 | |
| 206 | res = parse_time_err(args[idx], (unsigned int *)out_timeout, TIME_UNIT_MS); |
| 207 | if (res == PARSE_TIME_OVER) { |
| 208 | memprintf(err, "timer overflow in argument '%s' to rule 'set-timeout %s' (maximum value is 2147483647 ms or ~24.8 days)", |
| 209 | args[idx], timeout_name); |
| 210 | return -1; |
| 211 | } |
| 212 | else if (res == PARSE_TIME_UNDER) { |
| 213 | memprintf(err, "timer underflow in argument '%s' to rule 'set-timeout %s' (minimum value is 1 ms)", |
| 214 | args[idx], timeout_name); |
| 215 | return -1; |
| 216 | } |
| 217 | /* res not NULL, parsing error */ |
| 218 | else if (res) { |
| 219 | *expr = sample_parse_expr((char **)args, &idx, file, line, err, al, NULL); |
| 220 | if (!*expr) { |
| 221 | memprintf(err, "unexpected character '%c' in rule 'set-timeout %s'", *res, timeout_name); |
| 222 | return -1; |
| 223 | } |
| 224 | } |
| 225 | /* res NULL, parsing ok but value is 0 */ |
| 226 | else if (!(*out_timeout)) { |
| 227 | memprintf(err, "null value is not valid for a 'set-timeout %s' rule", |
| 228 | timeout_name); |
| 229 | return -1; |
| 230 | } |
| 231 | |
| 232 | return 0; |
| 233 | } |
Willy Tarreau | 99eb2cc | 2021-03-12 11:59:24 +0100 | [diff] [blame] | 234 | |
| 235 | /* tries to find in list <keywords> a similar looking action as the one in |
| 236 | * <word>, and returns it otherwise NULL. <word> may be NULL or empty. An |
| 237 | * optional array of extra words to compare may be passed in <extra>, but it |
| 238 | * must then be terminated by a NULL entry. If unused it may be NULL. |
| 239 | */ |
| 240 | const char *action_suggest(const char *word, const struct list *keywords, const char **extra) |
| 241 | { |
| 242 | uint8_t word_sig[1024]; |
| 243 | uint8_t list_sig[1024]; |
| 244 | const struct action_kw_list *kwl; |
| 245 | const struct action_kw *best_kw = NULL; |
| 246 | const char *best_ptr = NULL; |
| 247 | int dist, best_dist = INT_MAX; |
| 248 | int index; |
| 249 | |
| 250 | if (!word || !*word) |
| 251 | return NULL; |
| 252 | |
| 253 | make_word_fingerprint(word_sig, word); |
| 254 | list_for_each_entry(kwl, keywords, list) { |
| 255 | for (index = 0; kwl->kw[index].kw != NULL; index++) { |
| 256 | make_word_fingerprint(list_sig, kwl->kw[index].kw); |
| 257 | dist = word_fingerprint_distance(word_sig, list_sig); |
| 258 | if (dist < best_dist) { |
| 259 | best_dist = dist; |
| 260 | best_kw = &kwl->kw[index]; |
| 261 | best_ptr = best_kw->kw; |
| 262 | } |
| 263 | } |
| 264 | } |
| 265 | |
| 266 | while (extra && *extra) { |
| 267 | make_word_fingerprint(list_sig, *extra); |
| 268 | dist = word_fingerprint_distance(word_sig, list_sig); |
| 269 | if (dist < best_dist) { |
| 270 | best_dist = dist; |
| 271 | best_kw = NULL; |
| 272 | best_ptr = *extra; |
| 273 | } |
| 274 | extra++; |
| 275 | } |
| 276 | |
| 277 | /* eliminate too different ones, with more tolerance for prefixes |
| 278 | * when they're known to exist (not from extra list). |
| 279 | */ |
| 280 | if (best_ptr && |
Amaury Denoyelle | e4a617c | 2021-05-06 15:33:09 +0200 | [diff] [blame] | 281 | (best_dist > (2 + (best_kw && (best_kw->flags & KWF_MATCH_PREFIX))) * strlen(word) || |
| 282 | best_dist > (2 + (best_kw && (best_kw->flags & KWF_MATCH_PREFIX))) * strlen(best_ptr))) |
Willy Tarreau | 99eb2cc | 2021-03-12 11:59:24 +0100 | [diff] [blame] | 283 | best_ptr = NULL; |
| 284 | |
| 285 | return best_ptr; |
| 286 | } |
Amaury Denoyelle | 68fd7e4 | 2021-03-25 17:15:52 +0100 | [diff] [blame] | 287 | |
Willy Tarreau | d535f80 | 2021-10-11 08:49:26 +0200 | [diff] [blame] | 288 | /* allocates a rule for ruleset <from> (ACT_F_*), from file name <file> and |
| 289 | * line <linenum>. <file> and <linenum> may be zero if unknown. Returns the |
| 290 | * rule, otherwise NULL in case of memory allocation error. |
| 291 | */ |
| 292 | struct act_rule *new_act_rule(enum act_from from, const char *file, int linenum) |
| 293 | { |
| 294 | struct act_rule *rule; |
| 295 | |
| 296 | rule = calloc(1, sizeof(*rule)); |
| 297 | if (!rule) |
| 298 | return NULL; |
| 299 | rule->from = from; |
Willy Tarreau | c9e4868 | 2021-10-11 09:13:07 +0200 | [diff] [blame] | 300 | rule->conf.file = file ? strdup(file) : NULL; |
| 301 | rule->conf.line = linenum; |
Willy Tarreau | d535f80 | 2021-10-11 08:49:26 +0200 | [diff] [blame] | 302 | return rule; |
| 303 | } |
| 304 | |
Amaury Denoyelle | 68fd7e4 | 2021-03-25 17:15:52 +0100 | [diff] [blame] | 305 | void free_act_rules(struct list *rules) |
| 306 | { |
| 307 | struct act_rule *rule, *ruleb; |
| 308 | |
| 309 | list_for_each_entry_safe(rule, ruleb, rules, list) { |
Willy Tarreau | 2b71810 | 2021-04-21 07:32:39 +0200 | [diff] [blame] | 310 | LIST_DELETE(&rule->list); |
Amaury Denoyelle | 68fd7e4 | 2021-03-25 17:15:52 +0100 | [diff] [blame] | 311 | free_acl_cond(rule->cond); |
| 312 | if (rule->release_ptr) |
| 313 | rule->release_ptr(rule); |
Willy Tarreau | c9e4868 | 2021-10-11 09:13:07 +0200 | [diff] [blame] | 314 | free(rule->conf.file); |
Amaury Denoyelle | 68fd7e4 | 2021-03-25 17:15:52 +0100 | [diff] [blame] | 315 | free(rule); |
| 316 | } |
| 317 | } |