blob: 29eae81138d13b37b72ce47c3719e521a0fe9511 [file] [log] [blame]
Christopher Faulet78880fb2017-09-18 14:43:55 +02001/*
2 * Action management functions.
3 *
4 * Copyright 2017 HAProxy Technologies, Christopher Faulet <cfaulet@haproxy.com>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
Amaury Denoyelle68fd7e42021-03-25 17:15:52 +010013#include <haproxy/acl.h>
Willy Tarreau122eba92020-06-04 10:15:32 +020014#include <haproxy/action.h>
Willy Tarreau4c7e4b72020-05-27 12:58:42 +020015#include <haproxy/api.h>
Willy Tarreau36979d92020-06-05 17:27:29 +020016#include <haproxy/errors.h>
Willy Tarreaub2551052020-06-09 09:07:15 +020017#include <haproxy/list.h>
Willy Tarreau8efbdfb2020-06-04 11:29:21 +020018#include <haproxy/obj_type.h>
Willy Tarreaud0ef4392020-06-02 09:38:52 +020019#include <haproxy/pool.h>
Willy Tarreaua264d962020-06-04 22:29:18 +020020#include <haproxy/proxy.h>
Willy Tarreaub2551052020-06-09 09:07:15 +020021#include <haproxy/stick_table.h>
Willy Tarreaucea0e1b2020-06-04 17:25:40 +020022#include <haproxy/task.h>
Willy Tarreau48fbcae2020-06-03 18:09:46 +020023#include <haproxy/tools.h>
Christopher Faulet78880fb2017-09-18 14:43:55 +020024
Christopher Faulet78880fb2017-09-18 14:43:55 +020025
Christopher Fauletac98d812019-12-18 09:20:16 +010026/* Find and check the target table used by an action track-sc*. This
Christopher Faulet78880fb2017-09-18 14:43:55 +020027 * function should be called during the configuration validity check.
28 *
29 * The function returns 1 in success case, otherwise, it returns 0 and err is
30 * filled.
31 */
32int check_trk_action(struct act_rule *rule, struct proxy *px, char **err)
33{
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010034 struct stktable *target;
Christopher Faulet78880fb2017-09-18 14:43:55 +020035
36 if (rule->arg.trk_ctr.table.n)
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010037 target = stktable_find_by_name(rule->arg.trk_ctr.table.n);
Christopher Faulet78880fb2017-09-18 14:43:55 +020038 else
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010039 target = px->table;
Christopher Faulet78880fb2017-09-18 14:43:55 +020040
41 if (!target) {
42 memprintf(err, "unable to find table '%s' referenced by track-sc%d",
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010043 rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id,
Christopher Fauletac98d812019-12-18 09:20:16 +010044 rule->action);
Christopher Faulet78880fb2017-09-18 14:43:55 +020045 return 0;
46 }
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010047
48 if (!stktable_compatible_sample(rule->arg.trk_ctr.expr, target->type)) {
Christopher Faulet78880fb2017-09-18 14:43:55 +020049 memprintf(err, "stick-table '%s' uses a type incompatible with the 'track-sc%d' rule",
50 rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id,
Christopher Fauletac98d812019-12-18 09:20:16 +010051 rule->action);
Christopher Faulet78880fb2017-09-18 14:43:55 +020052 return 0;
53 }
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010054 else if (target->proxy && (px->bind_proc & ~target->proxy->bind_proc)) {
Willy Tarreau151e1ca2019-02-05 11:38:38 +010055 memprintf(err, "stick-table '%s' referenced by 'track-sc%d' rule not present on all processes covered by proxy '%s'",
Christopher Fauletac98d812019-12-18 09:20:16 +010056 target->id, rule->action, px->id);
Willy Tarreau151e1ca2019-02-05 11:38:38 +010057 return 0;
58 }
Christopher Faulet78880fb2017-09-18 14:43:55 +020059 else {
Frédéric Lécaillebe367932019-08-07 09:28:39 +020060 if (!in_proxies_list(target->proxies_list, px)) {
Frédéric Lécaille015e4d72019-03-19 14:55:01 +010061 px->next_stkt_ref = target->proxies_list;
62 target->proxies_list = px;
63 }
Christopher Faulet78880fb2017-09-18 14:43:55 +020064 free(rule->arg.trk_ctr.table.n);
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010065 rule->arg.trk_ctr.table.t = target;
Christopher Faulet78880fb2017-09-18 14:43:55 +020066 /* Note: if we decide to enhance the track-sc syntax, we may be
67 * able to pass a list of counters to track and allocate them
68 * right here using stktable_alloc_data_type().
