blob: 7bb5d7e218fa527e34d71682aa644ee50151d71a [file] [log] [blame]
Willy Tarreaue6b98942007-10-29 01:09:36 +01001/*
2 * AF_INET/AF_INET6 SOCK_STREAM protocol layer (tcp)
3 *
Willy Tarreaue8c66af2008-01-13 18:40:14 +01004 * Copyright 2000-2008 Willy Tarreau <w@1wt.eu>
Willy Tarreaue6b98942007-10-29 01:09:36 +01005 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
13#include <ctype.h>
14#include <errno.h>
15#include <fcntl.h>
16#include <stdio.h>
17#include <stdlib.h>
18#include <string.h>
19#include <time.h>
20
21#include <sys/param.h>
22#include <sys/socket.h>
23#include <sys/stat.h>
24#include <sys/types.h>
25#include <sys/un.h>
26
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +040027#include <netinet/tcp.h>
28
Willy Tarreaub6866442008-07-14 23:54:42 +020029#include <common/cfgparse.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010030#include <common/compat.h>
31#include <common/config.h>
32#include <common/debug.h>
33#include <common/errors.h>
34#include <common/memory.h>
35#include <common/mini-clist.h>
36#include <common/standard.h>
37#include <common/time.h>
38#include <common/version.h>
39
Willy Tarreaue6b98942007-10-29 01:09:36 +010040#include <types/global.h>
Willy Tarreau9650f372009-08-16 14:02:45 +020041#include <types/server.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010042
43#include <proto/acl.h>
44#include <proto/backend.h>
45#include <proto/buffers.h>
46#include <proto/fd.h>
Willy Tarreau9650f372009-08-16 14:02:45 +020047#include <proto/log.h>
48#include <proto/port_range.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010049#include <proto/protocols.h>
50#include <proto/proto_tcp.h>
Willy Tarreaub6866442008-07-14 23:54:42 +020051#include <proto/proxy.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010052#include <proto/queue.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +010053#include <proto/session.h>
54#include <proto/stream_sock.h>
55#include <proto/task.h>
56
Willy Tarreaue8c66af2008-01-13 18:40:14 +010057#ifdef CONFIG_HAP_CTTPROXY
58#include <import/ip_tproxy.h>
59#endif
60
Willy Tarreaue6b98942007-10-29 01:09:36 +010061static int tcp_bind_listeners(struct protocol *proto);
62
63/* Note: must not be declared <const> as its list will be overwritten */
64static struct protocol proto_tcpv4 = {
65 .name = "tcpv4",
66 .sock_domain = AF_INET,
67 .sock_type = SOCK_STREAM,
68 .sock_prot = IPPROTO_TCP,
69 .sock_family = AF_INET,
70 .sock_addrlen = sizeof(struct sockaddr_in),
71 .l3_addrlen = 32/8,
72 .read = &stream_sock_read,
73 .write = &stream_sock_write,
74 .bind_all = tcp_bind_listeners,
75 .unbind_all = unbind_all_listeners,
76 .enable_all = enable_all_listeners,
77 .listeners = LIST_HEAD_INIT(proto_tcpv4.listeners),
78 .nb_listeners = 0,
79};
80
81/* Note: must not be declared <const> as its list will be overwritten */
82static struct protocol proto_tcpv6 = {
83 .name = "tcpv6",
84 .sock_domain = AF_INET6,
85 .sock_type = SOCK_STREAM,
86 .sock_prot = IPPROTO_TCP,
87 .sock_family = AF_INET6,
88 .sock_addrlen = sizeof(struct sockaddr_in6),
89 .l3_addrlen = 128/8,
90 .read = &stream_sock_read,
91 .write = &stream_sock_write,
92 .bind_all = tcp_bind_listeners,
93 .unbind_all = unbind_all_listeners,
94 .enable_all = enable_all_listeners,
95 .listeners = LIST_HEAD_INIT(proto_tcpv6.listeners),
96 .nb_listeners = 0,
97};
98
Willy Tarreaue8c66af2008-01-13 18:40:14 +010099
100/* Binds ipv4 address <local> to socket <fd>, unless <flags> is set, in which
101 * case we try to bind <remote>. <flags> is a 2-bit field consisting of :
102 * - 0 : ignore remote address (may even be a NULL pointer)
103 * - 1 : use provided address
104 * - 2 : use provided port
105 * - 3 : use both
106 *
107 * The function supports multiple foreign binding methods :
108 * - linux_tproxy: we directly bind to the foreign address
109 * - cttproxy: we bind to a local address then nat.
110 * The second one can be used as a fallback for the first one.
111 * This function returns 0 when everything's OK, 1 if it could not bind, to the
112 * local address, 2 if it could not bind to the foreign address.
113 */
114int tcpv4_bind_socket(int fd, int flags, struct sockaddr_in *local, struct sockaddr_in *remote)
115{
116 struct sockaddr_in bind_addr;
117 int foreign_ok = 0;
118 int ret;
119
120#ifdef CONFIG_HAP_LINUX_TPROXY
121 static int ip_transp_working = 1;
122 if (flags && ip_transp_working) {
123 if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0
124 || setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == 0)
125 foreign_ok = 1;
126 else
127 ip_transp_working = 0;
128 }
129#endif
130 if (flags) {
131 memset(&bind_addr, 0, sizeof(bind_addr));
132 if (flags & 1)
133 bind_addr.sin_addr = remote->sin_addr;
134 if (flags & 2)
135 bind_addr.sin_port = remote->sin_port;
136 }
137
138 setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(one));
139 if (foreign_ok) {
140 ret = bind(fd, (struct sockaddr *)&bind_addr, sizeof(bind_addr));
141 if (ret < 0)
142 return 2;
143 }
144 else {
145 ret = bind(fd, (struct sockaddr *)local, sizeof(*local));
146 if (ret < 0)
147 return 1;
148 }
149
150 if (!flags)
151 return 0;
152
153#ifdef CONFIG_HAP_CTTPROXY
154 if (!foreign_ok) {
155 struct in_tproxy itp1, itp2;
156 memset(&itp1, 0, sizeof(itp1));
157
158 itp1.op = TPROXY_ASSIGN;
159 itp1.v.addr.faddr = bind_addr.sin_addr;
160 itp1.v.addr.fport = bind_addr.sin_port;
161
162 /* set connect flag on socket */
163 itp2.op = TPROXY_FLAGS;
164 itp2.v.flags = ITP_CONNECT | ITP_ONCE;
165
166 if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp1, sizeof(itp1)) != -1 &&
167 setsockopt(fd, SOL_IP, IP_TPROXY, &itp2, sizeof(itp2)) != -1) {
168 foreign_ok = 1;
169 }
170 }
171#endif
172 if (!foreign_ok)
173 /* we could not bind to a foreign address */
174 return 2;
175
176 return 0;
177}
Willy Tarreaue6b98942007-10-29 01:09:36 +0100178
Willy Tarreau9650f372009-08-16 14:02:45 +0200179
180/*
181 * This function initiates a connection to the server assigned to this session
182 * (s->srv, s->srv_addr). It will assign a server if none is assigned yet.
