Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 1 | /* |
| 2 | * AF_INET/AF_INET6 SOCK_STREAM protocol layer (tcp) |
| 3 | * |
| 4 | * Copyright 2000-2013 Willy Tarreau <w@1wt.eu> |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public License |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | */ |
| 12 | |
| 13 | #include <ctype.h> |
| 14 | #include <errno.h> |
| 15 | #include <fcntl.h> |
| 16 | #include <stdio.h> |
| 17 | #include <stdlib.h> |
| 18 | #include <string.h> |
| 19 | #include <time.h> |
| 20 | |
| 21 | #include <sys/param.h> |
| 22 | #include <sys/socket.h> |
| 23 | #include <sys/types.h> |
| 24 | |
| 25 | #include <netinet/tcp.h> |
| 26 | #include <netinet/in.h> |
| 27 | |
| 28 | #include <haproxy/action-t.h> |
| 29 | #include <haproxy/api.h> |
| 30 | #include <haproxy/arg.h> |
| 31 | #include <haproxy/channel.h> |
| 32 | #include <haproxy/connection.h> |
Christopher Faulet | 8da67aa | 2022-03-29 17:53:09 +0200 | [diff] [blame] | 33 | #include <haproxy/cs_utils.h> |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 34 | #include <haproxy/global.h> |
| 35 | #include <haproxy/http_rules.h> |
| 36 | #include <haproxy/proto_tcp.h> |
| 37 | #include <haproxy/proxy-t.h> |
| 38 | #include <haproxy/sample.h> |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 39 | #include <haproxy/session.h> |
| 40 | #include <haproxy/stream_interface.h> |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 41 | #include <haproxy/tcp_rules.h> |
| 42 | #include <haproxy/tools.h> |
| 43 | |
| 44 | /* |
| 45 | * Execute the "set-src" action. May be called from {tcp,http}request. |
| 46 | * It only changes the address and tries to preserve the original port. If the |
| 47 | * previous family was neither AF_INET nor AF_INET6, the port is set to zero. |
| 48 | */ |
| 49 | static enum act_return tcp_action_req_set_src(struct act_rule *rule, struct proxy *px, |
| 50 | struct session *sess, struct stream *s, int flags) |
| 51 | { |
| 52 | struct connection *cli_conn; |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 53 | struct sockaddr_storage *src; |
| 54 | struct sample *smp; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 55 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 56 | switch (rule->from) { |
| 57 | case ACT_F_TCP_REQ_CON: |
| 58 | cli_conn = objt_conn(sess->origin); |
| 59 | if (!cli_conn || !conn_get_src(cli_conn)) |
| 60 | goto end; |
| 61 | src = cli_conn->src; |
| 62 | break; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 63 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 64 | case ACT_F_TCP_REQ_SES: |
| 65 | if (!sess_get_src(sess)) |
| 66 | goto end; |
| 67 | src = sess->src; |
| 68 | break; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 69 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 70 | case ACT_F_TCP_REQ_CNT: |
| 71 | case ACT_F_HTTP_REQ: |
Christopher Faulet | 8da67aa | 2022-03-29 17:53:09 +0200 | [diff] [blame] | 72 | if (!cs_get_src(s->csf)) |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 73 | goto end; |
Christopher Faulet | 8da67aa | 2022-03-29 17:53:09 +0200 | [diff] [blame] | 74 | src = s->csf->src; |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 75 | break; |
| 76 | |
| 77 | default: |
| 78 | goto end; |
| 79 | } |
| 80 | |
| 81 | smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.expr, SMP_T_ADDR); |
| 82 | if (smp) { |
| 83 | int port = get_net_port(src); |
| 84 | |
| 85 | if (smp->data.type == SMP_T_IPV4) { |
| 86 | ((struct sockaddr_in *)src)->sin_family = AF_INET; |
