blob: 99900e452c8bf6c1f521ba220b0caa0fc5293b38 [file] [log] [blame]
Willy Tarreaue6b98942007-10-29 01:09:36 +01001/*
2 * AF_INET/AF_INET6 SOCK_STREAM protocol layer (tcp)
3 *
Willy Tarreaue8c66af2008-01-13 18:40:14 +01004 * Copyright 2000-2008 Willy Tarreau <w@1wt.eu>
Willy Tarreaue6b98942007-10-29 01:09:36 +01005 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
13#include <ctype.h>
14#include <errno.h>
15#include <fcntl.h>
16#include <stdio.h>
17#include <stdlib.h>
18#include <string.h>
19#include <time.h>
20
Willy Tarreau9ea05a72009-06-14 12:07:01 +020021#include <netinet/tcp.h>
22
Willy Tarreaue6b98942007-10-29 01:09:36 +010023#include <sys/param.h>
24#include <sys/socket.h>
25#include <sys/stat.h>
26#include <sys/types.h>
27#include <sys/un.h>
28
Willy Tarreaub6866442008-07-14 23:54:42 +020029#include <common/cfgparse.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010030#include <common/compat.h>
31#include <common/config.h>
32#include <common/debug.h>
33#include <common/errors.h>
34#include <common/memory.h>
35#include <common/mini-clist.h>
36#include <common/standard.h>
37#include <common/time.h>
38#include <common/version.h>
39
Willy Tarreaue6b98942007-10-29 01:09:36 +010040#include <types/global.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010041
42#include <proto/acl.h>
43#include <proto/backend.h>
44#include <proto/buffers.h>
45#include <proto/fd.h>
46#include <proto/protocols.h>
47#include <proto/proto_tcp.h>
Willy Tarreaub6866442008-07-14 23:54:42 +020048#include <proto/proxy.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010049#include <proto/queue.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010050#include <proto/session.h>
51#include <proto/stream_sock.h>
52#include <proto/task.h>
53
Willy Tarreaue8c66af2008-01-13 18:40:14 +010054#ifdef CONFIG_HAP_CTTPROXY
55#include <import/ip_tproxy.h>
56#endif
57
Willy Tarreaue6b98942007-10-29 01:09:36 +010058static int tcp_bind_listeners(struct protocol *proto);
59
60/* Note: must not be declared <const> as its list will be overwritten */
61static struct protocol proto_tcpv4 = {
62 .name = "tcpv4",
63 .sock_domain = AF_INET,
64 .sock_type = SOCK_STREAM,
65 .sock_prot = IPPROTO_TCP,
66 .sock_family = AF_INET,
67 .sock_addrlen = sizeof(struct sockaddr_in),
68 .l3_addrlen = 32/8,
69 .read = &stream_sock_read,
70 .write = &stream_sock_write,
71 .bind_all = tcp_bind_listeners,
72 .unbind_all = unbind_all_listeners,
73 .enable_all = enable_all_listeners,
74 .listeners = LIST_HEAD_INIT(proto_tcpv4.listeners),
75 .nb_listeners = 0,
76};
77
78/* Note: must not be declared <const> as its list will be overwritten */
79static struct protocol proto_tcpv6 = {
80 .name = "tcpv6",
81 .sock_domain = AF_INET6,
82 .sock_type = SOCK_STREAM,
83 .sock_prot = IPPROTO_TCP,
84 .sock_family = AF_INET6,
85 .sock_addrlen = sizeof(struct sockaddr_in6),
86 .l3_addrlen = 128/8,
87 .read = &stream_sock_read,
88 .write = &stream_sock_write,
89 .bind_all = tcp_bind_listeners,
90 .unbind_all = unbind_all_listeners,
91 .enable_all = enable_all_listeners,
92 .listeners = LIST_HEAD_INIT(proto_tcpv6.listeners),
93 .nb_listeners = 0,
94};
95
Willy Tarreaue8c66af2008-01-13 18:40:14 +010096
97/* Binds ipv4 address <local> to socket <fd>, unless <flags> is set, in which
98 * case we try to bind <remote>. <flags> is a 2-bit field consisting of :
99 * - 0 : ignore remote address (may even be a NULL pointer)
100 * - 1 : use provided address
101 * - 2 : use provided port
102 * - 3 : use both
103 *
104 * The function supports multiple foreign binding methods :
105 * - linux_tproxy: we directly bind to the foreign address
106 * - cttproxy: we bind to a local address then nat.
107 * The second one can be used as a fallback for the first one.
108 * This function returns 0 when everything's OK, 1 if it could not bind, to the
109 * local address, 2 if it could not bind to the foreign address.
