blob: a62bea8a43320aa3c5dea98a2d1addf878ac4064 [file] [log] [blame]
Willy Tarreaue6b98942007-10-29 01:09:36 +01001/*
2 * AF_INET/AF_INET6 SOCK_STREAM protocol layer (tcp)
3 *
Willy Tarreaue8c66af2008-01-13 18:40:14 +01004 * Copyright 2000-2008 Willy Tarreau <w@1wt.eu>
Willy Tarreaue6b98942007-10-29 01:09:36 +01005 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
13#include <ctype.h>
14#include <errno.h>
15#include <fcntl.h>
16#include <stdio.h>
17#include <stdlib.h>
18#include <string.h>
19#include <time.h>
20
21#include <sys/param.h>
22#include <sys/socket.h>
23#include <sys/stat.h>
24#include <sys/types.h>
25#include <sys/un.h>
26
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +040027#include <netinet/tcp.h>
28
Willy Tarreaub6866442008-07-14 23:54:42 +020029#include <common/cfgparse.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010030#include <common/compat.h>
31#include <common/config.h>
32#include <common/debug.h>
33#include <common/errors.h>
34#include <common/memory.h>
35#include <common/mini-clist.h>
36#include <common/standard.h>
37#include <common/time.h>
38#include <common/version.h>
39
Willy Tarreaue6b98942007-10-29 01:09:36 +010040#include <types/global.h>
Willy Tarreau9650f372009-08-16 14:02:45 +020041#include <types/server.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010042
43#include <proto/acl.h>
44#include <proto/backend.h>
45#include <proto/buffers.h>
Krzysztof Piotr Oledzki97f07b82009-12-15 22:31:24 +010046#include <proto/checks.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010047#include <proto/fd.h>
Willy Tarreau9650f372009-08-16 14:02:45 +020048#include <proto/log.h>
49#include <proto/port_range.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010050#include <proto/protocols.h>
51#include <proto/proto_tcp.h>
Willy Tarreaub6866442008-07-14 23:54:42 +020052#include <proto/proxy.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010053#include <proto/queue.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010054#include <proto/session.h>
55#include <proto/stream_sock.h>
56#include <proto/task.h>
57
Willy Tarreaue8c66af2008-01-13 18:40:14 +010058#ifdef CONFIG_HAP_CTTPROXY
59#include <import/ip_tproxy.h>
60#endif
61
Willy Tarreaue6b98942007-10-29 01:09:36 +010062static int tcp_bind_listeners(struct protocol *proto);
63
64/* Note: must not be declared <const> as its list will be overwritten */
65static struct protocol proto_tcpv4 = {
66 .name = "tcpv4",
67 .sock_domain = AF_INET,
68 .sock_type = SOCK_STREAM,
69 .sock_prot = IPPROTO_TCP,
70 .sock_family = AF_INET,
71 .sock_addrlen = sizeof(struct sockaddr_in),
72 .l3_addrlen = 32/8,
73 .read = &stream_sock_read,
74 .write = &stream_sock_write,
75 .bind_all = tcp_bind_listeners,
76 .unbind_all = unbind_all_listeners,
77 .enable_all = enable_all_listeners,
78 .listeners = LIST_HEAD_INIT(proto_tcpv4.listeners),
79 .nb_listeners = 0,
80};
81
82/* Note: must not be declared <const> as its list will be overwritten */
83static struct protocol proto_tcpv6 = {
84 .name = "tcpv6",
85 .sock_domain = AF_INET6,
86 .sock_type = SOCK_STREAM,
87 .sock_prot = IPPROTO_TCP,
88 .sock_family = AF_INET6,
89 .sock_addrlen = sizeof(struct sockaddr_in6),
90 .l3_addrlen = 128/8,
91 .read = &stream_sock_read,
92 .write = &stream_sock_write,
93 .bind_all = tcp_bind_listeners,
94 .unbind_all = unbind_all_listeners,
95 .enable_all = enable_all_listeners,
96 .listeners = LIST_HEAD_INIT(proto_tcpv6.listeners),
97 .nb_listeners = 0,
98};
99
Willy Tarreaue8c66af2008-01-13 18:40:14 +0100100
101/* Binds ipv4 address <local> to socket <fd>, unless <flags> is set, in which
102 * case we try to bind <remote>. <flags> is a 2-bit field consisting of :
103 * - 0 : ignore remote address (may even be a NULL pointer)
104 * - 1 : use provided address
105 * - 2 : use provided port
106 * - 3 : use both
107 *
108 * The function supports multiple foreign binding methods :
109 * - linux_tproxy: we directly bind to the foreign address
110 * - cttproxy: we bind to a local address then nat.
111 * The second one can be used as a fallback for the first one.
112 * This function returns 0 when everything's OK, 1 if it could not bind, to the
113 * local address, 2 if it could not bind to the foreign address.
114 */
115int tcpv4_bind_socket(int fd, int flags, struct sockaddr_in *local, struct sockaddr_in *remote)
116{
117 struct sockaddr_in bind_addr;
118 int foreign_ok = 0;
119 int ret;
120
121#ifdef CONFIG_HAP_LINUX_TPROXY
122 static int ip_transp_working = 1;
123 if (flags && ip_transp_working) {
124 if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0
125 || setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == 0)
126 foreign_ok = 1;
127 else
128 ip_transp_working = 0;
129 }
130#endif
131 if (flags) {
132 memset(&bind_addr, 0, sizeof(bind_addr));
133 if (flags & 1)
134 bind_addr.sin_addr = remote->sin_addr;
135 if (flags & 2)
136 bind_addr.sin_port = remote->sin_port;
137 }
138
139 setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(one));
140 if (foreign_ok) {
141 ret = bind(fd, (struct sockaddr *)&bind_addr, sizeof(bind_addr));
142 if (ret < 0)
143 return 2;
144 }
145 else {
146 ret = bind(fd, (struct sockaddr *)local, sizeof(*local));
147 if (ret < 0)
148 return 1;
149 }
150
151 if (!flags)
152 return 0;
153
154#ifdef CONFIG_HAP_CTTPROXY
155 if (!foreign_ok) {
156 struct in_tproxy itp1, itp2;
157 memset(&itp1, 0, sizeof(itp1));
158
159 itp1.op = TPROXY_ASSIGN;
160 itp1.v.addr.faddr = bind_addr.sin_addr;
161 itp1.v.addr.fport = bind_addr.sin_port;
162
163 /* set connect flag on socket */
164 itp2.op = TPROXY_FLAGS;
165 itp2.v.flags = ITP_CONNECT | ITP_ONCE;
166
167 if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp1, sizeof(itp1)) != -1 &&
168 setsockopt(fd, SOL_IP, IP_TPROXY, &itp2, sizeof(itp2)) != -1) {
169 foreign_ok = 1;
170 }
171 }
172#endif
173 if (!foreign_ok)
174 /* we could not bind to a foreign address */
175 return 2;
176
177 return 0;
178}
Willy Tarreaue6b98942007-10-29 01:09:36 +0100179
Willy Tarreau9650f372009-08-16 14:02:45 +0200180
181/*
182 * This function initiates a connection to the server assigned to this session
183 * (s->srv, s->srv_addr). It will assign a server if none is assigned yet.