| 87 | ((struct sockaddr_in *)src)->sin_addr.s_addr = smp->data.u.ipv4.s_addr; |
| 88 | ((struct sockaddr_in *)src)->sin_port = port; |
| 89 | } else if (smp->data.type == SMP_T_IPV6) { |
| 90 | ((struct sockaddr_in6 *)src)->sin6_family = AF_INET6; |
| 91 | memcpy(&((struct sockaddr_in6 *)src)->sin6_addr, &smp->data.u.ipv6, sizeof(struct in6_addr)); |
| 92 | ((struct sockaddr_in6 *)src)->sin6_port = port; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 93 | } |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 94 | } |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 95 | |
| 96 | end: |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 97 | return ACT_RET_CONT; |
| 98 | } |
| 99 | |
| 100 | /* |
| 101 | * Execute the "set-dst" action. May be called from {tcp,http}request. |
| 102 | * It only changes the address and tries to preserve the original port. If the |
| 103 | * previous family was neither AF_INET nor AF_INET6, the port is set to zero. |
| 104 | */ |
| 105 | static enum act_return tcp_action_req_set_dst(struct act_rule *rule, struct proxy *px, |
| 106 | struct session *sess, struct stream *s, int flags) |
| 107 | { |
| 108 | struct connection *cli_conn; |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 109 | struct sockaddr_storage *dst; |
| 110 | struct sample *smp; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 111 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 112 | switch (rule->from) { |
| 113 | case ACT_F_TCP_REQ_CON: |
| 114 | cli_conn = objt_conn(sess->origin); |
| 115 | if (!cli_conn || !conn_get_dst(cli_conn)) |
| 116 | goto end; |
| 117 | dst = cli_conn->dst; |
| 118 | break; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 119 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 120 | case ACT_F_TCP_REQ_SES: |
| 121 | if (!sess_get_dst(sess)) |
| 122 | goto end; |
| 123 | dst = sess->dst; |
| 124 | break; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 125 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 126 | case ACT_F_TCP_REQ_CNT: |
| 127 | case ACT_F_HTTP_REQ: |
Christopher Faulet | 8da67aa | 2022-03-29 17:53:09 +0200 | [diff] [blame] | 128 | if (!cs_get_dst(s->csf)) |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 129 | goto end; |
Christopher Faulet | 8da67aa | 2022-03-29 17:53:09 +0200 | [diff] [blame] | 130 | dst = s->csf->dst; |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 131 | break; |
| 132 | |
| 133 | default: |
| 134 | goto end; |
| 135 | } |
| 136 | |
| 137 | smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.expr, SMP_T_ADDR); |
| 138 | if (smp) { |
| 139 | int port = get_net_port(dst); |
| 140 | |
| 141 | if (smp->data.type == SMP_T_IPV4) { |
| 142 | ((struct sockaddr_in *)dst)->sin_family = AF_INET; |
| 143 | ((struct sockaddr_in *)dst)->sin_addr.s_addr = smp->data.u.ipv4.s_addr; |
| 144 | ((struct sockaddr_in *)dst)->sin_port = port; |
| 145 | } else if (smp->data.type == SMP_T_IPV6) { |
| 146 | ((struct sockaddr_in6 *)dst)->sin6_family = AF_INET6; |
| 147 | memcpy(&((struct sockaddr_in6 *)dst)->sin6_addr, &smp->data.u.ipv6, sizeof(struct in6_addr)); |
| 148 | ((struct sockaddr_in6 *)dst)->sin6_port = port; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 149 | } |
| 150 | } |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 151 | |
| 152 | end: |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 153 | return ACT_RET_CONT; |
| 154 | } |
| 155 | |
| 156 | /* |
| 157 | * Execute the "set-src-port" action. May be called from {tcp,http}request. |