110 */
111int tcpv4_bind_socket(int fd, int flags, struct sockaddr_in *local, struct sockaddr_in *remote)
112{
113 struct sockaddr_in bind_addr;
114 int foreign_ok = 0;
115 int ret;
116
117#ifdef CONFIG_HAP_LINUX_TPROXY
118 static int ip_transp_working = 1;
119 if (flags && ip_transp_working) {
120 if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0
121 || setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == 0)
122 foreign_ok = 1;
123 else
124 ip_transp_working = 0;
125 }
126#endif
127 if (flags) {
128 memset(&bind_addr, 0, sizeof(bind_addr));
129 if (flags & 1)
130 bind_addr.sin_addr = remote->sin_addr;
131 if (flags & 2)
132 bind_addr.sin_port = remote->sin_port;
133 }
134
135 setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(one));
136 if (foreign_ok) {
137 ret = bind(fd, (struct sockaddr *)&bind_addr, sizeof(bind_addr));
138 if (ret < 0)
139 return 2;
140 }
141 else {
142 ret = bind(fd, (struct sockaddr *)local, sizeof(*local));
143 if (ret < 0)
144 return 1;
145 }
146
147 if (!flags)
148 return 0;
149
150#ifdef CONFIG_HAP_CTTPROXY
151 if (!foreign_ok) {
152 struct in_tproxy itp1, itp2;
153 memset(&itp1, 0, sizeof(itp1));
154
155 itp1.op = TPROXY_ASSIGN;
156 itp1.v.addr.faddr = bind_addr.sin_addr;
157 itp1.v.addr.fport = bind_addr.sin_port;
158
159 /* set connect flag on socket */
160 itp2.op = TPROXY_FLAGS;
161 itp2.v.flags = ITP_CONNECT | ITP_ONCE;
162
163 if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp1, sizeof(itp1)) != -1 &&
164 setsockopt(fd, SOL_IP, IP_TPROXY, &itp2, sizeof(itp2)) != -1) {
165 foreign_ok = 1;
166 }
167 }
168#endif
169 if (!foreign_ok)
170 /* we could not bind to a foreign address */
171 return 2;
172
173 return 0;
174}
Willy Tarreaue6b98942007-10-29 01:09:36 +0100175
176/* This function tries to bind a TCPv4/v6 listener. It may return a warning or
177 * an error message in <err> if the message is at most <errlen> bytes long
178 * (including '\0'). The return value is composed from ERR_ABORT, ERR_WARN,
179 * ERR_ALERT, ERR_RETRYABLE and ERR_FATAL. ERR_NONE indicates that everything
180 * was alright and that no message was returned. ERR_RETRYABLE means that an
181 * error occurred but that it may vanish after a retry (eg: port in use), and
182 * ERR_FATAL indicates a non-fixable error.ERR_WARN and ERR_ALERT do not alter
183 * the meaning of the error, but just indicate that a message is present which
184 * should be displayed with the respective level. Last, ERR_ABORT indicates
185 * that it's pointless to try to start other listeners. No error message is
186 * returned if errlen is NULL.
187 */
188int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen)
189{
190 __label__ tcp_return, tcp_close_return;
191 int fd, err;
192 const char *msg = NULL;
193
194 /* ensure we never return garbage */
195 if (errmsg && errlen)
196 *errmsg = 0;
197
198 if (listener->state != LI_ASSIGNED)
199 return ERR_NONE; /* already bound */
200
201 err = ERR_NONE;
202
203 if ((fd = socket(listener->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
204 err |= ERR_RETRYABLE | ERR_ALERT;
205 msg = "cannot create listening socket";
206 goto tcp_return;
207 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100208
Willy Tarreaue6b98942007-10-29 01:09:36 +0100209 if (fd >= global.maxsock) {
210 err |= ERR_FATAL | ERR_ABORT | ERR_ALERT;
211 msg = "not enough free sockets (raise '-n' parameter)";
212 goto tcp_close_return;
213 }
214
Willy Tarreaufb14edc2009-06-14 15:24:37 +0200215 if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1) {
Willy Tarreaue6b98942007-10-29 01:09:36 +0100216 err |= ERR_FATAL | ERR_ALERT;
217 msg = "cannot make socket non-blocking";
218 goto tcp_close_return;
219 }
220
221 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(one)) == -1) {
222 /* not fatal but should be reported */
223 msg = "cannot do so_reuseaddr";
224 err |= ERR_ALERT;
225 }
226
227 if (listener->options & LI_O_NOLINGER)
228 setsockopt(fd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
Willy Tarreauedcf6682008-11-30 23:15:34 +0100229
Willy Tarreaue6b98942007-10-29 01:09:36 +0100230#ifdef SO_REUSEPORT
231 /* OpenBSD supports this. As it's present in old libc versions of Linux,
232 * it might return an error that we will silently ignore.