69 */
70 }
Christopher Fauletac98d812019-12-18 09:20:16 +010071
Christopher Faulet2079a4a2020-10-02 11:48:57 +020072 if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE)) {
73 if (!px->tcp_req.inspect_delay && !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) {
74 ha_warning("config : %s '%s' : a 'tcp-request content track-sc*' rule explicitly depending on request"
75 " contents without any 'tcp-request inspect-delay' setting."
76 " This means that this rule will randomly find its contents. This can be fixed by"
77 " setting the tcp-request inspect-delay.\n",
78 proxy_type_str(px), px->id);
79 }
80
81 /* The following warning is emitted because HTTP multiplexers are able to catch errors
82 * or timeouts at the session level, before instantiating any stream.
83 * Thus the tcp-request content ruleset will not be evaluated in such case. It means,
84 * http_req and http_err counters will not be incremented as expected, even if the tracked
85 * counter does not use the request content. To track invalid requests it should be
86 * performed at the session level using a tcp-request session rule.
87 */
88 if (px->mode == PR_MODE_HTTP &&
89 !(rule->arg.trk_ctr.expr->fetch->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)) &&
90 (!rule->cond || !(rule->cond->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)))) {
91 ha_warning("config : %s '%s' : a 'tcp-request content track-sc*' rule not depending on request"
92 " contents for an HTTP frontend should be executed at the session level, using a"
93 " 'tcp-request session' rule (mandatory to track invalid HTTP requests).\n",
94 proxy_type_str(px), px->id);
95 }
Christopher Fauletac98d812019-12-18 09:20:16 +010096 }
97
Christopher Faulet78880fb2017-09-18 14:43:55 +020098 return 1;
99}
100
Christopher Fauletd73b96d2019-12-19 17:27:03 +0100101/* check a capture rule. This function should be called during the configuration
102 * validity check.
103 *
104 * The function returns 1 in success case, otherwise, it returns 0 and err is
105 * filled.
106 */
107int check_capture(struct act_rule *rule, struct proxy *px, char **err)
108{
109 if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE) && !px->tcp_req.inspect_delay &&
110 !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) {
111 ha_warning("config : %s '%s' : a 'tcp-request capture' rule explicitly depending on request"
112 " contents without any 'tcp-request inspect-delay' setting."
113 " This means that this rule will randomly find its contents. This can be fixed by"
114 " setting the tcp-request inspect-delay.\n",
115 proxy_type_str(px), px->id);
116 }
117
118 return 1;
119}
120
Emeric Brun08622d32020-12-23 17:41:43 +0100121int act_resolution_cb(struct resolv_requester *requester, struct dns_counters *counters)
Baptiste Assmann333939c2019-01-21 08:34:50 +0100122{
123 struct stream *stream;
124
125 if (requester->resolution == NULL)
126 return 0;
127
128 stream = objt_stream(requester->owner);
129 if (stream == NULL)
130 return 0;
131
132 task_wakeup(stream->task, TASK_WOKEN_MSG);
133
134 return 0;
135}
136
Emeric Brun08622d32020-12-23 17:41:43 +0100137int act_resolution_error_cb(struct resolv_requester *requester, int error_code)
Baptiste Assmann333939c2019-01-21 08:34:50 +0100138{
139 struct stream *stream;
140
141 if (requester->resolution == NULL)
142 return 0;
143
144 stream = objt_stream(requester->owner);
145 if (stream == NULL)
146 return 0;
147
148 task_wakeup(stream->task, TASK_WOKEN_MSG);
149
150 return 0;
151}
152
Amaury Denoyelle8d228232020-12-10 13:43:54 +0100153/* Parse a set-timeout rule statement. It first checks if the timeout name is
154 * valid and returns it in <name>. Then the timeout is parsed as a plain value
155 * and * returned in <out_timeout>. If there is a parsing error, the value is
156 * reparsed as an expression and returned in <expr>.
157 *
158 * Returns -1 if the name is invalid or neither a time or an expression can be
159 * parsed, or if the timeout value is 0.