| 158 | * We must test the sin_family before setting the port. If the address family |
| 159 | * is neither AF_INET nor AF_INET6, the address is forced to AF_INET "0.0.0.0" |
| 160 | * and the port is assigned. |
| 161 | */ |
| 162 | static enum act_return tcp_action_req_set_src_port(struct act_rule *rule, struct proxy *px, |
| 163 | struct session *sess, struct stream *s, int flags) |
| 164 | { |
| 165 | struct connection *cli_conn; |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 166 | struct sockaddr_storage *src; |
| 167 | struct sample *smp; |
| 168 | |
| 169 | switch (rule->from) { |
| 170 | case ACT_F_TCP_REQ_CON: |
| 171 | cli_conn = objt_conn(sess->origin); |
| 172 | if (!cli_conn || !conn_get_src(cli_conn)) |
| 173 | goto end; |
| 174 | src = cli_conn->src; |
| 175 | break; |
| 176 | |
| 177 | case ACT_F_TCP_REQ_SES: |
| 178 | if (!sess_get_src(sess)) |
| 179 | goto end; |
| 180 | src = sess->src; |
| 181 | break; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 182 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 183 | case ACT_F_TCP_REQ_CNT: |
| 184 | case ACT_F_HTTP_REQ: |
Christopher Faulet | 8da67aa | 2022-03-29 17:53:09 +0200 | [diff] [blame] | 185 | if (!cs_get_src(s->csf)) |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 186 | goto end; |
Christopher Faulet | 8da67aa | 2022-03-29 17:53:09 +0200 | [diff] [blame] | 187 | src = s->csf->src; |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 188 | break; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 189 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 190 | default: |
| 191 | goto end; |
| 192 | } |
| 193 | |
| 194 | smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.expr, SMP_T_SINT); |
| 195 | if (smp) { |
| 196 | if (src->ss_family == AF_INET6) { |
| 197 | ((struct sockaddr_in6 *)src)->sin6_port = htons(smp->data.u.sint); |
| 198 | } else { |
| 199 | if (src->ss_family != AF_INET) { |
| 200 | src->ss_family = AF_INET; |
| 201 | ((struct sockaddr_in *)src)->sin_addr.s_addr = 0; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 202 | } |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 203 | ((struct sockaddr_in *)src)->sin_port = htons(smp->data.u.sint); |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 204 | } |
| 205 | } |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 206 | |
| 207 | end: |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 208 | return ACT_RET_CONT; |
| 209 | } |
| 210 | |
| 211 | /* |
| 212 | * Execute the "set-dst-port" action. May be called from {tcp,http}request. |
| 213 | * We must test the sin_family before setting the port. If the address family |
| 214 | * is neither AF_INET nor AF_INET6, the address is forced to AF_INET "0.0.0.0" |
| 215 | * and the port is assigned. |
| 216 | */ |
| 217 | static enum act_return tcp_action_req_set_dst_port(struct act_rule *rule, struct proxy *px, |
| 218 | struct session *sess, struct stream *s, int flags) |
| 219 | { |
| 220 | struct connection *cli_conn; |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 221 | struct sockaddr_storage *dst; |
| 222 | struct sample *smp; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 223 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 224 | switch (rule->from) { |
| 225 | case ACT_F_TCP_REQ_CON: |
| 226 | cli_conn = objt_conn(sess->origin); |
| 227 | if (!cli_conn || !conn_get_dst(cli_conn)) |
| 228 | goto end; |
| 229 | dst = cli_conn->dst; |
| 230 | break; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 231 | |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 232 | case ACT_F_TCP_REQ_SES: |