233 */
234 setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (char *) &one, sizeof(one));
235#endif
Willy Tarreaub1e52e82008-01-13 14:49:51 +0100236#ifdef CONFIG_HAP_LINUX_TPROXY
Willy Tarreauedcf6682008-11-30 23:15:34 +0100237 if ((listener->options & LI_O_FOREIGN)
Willy Tarreau0a459892008-01-13 17:37:16 +0100238 && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)
239 && (setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == -1)) {
Willy Tarreaub1e52e82008-01-13 14:49:51 +0100240 msg = "cannot make listening socket transparent";
241 err |= ERR_ALERT;
242 }
243#endif
Willy Tarreau5e6e2042009-02-04 17:19:29 +0100244#ifdef SO_BINDTODEVICE
245 /* Note: this might fail if not CAP_NET_RAW */
246 if (listener->interface) {
247 if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
Willy Tarreau604e8302009-03-06 00:48:23 +0100248 listener->interface, strlen(listener->interface) + 1) == -1) {
Willy Tarreau5e6e2042009-02-04 17:19:29 +0100249 msg = "cannot bind listener to device";
250 err |= ERR_WARN;
251 }
252 }
253#endif
Willy Tarreaube1b9182009-06-14 18:48:19 +0200254#ifdef TCP_MAXSEG
255 if (listener->maxseg) {
256 if (setsockopt(fd, SOL_TCP, TCP_MAXSEG,
257 &listener->maxseg, sizeof(listener->maxseg)) == -1) {
258 msg = "cannot set MSS";
259 err |= ERR_WARN;
260 }
261 }
262#endif
Willy Tarreaue6b98942007-10-29 01:09:36 +0100263 if (bind(fd, (struct sockaddr *)&listener->addr, listener->proto->sock_addrlen) == -1) {
264 err |= ERR_RETRYABLE | ERR_ALERT;
265 msg = "cannot bind socket";
266 goto tcp_close_return;
267 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100268
Willy Tarreauc73ce2b2008-01-06 10:55:10 +0100269 if (listen(fd, listener->backlog ? listener->backlog : listener->maxconn) == -1) {
Willy Tarreaue6b98942007-10-29 01:09:36 +0100270 err |= ERR_RETRYABLE | ERR_ALERT;
271 msg = "cannot listen to socket";
272 goto tcp_close_return;
273 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100274
Willy Tarreau9ea05a72009-06-14 12:07:01 +0200275#ifdef TCP_QUICKACK
276 if (listener->options & LI_O_NOQUICKACK)
277 setsockopt(fd, SOL_TCP, TCP_QUICKACK, (char *) &zero, sizeof(zero));
278#endif
279
Willy Tarreaue6b98942007-10-29 01:09:36 +0100280 /* the socket is ready */
281 listener->fd = fd;
282 listener->state = LI_LISTEN;
283
284 /* the function for the accept() event */
285 fd_insert(fd);
286 fdtab[fd].cb[DIR_RD].f = listener->accept;
287 fdtab[fd].cb[DIR_WR].f = NULL; /* never called */
288 fdtab[fd].cb[DIR_RD].b = fdtab[fd].cb[DIR_WR].b = NULL;
Willy Tarreaueabf3132008-08-29 23:36:51 +0200289 fdtab[fd].owner = listener; /* reference the listener instead of a task */
Willy Tarreaue6b98942007-10-29 01:09:36 +0100290 fdtab[fd].state = FD_STLISTEN;
Willy Tarreaufb14edc2009-06-14 15:24:37 +0200291 fdtab[fd].flags = FD_FL_TCP;
Willy Tarreau5d707e12009-06-28 11:09:07 +0200292 if (listener->options & LI_O_NOLINGER)
293 fdtab[fd].flags |= FD_FL_TCP_NOLING;
294
Willy Tarreaue6b98942007-10-29 01:09:36 +0100295 fdtab[fd].peeraddr = NULL;
296 fdtab[fd].peerlen = 0;
Willy Tarreaue6b98942007-10-29 01:09:36 +0100297 tcp_return:
298 if (msg && errlen)
299 strlcpy2(errmsg, msg, errlen);
300 return err;
301
302 tcp_close_return:
303 close(fd);
304 goto tcp_return;
305}
306
307/* This function creates all TCP sockets bound to the protocol entry <proto>.
308 * It is intended to be used as the protocol's bind_all() function.
309 * The sockets will be registered but not added to any fd_set, in order not to
310 * loose them across the fork(). A call to enable_all_listeners() is needed
311 * to complete initialization. The return value is composed from ERR_*.