183 * It can return one of :
184 * - SN_ERR_NONE if everything's OK
185 * - SN_ERR_SRVTO if there are no more servers
186 * - SN_ERR_SRVCL if the connection was refused by the server
187 * - SN_ERR_PRXCOND if the connection has been limited by the proxy (maxconn)
188 * - SN_ERR_RESOURCE if a system resource is lacking (eg: fd limits, ports, ...)
189 * - SN_ERR_INTERNAL for any other purely internal errors
190 * Additionnally, in the case of SN_ERR_RESOURCE, an emergency log will be emitted.
191 */
192int tcpv4_connect_server(struct stream_interface *si,
193 struct proxy *be, struct server *srv,
194 struct sockaddr *srv_addr, struct sockaddr *cli_addr)
195{
196 int fd;
197
198 if ((fd = si->fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
199 qfprintf(stderr, "Cannot get a server socket.\n");
200
201 if (errno == ENFILE)
202 send_log(be, LOG_EMERG,
203 "Proxy %s reached system FD limit at %d. Please check system tunables.\n",
204 be->id, maxfd);
205 else if (errno == EMFILE)
206 send_log(be, LOG_EMERG,
207 "Proxy %s reached process FD limit at %d. Please check 'ulimit-n' and restart.\n",
208 be->id, maxfd);
209 else if (errno == ENOBUFS || errno == ENOMEM)
210 send_log(be, LOG_EMERG,
211 "Proxy %s reached system memory limit at %d sockets. Please check system tunables.\n",
212 be->id, maxfd);
213 /* this is a resource error */
214 return SN_ERR_RESOURCE;
215 }
216
217 if (fd >= global.maxsock) {
218 /* do not log anything there, it's a normal condition when this option
219 * is used to serialize connections to a server !
220 */
221 Alert("socket(): not enough free sockets. Raise -n argument. Giving up.\n");
222 close(fd);
223 return SN_ERR_PRXCOND; /* it is a configuration limit */
224 }
225
226 if ((fcntl(fd, F_SETFL, O_NONBLOCK)==-1) ||
227 (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, (char *) &one, sizeof(one)) == -1)) {
228 qfprintf(stderr,"Cannot set client socket to non blocking mode.\n");
229 close(fd);
230 return SN_ERR_INTERNAL;
231 }
232
233 if (be->options & PR_O_TCP_SRV_KA)
234 setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *) &one, sizeof(one));
235
236 if (be->options & PR_O_TCP_NOLING)
237 setsockopt(fd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
238
239 /* allow specific binding :
240 * - server-specific at first
241 * - proxy-specific next
242 */
243 if (srv != NULL && srv->state & SRV_BIND_SRC) {
244 struct sockaddr_in *remote = NULL;
245 int ret, flags = 0;
246
247#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_LINUX_TPROXY)
248 switch (srv->state & SRV_TPROXY_MASK) {
249 case SRV_TPROXY_ADDR:
250 remote = (struct sockaddr_in *)&srv->tproxy_addr;
251 flags = 3;
252 break;
253 case SRV_TPROXY_CLI:
254 if (cli_addr)
255 flags |= 2;
256 /* fall through */
257 case SRV_TPROXY_CIP:
258 /* FIXME: what can we do if the client connects in IPv6 ? */
259 if (cli_addr)
260 flags |= 1;
261 remote = (struct sockaddr_in *)cli_addr;
262 break;
263 }
264#endif
265#ifdef SO_BINDTODEVICE
266 /* Note: this might fail if not CAP_NET_RAW */
267 if (srv->iface_name)
268 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, srv->iface_name, srv->iface_len + 1);
269#endif
270
271 if (srv->sport_range) {
272 int attempts = 10; /* should be more than enough to find a spare port */
273 struct sockaddr_in src;
274
275 ret = 1;
276 src = srv->source_addr;
277
278 do {
279 /* note: in case of retry, we may have to release a previously
280 * allocated port, hence this loop's construct.