| 233 | if (!sess_get_dst(sess)) |
| 234 | goto end; |
| 235 | dst = sess->dst; |
| 236 | break; |
| 237 | |
| 238 | case ACT_F_TCP_REQ_CNT: |
| 239 | case ACT_F_HTTP_REQ: |
Christopher Faulet | 8da67aa | 2022-03-29 17:53:09 +0200 | [diff] [blame] | 240 | if (!cs_get_dst(s->csf)) |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 241 | goto end; |
Christopher Faulet | 8da67aa | 2022-03-29 17:53:09 +0200 | [diff] [blame] | 242 | dst = s->csf->dst; |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 243 | break; |
| 244 | |
| 245 | default: |
| 246 | goto end; |
| 247 | } |
| 248 | |
| 249 | smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.expr, SMP_T_SINT); |
| 250 | if (smp) { |
| 251 | if (dst->ss_family == AF_INET6) { |
| 252 | ((struct sockaddr_in6 *)dst)->sin6_port = htons(smp->data.u.sint); |
| 253 | } else { |
| 254 | if (dst->ss_family != AF_INET) { |
| 255 | dst->ss_family = AF_INET; |
| 256 | ((struct sockaddr_in *)dst)->sin_addr.s_addr = 0; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 257 | } |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 258 | ((struct sockaddr_in *)dst)->sin_port = htons(smp->data.u.sint); |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 259 | } |
| 260 | } |
Christopher Faulet | d69377e | 2021-10-25 08:26:34 +0200 | [diff] [blame] | 261 | |
| 262 | end: |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 263 | return ACT_RET_CONT; |
| 264 | } |
| 265 | |
| 266 | /* Executes the "silent-drop" action. May be called from {tcp,http}{request,response} */ |
| 267 | static enum act_return tcp_exec_action_silent_drop(struct act_rule *rule, struct proxy *px, |
| 268 | struct session *sess, struct stream *strm, int flags) |
| 269 | { |
| 270 | struct connection *conn = objt_conn(sess->origin); |
| 271 | |
| 272 | if (!conn) |
| 273 | goto out; |
| 274 | |
| 275 | if (!conn_ctrl_ready(conn)) |
| 276 | goto out; |
| 277 | |
| 278 | #ifdef TCP_QUICKACK |
| 279 | /* drain is needed only to send the quick ACK */ |
Willy Tarreau | 2ded48d | 2020-12-11 16:20:34 +0100 | [diff] [blame] | 280 | conn_ctrl_drain(conn); |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 281 | |
| 282 | /* re-enable quickack if it was disabled to ack all data and avoid |
| 283 | * retransmits from the client that might trigger a real reset. |
| 284 | */ |
Willy Tarreau | 4bfc663 | 2021-03-31 08:45:47 +0200 | [diff] [blame] | 285 | setsockopt(conn->handle.fd, IPPROTO_TCP, TCP_QUICKACK, &one, sizeof(one)); |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 286 | #endif |
| 287 | /* lingering must absolutely be disabled so that we don't send a |
| 288 | * shutdown(), this is critical to the TCP_REPAIR trick. When no stream |
| 289 | * is present, returning with ERR will cause lingering to be disabled. |
| 290 | */ |
| 291 | if (strm) |
Christopher Faulet | 8abe712 | 2022-03-30 15:10:18 +0200 | [diff] [blame] | 292 | strm->csf->flags |= CS_FL_NOLINGER; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 293 | |
Willy Tarreau | e222679 | 2022-04-11 18:04:33 +0200 | [diff] [blame] | 294 | if (conn->flags & CO_FL_FDLESS) |
| 295 | goto out; |
| 296 | |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 297 | /* We're on the client-facing side, we must force to disable lingering to |
| 298 | * ensure we will use an RST exclusively and kill any pending data. |
| 299 | */ |
Willy Tarreau | b41a6e9 | 2021-04-06 17:49:19 +0200 | [diff] [blame] | 300 | HA_ATOMIC_OR(&fdtab[conn->handle.fd].state, FD_LINGER_RISK); |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 301 | |