312 */
313static int tcp_bind_listeners(struct protocol *proto)
314{
315 struct listener *listener;
316 int err = ERR_NONE;
317
318 list_for_each_entry(listener, &proto->listeners, proto_list) {
319 err |= tcp_bind_listener(listener, NULL, 0);
320 if ((err & ERR_CODE) == ERR_ABORT)
321 break;
322 }
323
324 return err;
325}
326
327/* Add listener to the list of tcpv4 listeners. The listener's state
328 * is automatically updated from LI_INIT to LI_ASSIGNED. The number of
329 * listeners is updated. This is the function to use to add a new listener.
330 */
331void tcpv4_add_listener(struct listener *listener)
332{
333 if (listener->state != LI_INIT)
334 return;
335 listener->state = LI_ASSIGNED;
336 listener->proto = &proto_tcpv4;
337 LIST_ADDQ(&proto_tcpv4.listeners, &listener->proto_list);
338 proto_tcpv4.nb_listeners++;
339}
340
341/* Add listener to the list of tcpv4 listeners. The listener's state
342 * is automatically updated from LI_INIT to LI_ASSIGNED. The number of
343 * listeners is updated. This is the function to use to add a new listener.
344 */
345void tcpv6_add_listener(struct listener *listener)
346{
347 if (listener->state != LI_INIT)
348 return;
349 listener->state = LI_ASSIGNED;
350 listener->proto = &proto_tcpv6;
351 LIST_ADDQ(&proto_tcpv6.listeners, &listener->proto_list);
352 proto_tcpv6.nb_listeners++;
353}
354
Willy Tarreauedcf6682008-11-30 23:15:34 +0100355/* This function performs the TCP request analysis on the current request. It
356 * returns 1 if the processing can continue on next analysers, or zero if it
357 * needs more data, encounters an error, or wants to immediately abort the
358 * request. It relies on buffers flags, and updates s->req->analysers. Its
359 * behaviour is rather simple:
Willy Tarreau86ef7dc2009-03-15 22:55:47 +0100360 * - the analyser should check for errors and timeouts, and react as expected.
361 * It does not have to close anything upon error, the caller will. Note that
362 * the caller also knows how to report errors and timeouts.
363 * - if the analyser does not have enough data, it must return 0 without calling
Willy Tarreauedcf6682008-11-30 23:15:34 +0100364 * other ones. It should also probably do a buffer_write_dis() to ensure
365 * that unprocessed data will not be forwarded. But that probably depends on
366 * the protocol.
367 * - if an analyser has enough data, it just has to pass on to the next
368 * analyser without using buffer_write_dis() (enabled by default).
369 * - if an analyser thinks it has no added value anymore staying here, it must
370 * reset its bit from the analysers flags in order not to be called anymore.
371 *
372 * In the future, analysers should be able to indicate that they want to be
373 * called after XXX bytes have been received (or transfered), and the min of
374 * all's wishes will be used to ring back (unless a special condition occurs).
375 */
Willy Tarreau3a816292009-07-07 10:55:49 +0200376int tcp_inspect_request(struct session *s, struct buffer *req, int an_bit)
Willy Tarreauedcf6682008-11-30 23:15:34 +0100377{
378 struct tcp_rule *rule;
379 int partial;
380
381 DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
382 now_ms, __FUNCTION__,
383 s,
384 req,
385 req->rex, req->wex,
386 req->flags,
387 req->l,
388 req->analysers);
389
Willy Tarreauedcf6682008-11-30 23:15:34 +0100390 /* We don't know whether we have enough data, so must proceed
391 * this way :
392 * - iterate through all rules in their declaration order
393 * - if one rule returns MISS, it means the inspect delay is
394 * not over yet, then return immediately, otherwise consider
395 * it as a non-match.
396 * - if one rule returns OK, then return OK
397 * - if one rule returns KO, then return KO
398 */
399
Willy Tarreaud869b242009-03-15 14:43:58 +0100400 if (req->flags & BF_SHUTR || !s->fe->tcp_req.inspect_delay || tick_is_expired(req->analyse_exp, now_ms))
Willy Tarreauedcf6682008-11-30 23:15:34 +0100401 partial = 0;
402 else
403 partial = ACL_PARTIAL;
404
405 list_for_each_entry(rule, &s->fe->tcp_req.inspect_rules, list) {
406 int ret = ACL_PAT_PASS;
407
408 if (rule->cond) {
Willy Tarreau51d5dad2009-07-12 10:10:05 +0200409 ret = acl_exec_cond(rule->cond, s->fe, s, &s->txn, ACL_DIR_REQ | partial);
Willy Tarreauedcf6682008-11-30 23:15:34 +0100410 if (ret == ACL_PAT_MISS) {
411 buffer_write_dis(req);
412 /* just set the request timeout once at the beginning of the request */
Willy Tarreaud869b242009-03-15 14:43:58 +0100413 if (!tick_isset(req->analyse_exp) && s->fe->tcp_req.inspect_delay)
Willy Tarreauedcf6682008-11-30 23:15:34 +0100414 req->analyse_exp = tick_add_ifset(now_ms, s->fe->tcp_req.inspect_delay);
415 return 0;
416 }
417
418 ret = acl_pass(ret);
419 if (rule->cond->pol == ACL_COND_UNLESS)
420 ret = !ret;
421 }
422
423 if (ret) {
424 /* we have a matching rule. */
425 if (rule->action == TCP_ACT_REJECT) {
426 buffer_abort(req);
427 buffer_abort(s->rep);
428 req->analysers = 0;
429 s->fe->failed_req++;
430 if (!(s->flags & SN_ERR_MASK))
431 s->flags |= SN_ERR_PRXCOND;
432 if (!(s->flags & SN_FINST_MASK))
433 s->flags |= SN_FINST_R;
434 return 0;
435 }
436 /* otherwise accept */
437 break;
438 }
439 }
440
441 /* if we get there, it means we have no rule which matches, or
442 * we have an explicit accept, so we apply the default accept.