184 * It can return one of :
185 * - SN_ERR_NONE if everything's OK
186 * - SN_ERR_SRVTO if there are no more servers
187 * - SN_ERR_SRVCL if the connection was refused by the server
188 * - SN_ERR_PRXCOND if the connection has been limited by the proxy (maxconn)
189 * - SN_ERR_RESOURCE if a system resource is lacking (eg: fd limits, ports, ...)
190 * - SN_ERR_INTERNAL for any other purely internal errors
191 * Additionnally, in the case of SN_ERR_RESOURCE, an emergency log will be emitted.
192 */
193int tcpv4_connect_server(struct stream_interface *si,
194 struct proxy *be, struct server *srv,
195 struct sockaddr *srv_addr, struct sockaddr *cli_addr)
196{
197 int fd;
198
199 if ((fd = si->fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
200 qfprintf(stderr, "Cannot get a server socket.\n");
201
202 if (errno == ENFILE)
203 send_log(be, LOG_EMERG,
204 "Proxy %s reached system FD limit at %d. Please check system tunables.\n",
205 be->id, maxfd);
206 else if (errno == EMFILE)
207 send_log(be, LOG_EMERG,
208 "Proxy %s reached process FD limit at %d. Please check 'ulimit-n' and restart.\n",
209 be->id, maxfd);
210 else if (errno == ENOBUFS || errno == ENOMEM)
211 send_log(be, LOG_EMERG,
212 "Proxy %s reached system memory limit at %d sockets. Please check system tunables.\n",
213 be->id, maxfd);
214 /* this is a resource error */
215 return SN_ERR_RESOURCE;
216 }
217
218 if (fd >= global.maxsock) {
219 /* do not log anything there, it's a normal condition when this option
220 * is used to serialize connections to a server !
221 */
222 Alert("socket(): not enough free sockets. Raise -n argument. Giving up.\n");
223 close(fd);
224 return SN_ERR_PRXCOND; /* it is a configuration limit */
225 }
226
227 if ((fcntl(fd, F_SETFL, O_NONBLOCK)==-1) ||
228 (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, (char *) &one, sizeof(one)) == -1)) {
229 qfprintf(stderr,"Cannot set client socket to non blocking mode.\n");
230 close(fd);
231 return SN_ERR_INTERNAL;
232 }
233
234 if (be->options & PR_O_TCP_SRV_KA)
235 setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *) &one, sizeof(one));
236
237 if (be->options & PR_O_TCP_NOLING)
238 setsockopt(fd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
239
240 /* allow specific binding :
241 * - server-specific at first
242 * - proxy-specific next
243 */
244 if (srv != NULL && srv->state & SRV_BIND_SRC) {
245 struct sockaddr_in *remote = NULL;
246 int ret, flags = 0;
247
248#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_LINUX_TPROXY)
249 switch (srv->state & SRV_TPROXY_MASK) {
250 case SRV_TPROXY_ADDR:
251 remote = (struct sockaddr_in *)&srv->tproxy_addr;
252 flags = 3;
253 break;
254 case SRV_TPROXY_CLI:
255 if (cli_addr)
256 flags |= 2;
257 /* fall through */
258 case SRV_TPROXY_CIP:
259 /* FIXME: what can we do if the client connects in IPv6 ? */
260 if (cli_addr)
261 flags |= 1;
262 remote = (struct sockaddr_in *)cli_addr;
263 break;
264 }
265#endif
266#ifdef SO_BINDTODEVICE
267 /* Note: this might fail if not CAP_NET_RAW */
268 if (srv->iface_name)
269 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, srv->iface_name, srv->iface_len + 1);
270#endif
271
272 if (srv->sport_range) {
273 int attempts = 10; /* should be more than enough to find a spare port */
274 struct sockaddr_in src;
275
276 ret = 1;
277 src = srv->source_addr;
278
279 do {
280 /* note: in case of retry, we may have to release a previously
281 * allocated port, hence this loop's construct.