281 */
282 port_range_release_port(fdtab[fd].port_range, fdtab[fd].local_port);
283 fdtab[fd].port_range = NULL;
284
285 if (!attempts)
286 break;
287 attempts--;
288
289 fdtab[fd].local_port = port_range_alloc_port(srv->sport_range);
290 if (!fdtab[fd].local_port)
291 break;
292
293 fdtab[fd].port_range = srv->sport_range;
294 src.sin_port = htons(fdtab[fd].local_port);
295
296 ret = tcpv4_bind_socket(fd, flags, &src, remote);
297 } while (ret != 0); /* binding NOK */
298 }
299 else {
300 ret = tcpv4_bind_socket(fd, flags, &srv->source_addr, remote);
301 }
302
303 if (ret) {
304 port_range_release_port(fdtab[fd].port_range, fdtab[fd].local_port);
305 fdtab[fd].port_range = NULL;
306 close(fd);
307
308 if (ret == 1) {
309 Alert("Cannot bind to source address before connect() for server %s/%s. Aborting.\n",
310 be->id, srv->id);
311 send_log(be, LOG_EMERG,
312 "Cannot bind to source address before connect() for server %s/%s.\n",
313 be->id, srv->id);
314 } else {
315 Alert("Cannot bind to tproxy source address before connect() for server %s/%s. Aborting.\n",
316 be->id, srv->id);
317 send_log(be, LOG_EMERG,
318 "Cannot bind to tproxy source address before connect() for server %s/%s.\n",
319 be->id, srv->id);
320 }
321 return SN_ERR_RESOURCE;
322 }
323 }
324 else if (be->options & PR_O_BIND_SRC) {
325 struct sockaddr_in *remote = NULL;
326 int ret, flags = 0;
327
328#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_LINUX_TPROXY)
329 switch (be->options & PR_O_TPXY_MASK) {
330 case PR_O_TPXY_ADDR:
331 remote = (struct sockaddr_in *)&be->tproxy_addr;
332 flags = 3;
333 break;
334 case PR_O_TPXY_CLI:
335 if (cli_addr)
336 flags |= 2;
337 /* fall through */
338 case PR_O_TPXY_CIP:
339 /* FIXME: what can we do if the client connects in IPv6 ? */
340 if (cli_addr)
341 flags |= 1;
342 remote = (struct sockaddr_in *)cli_addr;
343 break;
344 }
345#endif
346#ifdef SO_BINDTODEVICE
347 /* Note: this might fail if not CAP_NET_RAW */
348 if (be->iface_name)
349 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, be->iface_name, be->iface_len + 1);
350#endif
351 ret = tcpv4_bind_socket(fd, flags, &be->source_addr, remote);
352 if (ret) {
353 close(fd);
354 if (ret == 1) {
355 Alert("Cannot bind to source address before connect() for proxy %s. Aborting.\n",
356 be->id);
357 send_log(be, LOG_EMERG,
358 "Cannot bind to source address before connect() for proxy %s.\n",
359 be->id);
360 } else {
361 Alert("Cannot bind to tproxy source address before connect() for proxy %s. Aborting.\n",
362 be->id);
363 send_log(be, LOG_EMERG,
364 "Cannot bind to tproxy source address before connect() for proxy %s.\n",
365 be->id);
366 }
367 return SN_ERR_RESOURCE;
368 }
369 }
370
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400371#if defined(TCP_QUICKACK)
Willy Tarreau9650f372009-08-16 14:02:45 +0200372 /* disabling tcp quick ack now allows the first request to leave the
373 * machine with the first ACK. We only do this if there are pending
374 * data in the buffer.
375 */
376 if ((be->options2 & PR_O2_SMARTCON) && si->ob->send_max)
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400377 setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, (char *) &zero, sizeof(zero));
Willy Tarreau9650f372009-08-16 14:02:45 +0200378#endif
379
380 if ((connect(fd, (struct sockaddr *)srv_addr, sizeof(struct sockaddr_in)) == -1) &&
381 (errno != EINPROGRESS) && (errno != EALREADY) && (errno != EISCONN)) {
382
383 if (errno == EAGAIN || errno == EADDRINUSE) {
384 char *msg;
385 if (errno == EAGAIN) /* no free ports left, try again later */
386 msg = "no free ports";
387 else
388 msg = "local address already in use";
389
390 qfprintf(stderr,"Cannot connect: %s.\n",msg);
391 port_range_release_port(fdtab[fd].port_range, fdtab[fd].local_port);
392 fdtab[fd].port_range = NULL;
393 close(fd);
394 send_log(be, LOG_EMERG,
395 "Connect() failed for server %s/%s: %s.\n",
396 be->id, srv->id, msg);
397 return SN_ERR_RESOURCE;
398 } else if (errno == ETIMEDOUT) {
399 //qfprintf(stderr,"Connect(): ETIMEDOUT");
400 port_range_release_port(fdtab[fd].port_range, fdtab[fd].local_port);
401 fdtab[fd].port_range = NULL;
402 close(fd);
403 return SN_ERR_SRVTO;
404 } else {
405 // (errno == ECONNREFUSED || errno == ENETUNREACH || errno == EACCES || errno == EPERM)
406 //qfprintf(stderr,"Connect(): %d", errno);
407 port_range_release_port(fdtab[fd].port_range, fdtab[fd].local_port);
408 fdtab[fd].port_range = NULL;
409 close(fd);
410 return SN_ERR_SRVCL;
411 }
412 }
413
414 fdtab[fd].owner = si;
415 fdtab[fd].state = FD_STCONN; /* connection in progress */
416 fdtab[fd].flags = FD_FL_TCP | FD_FL_TCP_NODELAY;
417 fdtab[fd].cb[DIR_RD].f = &stream_sock_read;
418 fdtab[fd].cb[DIR_RD].b = si->ib;
419 fdtab[fd].cb[DIR_WR].f = &stream_sock_write;
420 fdtab[fd].cb[DIR_WR].b = si->ob;
421
422 fdtab[fd].peeraddr = (struct sockaddr *)srv_addr;
423 fdtab[fd].peerlen = sizeof(struct sockaddr_in);
424
425 fd_insert(fd);
426 EV_FD_SET(fd, DIR_WR); /* for connect status */
427
428 si->state = SI_ST_CON;
429 si->flags |= SI_FL_CAP_SPLTCP; /* TCP supports splicing */
430 si->exp = tick_add_ifset(now_ms, be->timeout.connect);
431
432 return SN_ERR_NONE; /* connection is OK */
433}
434
435
Willy Tarreaue6b98942007-10-29 01:09:36 +0100436/* This function tries to bind a TCPv4/v6 listener. It may return a warning or
437 * an error message in <err> if the message is at most <errlen> bytes long
438 * (including '\0'). The return value is composed from ERR_ABORT, ERR_WARN,
439 * ERR_ALERT, ERR_RETRYABLE and ERR_FATAL. ERR_NONE indicates that everything
440 * was alright and that no message was returned. ERR_RETRYABLE means that an
441 * error occurred but that it may vanish after a retry (eg: port in use), and
442 * ERR_FATAL indicates a non-fixable error.ERR_WARN and ERR_ALERT do not alter
443 * the meaning of the error, but just indicate that a message is present which
444 * should be displayed with the respective level. Last, ERR_ABORT indicates
445 * that it's pointless to try to start other listeners. No error message is
446 * returned if errlen is NULL.