443 */
Willy Tarreau3a816292009-07-07 10:55:49 +0200444 req->analysers &= ~an_bit;
Willy Tarreauedcf6682008-11-30 23:15:34 +0100445 req->analyse_exp = TICK_ETERNITY;
446 return 1;
447}
448
Emeric Brun647caf12009-06-30 17:57:00 +0200449/* Apply RDP cookie persistence to the current session. For this, the function
450 * tries to extract an RDP cookie from the request buffer, and look for the
451 * matching server in the list. If the server is found, it is assigned to the
452 * session. This always returns 1, and the analyser removes itself from the
453 * list. Nothing is performed if a server was already assigned.
454 */
455int tcp_persist_rdp_cookie(struct session *s, struct buffer *req, int an_bit)
456{
457 struct proxy *px = s->be;
458 int ret;
459 struct acl_expr expr;
460 struct acl_test test;
461 struct server *srv = px->srv;
462 struct sockaddr_in addr;
463 char *p;
464
465 DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
466 now_ms, __FUNCTION__,
467 s,
468 req,
469 req->rex, req->wex,
470 req->flags,
471 req->l,
472 req->analysers);
473
474 if (s->flags & SN_ASSIGNED)
475 goto no_cookie;
476
477 memset(&expr, 0, sizeof(expr));
478 memset(&test, 0, sizeof(test));
479
480 expr.arg.str = s->be->rdp_cookie_name;
481 expr.arg_len = s->be->rdp_cookie_len;
482
483 ret = acl_fetch_rdp_cookie(px, s, NULL, ACL_DIR_REQ, &expr, &test);
484 if (ret == 0 || (test.flags & ACL_TEST_F_MAY_CHANGE) || test.len == 0)
485 goto no_cookie;
486
487 memset(&addr, 0, sizeof(addr));
488 addr.sin_family = AF_INET;
489
490 /* Considering an rdp cookie detected using acl, test.ptr ended with <cr><lf> and should return */
491 addr.sin_addr.s_addr = strtoul(test.ptr, &p, 10);
492 if (*p != '.')
493 goto no_cookie;
494 p++;
495 addr.sin_port = (unsigned short)strtoul(p, &p, 10);
496 if (*p != '.')
497 goto no_cookie;
498
499 while (srv) {
500 if (memcmp(&addr, &(srv->addr), sizeof(addr)) == 0) {
501 if ((srv->state & SRV_RUNNING) || (px->options & PR_O_PERSIST)) {
502 /* we found the server and it is usable */
503 s->flags |= SN_DIRECT | SN_ASSIGNED;
504 s->srv = srv;
505 break;
506 }
507 }
508 srv = srv->next;
509 }
510
511no_cookie:
512 req->analysers &= ~an_bit;
513 req->analyse_exp = TICK_ETERNITY;
514 return 1;
515}
516
Willy Tarreauedcf6682008-11-30 23:15:34 +0100517
Willy Tarreaub6866442008-07-14 23:54:42 +0200518/* This function should be called to parse a line starting with the "tcp-request"
519 * keyword.