| 302 | #ifdef TCP_REPAIR |
Willy Tarreau | 4bfc663 | 2021-03-31 08:45:47 +0200 | [diff] [blame] | 303 | if (setsockopt(conn->handle.fd, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one)) == 0) { |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 304 | /* socket will be quiet now */ |
| 305 | goto out; |
| 306 | } |
| 307 | #endif |
| 308 | /* either TCP_REPAIR is not defined or it failed (eg: permissions). |
| 309 | * Let's fall back on the TTL trick, though it only works for routed |
| 310 | * network and has no effect on local net. |
| 311 | */ |
| 312 | #ifdef IP_TTL |
Willy Tarreau | ab79ee8 | 2021-03-30 17:23:50 +0200 | [diff] [blame] | 313 | if (conn->src && conn->src->ss_family == AF_INET) |
Willy Tarreau | 4bfc663 | 2021-03-31 08:45:47 +0200 | [diff] [blame] | 314 | setsockopt(conn->handle.fd, IPPROTO_IP, IP_TTL, &one, sizeof(one)); |
Willy Tarreau | ab79ee8 | 2021-03-30 17:23:50 +0200 | [diff] [blame] | 315 | #endif |
| 316 | #ifdef IPV6_UNICAST_HOPS |
Willy Tarreau | da23195 | 2021-03-31 08:29:27 +0200 | [diff] [blame] | 317 | if (conn->src && conn->src->ss_family == AF_INET6) |
| 318 | setsockopt(conn->handle.fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one)); |
| 319 | #endif |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 320 | out: |
| 321 | /* kill the stream if any */ |
| 322 | if (strm) { |
| 323 | channel_abort(&strm->req); |
| 324 | channel_abort(&strm->res); |
| 325 | strm->req.analysers &= AN_REQ_FLT_END; |
| 326 | strm->res.analysers &= AN_RES_FLT_END; |
| 327 | if (strm->flags & SF_BE_ASSIGNED) |
Willy Tarreau | 4781b15 | 2021-04-06 13:53:36 +0200 | [diff] [blame] | 328 | _HA_ATOMIC_INC(&strm->be->be_counters.denied_req); |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 329 | if (!(strm->flags & SF_ERR_MASK)) |
| 330 | strm->flags |= SF_ERR_PRXCOND; |
| 331 | if (!(strm->flags & SF_FINST_MASK)) |
| 332 | strm->flags |= SF_FINST_R; |
| 333 | } |
| 334 | |
Willy Tarreau | 4781b15 | 2021-04-06 13:53:36 +0200 | [diff] [blame] | 335 | _HA_ATOMIC_INC(&sess->fe->fe_counters.denied_req); |
William Lallemand | 36119de | 2021-03-08 15:26:48 +0100 | [diff] [blame] | 336 | if (sess->listener && sess->listener->counters) |
Willy Tarreau | 4781b15 | 2021-04-06 13:53:36 +0200 | [diff] [blame] | 337 | _HA_ATOMIC_INC(&sess->listener->counters->denied_req); |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 338 | |
| 339 | return ACT_RET_ABRT; |
| 340 | } |
| 341 | |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 342 | |
David Carlier | bae4cb2 | 2021-07-03 10:15:15 +0100 | [diff] [blame] | 343 | #if defined(SO_MARK) || defined(SO_USER_COOKIE) || defined(SO_RTABLE) |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 344 | static enum act_return tcp_action_set_mark(struct act_rule *rule, struct proxy *px, |
| 345 | struct session *sess, struct stream *s, int flags) |
| 346 | { |
| 347 | conn_set_mark(objt_conn(sess->origin), (uintptr_t)rule->arg.act.p[0]); |
| 348 | return ACT_RET_CONT; |
| 349 | } |
Willy Tarreau | 5bbfff1 | 2021-06-28 07:12:22 +0200 | [diff] [blame] | 350 | #endif |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 351 | |
Willy Tarreau | 5bbfff1 | 2021-06-28 07:12:22 +0200 | [diff] [blame] | 352 | #ifdef IP_TOS |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 353 | static enum act_return tcp_action_set_tos(struct act_rule *rule, struct proxy *px, |
| 354 | struct session *sess, struct stream *s, int flags) |
| 355 | { |