282 */
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200283 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
284 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200285
286 if (!attempts)
287 break;
288 attempts--;
289
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200290 fdinfo[fd].local_port = port_range_alloc_port(srv->sport_range);
291 if (!fdinfo[fd].local_port)
Willy Tarreau9650f372009-08-16 14:02:45 +0200292 break;
293
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200294 fdinfo[fd].port_range = srv->sport_range;
295 src.sin_port = htons(fdinfo[fd].local_port);
Willy Tarreau9650f372009-08-16 14:02:45 +0200296
297 ret = tcpv4_bind_socket(fd, flags, &src, remote);
298 } while (ret != 0); /* binding NOK */
299 }
300 else {
301 ret = tcpv4_bind_socket(fd, flags, &srv->source_addr, remote);
302 }
303
304 if (ret) {
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200305 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
306 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200307 close(fd);
308
309 if (ret == 1) {
310 Alert("Cannot bind to source address before connect() for server %s/%s. Aborting.\n",
311 be->id, srv->id);
312 send_log(be, LOG_EMERG,
313 "Cannot bind to source address before connect() for server %s/%s.\n",
314 be->id, srv->id);
315 } else {
316 Alert("Cannot bind to tproxy source address before connect() for server %s/%s. Aborting.\n",
317 be->id, srv->id);
318 send_log(be, LOG_EMERG,
319 "Cannot bind to tproxy source address before connect() for server %s/%s.\n",
320 be->id, srv->id);
321 }
322 return SN_ERR_RESOURCE;
323 }
324 }
325 else if (be->options & PR_O_BIND_SRC) {
326 struct sockaddr_in *remote = NULL;
327 int ret, flags = 0;
328
329#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_LINUX_TPROXY)
330 switch (be->options & PR_O_TPXY_MASK) {
331 case PR_O_TPXY_ADDR:
332 remote = (struct sockaddr_in *)&be->tproxy_addr;
333 flags = 3;
334 break;
335 case PR_O_TPXY_CLI:
336 if (cli_addr)
337 flags |= 2;
338 /* fall through */
339 case PR_O_TPXY_CIP:
340 /* FIXME: what can we do if the client connects in IPv6 ? */
341 if (cli_addr)
342 flags |= 1;
343 remote = (struct sockaddr_in *)cli_addr;
344 break;
345 }
346#endif
347#ifdef SO_BINDTODEVICE
348 /* Note: this might fail if not CAP_NET_RAW */
349 if (be->iface_name)
350 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, be->iface_name, be->iface_len + 1);
351#endif
352 ret = tcpv4_bind_socket(fd, flags, &be->source_addr, remote);
353 if (ret) {
354 close(fd);
355 if (ret == 1) {
356 Alert("Cannot bind to source address before connect() for proxy %s. Aborting.\n",
357 be->id);
358 send_log(be, LOG_EMERG,
359 "Cannot bind to source address before connect() for proxy %s.\n",
360 be->id);
361 } else {
362 Alert("Cannot bind to tproxy source address before connect() for proxy %s. Aborting.\n",
363 be->id);
364 send_log(be, LOG_EMERG,
365 "Cannot bind to tproxy source address before connect() for proxy %s.\n",
366 be->id);
367 }
368 return SN_ERR_RESOURCE;
369 }
370 }
371
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400372#if defined(TCP_QUICKACK)
Willy Tarreau9650f372009-08-16 14:02:45 +0200373 /* disabling tcp quick ack now allows the first request to leave the
374 * machine with the first ACK. We only do this if there are pending
375 * data in the buffer.
376 */
377 if ((be->options2 & PR_O2_SMARTCON) && si->ob->send_max)
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400378 setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, (char *) &zero, sizeof(zero));
Willy Tarreau9650f372009-08-16 14:02:45 +0200379#endif
380
Willy Tarreaue803de22010-01-21 17:43:04 +0100381 if (global.tune.server_sndbuf)
382 setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &global.tune.server_sndbuf, sizeof(global.tune.server_sndbuf));
383
384 if (global.tune.server_rcvbuf)
385 setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &global.tune.server_rcvbuf, sizeof(global.tune.server_rcvbuf));
386
Willy Tarreau9650f372009-08-16 14:02:45 +0200387 if ((connect(fd, (struct sockaddr *)srv_addr, sizeof(struct sockaddr_in)) == -1) &&
388 (errno != EINPROGRESS) && (errno != EALREADY) && (errno != EISCONN)) {
389
390 if (errno == EAGAIN || errno == EADDRINUSE) {
391 char *msg;
392 if (errno == EAGAIN) /* no free ports left, try again later */
393 msg = "no free ports";
394 else
395 msg = "local address already in use";
396
397 qfprintf(stderr,"Cannot connect: %s.\n",msg);
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200398 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
399 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200400 close(fd);
401 send_log(be, LOG_EMERG,
402 "Connect() failed for server %s/%s: %s.\n",
403 be->id, srv->id, msg);
404 return SN_ERR_RESOURCE;
405 } else if (errno == ETIMEDOUT) {
406 //qfprintf(stderr,"Connect(): ETIMEDOUT");
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200407 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
408 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200409 close(fd);
410 return SN_ERR_SRVTO;
411 } else {
412 // (errno == ECONNREFUSED || errno == ENETUNREACH || errno == EACCES || errno == EPERM)
413 //qfprintf(stderr,"Connect(): %d", errno);
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200414 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
415 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200416 close(fd);
417 return SN_ERR_SRVCL;
418 }
419 }
420
421 fdtab[fd].owner = si;
422 fdtab[fd].state = FD_STCONN; /* connection in progress */
423 fdtab[fd].flags = FD_FL_TCP | FD_FL_TCP_NODELAY;
424 fdtab[fd].cb[DIR_RD].f = &stream_sock_read;
425 fdtab[fd].cb[DIR_RD].b = si->ib;
426 fdtab[fd].cb[DIR_WR].f = &stream_sock_write;
427 fdtab[fd].cb[DIR_WR].b = si->ob;
428
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200429 fdinfo[fd].peeraddr = (struct sockaddr *)srv_addr;
430 fdinfo[fd].peerlen = sizeof(struct sockaddr_in);
Willy Tarreau9650f372009-08-16 14:02:45 +0200431
432 fd_insert(fd);
433 EV_FD_SET(fd, DIR_WR); /* for connect status */
434
435 si->state = SI_ST_CON;
436 si->flags |= SI_FL_CAP_SPLTCP; /* TCP supports splicing */
437 si->exp = tick_add_ifset(now_ms, be->timeout.connect);
438
439 return SN_ERR_NONE; /* connection is OK */
440}
441
442
Willy Tarreaue6b98942007-10-29 01:09:36 +0100443/* This function tries to bind a TCPv4/v6 listener. It may return a warning or
444 * an error message in <err> if the message is at most <errlen> bytes long
445 * (including '\0'). The return value is composed from ERR_ABORT, ERR_WARN,
446 * ERR_ALERT, ERR_RETRYABLE and ERR_FATAL. ERR_NONE indicates that everything
447 * was alright and that no message was returned. ERR_RETRYABLE means that an
448 * error occurred but that it may vanish after a retry (eg: port in use), and
449 * ERR_FATAL indicates a non-fixable error.ERR_WARN and ERR_ALERT do not alter
450 * the meaning of the error, but just indicate that a message is present which
451 * should be displayed with the respective level. Last, ERR_ABORT indicates
452 * that it's pointless to try to start other listeners. No error message is
453 * returned if errlen is NULL.
