Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 1 | /* |
| 2 | * Action management functions. |
| 3 | * |
| 4 | * Copyright 2017 HAProxy Technologies, Christopher Faulet <cfaulet@haproxy.com> |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public License |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | */ |
| 12 | |
Amaury Denoyelle | 68fd7e4 | 2021-03-25 17:15:52 +0100 | [diff] [blame] | 13 | #include <haproxy/acl.h> |
Willy Tarreau | 122eba9 | 2020-06-04 10:15:32 +0200 | [diff] [blame] | 14 | #include <haproxy/action.h> |
Willy Tarreau | 4c7e4b7 | 2020-05-27 12:58:42 +0200 | [diff] [blame] | 15 | #include <haproxy/api.h> |
Willy Tarreau | 36979d9 | 2020-06-05 17:27:29 +0200 | [diff] [blame] | 16 | #include <haproxy/errors.h> |
Willy Tarreau | b255105 | 2020-06-09 09:07:15 +0200 | [diff] [blame] | 17 | #include <haproxy/list.h> |
Willy Tarreau | 8efbdfb | 2020-06-04 11:29:21 +0200 | [diff] [blame] | 18 | #include <haproxy/obj_type.h> |
Willy Tarreau | d0ef439 | 2020-06-02 09:38:52 +0200 | [diff] [blame] | 19 | #include <haproxy/pool.h> |
Willy Tarreau | a264d96 | 2020-06-04 22:29:18 +0200 | [diff] [blame] | 20 | #include <haproxy/proxy.h> |
Willy Tarreau | b255105 | 2020-06-09 09:07:15 +0200 | [diff] [blame] | 21 | #include <haproxy/stick_table.h> |
Willy Tarreau | cea0e1b | 2020-06-04 17:25:40 +0200 | [diff] [blame] | 22 | #include <haproxy/task.h> |
Willy Tarreau | 48fbcae | 2020-06-03 18:09:46 +0200 | [diff] [blame] | 23 | #include <haproxy/tools.h> |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 24 | |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 25 | |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 26 | /* Find and check the target table used by an action track-sc*. This |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 27 | * function should be called during the configuration validity check. |
| 28 | * |
| 29 | * The function returns 1 in success case, otherwise, it returns 0 and err is |
| 30 | * filled. |
| 31 | */ |
| 32 | int check_trk_action(struct act_rule *rule, struct proxy *px, char **err) |
| 33 | { |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 34 | struct stktable *target; |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 35 | |
| 36 | if (rule->arg.trk_ctr.table.n) |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 37 | target = stktable_find_by_name(rule->arg.trk_ctr.table.n); |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 38 | else |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 39 | target = px->table; |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 40 | |
| 41 | if (!target) { |
| 42 | memprintf(err, "unable to find table '%s' referenced by track-sc%d", |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 43 | rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id, |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 44 | rule->action); |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 45 | return 0; |
| 46 | } |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 47 | |
| 48 | if (!stktable_compatible_sample(rule->arg.trk_ctr.expr, target->type)) { |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 49 | memprintf(err, "stick-table '%s' uses a type incompatible with the 'track-sc%d' rule", |
| 50 | rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id, |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 51 | rule->action); |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 52 | return 0; |
| 53 | } |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 54 | else if (target->proxy && (px->bind_proc & ~target->proxy->bind_proc)) { |
Willy Tarreau | 151e1ca | 2019-02-05 11:38:38 +0100 | [diff] [blame] | 55 | memprintf(err, "stick-table '%s' referenced by 'track-sc%d' rule not present on all processes covered by proxy '%s'", |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 56 | target->id, rule->action, px->id); |
Willy Tarreau | 151e1ca | 2019-02-05 11:38:38 +0100 | [diff] [blame] | 57 | return 0; |
| 58 | } |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 59 | else { |
Frédéric Lécaille | be36793 | 2019-08-07 09:28:39 +0200 | [diff] [blame] | 60 | if (!in_proxies_list(target->proxies_list, px)) { |
Frédéric Lécaille | 015e4d7 | 2019-03-19 14:55:01 +0100 | [diff] [blame] | 61 | px->next_stkt_ref = target->proxies_list; |
| 62 | target->proxies_list = px; |
| 63 | } |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 64 | free(rule->arg.trk_ctr.table.n); |
Frédéric Lécaille | 1b8e68e | 2019-03-14 07:07:41 +0100 | [diff] [blame] | 65 | rule->arg.trk_ctr.table.t = target; |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 66 | /* Note: if we decide to enhance the track-sc syntax, we may be |
| 67 | * able to pass a list of counters to track and allocate them |
| 68 | * right here using stktable_alloc_data_type(). |
| 69 | */ |
| 70 | } |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 71 | |
Christopher Faulet | 2079a4a | 2020-10-02 11:48:57 +0200 | [diff] [blame] | 72 | if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE)) { |
| 73 | if (!px->tcp_req.inspect_delay && !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) { |
| 74 | ha_warning("config : %s '%s' : a 'tcp-request content track-sc*' rule explicitly depending on request" |