447 */
448int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen)
449{
450 __label__ tcp_return, tcp_close_return;
451 int fd, err;
452 const char *msg = NULL;
453
454 /* ensure we never return garbage */
455 if (errmsg && errlen)
456 *errmsg = 0;
457
458 if (listener->state != LI_ASSIGNED)
459 return ERR_NONE; /* already bound */
460
461 err = ERR_NONE;
462
463 if ((fd = socket(listener->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
464 err |= ERR_RETRYABLE | ERR_ALERT;
465 msg = "cannot create listening socket";
466 goto tcp_return;
467 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100468
Willy Tarreaue6b98942007-10-29 01:09:36 +0100469 if (fd >= global.maxsock) {
470 err |= ERR_FATAL | ERR_ABORT | ERR_ALERT;
471 msg = "not enough free sockets (raise '-n' parameter)";
472 goto tcp_close_return;
473 }
474
Willy Tarreaufb14edc2009-06-14 15:24:37 +0200475 if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1) {
Willy Tarreaue6b98942007-10-29 01:09:36 +0100476 err |= ERR_FATAL | ERR_ALERT;
477 msg = "cannot make socket non-blocking";
478 goto tcp_close_return;
479 }
480
481 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(one)) == -1) {
482 /* not fatal but should be reported */
483 msg = "cannot do so_reuseaddr";
484 err |= ERR_ALERT;
485 }
486
487 if (listener->options & LI_O_NOLINGER)
488 setsockopt(fd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
Willy Tarreauedcf6682008-11-30 23:15:34 +0100489
Willy Tarreaue6b98942007-10-29 01:09:36 +0100490#ifdef SO_REUSEPORT
491 /* OpenBSD supports this. As it's present in old libc versions of Linux,
492 * it might return an error that we will silently ignore.
493 */
494 setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (char *) &one, sizeof(one));
495#endif
Willy Tarreaub1e52e82008-01-13 14:49:51 +0100496#ifdef CONFIG_HAP_LINUX_TPROXY
Willy Tarreauedcf6682008-11-30 23:15:34 +0100497 if ((listener->options & LI_O_FOREIGN)
Willy Tarreau0a459892008-01-13 17:37:16 +0100498 && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)
499 && (setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == -1)) {
Willy Tarreaub1e52e82008-01-13 14:49:51 +0100500 msg = "cannot make listening socket transparent";
501 err |= ERR_ALERT;
502 }
503#endif
Willy Tarreau5e6e2042009-02-04 17:19:29 +0100504#ifdef SO_BINDTODEVICE
505 /* Note: this might fail if not CAP_NET_RAW */
506 if (listener->interface) {
507 if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
Willy Tarreau604e8302009-03-06 00:48:23 +0100508 listener->interface, strlen(listener->interface) + 1) == -1) {
Willy Tarreau5e6e2042009-02-04 17:19:29 +0100509 msg = "cannot bind listener to device";
510 err |= ERR_WARN;
511 }
512 }
513#endif
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400514#if defined(TCP_MAXSEG)
Willy Tarreaube1b9182009-06-14 18:48:19 +0200515 if (listener->maxseg) {
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400516 if (setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG,
Willy Tarreaube1b9182009-06-14 18:48:19 +0200517 &listener->maxseg, sizeof(listener->maxseg)) == -1) {
518 msg = "cannot set MSS";
519 err |= ERR_WARN;
520 }
521 }
522#endif
Willy Tarreaue6b98942007-10-29 01:09:36 +0100523 if (bind(fd, (struct sockaddr *)&listener->addr, listener->proto->sock_addrlen) == -1) {
524 err |= ERR_RETRYABLE | ERR_ALERT;
525 msg = "cannot bind socket";
526 goto tcp_close_return;
527 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100528
Willy Tarreauc73ce2b2008-01-06 10:55:10 +0100529 if (listen(fd, listener->backlog ? listener->backlog : listener->maxconn) == -1) {
Willy Tarreaue6b98942007-10-29 01:09:36 +0100530 err |= ERR_RETRYABLE | ERR_ALERT;
531 msg = "cannot listen to socket";
532 goto tcp_close_return;
533 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100534
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400535#if defined(TCP_QUICKACK)
Willy Tarreau9ea05a72009-06-14 12:07:01 +0200536 if (listener->options & LI_O_NOQUICKACK)
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400537 setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, (char *) &zero, sizeof(zero));
Willy Tarreau9ea05a72009-06-14 12:07:01 +0200538#endif
539
Willy Tarreaue6b98942007-10-29 01:09:36 +0100540 /* the socket is ready */
541 listener->fd = fd;
542 listener->state = LI_LISTEN;
543
544 /* the function for the accept() event */
545 fd_insert(fd);
546 fdtab[fd].cb[DIR_RD].f = listener->accept;
547 fdtab[fd].cb[DIR_WR].f = NULL; /* never called */
548 fdtab[fd].cb[DIR_RD].b = fdtab[fd].cb[DIR_WR].b = NULL;
Willy Tarreaueabf3132008-08-29 23:36:51 +0200549 fdtab[fd].owner = listener; /* reference the listener instead of a task */
Willy Tarreaue6b98942007-10-29 01:09:36 +0100550 fdtab[fd].state = FD_STLISTEN;
Willy Tarreaufb14edc2009-06-14 15:24:37 +0200551 fdtab[fd].flags = FD_FL_TCP;
Willy Tarreau5d707e12009-06-28 11:09:07 +0200552 if (listener->options & LI_O_NOLINGER)
553 fdtab[fd].flags |= FD_FL_TCP_NOLING;
554
Willy Tarreaue6b98942007-10-29 01:09:36 +0100555 fdtab[fd].peeraddr = NULL;
556 fdtab[fd].peerlen = 0;
Willy Tarreaue6b98942007-10-29 01:09:36 +0100557 tcp_return:
558 if (msg && errlen)
559 strlcpy2(errmsg, msg, errlen);
560 return err;
561
562 tcp_close_return:
563 close(fd);
564 goto tcp_return;
565}
566
567/* This function creates all TCP sockets bound to the protocol entry <proto>.
568 * It is intended to be used as the protocol's bind_all() function.
569 * The sockets will be registered but not added to any fd_set, in order not to
570 * loose them across the fork(). A call to enable_all_listeners() is needed
571 * to complete initialization. The return value is composed from ERR_*.