454 */
455int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen)
456{
457 __label__ tcp_return, tcp_close_return;
458 int fd, err;
459 const char *msg = NULL;
460
461 /* ensure we never return garbage */
462 if (errmsg && errlen)
463 *errmsg = 0;
464
465 if (listener->state != LI_ASSIGNED)
466 return ERR_NONE; /* already bound */
467
468 err = ERR_NONE;
469
470 if ((fd = socket(listener->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
471 err |= ERR_RETRYABLE | ERR_ALERT;
472 msg = "cannot create listening socket";
473 goto tcp_return;
474 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100475
Willy Tarreaue6b98942007-10-29 01:09:36 +0100476 if (fd >= global.maxsock) {
477 err |= ERR_FATAL | ERR_ABORT | ERR_ALERT;
478 msg = "not enough free sockets (raise '-n' parameter)";
479 goto tcp_close_return;
480 }
481
Willy Tarreaufb14edc2009-06-14 15:24:37 +0200482 if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1) {
Willy Tarreaue6b98942007-10-29 01:09:36 +0100483 err |= ERR_FATAL | ERR_ALERT;
484 msg = "cannot make socket non-blocking";
485 goto tcp_close_return;
486 }
487
488 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(one)) == -1) {
489 /* not fatal but should be reported */
490 msg = "cannot do so_reuseaddr";
491 err |= ERR_ALERT;
492 }
493
494 if (listener->options & LI_O_NOLINGER)
495 setsockopt(fd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
Willy Tarreauedcf6682008-11-30 23:15:34 +0100496
Willy Tarreaue6b98942007-10-29 01:09:36 +0100497#ifdef SO_REUSEPORT
498 /* OpenBSD supports this. As it's present in old libc versions of Linux,
499 * it might return an error that we will silently ignore.
500 */
501 setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (char *) &one, sizeof(one));
502#endif
Willy Tarreaub1e52e82008-01-13 14:49:51 +0100503#ifdef CONFIG_HAP_LINUX_TPROXY
Willy Tarreauedcf6682008-11-30 23:15:34 +0100504 if ((listener->options & LI_O_FOREIGN)
Willy Tarreau0a459892008-01-13 17:37:16 +0100505 && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)
506 && (setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == -1)) {
Willy Tarreaub1e52e82008-01-13 14:49:51 +0100507 msg = "cannot make listening socket transparent";
508 err |= ERR_ALERT;
509 }
510#endif
Willy Tarreau5e6e2042009-02-04 17:19:29 +0100511#ifdef SO_BINDTODEVICE
512 /* Note: this might fail if not CAP_NET_RAW */
513 if (listener->interface) {
514 if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
Willy Tarreau604e8302009-03-06 00:48:23 +0100515 listener->interface, strlen(listener->interface) + 1) == -1) {
Willy Tarreau5e6e2042009-02-04 17:19:29 +0100516 msg = "cannot bind listener to device";
517 err |= ERR_WARN;
518 }
519 }
520#endif
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400521#if defined(TCP_MAXSEG)
Willy Tarreaube1b9182009-06-14 18:48:19 +0200522 if (listener->maxseg) {
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400523 if (setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG,
Willy Tarreaube1b9182009-06-14 18:48:19 +0200524 &listener->maxseg, sizeof(listener->maxseg)) == -1) {
525 msg = "cannot set MSS";
526 err |= ERR_WARN;
527 }
528 }
529#endif
Willy Tarreaucb6cd432009-10-13 07:34:14 +0200530#if defined(TCP_DEFER_ACCEPT)
531 if (listener->options & LI_O_DEF_ACCEPT) {
532 /* defer accept by up to one second */
533 int accept_delay = 1;
534 if (setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &accept_delay, sizeof(accept_delay)) == -1) {
535 msg = "cannot enable DEFER_ACCEPT";
536 err |= ERR_WARN;
537 }
538 }
539#endif
Willy Tarreaue6b98942007-10-29 01:09:36 +0100540 if (bind(fd, (struct sockaddr *)&listener->addr, listener->proto->sock_addrlen) == -1) {
541 err |= ERR_RETRYABLE | ERR_ALERT;
542 msg = "cannot bind socket";
543 goto tcp_close_return;
544 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100545
Willy Tarreauc73ce2b2008-01-06 10:55:10 +0100546 if (listen(fd, listener->backlog ? listener->backlog : listener->maxconn) == -1) {
Willy Tarreaue6b98942007-10-29 01:09:36 +0100547 err |= ERR_RETRYABLE | ERR_ALERT;
548 msg = "cannot listen to socket";
549 goto tcp_close_return;
550 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100551
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400552#if defined(TCP_QUICKACK)
Willy Tarreau9ea05a72009-06-14 12:07:01 +0200553 if (listener->options & LI_O_NOQUICKACK)
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400554 setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, (char *) &zero, sizeof(zero));
Willy Tarreau9ea05a72009-06-14 12:07:01 +0200555#endif
556
Willy Tarreaue6b98942007-10-29 01:09:36 +0100557 /* the socket is ready */
558 listener->fd = fd;
559 listener->state = LI_LISTEN;
560
561 /* the function for the accept() event */
562 fd_insert(fd);
563 fdtab[fd].cb[DIR_RD].f = listener->accept;
564 fdtab[fd].cb[DIR_WR].f = NULL; /* never called */
565 fdtab[fd].cb[DIR_RD].b = fdtab[fd].cb[DIR_WR].b = NULL;
Willy Tarreaueabf3132008-08-29 23:36:51 +0200566 fdtab[fd].owner = listener; /* reference the listener instead of a task */
Willy Tarreaue6b98942007-10-29 01:09:36 +0100567 fdtab[fd].state = FD_STLISTEN;
Willy Tarreaufb14edc2009-06-14 15:24:37 +0200568 fdtab[fd].flags = FD_FL_TCP;
Willy Tarreau5d707e12009-06-28 11:09:07 +0200569 if (listener->options & LI_O_NOLINGER)
570 fdtab[fd].flags |= FD_FL_TCP_NOLING;
571
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200572 fdinfo[fd].peeraddr = NULL;
573 fdinfo[fd].peerlen = 0;
Willy Tarreaue6b98942007-10-29 01:09:36 +0100574 tcp_return:
575 if (msg && errlen)
576 strlcpy2(errmsg, msg, errlen);
577 return err;
578
579 tcp_close_return:
580 close(fd);
581 goto tcp_return;
582}
583
584/* This function creates all TCP sockets bound to the protocol entry <proto>.