520 */
521static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
522 struct proxy *defpx, char *err, int errlen)
523{
524 const char *ptr = NULL;
Willy Tarreauc7e961e2008-08-17 17:13:47 +0200525 unsigned int val;
Willy Tarreaub6866442008-07-14 23:54:42 +0200526 int retlen;
527
528 if (!*args[1]) {
529 snprintf(err, errlen, "missing argument for '%s' in %s '%s'",
530 args[0], proxy_type_str(proxy), curpx->id);
531 return -1;
532 }
533
534 if (!strcmp(args[1], "inspect-delay")) {
535 if (curpx == defpx) {
536 snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
537 args[0], args[1]);
538 return -1;
539 }
540
541 if (!(curpx->cap & PR_CAP_FE)) {
542 snprintf(err, errlen, "%s %s will be ignored because %s '%s' has no %s capability",
543 args[0], args[1], proxy_type_str(proxy), curpx->id,
544 "frontend");
545 return 1;
546 }
547
548 if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
549 retlen = snprintf(err, errlen,
550 "'%s %s' expects a positive delay in milliseconds, in %s '%s'",
551 args[0], args[1], proxy_type_str(proxy), curpx->id);
552 if (ptr && retlen < errlen)
553 retlen += snprintf(err+retlen, errlen - retlen,
554 " (unexpected character '%c')", *ptr);
555 return -1;
556 }
557
558 if (curpx->tcp_req.inspect_delay) {
559 snprintf(err, errlen, "ignoring %s %s (was already defined) in %s '%s'",
560 args[0], args[1], proxy_type_str(proxy), curpx->id);
561 return 1;
562 }
563 curpx->tcp_req.inspect_delay = val;
564 return 0;
565 }
566
567 if (!strcmp(args[1], "content")) {
568 int action;
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200569 int warn = 0;
Willy Tarreaub6866442008-07-14 23:54:42 +0200570 int pol = ACL_COND_NONE;
571 struct acl_cond *cond;
572 struct tcp_rule *rule;
573
574 if (curpx == defpx) {
575 snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
576 args[0], args[1]);
577 return -1;
578 }
579
580 if (!strcmp(args[2], "accept"))
581 action = TCP_ACT_ACCEPT;
582 else if (!strcmp(args[2], "reject"))
583 action = TCP_ACT_REJECT;
584 else {
585 retlen = snprintf(err, errlen,
586 "'%s %s' expects 'accept' or 'reject', in %s '%s' (was '%s')",
587 args[0], args[1], proxy_type_str(curpx), curpx->id, args[2]);
588 return -1;
589 }
590
591 pol = ACL_COND_NONE;
592 cond = NULL;
593
Willy Tarreau606ad732009-07-14 21:17:05 +0200594 if (!*args[3])
595 pol = ACL_COND_NONE;
596 else if (!strcmp(args[3], "if"))
Willy Tarreaub6866442008-07-14 23:54:42 +0200597 pol = ACL_COND_IF;
598 else if (!strcmp(args[3], "unless"))
599 pol = ACL_COND_UNLESS;
Willy Tarreau606ad732009-07-14 21:17:05 +0200600 else {
601 retlen = snprintf(err, errlen,
602 "'%s %s %s' only accepts 'if' or 'unless', in %s '%s' (was '%s')",
603 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[3]);
604 return -1;
605 }
Willy Tarreaub6866442008-07-14 23:54:42 +0200606
607 /* Note: we consider "if TRUE" when there is no condition */
608 if (pol != ACL_COND_NONE &&
609 (cond = parse_acl_cond((const char **)args+4, &curpx->acl, pol)) == NULL) {
610 retlen = snprintf(err, errlen,
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200611 "error detected in %s '%s' while parsing '%s' condition",
Willy Tarreaub6866442008-07-14 23:54:42 +0200612 proxy_type_str(curpx), curpx->id, args[3]);
613 return -1;
614 }
615
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200616 // FIXME: how to set this ?
617 // cond->line = linenum;
Willy Tarreaua9fb0832009-07-10 20:53:53 +0200618 if (cond)
619 curpx->acl_requires |= cond->requires;
Willy Tarreau1a211942009-07-14 13:53:17 +0200620 if (cond && (cond->requires & ACL_USE_RTR_ANY)) {
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200621 struct acl *acl;
622 const char *name;
623
Willy Tarreau1a211942009-07-14 13:53:17 +0200624 acl = cond_find_require(cond, ACL_USE_RTR_ANY);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200625 name = acl ? acl->name : "(unknown)";
626
627 retlen = snprintf(err, errlen,
Willy Tarreau1a211942009-07-14 13:53:17 +0200628 "acl '%s' involves some response-only criteria which will be ignored.",
629 name);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200630 warn++;
631 }
Willy Tarreaub6866442008-07-14 23:54:42 +0200632 rule = (struct tcp_rule *)calloc(1, sizeof(*rule));
633 rule->cond = cond;
634 rule->action = action;
635 LIST_INIT(&rule->list);
636 LIST_ADDQ(&curpx->tcp_req.inspect_rules, &rule->list);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200637 return warn;
Willy Tarreaub6866442008-07-14 23:54:42 +0200638 }
639
640 snprintf(err, errlen, "unknown argument '%s' after '%s' in %s '%s'",
641 args[1], args[0], proxy_type_str(proxy), curpx->id);
642 return -1;
643}
644
645/* return the number of bytes in the request buffer */
646static int
647acl_fetch_req_len(struct proxy *px, struct session *l4, void *l7, int dir,
648 struct acl_expr *expr, struct acl_test *test)
649{
650 if (!l4 || !l4->req)
651 return 0;
652
653 test->i = l4->req->l;
654 test->flags = ACL_TEST_F_VOLATILE | ACL_TEST_F_MAY_CHANGE;
655 return 1;
656}
657
Willy Tarreau655e26a2008-07-15 18:58:05 +0200658/* Return the version of the SSL protocol in the request. It supports both
659 * SSLv3 (TLSv1) header format for any message, and SSLv2 header format for
660 * the hello message. The SSLv3 format is described in RFC 2246 p49, and the
661 * SSLv2 format is described here, and completed p67 of RFC 2246 :
662 * http://wp.netscape.com/eng/security/SSL_2.html
663 *
664 * Note: this decoder only works with non-wrapping data.