572 */
573static int tcp_bind_listeners(struct protocol *proto)
574{
575 struct listener *listener;
576 int err = ERR_NONE;
577
578 list_for_each_entry(listener, &proto->listeners, proto_list) {
579 err |= tcp_bind_listener(listener, NULL, 0);
580 if ((err & ERR_CODE) == ERR_ABORT)
581 break;
582 }
583
584 return err;
585}
586
587/* Add listener to the list of tcpv4 listeners. The listener's state
588 * is automatically updated from LI_INIT to LI_ASSIGNED. The number of
589 * listeners is updated. This is the function to use to add a new listener.
590 */
591void tcpv4_add_listener(struct listener *listener)
592{
593 if (listener->state != LI_INIT)
594 return;
595 listener->state = LI_ASSIGNED;
596 listener->proto = &proto_tcpv4;
597 LIST_ADDQ(&proto_tcpv4.listeners, &listener->proto_list);
598 proto_tcpv4.nb_listeners++;
599}
600
601/* Add listener to the list of tcpv4 listeners. The listener's state
602 * is automatically updated from LI_INIT to LI_ASSIGNED. The number of
603 * listeners is updated. This is the function to use to add a new listener.
604 */
605void tcpv6_add_listener(struct listener *listener)
606{
607 if (listener->state != LI_INIT)
608 return;
609 listener->state = LI_ASSIGNED;
610 listener->proto = &proto_tcpv6;
611 LIST_ADDQ(&proto_tcpv6.listeners, &listener->proto_list);
612 proto_tcpv6.nb_listeners++;
613}
614
Willy Tarreauedcf6682008-11-30 23:15:34 +0100615/* This function performs the TCP request analysis on the current request. It
616 * returns 1 if the processing can continue on next analysers, or zero if it
617 * needs more data, encounters an error, or wants to immediately abort the
618 * request. It relies on buffers flags, and updates s->req->analysers. Its
619 * behaviour is rather simple:
Willy Tarreau86ef7dc2009-03-15 22:55:47 +0100620 * - the analyser should check for errors and timeouts, and react as expected.
621 * It does not have to close anything upon error, the caller will. Note that
622 * the caller also knows how to report errors and timeouts.
623 * - if the analyser does not have enough data, it must return 0 without calling
Willy Tarreauedcf6682008-11-30 23:15:34 +0100624 * other ones. It should also probably do a buffer_write_dis() to ensure
625 * that unprocessed data will not be forwarded. But that probably depends on
626 * the protocol.
627 * - if an analyser has enough data, it just has to pass on to the next
628 * analyser without using buffer_write_dis() (enabled by default).
629 * - if an analyser thinks it has no added value anymore staying here, it must
630 * reset its bit from the analysers flags in order not to be called anymore.
631 *
632 * In the future, analysers should be able to indicate that they want to be
633 * called after XXX bytes have been received (or transfered), and the min of
634 * all's wishes will be used to ring back (unless a special condition occurs).
635 */
Willy Tarreau3a816292009-07-07 10:55:49 +0200636int tcp_inspect_request(struct session *s, struct buffer *req, int an_bit)
Willy Tarreauedcf6682008-11-30 23:15:34 +0100637{
638 struct tcp_rule *rule;
639 int partial;
640
641 DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
642 now_ms, __FUNCTION__,
643 s,
644 req,
645 req->rex, req->wex,
646 req->flags,
647 req->l,
648 req->analysers);
649
Willy Tarreauedcf6682008-11-30 23:15:34 +0100650 /* We don't know whether we have enough data, so must proceed
651 * this way :
652 * - iterate through all rules in their declaration order
653 * - if one rule returns MISS, it means the inspect delay is
654 * not over yet, then return immediately, otherwise consider
655 * it as a non-match.
656 * - if one rule returns OK, then return OK
657 * - if one rule returns KO, then return KO
658 */
659
Willy Tarreaud869b242009-03-15 14:43:58 +0100660 if (req->flags & BF_SHUTR || !s->fe->tcp_req.inspect_delay || tick_is_expired(req->analyse_exp, now_ms))
Willy Tarreauedcf6682008-11-30 23:15:34 +0100661 partial = 0;
662 else
663 partial = ACL_PARTIAL;
664
665 list_for_each_entry(rule, &s->fe->tcp_req.inspect_rules, list) {
666 int ret = ACL_PAT_PASS;
667
668 if (rule->cond) {
Willy Tarreau51d5dad2009-07-12 10:10:05 +0200669 ret = acl_exec_cond(rule->cond, s->fe, s, &s->txn, ACL_DIR_REQ | partial);
Willy Tarreauedcf6682008-11-30 23:15:34 +0100670 if (ret == ACL_PAT_MISS) {
Willy Tarreau520d95e2009-09-19 21:04:57 +0200671 buffer_dont_connect(req);
Willy Tarreauedcf6682008-11-30 23:15:34 +0100672 /* just set the request timeout once at the beginning of the request */
Willy Tarreaud869b242009-03-15 14:43:58 +0100673 if (!tick_isset(req->analyse_exp) && s->fe->tcp_req.inspect_delay)
Willy Tarreauedcf6682008-11-30 23:15:34 +0100674 req->analyse_exp = tick_add_ifset(now_ms, s->fe->tcp_req.inspect_delay);
675 return 0;
676 }
677
678 ret = acl_pass(ret);
679 if (rule->cond->pol == ACL_COND_UNLESS)
680 ret = !ret;
681 }
682
683 if (ret) {
684 /* we have a matching rule. */
685 if (rule->action == TCP_ACT_REJECT) {
686 buffer_abort(req);
687 buffer_abort(s->rep);
688 req->analysers = 0;
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +0200689
Krzysztof Piotr Oledzki052d4fd2009-10-04 14:52:57 +0200690 s->fe->counters.failed_req++;
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +0200691 if (s->listener->counters)
692 s->listener->counters->failed_req++;
693
Willy Tarreauedcf6682008-11-30 23:15:34 +0100694 if (!(s->flags & SN_ERR_MASK))
695 s->flags |= SN_ERR_PRXCOND;
696 if (!(s->flags & SN_FINST_MASK))
697 s->flags |= SN_FINST_R;
698 return 0;
699 }
700 /* otherwise accept */
701 break;
702 }
703 }
704
705 /* if we get there, it means we have no rule which matches, or
706 * we have an explicit accept, so we apply the default accept.