585 * It is intended to be used as the protocol's bind_all() function.
586 * The sockets will be registered but not added to any fd_set, in order not to
587 * loose them across the fork(). A call to enable_all_listeners() is needed
588 * to complete initialization. The return value is composed from ERR_*.
589 */
590static int tcp_bind_listeners(struct protocol *proto)
591{
592 struct listener *listener;
593 int err = ERR_NONE;
594
595 list_for_each_entry(listener, &proto->listeners, proto_list) {
596 err |= tcp_bind_listener(listener, NULL, 0);
597 if ((err & ERR_CODE) == ERR_ABORT)
598 break;
599 }
600
601 return err;
602}
603
604/* Add listener to the list of tcpv4 listeners. The listener's state
605 * is automatically updated from LI_INIT to LI_ASSIGNED. The number of
606 * listeners is updated. This is the function to use to add a new listener.
607 */
608void tcpv4_add_listener(struct listener *listener)
609{
610 if (listener->state != LI_INIT)
611 return;
612 listener->state = LI_ASSIGNED;
613 listener->proto = &proto_tcpv4;
614 LIST_ADDQ(&proto_tcpv4.listeners, &listener->proto_list);
615 proto_tcpv4.nb_listeners++;
616}
617
618/* Add listener to the list of tcpv4 listeners. The listener's state
619 * is automatically updated from LI_INIT to LI_ASSIGNED. The number of
620 * listeners is updated. This is the function to use to add a new listener.
621 */
622void tcpv6_add_listener(struct listener *listener)
623{
624 if (listener->state != LI_INIT)
625 return;
626 listener->state = LI_ASSIGNED;
627 listener->proto = &proto_tcpv6;
628 LIST_ADDQ(&proto_tcpv6.listeners, &listener->proto_list);
629 proto_tcpv6.nb_listeners++;
630}
631
Willy Tarreauedcf6682008-11-30 23:15:34 +0100632/* This function performs the TCP request analysis on the current request. It
633 * returns 1 if the processing can continue on next analysers, or zero if it
634 * needs more data, encounters an error, or wants to immediately abort the
635 * request. It relies on buffers flags, and updates s->req->analysers. Its
636 * behaviour is rather simple:
Willy Tarreau86ef7dc2009-03-15 22:55:47 +0100637 * - the analyser should check for errors and timeouts, and react as expected.
638 * It does not have to close anything upon error, the caller will. Note that
639 * the caller also knows how to report errors and timeouts.
640 * - if the analyser does not have enough data, it must return 0 without calling
Willy Tarreauedcf6682008-11-30 23:15:34 +0100641 * other ones. It should also probably do a buffer_write_dis() to ensure
642 * that unprocessed data will not be forwarded. But that probably depends on
643 * the protocol.
644 * - if an analyser has enough data, it just has to pass on to the next
645 * analyser without using buffer_write_dis() (enabled by default).
646 * - if an analyser thinks it has no added value anymore staying here, it must
647 * reset its bit from the analysers flags in order not to be called anymore.
648 *
649 * In the future, analysers should be able to indicate that they want to be
650 * called after XXX bytes have been received (or transfered), and the min of
651 * all's wishes will be used to ring back (unless a special condition occurs).
652 */
Willy Tarreau3a816292009-07-07 10:55:49 +0200653int tcp_inspect_request(struct session *s, struct buffer *req, int an_bit)
Willy Tarreauedcf6682008-11-30 23:15:34 +0100654{
655 struct tcp_rule *rule;
656 int partial;
657
658 DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
659 now_ms, __FUNCTION__,
660 s,
661 req,
662 req->rex, req->wex,
663 req->flags,
664 req->l,
665 req->analysers);
666
Willy Tarreauedcf6682008-11-30 23:15:34 +0100667 /* We don't know whether we have enough data, so must proceed
668 * this way :
669 * - iterate through all rules in their declaration order
670 * - if one rule returns MISS, it means the inspect delay is
671 * not over yet, then return immediately, otherwise consider
672 * it as a non-match.
673 * - if one rule returns OK, then return OK
674 * - if one rule returns KO, then return KO
675 */
676
Willy Tarreaud869b242009-03-15 14:43:58 +0100677 if (req->flags & BF_SHUTR || !s->fe->tcp_req.inspect_delay || tick_is_expired(req->analyse_exp, now_ms))
Willy Tarreauedcf6682008-11-30 23:15:34 +0100678 partial = 0;
679 else
680 partial = ACL_PARTIAL;
681
682 list_for_each_entry(rule, &s->fe->tcp_req.inspect_rules, list) {
683 int ret = ACL_PAT_PASS;
684
685 if (rule->cond) {
Willy Tarreau51d5dad2009-07-12 10:10:05 +0200686 ret = acl_exec_cond(rule->cond, s->fe, s, &s->txn, ACL_DIR_REQ | partial);
Willy Tarreauedcf6682008-11-30 23:15:34 +0100687 if (ret == ACL_PAT_MISS) {
Willy Tarreau520d95e2009-09-19 21:04:57 +0200688 buffer_dont_connect(req);
Willy Tarreauedcf6682008-11-30 23:15:34 +0100689 /* just set the request timeout once at the beginning of the request */
Willy Tarreaud869b242009-03-15 14:43:58 +0100690 if (!tick_isset(req->analyse_exp) && s->fe->tcp_req.inspect_delay)
Willy Tarreauedcf6682008-11-30 23:15:34 +0100691 req->analyse_exp = tick_add_ifset(now_ms, s->fe->tcp_req.inspect_delay);
692 return 0;
693 }
694
695 ret = acl_pass(ret);
696 if (rule->cond->pol == ACL_COND_UNLESS)
697 ret = !ret;
698 }
699
700 if (ret) {
701 /* we have a matching rule. */
702 if (rule->action == TCP_ACT_REJECT) {
703 buffer_abort(req);
704 buffer_abort(s->rep);
705 req->analysers = 0;
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +0200706
Krzysztof Piotr Oledzki052d4fd2009-10-04 14:52:57 +0200707 s->fe->counters.failed_req++;
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +0200708 if (s->listener->counters)
709 s->listener->counters->failed_req++;
710
Willy Tarreauedcf6682008-11-30 23:15:34 +0100711 if (!(s->flags & SN_ERR_MASK))
712 s->flags |= SN_ERR_PRXCOND;
713 if (!(s->flags & SN_FINST_MASK))
714 s->flags |= SN_FINST_R;
715 return 0;
716 }
717 /* otherwise accept */
718 break;
719 }
720 }
721
722 /* if we get there, it means we have no rule which matches, or
723 * we have an explicit accept, so we apply the default accept.