665 */
666static int
667acl_fetch_req_ssl_ver(struct proxy *px, struct session *l4, void *l7, int dir,
668 struct acl_expr *expr, struct acl_test *test)
669{
670 int version, bleft, msg_len;
671 const unsigned char *data;
672
673 if (!l4 || !l4->req)
674 return 0;
675
676 msg_len = 0;
677 bleft = l4->req->l;
678 if (!bleft)
679 goto too_short;
680
Willy Tarreauc7e961e2008-08-17 17:13:47 +0200681 data = (const unsigned char *)l4->req->w;
Willy Tarreau655e26a2008-07-15 18:58:05 +0200682 if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
683 /* SSLv3 header format */
684 if (bleft < 5)
685 goto too_short;
686
687 version = (data[1] << 16) + data[2]; /* version: major, minor */
688 msg_len = (data[3] << 8) + data[4]; /* record length */
689
690 /* format introduced with SSLv3 */
691 if (version < 0x00030000)
692 goto not_ssl;
693
694 /* message length between 1 and 2^14 + 2048 */
695 if (msg_len < 1 || msg_len > ((1<<14) + 2048))
696 goto not_ssl;
697
698 bleft -= 5; data += 5;
699 } else {
700 /* SSLv2 header format, only supported for hello (msg type 1) */
701 int rlen, plen, cilen, silen, chlen;
702
703 if (*data & 0x80) {
704 if (bleft < 3)
705 goto too_short;
706 /* short header format : 15 bits for length */
707 rlen = ((data[0] & 0x7F) << 8) | data[1];
708 plen = 0;
709 bleft -= 2; data += 2;
710 } else {
711 if (bleft < 4)
712 goto too_short;
713 /* long header format : 14 bits for length + pad length */
714 rlen = ((data[0] & 0x3F) << 8) | data[1];
715 plen = data[2];
716 bleft -= 3; data += 2;
717 }
718
719 if (*data != 0x01)
720 goto not_ssl;
721 bleft--; data++;
722
723 if (bleft < 8)
724 goto too_short;
725 version = (data[0] << 16) + data[1]; /* version: major, minor */
726 cilen = (data[2] << 8) + data[3]; /* cipher len, multiple of 3 */
727 silen = (data[4] << 8) + data[5]; /* session_id_len: 0 or 16 */
728 chlen = (data[6] << 8) + data[7]; /* 16<=challenge length<=32 */
729
730 bleft -= 8; data += 8;
731 if (cilen % 3 != 0)
732 goto not_ssl;
733 if (silen && silen != 16)
734 goto not_ssl;
735 if (chlen < 16 || chlen > 32)
736 goto not_ssl;
737 if (rlen != 9 + cilen + silen + chlen)
738 goto not_ssl;
739
740 /* focus on the remaining data length */
741 msg_len = cilen + silen + chlen + plen;
742 }
743 /* We could recursively check that the buffer ends exactly on an SSL
744 * fragment boundary and that a possible next segment is still SSL,
745 * but that's a bit pointless. However, we could still check that
746 * all the part of the request which fits in a buffer is already
747 * there.
748 */
Willy Tarreau03d60bb2009-01-09 11:13:00 +0100749 if (msg_len > l4->req->max_len + l4->req->data - l4->req->w)
750 msg_len = l4->req->max_len + l4->req->data - l4->req->w;
Willy Tarreau655e26a2008-07-15 18:58:05 +0200751
752 if (bleft < msg_len)
753 goto too_short;
754
755 /* OK that's enough. We have at least the whole message, and we have
756 * the protocol version.