707 */
Willy Tarreau3a816292009-07-07 10:55:49 +0200708 req->analysers &= ~an_bit;
Willy Tarreauedcf6682008-11-30 23:15:34 +0100709 req->analyse_exp = TICK_ETERNITY;
710 return 1;
711}
712
Emeric Brun647caf12009-06-30 17:57:00 +0200713/* Apply RDP cookie persistence to the current session. For this, the function
714 * tries to extract an RDP cookie from the request buffer, and look for the
715 * matching server in the list. If the server is found, it is assigned to the
716 * session. This always returns 1, and the analyser removes itself from the
717 * list. Nothing is performed if a server was already assigned.
718 */
719int tcp_persist_rdp_cookie(struct session *s, struct buffer *req, int an_bit)
720{
721 struct proxy *px = s->be;
722 int ret;
723 struct acl_expr expr;
724 struct acl_test test;
725 struct server *srv = px->srv;
726 struct sockaddr_in addr;
727 char *p;
728
729 DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
730 now_ms, __FUNCTION__,
731 s,
732 req,
733 req->rex, req->wex,
734 req->flags,
735 req->l,
736 req->analysers);
737
738 if (s->flags & SN_ASSIGNED)
739 goto no_cookie;
740
741 memset(&expr, 0, sizeof(expr));
742 memset(&test, 0, sizeof(test));
743
744 expr.arg.str = s->be->rdp_cookie_name;
745 expr.arg_len = s->be->rdp_cookie_len;
746
747 ret = acl_fetch_rdp_cookie(px, s, NULL, ACL_DIR_REQ, &expr, &test);
748 if (ret == 0 || (test.flags & ACL_TEST_F_MAY_CHANGE) || test.len == 0)
749 goto no_cookie;
750
751 memset(&addr, 0, sizeof(addr));
752 addr.sin_family = AF_INET;
753
754 /* Considering an rdp cookie detected using acl, test.ptr ended with <cr><lf> and should return */
755 addr.sin_addr.s_addr = strtoul(test.ptr, &p, 10);
756 if (*p != '.')
757 goto no_cookie;
758 p++;
759 addr.sin_port = (unsigned short)strtoul(p, &p, 10);
760 if (*p != '.')
761 goto no_cookie;
762
763 while (srv) {
764 if (memcmp(&addr, &(srv->addr), sizeof(addr)) == 0) {
765 if ((srv->state & SRV_RUNNING) || (px->options & PR_O_PERSIST)) {
766 /* we found the server and it is usable */
767 s->flags |= SN_DIRECT | SN_ASSIGNED;
768 s->srv = srv;
769 break;
770 }
771 }
772 srv = srv->next;
773 }
774
775no_cookie:
776 req->analysers &= ~an_bit;
777 req->analyse_exp = TICK_ETERNITY;
778 return 1;
779}
780
Willy Tarreauedcf6682008-11-30 23:15:34 +0100781
Willy Tarreaub6866442008-07-14 23:54:42 +0200782/* This function should be called to parse a line starting with the "tcp-request"
783 * keyword.
784 */
785static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
786 struct proxy *defpx, char *err, int errlen)
787{
788 const char *ptr = NULL;
Willy Tarreauc7e961e2008-08-17 17:13:47 +0200789 unsigned int val;
Willy Tarreaub6866442008-07-14 23:54:42 +0200790 int retlen;
791
792 if (!*args[1]) {
793 snprintf(err, errlen, "missing argument for '%s' in %s '%s'",
794 args[0], proxy_type_str(proxy), curpx->id);
795 return -1;
796 }
797
798 if (!strcmp(args[1], "inspect-delay")) {
799 if (curpx == defpx) {
800 snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
801 args[0], args[1]);
802 return -1;
803 }
804
805 if (!(curpx->cap & PR_CAP_FE)) {
806 snprintf(err, errlen, "%s %s will be ignored because %s '%s' has no %s capability",
807 args[0], args[1], proxy_type_str(proxy), curpx->id,
808 "frontend");
809 return 1;
810 }
811
812 if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
813 retlen = snprintf(err, errlen,
814 "'%s %s' expects a positive delay in milliseconds, in %s '%s'",
815 args[0], args[1], proxy_type_str(proxy), curpx->id);
816 if (ptr && retlen < errlen)
817 retlen += snprintf(err+retlen, errlen - retlen,
818 " (unexpected character '%c')", *ptr);
819 return -1;
820 }
821
822 if (curpx->tcp_req.inspect_delay) {
823 snprintf(err, errlen, "ignoring %s %s (was already defined) in %s '%s'",
824 args[0], args[1], proxy_type_str(proxy), curpx->id);
825 return 1;
826 }
827 curpx->tcp_req.inspect_delay = val;
828 return 0;
829 }
830
831 if (!strcmp(args[1], "content")) {
832 int action;
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200833 int warn = 0;
Willy Tarreaub6866442008-07-14 23:54:42 +0200834 int pol = ACL_COND_NONE;
835 struct acl_cond *cond;
836 struct tcp_rule *rule;
837
838 if (curpx == defpx) {
839 snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
840 args[0], args[1]);
841 return -1;
842 }
843
844 if (!strcmp(args[2], "accept"))
845 action = TCP_ACT_ACCEPT;
846 else if (!strcmp(args[2], "reject"))
847 action = TCP_ACT_REJECT;
848 else {
849 retlen = snprintf(err, errlen,
850 "'%s %s' expects 'accept' or 'reject', in %s '%s' (was '%s')",
851 args[0], args[1], proxy_type_str(curpx), curpx->id, args[2]);
852 return -1;
853 }
854
855 pol = ACL_COND_NONE;
856 cond = NULL;
857
Willy Tarreau606ad732009-07-14 21:17:05 +0200858 if (!*args[3])
859 pol = ACL_COND_NONE;
860 else if (!strcmp(args[3], "if"))
Willy Tarreaub6866442008-07-14 23:54:42 +0200861 pol = ACL_COND_IF;
862 else if (!strcmp(args[3], "unless"))
863 pol = ACL_COND_UNLESS;
Willy Tarreau606ad732009-07-14 21:17:05 +0200864 else {
865 retlen = snprintf(err, errlen,
866 "'%s %s %s' only accepts 'if' or 'unless', in %s '%s' (was '%s')",
867 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[3]);
868 return -1;
869 }
Willy Tarreaub6866442008-07-14 23:54:42 +0200870
871 /* Note: we consider "if TRUE" when there is no condition */
872 if (pol != ACL_COND_NONE &&
873 (cond = parse_acl_cond((const char **)args+4, &curpx->acl, pol)) == NULL) {
874 retlen = snprintf(err, errlen,
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200875 "error detected in %s '%s' while parsing '%s' condition",
Willy Tarreaub6866442008-07-14 23:54:42 +0200876 proxy_type_str(curpx), curpx->id, args[3]);
877 return -1;
878 }
879
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200880 // FIXME: how to set this ?