160 */
161int cfg_parse_rule_set_timeout(const char **args, int idx, int *out_timeout,
162 enum act_timeout_name *name,
163 struct sample_expr **expr, char **err,
164 const char *file, int line, struct arg_list *al)
165{
166 const char *res;
167 const char *timeout_name = args[idx++];
168
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100169 if (strcmp(timeout_name, "server") == 0) {
Amaury Denoyelle8d228232020-12-10 13:43:54 +0100170 *name = ACT_TIMEOUT_SERVER;
171 }
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100172 else if (strcmp(timeout_name, "tunnel") == 0) {
Amaury Denoyelle8d228232020-12-10 13:43:54 +0100173 *name = ACT_TIMEOUT_TUNNEL;
174 }
175 else {
176 memprintf(err,
177 "'set-timeout' rule supports 'server'/'tunnel' (got '%s')",
178 timeout_name);
179 return -1;
180 }
181
182 res = parse_time_err(args[idx], (unsigned int *)out_timeout, TIME_UNIT_MS);
183 if (res == PARSE_TIME_OVER) {
184 memprintf(err, "timer overflow in argument '%s' to rule 'set-timeout %s' (maximum value is 2147483647 ms or ~24.8 days)",
185 args[idx], timeout_name);
186 return -1;
187 }
188 else if (res == PARSE_TIME_UNDER) {
189 memprintf(err, "timer underflow in argument '%s' to rule 'set-timeout %s' (minimum value is 1 ms)",
190 args[idx], timeout_name);
191 return -1;
192 }
193 /* res not NULL, parsing error */
194 else if (res) {
195 *expr = sample_parse_expr((char **)args, &idx, file, line, err, al, NULL);
196 if (!*expr) {
197 memprintf(err, "unexpected character '%c' in rule 'set-timeout %s'", *res, timeout_name);
198 return -1;
199 }
200 }
201 /* res NULL, parsing ok but value is 0 */
202 else if (!(*out_timeout)) {
203 memprintf(err, "null value is not valid for a 'set-timeout %s' rule",
204 timeout_name);
205 return -1;
206 }
207
208 return 0;
209}
Willy Tarreau99eb2cc2021-03-12 11:59:24 +0100210
211/* tries to find in list <keywords> a similar looking action as the one in
212 * <word>, and returns it otherwise NULL. <word> may be NULL or empty. An
213 * optional array of extra words to compare may be passed in <extra>, but it
214 * must then be terminated by a NULL entry. If unused it may be NULL.
215 */
216const char *action_suggest(const char *word, const struct list *keywords, const char **extra)
217{
218 uint8_t word_sig[1024];
219 uint8_t list_sig[1024];
220 const struct action_kw_list *kwl;
221 const struct action_kw *best_kw = NULL;
222 const char *best_ptr = NULL;
223 int dist, best_dist = INT_MAX;
224 int index;
225
226 if (!word || !*word)
227 return NULL;
228
229 make_word_fingerprint(word_sig, word);
230 list_for_each_entry(kwl, keywords, list) {
231 for (index = 0; kwl->kw[index].kw != NULL; index++) {
232 make_word_fingerprint(list_sig, kwl->kw[index].kw);
233 dist = word_fingerprint_distance(word_sig, list_sig);
234 if (dist < best_dist) {
235 best_dist = dist;
236 best_kw = &kwl->kw[index];
237 best_ptr = best_kw->kw;
238 }
239 }
240 }
241
242 while (extra && *extra) {
243 make_word_fingerprint(list_sig, *extra);
244 dist = word_fingerprint_distance(word_sig, list_sig);
245 if (dist < best_dist) {
246 best_dist = dist;
247 best_kw = NULL;
248 best_ptr = *extra;
249 }
250 extra++;
251 }
252
253 /* eliminate too different ones, with more tolerance for prefixes
254 * when they're known to exist (not from extra list).
255 */
256 if (best_ptr &&
257 (best_dist > (2 + (best_kw && best_kw->match_pfx)) * strlen(word) ||
258 best_dist > (2 + (best_kw && best_kw->match_pfx)) * strlen(best_ptr)))
259 best_ptr = NULL;
260
261 return best_ptr;
262}
Amaury Denoyelle68fd7e42021-03-25 17:15:52 +0100263
264void free_act_rules(struct list *rules)
265{
266 struct act_rule *rule, *ruleb;
267
268 list_for_each_entry_safe(rule, ruleb, rules, list) {
269 LIST_DEL(&rule->list);
270 free_acl_cond(rule->cond);
271 if (rule->release_ptr)
272 rule->release_ptr(rule);
273 free(rule);
274 }
275}