| 356 | conn_set_tos(objt_conn(sess->origin), (uintptr_t)rule->arg.act.p[0]); |
| 357 | return ACT_RET_CONT; |
| 358 | } |
Willy Tarreau | 5bbfff1 | 2021-06-28 07:12:22 +0200 | [diff] [blame] | 359 | #endif |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 360 | |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 361 | /* parse "set-{src,dst}[-port]" action */ |
| 362 | static enum act_parse_ret tcp_parse_set_src_dst(const char **args, int *orig_arg, struct proxy *px, |
| 363 | struct act_rule *rule, char **err) |
| 364 | { |
| 365 | int cur_arg; |
| 366 | struct sample_expr *expr; |
| 367 | unsigned int where; |
| 368 | |
| 369 | cur_arg = *orig_arg; |
| 370 | expr = sample_parse_expr((char **)args, &cur_arg, px->conf.args.file, px->conf.args.line, err, &px->conf.args, NULL); |
| 371 | if (!expr) |
| 372 | return ACT_RET_PRS_ERR; |
| 373 | |
| 374 | where = 0; |
| 375 | if (px->cap & PR_CAP_FE) |
| 376 | where |= SMP_VAL_FE_HRQ_HDR; |
| 377 | if (px->cap & PR_CAP_BE) |
| 378 | where |= SMP_VAL_BE_HRQ_HDR; |
| 379 | |
| 380 | if (!(expr->fetch->val & where)) { |
| 381 | memprintf(err, |
| 382 | "fetch method '%s' extracts information from '%s', none of which is available here", |
| 383 | args[cur_arg-1], sample_src_names(expr->fetch->use)); |
| 384 | free(expr); |
| 385 | return ACT_RET_PRS_ERR; |
| 386 | } |
| 387 | rule->arg.expr = expr; |
| 388 | rule->action = ACT_CUSTOM; |
| 389 | |
Tim Duesterhus | e5ff141 | 2021-01-02 22:31:53 +0100 | [diff] [blame] | 390 | if (strcmp(args[*orig_arg - 1], "set-src") == 0) { |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 391 | rule->action_ptr = tcp_action_req_set_src; |
Tim Duesterhus | e5ff141 | 2021-01-02 22:31:53 +0100 | [diff] [blame] | 392 | } else if (strcmp(args[*orig_arg - 1], "set-src-port") == 0) { |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 393 | rule->action_ptr = tcp_action_req_set_src_port; |
Tim Duesterhus | e5ff141 | 2021-01-02 22:31:53 +0100 | [diff] [blame] | 394 | } else if (strcmp(args[*orig_arg - 1], "set-dst") == 0) { |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 395 | rule->action_ptr = tcp_action_req_set_dst; |
Tim Duesterhus | e5ff141 | 2021-01-02 22:31:53 +0100 | [diff] [blame] | 396 | } else if (strcmp(args[*orig_arg - 1], "set-dst-port") == 0) { |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 397 | rule->action_ptr = tcp_action_req_set_dst_port; |
| 398 | } else { |
| 399 | return ACT_RET_PRS_ERR; |
| 400 | } |
| 401 | |
| 402 | (*orig_arg)++; |
| 403 | |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 404 | return ACT_RET_PRS_OK; |
| 405 | } |
| 406 | |
| 407 | |
| 408 | /* Parse a "set-mark" action. It takes the MARK value as argument. It returns |
| 409 | * ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error. |
| 410 | */ |
| 411 | static enum act_parse_ret tcp_parse_set_mark(const char **args, int *cur_arg, struct proxy *px, |
| 412 | struct act_rule *rule, char **err) |
| 413 | { |
David Carlier | bae4cb2 | 2021-07-03 10:15:15 +0100 | [diff] [blame] | 414 | #if defined(SO_MARK) || defined(SO_USER_COOKIE) || defined(SO_RTABLE) |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 415 | char *endp; |
| 416 | unsigned int mark; |
| 417 | |
| 418 | if (!*args[*cur_arg]) { |
| 419 | memprintf(err, "expects exactly 1 argument (integer/hex value)"); |
| 420 | return ACT_RET_PRS_ERR; |
| 421 | } |
| 422 | mark = strtoul(args[*cur_arg], &endp, 0); |
| 423 | if (endp && *endp != '\0') { |
| 424 | memprintf(err, "invalid character starting at '%s' (integer/hex value expected)", endp); |