881 // cond->line = linenum;
Willy Tarreaua9fb0832009-07-10 20:53:53 +0200882 if (cond)
883 curpx->acl_requires |= cond->requires;
Willy Tarreau1a211942009-07-14 13:53:17 +0200884 if (cond && (cond->requires & ACL_USE_RTR_ANY)) {
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200885 struct acl *acl;
886 const char *name;
887
Willy Tarreau1a211942009-07-14 13:53:17 +0200888 acl = cond_find_require(cond, ACL_USE_RTR_ANY);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200889 name = acl ? acl->name : "(unknown)";
890
891 retlen = snprintf(err, errlen,
Willy Tarreau1a211942009-07-14 13:53:17 +0200892 "acl '%s' involves some response-only criteria which will be ignored.",
893 name);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200894 warn++;
895 }
Willy Tarreaub6866442008-07-14 23:54:42 +0200896 rule = (struct tcp_rule *)calloc(1, sizeof(*rule));
897 rule->cond = cond;
898 rule->action = action;
899 LIST_INIT(&rule->list);
900 LIST_ADDQ(&curpx->tcp_req.inspect_rules, &rule->list);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200901 return warn;
Willy Tarreaub6866442008-07-14 23:54:42 +0200902 }
903
904 snprintf(err, errlen, "unknown argument '%s' after '%s' in %s '%s'",
905 args[1], args[0], proxy_type_str(proxy), curpx->id);
906 return -1;
907}
908
909/* return the number of bytes in the request buffer */
910static int
911acl_fetch_req_len(struct proxy *px, struct session *l4, void *l7, int dir,
912 struct acl_expr *expr, struct acl_test *test)
913{
914 if (!l4 || !l4->req)
915 return 0;
916
917 test->i = l4->req->l;
918 test->flags = ACL_TEST_F_VOLATILE | ACL_TEST_F_MAY_CHANGE;
919 return 1;
920}
921
Willy Tarreau655e26a2008-07-15 18:58:05 +0200922/* Return the version of the SSL protocol in the request. It supports both
923 * SSLv3 (TLSv1) header format for any message, and SSLv2 header format for
924 * the hello message. The SSLv3 format is described in RFC 2246 p49, and the
925 * SSLv2 format is described here, and completed p67 of RFC 2246 :
926 * http://wp.netscape.com/eng/security/SSL_2.html
927 *
928 * Note: this decoder only works with non-wrapping data.
929 */
930static int
931acl_fetch_req_ssl_ver(struct proxy *px, struct session *l4, void *l7, int dir,
932 struct acl_expr *expr, struct acl_test *test)
933{
934 int version, bleft, msg_len;
935 const unsigned char *data;
936
937 if (!l4 || !l4->req)
938 return 0;
939
940 msg_len = 0;
941 bleft = l4->req->l;
942 if (!bleft)
943 goto too_short;
944
Willy Tarreauc7e961e2008-08-17 17:13:47 +0200945 data = (const unsigned char *)l4->req->w;
Willy Tarreau655e26a2008-07-15 18:58:05 +0200946 if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
947 /* SSLv3 header format */
948 if (bleft < 5)
949 goto too_short;
950
951 version = (data[1] << 16) + data[2]; /* version: major, minor */
952 msg_len = (data[3] << 8) + data[4]; /* record length */
953
954 /* format introduced with SSLv3 */
955 if (version < 0x00030000)
956 goto not_ssl;
957
958 /* message length between 1 and 2^14 + 2048 */
959 if (msg_len < 1 || msg_len > ((1<<14) + 2048))
960 goto not_ssl;
961
962 bleft -= 5; data += 5;
963 } else {
964 /* SSLv2 header format, only supported for hello (msg type 1) */
965 int rlen, plen, cilen, silen, chlen;
966
967 if (*data & 0x80) {
968 if (bleft < 3)
969 goto too_short;
970 /* short header format : 15 bits for length */
971 rlen = ((data[0] & 0x7F) << 8) | data[1];
972 plen = 0;
973 bleft -= 2; data += 2;
974 } else {
975 if (bleft < 4)
976 goto too_short;
977 /* long header format : 14 bits for length + pad length */
978 rlen = ((data[0] & 0x3F) << 8) | data[1];
979 plen = data[2];
980 bleft -= 3; data += 2;
981 }
982
983 if (*data != 0x01)
984 goto not_ssl;
985 bleft--; data++;
986
987 if (bleft < 8)
988 goto too_short;
989 version = (data[0] << 16) + data[1]; /* version: major, minor */
990 cilen = (data[2] << 8) + data[3]; /* cipher len, multiple of 3 */
991 silen = (data[4] << 8) + data[5]; /* session_id_len: 0 or 16 */
992 chlen = (data[6] << 8) + data[7]; /* 16<=challenge length<=32 */
993
994 bleft -= 8; data += 8;
995 if (cilen % 3 != 0)
996 goto not_ssl;
997 if (silen && silen != 16)
998 goto not_ssl;
999 if (chlen < 16 || chlen > 32)
1000 goto not_ssl;
1001 if (rlen != 9 + cilen + silen + chlen)
1002 goto not_ssl;
1003
1004 /* focus on the remaining data length */
1005 msg_len = cilen + silen + chlen + plen;
1006 }
1007 /* We could recursively check that the buffer ends exactly on an SSL
1008 * fragment boundary and that a possible next segment is still SSL,
1009 * but that's a bit pointless. However, we could still check that
1010 * all the part of the request which fits in a buffer is already
1011 * there.