724 */
Willy Tarreau3a816292009-07-07 10:55:49 +0200725 req->analysers &= ~an_bit;
Willy Tarreauedcf6682008-11-30 23:15:34 +0100726 req->analyse_exp = TICK_ETERNITY;
727 return 1;
728}
729
Emeric Brun647caf12009-06-30 17:57:00 +0200730/* Apply RDP cookie persistence to the current session. For this, the function
731 * tries to extract an RDP cookie from the request buffer, and look for the
732 * matching server in the list. If the server is found, it is assigned to the
733 * session. This always returns 1, and the analyser removes itself from the
734 * list. Nothing is performed if a server was already assigned.
735 */
736int tcp_persist_rdp_cookie(struct session *s, struct buffer *req, int an_bit)
737{
738 struct proxy *px = s->be;
739 int ret;
740 struct acl_expr expr;
741 struct acl_test test;
742 struct server *srv = px->srv;
743 struct sockaddr_in addr;
744 char *p;
745
746 DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
747 now_ms, __FUNCTION__,
748 s,
749 req,
750 req->rex, req->wex,
751 req->flags,
752 req->l,
753 req->analysers);
754
755 if (s->flags & SN_ASSIGNED)
756 goto no_cookie;
757
758 memset(&expr, 0, sizeof(expr));
759 memset(&test, 0, sizeof(test));
760
761 expr.arg.str = s->be->rdp_cookie_name;
762 expr.arg_len = s->be->rdp_cookie_len;
763
764 ret = acl_fetch_rdp_cookie(px, s, NULL, ACL_DIR_REQ, &expr, &test);
765 if (ret == 0 || (test.flags & ACL_TEST_F_MAY_CHANGE) || test.len == 0)
766 goto no_cookie;
767
768 memset(&addr, 0, sizeof(addr));
769 addr.sin_family = AF_INET;
770
771 /* Considering an rdp cookie detected using acl, test.ptr ended with <cr><lf> and should return */
772 addr.sin_addr.s_addr = strtoul(test.ptr, &p, 10);
773 if (*p != '.')
774 goto no_cookie;
775 p++;
776 addr.sin_port = (unsigned short)strtoul(p, &p, 10);
777 if (*p != '.')
778 goto no_cookie;
779
780 while (srv) {
781 if (memcmp(&addr, &(srv->addr), sizeof(addr)) == 0) {
782 if ((srv->state & SRV_RUNNING) || (px->options & PR_O_PERSIST)) {
783 /* we found the server and it is usable */
784 s->flags |= SN_DIRECT | SN_ASSIGNED;
785 s->srv = srv;
786 break;
787 }
788 }
789 srv = srv->next;
790 }
791
792no_cookie:
793 req->analysers &= ~an_bit;
794 req->analyse_exp = TICK_ETERNITY;
795 return 1;
796}
797
Willy Tarreauedcf6682008-11-30 23:15:34 +0100798
Willy Tarreaub6866442008-07-14 23:54:42 +0200799/* This function should be called to parse a line starting with the "tcp-request"
800 * keyword.
801 */
802static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
803 struct proxy *defpx, char *err, int errlen)
804{
805 const char *ptr = NULL;
Willy Tarreauc7e961e2008-08-17 17:13:47 +0200806 unsigned int val;
Willy Tarreaub6866442008-07-14 23:54:42 +0200807 int retlen;
808
809 if (!*args[1]) {
810 snprintf(err, errlen, "missing argument for '%s' in %s '%s'",
811 args[0], proxy_type_str(proxy), curpx->id);
812 return -1;
813 }
814
815 if (!strcmp(args[1], "inspect-delay")) {
816 if (curpx == defpx) {
817 snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
818 args[0], args[1]);
819 return -1;
820 }
821
822 if (!(curpx->cap & PR_CAP_FE)) {
823 snprintf(err, errlen, "%s %s will be ignored because %s '%s' has no %s capability",
824 args[0], args[1], proxy_type_str(proxy), curpx->id,
825 "frontend");
826 return 1;
827 }
828
829 if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
830 retlen = snprintf(err, errlen,
831 "'%s %s' expects a positive delay in milliseconds, in %s '%s'",
832 args[0], args[1], proxy_type_str(proxy), curpx->id);
833 if (ptr && retlen < errlen)
834 retlen += snprintf(err+retlen, errlen - retlen,
835 " (unexpected character '%c')", *ptr);
836 return -1;
837 }
838
839 if (curpx->tcp_req.inspect_delay) {
840 snprintf(err, errlen, "ignoring %s %s (was already defined) in %s '%s'",
841 args[0], args[1], proxy_type_str(proxy), curpx->id);
842 return 1;
843 }
844 curpx->tcp_req.inspect_delay = val;
845 return 0;
846 }
847
848 if (!strcmp(args[1], "content")) {
849 int action;
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200850 int warn = 0;
Willy Tarreaub6866442008-07-14 23:54:42 +0200851 int pol = ACL_COND_NONE;
852 struct acl_cond *cond;
853 struct tcp_rule *rule;
854
855 if (curpx == defpx) {
856 snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
857 args[0], args[1]);
858 return -1;
859 }
860
861 if (!strcmp(args[2], "accept"))
862 action = TCP_ACT_ACCEPT;
863 else if (!strcmp(args[2], "reject"))
864 action = TCP_ACT_REJECT;
865 else {
866 retlen = snprintf(err, errlen,
867 "'%s %s' expects 'accept' or 'reject', in %s '%s' (was '%s')",
868 args[0], args[1], proxy_type_str(curpx), curpx->id, args[2]);
869 return -1;
870 }
871
872 pol = ACL_COND_NONE;
873 cond = NULL;
874
Willy Tarreauef6494c2010-01-28 17:12:36 +0100875 if (strcmp(args[3], "if") == 0 || strcmp(args[3], "unless") == 0) {
876 if ((cond = build_acl_cond(NULL, 0, curpx, (const char **)args+3)) == NULL) {
877 retlen = snprintf(err, errlen,
878 "error detected in %s '%s' while parsing '%s' condition",