| 425 | return ACT_RET_PRS_ERR; |
| 426 | } |
| 427 | |
| 428 | (*cur_arg)++; |
| 429 | |
| 430 | /* Register processing function. */ |
| 431 | rule->action_ptr = tcp_action_set_mark; |
| 432 | rule->action = ACT_CUSTOM; |
| 433 | rule->arg.act.p[0] = (void *)(uintptr_t)mark; |
| 434 | global.last_checks |= LSTCHK_NETADM; |
| 435 | return ACT_RET_PRS_OK; |
| 436 | #else |
David Carlier | bae4cb2 | 2021-07-03 10:15:15 +0100 | [diff] [blame] | 437 | memprintf(err, "not supported on this platform (SO_MARK|SO_USER_COOKIE|SO_RTABLE undefined)"); |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 438 | return ACT_RET_PRS_ERR; |
| 439 | #endif |
| 440 | } |
| 441 | |
| 442 | |
| 443 | /* Parse a "set-tos" action. It takes the TOS value as argument. It returns |
| 444 | * ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error. |
| 445 | */ |
| 446 | static enum act_parse_ret tcp_parse_set_tos(const char **args, int *cur_arg, struct proxy *px, |
| 447 | struct act_rule *rule, char **err) |
| 448 | { |
| 449 | #ifdef IP_TOS |
| 450 | char *endp; |
| 451 | int tos; |
| 452 | |
| 453 | if (!*args[*cur_arg]) { |
| 454 | memprintf(err, "expects exactly 1 argument (integer/hex value)"); |
| 455 | return ACT_RET_PRS_ERR; |
| 456 | } |
| 457 | tos = strtol(args[*cur_arg], &endp, 0); |
| 458 | if (endp && *endp != '\0') { |
| 459 | memprintf(err, "invalid character starting at '%s' (integer/hex value expected)", endp); |
| 460 | return ACT_RET_PRS_ERR; |
| 461 | } |
| 462 | |
| 463 | (*cur_arg)++; |
| 464 | |
| 465 | /* Register processing function. */ |
| 466 | rule->action_ptr = tcp_action_set_tos; |
| 467 | rule->action = ACT_CUSTOM; |
| 468 | rule->arg.act.p[0] = (void *)(uintptr_t)tos; |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 469 | return ACT_RET_PRS_OK; |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 470 | #else |
| 471 | memprintf(err, "not supported on this platform (IP_TOS undefined)"); |
| 472 | return ACT_RET_PRS_ERR; |
| 473 | #endif |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 474 | } |
| 475 | |
| 476 | |
| 477 | /* Parse a "silent-drop" action. It takes no argument. It returns ACT_RET_PRS_OK on |
| 478 | * success, ACT_RET_PRS_ERR on error. |
| 479 | */ |
| 480 | static enum act_parse_ret tcp_parse_silent_drop(const char **args, int *orig_arg, struct proxy *px, |
| 481 | struct act_rule *rule, char **err) |
| 482 | { |
| 483 | rule->action = ACT_CUSTOM; |
| 484 | rule->action_ptr = tcp_exec_action_silent_drop; |
| 485 | return ACT_RET_PRS_OK; |
| 486 | } |
| 487 | |
| 488 | |
| 489 | static struct action_kw_list tcp_req_conn_actions = {ILH, { |
Christopher Faulet | ee9c98d | 2021-06-25 15:18:33 +0200 | [diff] [blame] | 490 | { "set-dst" , tcp_parse_set_src_dst }, |
| 491 | { "set-dst-port", tcp_parse_set_src_dst }, |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 492 | { "set-mark", tcp_parse_set_mark }, |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 493 | { "set-src", tcp_parse_set_src_dst }, |
| 494 | { "set-src-port", tcp_parse_set_src_dst }, |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 495 | { "set-tos", tcp_parse_set_tos }, |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 496 | { "silent-drop", tcp_parse_silent_drop }, |
| 497 | { /* END */ } |
| 498 | }}; |
| 499 | |
| 500 | INITCALL1(STG_REGISTER, tcp_req_conn_keywords_register, &tcp_req_conn_actions); |
| 501 | |
| 502 | static struct action_kw_list tcp_req_sess_actions = {ILH, { |
Christopher Faulet | ee9c98d | 2021-06-25 15:18:33 +0200 | [diff] [blame] | 503 | { "set-dst" , tcp_parse_set_src_dst }, |