1012 */
Willy Tarreau03d60bb2009-01-09 11:13:00 +01001013 if (msg_len > l4->req->max_len + l4->req->data - l4->req->w)
1014 msg_len = l4->req->max_len + l4->req->data - l4->req->w;
Willy Tarreau655e26a2008-07-15 18:58:05 +02001015
1016 if (bleft < msg_len)
1017 goto too_short;
1018
1019 /* OK that's enough. We have at least the whole message, and we have
1020 * the protocol version.
1021 */
1022 test->i = version;
1023 test->flags = ACL_TEST_F_VOLATILE;
1024 return 1;
1025
1026 too_short:
1027 test->flags = ACL_TEST_F_MAY_CHANGE;
1028 not_ssl:
1029 return 0;
1030}
1031
Emeric Brunbede3d02009-06-30 17:54:00 +02001032int
1033acl_fetch_rdp_cookie(struct proxy *px, struct session *l4, void *l7, int dir,
1034 struct acl_expr *expr, struct acl_test *test)
1035{
1036 int bleft;
1037 const unsigned char *data;
1038
1039 if (!l4 || !l4->req)
1040 return 0;
1041
1042 test->flags = 0;
1043
1044 bleft = l4->req->l;
1045 if (bleft <= 11)
1046 goto too_short;
1047
1048 data = (const unsigned char *)l4->req->w + 11;
1049 bleft -= 11;
1050
1051 if (bleft <= 7)
1052 goto too_short;
1053
1054 if (strncasecmp((const char *)data, "Cookie:", 7) != 0)
1055 goto not_cookie;
1056
1057 data += 7;
1058 bleft -= 7;
1059
1060 while (bleft > 0 && *data == ' ') {
1061 data++;
1062 bleft--;
1063 }
1064
1065 if (expr->arg_len) {
1066
1067 if (bleft <= expr->arg_len)
1068 goto too_short;
1069
1070 if ((data[expr->arg_len] != '=') ||
1071 strncasecmp(expr->arg.str, (const char *)data, expr->arg_len) != 0)
1072 goto not_cookie;
1073
1074 data += expr->arg_len + 1;
1075 bleft -= expr->arg_len + 1;
1076 } else {
1077 while (bleft > 0 && *data != '=') {
1078 if (*data == '\r' || *data == '\n')
1079 goto not_cookie;
1080 data++;
1081 bleft--;
1082 }
1083
1084 if (bleft < 1)
1085 goto too_short;
1086
1087 if (*data != '=')
1088 goto not_cookie;
1089
1090 data++;
1091 bleft--;
1092 }
1093
1094 /* data points to cookie value */
1095 test->ptr = (char *)data;
1096 test->len = 0;
1097
1098 while (bleft > 0 && *data != '\r') {
1099 data++;
1100 bleft--;
1101 }
1102
1103 if (bleft < 2)
1104 goto too_short;
1105
1106 if (data[0] != '\r' || data[1] != '\n')
1107 goto not_cookie;
1108
1109 test->len = (char *)data - test->ptr;
1110 test->flags = ACL_TEST_F_VOLATILE;
1111 return 1;
1112
1113 too_short:
1114 test->flags = ACL_TEST_F_MAY_CHANGE;
1115 not_cookie:
1116 return 0;
1117}
1118
1119static int
1120acl_fetch_rdp_cookie_cnt(struct proxy *px, struct session *l4, void *l7, int dir,
1121 struct acl_expr *expr, struct acl_test *test)
1122{
1123 int ret;
1124
1125 ret = acl_fetch_rdp_cookie(px, l4, l7, dir, expr, test);
1126
1127 test->ptr = NULL;
1128 test->len = 0;
1129
1130 if (test->flags & ACL_TEST_F_MAY_CHANGE)
1131 return 0;
1132
1133 test->flags = ACL_TEST_F_VOLATILE;
1134 test->i = ret;
1135
1136 return 1;
1137}
Willy Tarreaub6866442008-07-14 23:54:42 +02001138
1139static struct cfg_kw_list cfg_kws = {{ },{
1140 { CFG_LISTEN, "tcp-request", tcp_parse_tcp_req },
1141 { 0, NULL, NULL },
1142}};
1143
1144static struct acl_kw_list acl_kws = {{ },{
Willy Tarreau0ceba5a2008-07-25 19:31:03 +02001145 { "req_len", acl_parse_int, acl_fetch_req_len, acl_match_int, ACL_USE_L4REQ_VOLATILE },
1146 { "req_ssl_ver", acl_parse_dotted_ver, acl_fetch_req_ssl_ver, acl_match_int, ACL_USE_L4REQ_VOLATILE },
Emeric Brunbede3d02009-06-30 17:54:00 +02001147 { "req_rdp_cookie", acl_parse_str, acl_fetch_rdp_cookie, acl_match_str, ACL_USE_L4REQ_VOLATILE },
1148 { "req_rdp_cookie_cnt", acl_parse_int, acl_fetch_rdp_cookie_cnt, acl_match_int, ACL_USE_L4REQ_VOLATILE },
Willy Tarreaub6866442008-07-14 23:54:42 +02001149 { NULL, NULL, NULL, NULL },
1150}};
1151
Willy Tarreaue6b98942007-10-29 01:09:36 +01001152__attribute__((constructor))
1153static void __tcp_protocol_init(void)
1154{
1155 protocol_register(&proto_tcpv4);
1156 protocol_register(&proto_tcpv6);
Willy Tarreaub6866442008-07-14 23:54:42 +02001157 cfg_register_keywords(&cfg_kws);
1158 acl_register_keywords(&acl_kws);
Willy Tarreaue6b98942007-10-29 01:09:36 +01001159}
1160
1161
1162/*
1163 * Local variables:
1164 * c-indent-level: 8
1165 * c-basic-offset: 8
1166 * End:
1167 */