879 proxy_type_str(curpx), curpx->id, args[3]);
880 return -1;
881 }
882 }
883 else if (*args[3]) {
Willy Tarreau606ad732009-07-14 21:17:05 +0200884 retlen = snprintf(err, errlen,
885 "'%s %s %s' only accepts 'if' or 'unless', in %s '%s' (was '%s')",
886 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[3]);
887 return -1;
888 }
Willy Tarreaub6866442008-07-14 23:54:42 +0200889
Willy Tarreau1a211942009-07-14 13:53:17 +0200890 if (cond && (cond->requires & ACL_USE_RTR_ANY)) {
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200891 struct acl *acl;
892 const char *name;
893
Willy Tarreau1a211942009-07-14 13:53:17 +0200894 acl = cond_find_require(cond, ACL_USE_RTR_ANY);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200895 name = acl ? acl->name : "(unknown)";
896
897 retlen = snprintf(err, errlen,
Willy Tarreau1a211942009-07-14 13:53:17 +0200898 "acl '%s' involves some response-only criteria which will be ignored.",
899 name);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200900 warn++;
901 }
Willy Tarreaub6866442008-07-14 23:54:42 +0200902 rule = (struct tcp_rule *)calloc(1, sizeof(*rule));
903 rule->cond = cond;
904 rule->action = action;
905 LIST_INIT(&rule->list);
906 LIST_ADDQ(&curpx->tcp_req.inspect_rules, &rule->list);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200907 return warn;
Willy Tarreaub6866442008-07-14 23:54:42 +0200908 }
909
910 snprintf(err, errlen, "unknown argument '%s' after '%s' in %s '%s'",
911 args[1], args[0], proxy_type_str(proxy), curpx->id);
912 return -1;
913}
914
915/* return the number of bytes in the request buffer */
916static int
917acl_fetch_req_len(struct proxy *px, struct session *l4, void *l7, int dir,
918 struct acl_expr *expr, struct acl_test *test)
919{
920 if (!l4 || !l4->req)
921 return 0;
922
923 test->i = l4->req->l;
924 test->flags = ACL_TEST_F_VOLATILE | ACL_TEST_F_MAY_CHANGE;
925 return 1;
926}
927
Willy Tarreau655e26a2008-07-15 18:58:05 +0200928/* Return the version of the SSL protocol in the request. It supports both
929 * SSLv3 (TLSv1) header format for any message, and SSLv2 header format for
930 * the hello message. The SSLv3 format is described in RFC 2246 p49, and the
931 * SSLv2 format is described here, and completed p67 of RFC 2246 :
932 * http://wp.netscape.com/eng/security/SSL_2.html
933 *
934 * Note: this decoder only works with non-wrapping data.
935 */
936static int
937acl_fetch_req_ssl_ver(struct proxy *px, struct session *l4, void *l7, int dir,
938 struct acl_expr *expr, struct acl_test *test)
939{
940 int version, bleft, msg_len;
941 const unsigned char *data;
942
943 if (!l4 || !l4->req)
944 return 0;
945
946 msg_len = 0;
947 bleft = l4->req->l;
948 if (!bleft)
949 goto too_short;
950
Willy Tarreauc7e961e2008-08-17 17:13:47 +0200951 data = (const unsigned char *)l4->req->w;
Willy Tarreau655e26a2008-07-15 18:58:05 +0200952 if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
953 /* SSLv3 header format */
954 if (bleft < 5)
955 goto too_short;
956
957 version = (data[1] << 16) + data[2]; /* version: major, minor */
958 msg_len = (data[3] << 8) + data[4]; /* record length */
959
960 /* format introduced with SSLv3 */
961 if (version < 0x00030000)
962 goto not_ssl;
963
964 /* message length between 1 and 2^14 + 2048 */
965 if (msg_len < 1 || msg_len > ((1<<14) + 2048))
966 goto not_ssl;
967
968 bleft -= 5; data += 5;
969 } else {
970 /* SSLv2 header format, only supported for hello (msg type 1) */
971 int rlen, plen, cilen, silen, chlen;
972
973 if (*data & 0x80) {
974 if (bleft < 3)
975 goto too_short;
976 /* short header format : 15 bits for length */
977 rlen = ((data[0] & 0x7F) << 8) | data[1];
978 plen = 0;
979 bleft -= 2; data += 2;
980 } else {
981 if (bleft < 4)
982 goto too_short;
983 /* long header format : 14 bits for length + pad length */
984 rlen = ((data[0] & 0x3F) << 8) | data[1];
985 plen = data[2];
986 bleft -= 3; data += 2;
987 }
988
989 if (*data != 0x01)
990 goto not_ssl;
991 bleft--; data++;
992
993 if (bleft < 8)
994 goto too_short;
995 version = (data[0] << 16) + data[1]; /* version: major, minor */
996 cilen = (data[2] << 8) + data[3]; /* cipher len, multiple of 3 */
997 silen = (data[4] << 8) + data[5]; /* session_id_len: 0 or 16 */
998 chlen = (data[6] << 8) + data[7]; /* 16<=challenge length<=32 */
999
1000 bleft -= 8; data += 8;
1001 if (cilen % 3 != 0)
1002 goto not_ssl;
1003 if (silen && silen != 16)
1004 goto not_ssl;
1005 if (chlen < 16 || chlen > 32)
1006 goto not_ssl;
1007 if (rlen != 9 + cilen + silen + chlen)
1008 goto not_ssl;
1009
1010 /* focus on the remaining data length */
1011 msg_len = cilen + silen + chlen + plen;
1012 }
1013 /* We could recursively check that the buffer ends exactly on an SSL
1014 * fragment boundary and that a possible next segment is still SSL,
1015 * but that's a bit pointless. However, we could still check that
1016 * all the part of the request which fits in a buffer is already
1017 * there.