757 */
758 test->i = version;
759 test->flags = ACL_TEST_F_VOLATILE;
760 return 1;
761
762 too_short:
763 test->flags = ACL_TEST_F_MAY_CHANGE;
764 not_ssl:
765 return 0;
766}
767
Emeric Brunbede3d02009-06-30 17:54:00 +0200768int
769acl_fetch_rdp_cookie(struct proxy *px, struct session *l4, void *l7, int dir,
770 struct acl_expr *expr, struct acl_test *test)
771{
772 int bleft;
773 const unsigned char *data;
774
775 if (!l4 || !l4->req)
776 return 0;
777
778 test->flags = 0;
779
780 bleft = l4->req->l;
781 if (bleft <= 11)
782 goto too_short;
783
784 data = (const unsigned char *)l4->req->w + 11;
785 bleft -= 11;
786
787 if (bleft <= 7)
788 goto too_short;
789
790 if (strncasecmp((const char *)data, "Cookie:", 7) != 0)
791 goto not_cookie;
792
793 data += 7;
794 bleft -= 7;
795
796 while (bleft > 0 && *data == ' ') {
797 data++;
798 bleft--;
799 }
800
801 if (expr->arg_len) {
802
803 if (bleft <= expr->arg_len)
804 goto too_short;
805
806 if ((data[expr->arg_len] != '=') ||
807 strncasecmp(expr->arg.str, (const char *)data, expr->arg_len) != 0)
808 goto not_cookie;
809
810 data += expr->arg_len + 1;
811 bleft -= expr->arg_len + 1;
812 } else {
813 while (bleft > 0 && *data != '=') {
814 if (*data == '\r' || *data == '\n')
815 goto not_cookie;
816 data++;
817 bleft--;
818 }
819
820 if (bleft < 1)
821 goto too_short;
822
823 if (*data != '=')
824 goto not_cookie;
825
826 data++;
827 bleft--;
828 }
829
830 /* data points to cookie value */
831 test->ptr = (char *)data;
832 test->len = 0;
833
834 while (bleft > 0 && *data != '\r') {
835 data++;
836 bleft--;
837 }
838
839 if (bleft < 2)
840 goto too_short;
841
842 if (data[0] != '\r' || data[1] != '\n')
843 goto not_cookie;
844
845 test->len = (char *)data - test->ptr;
846 test->flags = ACL_TEST_F_VOLATILE;
847 return 1;
848
849 too_short:
850 test->flags = ACL_TEST_F_MAY_CHANGE;
851 not_cookie:
852 return 0;
853}
854
855static int
856acl_fetch_rdp_cookie_cnt(struct proxy *px, struct session *l4, void *l7, int dir,
857 struct acl_expr *expr, struct acl_test *test)
858{
859 int ret;
860
861 ret = acl_fetch_rdp_cookie(px, l4, l7, dir, expr, test);
862
863 test->ptr = NULL;
864 test->len = 0;
865
866 if (test->flags & ACL_TEST_F_MAY_CHANGE)
867 return 0;
868
869 test->flags = ACL_TEST_F_VOLATILE;
870 test->i = ret;
871
872 return 1;
873}
Willy Tarreaub6866442008-07-14 23:54:42 +0200874
875static struct cfg_kw_list cfg_kws = {{ },{
876 { CFG_LISTEN, "tcp-request", tcp_parse_tcp_req },
877 { 0, NULL, NULL },
878}};
879
880static struct acl_kw_list acl_kws = {{ },{
Willy Tarreau0ceba5a2008-07-25 19:31:03 +0200881 { "req_len", acl_parse_int, acl_fetch_req_len, acl_match_int, ACL_USE_L4REQ_VOLATILE },
882 { "req_ssl_ver", acl_parse_dotted_ver, acl_fetch_req_ssl_ver, acl_match_int, ACL_USE_L4REQ_VOLATILE },
Emeric Brunbede3d02009-06-30 17:54:00 +0200883 { "req_rdp_cookie", acl_parse_str, acl_fetch_rdp_cookie, acl_match_str, ACL_USE_L4REQ_VOLATILE },
884 { "req_rdp_cookie_cnt", acl_parse_int, acl_fetch_rdp_cookie_cnt, acl_match_int, ACL_USE_L4REQ_VOLATILE },
Willy Tarreaub6866442008-07-14 23:54:42 +0200885 { NULL, NULL, NULL, NULL },
886}};
887
Willy Tarreaue6b98942007-10-29 01:09:36 +0100888__attribute__((constructor))
889static void __tcp_protocol_init(void)
890{
891 protocol_register(&proto_tcpv4);
892 protocol_register(&proto_tcpv6);
Willy Tarreaub6866442008-07-14 23:54:42 +0200893 cfg_register_keywords(&cfg_kws);
894 acl_register_keywords(&acl_kws);
Willy Tarreaue6b98942007-10-29 01:09:36 +0100895}
896
897
898/*
899 * Local variables:
900 * c-indent-level: 8
901 * c-basic-offset: 8
902 * End:
903 */