| 504 | { "set-dst-port", tcp_parse_set_src_dst }, |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 505 | { "set-mark", tcp_parse_set_mark }, |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 506 | { "set-src", tcp_parse_set_src_dst }, |
| 507 | { "set-src-port", tcp_parse_set_src_dst }, |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 508 | { "set-tos", tcp_parse_set_tos }, |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 509 | { "silent-drop", tcp_parse_silent_drop }, |
| 510 | { /* END */ } |
| 511 | }}; |
| 512 | |
| 513 | INITCALL1(STG_REGISTER, tcp_req_sess_keywords_register, &tcp_req_sess_actions); |
| 514 | |
| 515 | static struct action_kw_list tcp_req_cont_actions = {ILH, { |
Christopher Faulet | 1e83b70 | 2021-06-23 12:07:21 +0200 | [diff] [blame] | 516 | { "set-src", tcp_parse_set_src_dst }, |
| 517 | { "set-src-port", tcp_parse_set_src_dst }, |
Christopher Faulet | ee9c98d | 2021-06-25 15:18:33 +0200 | [diff] [blame] | 518 | { "set-dst" , tcp_parse_set_src_dst }, |
| 519 | { "set-dst-port", tcp_parse_set_src_dst }, |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 520 | { "set-mark", tcp_parse_set_mark }, |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 521 | { "set-tos", tcp_parse_set_tos }, |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 522 | { "silent-drop", tcp_parse_silent_drop }, |
| 523 | { /* END */ } |
| 524 | }}; |
| 525 | |
| 526 | INITCALL1(STG_REGISTER, tcp_req_cont_keywords_register, &tcp_req_cont_actions); |
| 527 | |
| 528 | static struct action_kw_list tcp_res_cont_actions = {ILH, { |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 529 | { "set-mark", tcp_parse_set_mark }, |
| 530 | { "set-tos", tcp_parse_set_tos }, |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 531 | { "silent-drop", tcp_parse_silent_drop }, |
| 532 | { /* END */ } |
| 533 | }}; |
| 534 | |
| 535 | INITCALL1(STG_REGISTER, tcp_res_cont_keywords_register, &tcp_res_cont_actions); |
| 536 | |
| 537 | static struct action_kw_list http_req_actions = {ILH, { |
Christopher Faulet | ee9c98d | 2021-06-25 15:18:33 +0200 | [diff] [blame] | 538 | { "set-dst", tcp_parse_set_src_dst }, |
| 539 | { "set-dst-port", tcp_parse_set_src_dst }, |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 540 | { "set-mark", tcp_parse_set_mark }, |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 541 | { "set-src", tcp_parse_set_src_dst }, |
| 542 | { "set-src-port", tcp_parse_set_src_dst }, |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 543 | { "set-tos", tcp_parse_set_tos }, |
Christopher Faulet | ee9c98d | 2021-06-25 15:18:33 +0200 | [diff] [blame] | 544 | { "silent-drop", tcp_parse_silent_drop }, |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 545 | { /* END */ } |
| 546 | }}; |
| 547 | |
| 548 | INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions); |
| 549 | |
| 550 | static struct action_kw_list http_res_actions = {ILH, { |
Christopher Faulet | 469c06c | 2021-06-25 15:11:35 +0200 | [diff] [blame] | 551 | { "set-mark", tcp_parse_set_mark }, |
| 552 | { "set-tos", tcp_parse_set_tos }, |
Willy Tarreau | aeae66c | 2020-08-28 11:03:28 +0200 | [diff] [blame] | 553 | { "silent-drop", tcp_parse_silent_drop }, |
| 554 | { /* END */ } |
| 555 | }}; |
| 556 | |
| 557 | INITCALL1(STG_REGISTER, http_res_keywords_register, &http_res_actions); |
| 558 | |
| 559 | |
| 560 | /* |
| 561 | * Local variables: |
| 562 | * c-indent-level: 8 |
| 563 | * c-basic-offset: 8 |
| 564 | * End: |
| 565 | */ |