1018 */
Willy Tarreau7c3c5412009-12-13 15:53:05 +01001019 if (msg_len > buffer_max_len(l4->req) + l4->req->data - l4->req->w)
1020 msg_len = buffer_max_len(l4->req) + l4->req->data - l4->req->w;
Willy Tarreau655e26a2008-07-15 18:58:05 +02001021
1022 if (bleft < msg_len)
1023 goto too_short;
1024
1025 /* OK that's enough. We have at least the whole message, and we have
1026 * the protocol version.
1027 */
1028 test->i = version;
1029 test->flags = ACL_TEST_F_VOLATILE;
1030 return 1;
1031
1032 too_short:
1033 test->flags = ACL_TEST_F_MAY_CHANGE;
1034 not_ssl:
1035 return 0;
1036}
1037
Emeric Brunbede3d02009-06-30 17:54:00 +02001038int
1039acl_fetch_rdp_cookie(struct proxy *px, struct session *l4, void *l7, int dir,
1040 struct acl_expr *expr, struct acl_test *test)
1041{
1042 int bleft;
1043 const unsigned char *data;
1044
1045 if (!l4 || !l4->req)
1046 return 0;
1047
1048 test->flags = 0;
1049
1050 bleft = l4->req->l;
1051 if (bleft <= 11)
1052 goto too_short;
1053
1054 data = (const unsigned char *)l4->req->w + 11;
1055 bleft -= 11;
1056
1057 if (bleft <= 7)
1058 goto too_short;
1059
1060 if (strncasecmp((const char *)data, "Cookie:", 7) != 0)
1061 goto not_cookie;
1062
1063 data += 7;
1064 bleft -= 7;
1065
1066 while (bleft > 0 && *data == ' ') {
1067 data++;
1068 bleft--;
1069 }
1070
1071 if (expr->arg_len) {
1072
1073 if (bleft <= expr->arg_len)
1074 goto too_short;
1075
1076 if ((data[expr->arg_len] != '=') ||
1077 strncasecmp(expr->arg.str, (const char *)data, expr->arg_len) != 0)
1078 goto not_cookie;
1079
1080 data += expr->arg_len + 1;
1081 bleft -= expr->arg_len + 1;
1082 } else {
1083 while (bleft > 0 && *data != '=') {
1084 if (*data == '\r' || *data == '\n')
1085 goto not_cookie;
1086 data++;
1087 bleft--;
1088 }
1089
1090 if (bleft < 1)
1091 goto too_short;
1092
1093 if (*data != '=')
1094 goto not_cookie;
1095
1096 data++;
1097 bleft--;
1098 }
1099
1100 /* data points to cookie value */
1101 test->ptr = (char *)data;
1102 test->len = 0;
1103
1104 while (bleft > 0 && *data != '\r') {
1105 data++;
1106 bleft--;
1107 }
1108
1109 if (bleft < 2)
1110 goto too_short;
1111
1112 if (data[0] != '\r' || data[1] != '\n')
1113 goto not_cookie;
1114
1115 test->len = (char *)data - test->ptr;
1116 test->flags = ACL_TEST_F_VOLATILE;
1117 return 1;
1118
1119 too_short:
1120 test->flags = ACL_TEST_F_MAY_CHANGE;
1121 not_cookie:
1122 return 0;
1123}
1124
1125static int
1126acl_fetch_rdp_cookie_cnt(struct proxy *px, struct session *l4, void *l7, int dir,
1127 struct acl_expr *expr, struct acl_test *test)
1128{
1129 int ret;
1130
1131 ret = acl_fetch_rdp_cookie(px, l4, l7, dir, expr, test);
1132
1133 test->ptr = NULL;
1134 test->len = 0;
1135
1136 if (test->flags & ACL_TEST_F_MAY_CHANGE)
1137 return 0;
1138
1139 test->flags = ACL_TEST_F_VOLATILE;
1140 test->i = ret;
1141
1142 return 1;
1143}
Willy Tarreaub6866442008-07-14 23:54:42 +02001144
1145static struct cfg_kw_list cfg_kws = {{ },{
1146 { CFG_LISTEN, "tcp-request", tcp_parse_tcp_req },
1147 { 0, NULL, NULL },
1148}};
1149
1150static struct acl_kw_list acl_kws = {{ },{
Willy Tarreau0ceba5a2008-07-25 19:31:03 +02001151 { "req_len", acl_parse_int, acl_fetch_req_len, acl_match_int, ACL_USE_L4REQ_VOLATILE },
1152 { "req_ssl_ver", acl_parse_dotted_ver, acl_fetch_req_ssl_ver, acl_match_int, ACL_USE_L4REQ_VOLATILE },
Emeric Brunbede3d02009-06-30 17:54:00 +02001153 { "req_rdp_cookie", acl_parse_str, acl_fetch_rdp_cookie, acl_match_str, ACL_USE_L4REQ_VOLATILE },
1154 { "req_rdp_cookie_cnt", acl_parse_int, acl_fetch_rdp_cookie_cnt, acl_match_int, ACL_USE_L4REQ_VOLATILE },
Willy Tarreaub6866442008-07-14 23:54:42 +02001155 { NULL, NULL, NULL, NULL },
1156}};
1157
Willy Tarreaue6b98942007-10-29 01:09:36 +01001158__attribute__((constructor))
1159static void __tcp_protocol_init(void)
1160{
1161 protocol_register(&proto_tcpv4);
1162 protocol_register(&proto_tcpv6);
Willy Tarreaub6866442008-07-14 23:54:42 +02001163 cfg_register_keywords(&cfg_kws);
1164 acl_register_keywords(&acl_kws);
Willy Tarreaue6b98942007-10-29 01:09:36 +01001165}
1166
1167
1168/*
1169 * Local variables:
1170 * c-indent-level: 8
1171 * c-basic-offset: 8
1172 * End:
1173 */