| 75 | " contents without any 'tcp-request inspect-delay' setting." |
| 76 | " This means that this rule will randomly find its contents. This can be fixed by" |
| 77 | " setting the tcp-request inspect-delay.\n", |
| 78 | proxy_type_str(px), px->id); |
| 79 | } |
| 80 | |
| 81 | /* The following warning is emitted because HTTP multiplexers are able to catch errors |
| 82 | * or timeouts at the session level, before instantiating any stream. |
| 83 | * Thus the tcp-request content ruleset will not be evaluated in such case. It means, |
| 84 | * http_req and http_err counters will not be incremented as expected, even if the tracked |
| 85 | * counter does not use the request content. To track invalid requests it should be |
| 86 | * performed at the session level using a tcp-request session rule. |
| 87 | */ |
| 88 | if (px->mode == PR_MODE_HTTP && |
| 89 | !(rule->arg.trk_ctr.expr->fetch->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)) && |
| 90 | (!rule->cond || !(rule->cond->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)))) { |
| 91 | ha_warning("config : %s '%s' : a 'tcp-request content track-sc*' rule not depending on request" |
| 92 | " contents for an HTTP frontend should be executed at the session level, using a" |
| 93 | " 'tcp-request session' rule (mandatory to track invalid HTTP requests).\n", |
| 94 | proxy_type_str(px), px->id); |
| 95 | } |
Christopher Faulet | ac98d81 | 2019-12-18 09:20:16 +0100 | [diff] [blame] | 96 | } |
| 97 | |
Christopher Faulet | 78880fb | 2017-09-18 14:43:55 +0200 | [diff] [blame] | 98 | return 1; |
| 99 | } |
| 100 | |
Christopher Faulet | d73b96d | 2019-12-19 17:27:03 +0100 | [diff] [blame] | 101 | /* check a capture rule. This function should be called during the configuration |
| 102 | * validity check. |
| 103 | * |
| 104 | * The function returns 1 in success case, otherwise, it returns 0 and err is |
| 105 | * filled. |
| 106 | */ |
| 107 | int check_capture(struct act_rule *rule, struct proxy *px, char **err) |
| 108 | { |
| 109 | if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE) && !px->tcp_req.inspect_delay && |
| 110 | !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) { |
| 111 | ha_warning("config : %s '%s' : a 'tcp-request capture' rule explicitly depending on request" |
| 112 | " contents without any 'tcp-request inspect-delay' setting." |
| 113 | " This means that this rule will randomly find its contents. This can be fixed by" |
| 114 | " setting the tcp-request inspect-delay.\n", |
| 115 | proxy_type_str(px), px->id); |
| 116 | } |
| 117 | |
| 118 | return 1; |
| 119 | } |
| 120 | |
Emeric Brun | 08622d3 | 2020-12-23 17:41:43 +0100 | [diff] [blame] | 121 | int act_resolution_cb(struct resolv_requester *requester, struct dns_counters *counters) |
Baptiste Assmann | 333939c | 2019-01-21 08:34:50 +0100 | [diff] [blame] | 122 | { |
| 123 | struct stream *stream; |
| 124 | |
| 125 | if (requester->resolution == NULL) |
| 126 | return 0; |
| 127 | |
| 128 | stream = objt_stream(requester->owner); |
| 129 | if (stream == NULL) |
| 130 | return 0; |
| 131 | |
| 132 | task_wakeup(stream->task, TASK_WOKEN_MSG); |
| 133 | |
| 134 | return 0; |
| 135 | } |
| 136 | |
Emeric Brun | 08622d3 | 2020-12-23 17:41:43 +0100 | [diff] [blame] | 137 | int act_resolution_error_cb(struct resolv_requester *requester, int error_code) |
Baptiste Assmann | 333939c | 2019-01-21 08:34:50 +0100 | [diff] [blame] | 138 | { |
| 139 | struct stream *stream; |
| 140 | |
| 141 | if (requester->resolution == NULL) |
| 142 | return 0; |
| 143 | |
| 144 | stream = objt_stream(requester->owner); |
| 145 | if (stream == NULL) |
| 146 | return 0; |
| 147 | |
| 148 | task_wakeup(stream->task, TASK_WOKEN_MSG); |
| 149 | |
| 150 | return 0; |
| 151 | } |
| 152 | |
Amaury Denoyelle | 8d22823 | 2020-12-10 13:43:54 +0100 | [diff] [blame] | 153 | /* Parse a set-timeout rule statement. It first checks if the timeout name is |
| 154 | * valid and returns it in <name>. Then the timeout is parsed as a plain value |
| 155 | * and * returned in <out_timeout>. If there is a parsing error, the value is |
| 156 | * reparsed as an expression and returned in <expr>. |
| 157 | * |
| 158 | * Returns -1 if the name is invalid or neither a time or an expression can be |
| 159 | * parsed, or if the timeout value is 0. |
| 160 | */ |
| 161 | int cfg_parse_rule_set_timeout(const char **args, int idx, int *out_timeout, |
| 162 | enum act_timeout_name *name, |
| 163 | struct sample_expr **expr, char **err, |
| 164 | const char *file, int line, struct arg_list *al) |
| 165 | { |
| 166 | const char *res; |
| 167 | const char *timeout_name = args[idx++]; |
| 168 | |
Tim Duesterhus | e5ff141 | 2021-01-02 22:31:53 +0100 | [diff] [blame] | 169 | if (strcmp(timeout_name, "server") == 0) { |
Amaury Denoyelle | 8d22823 | 2020-12-10 13:43:54 +0100 | [diff] [blame] | 170 | *name = ACT_TIMEOUT_SERVER; |
| 171 | } |
Tim Duesterhus | e5ff141 | 2021-01-02 22:31:53 +0100 | [diff] [blame] | 172 | else if (strcmp(timeout_name, "tunnel") == 0) { |
Amaury Denoyelle | 8d22823 | 2020-12-10 13:43:54 +0100 | [diff] [blame] | 173 | *name = ACT_TIMEOUT_TUNNEL; |
| 174 | } |
| 175 | else { |
| 176 | memprintf(err, |
| 177 | "'set-timeout' rule supports 'server'/'tunnel' (got '%s')", |
| 178 | timeout_name); |
| 179 | return -1; |
| 180 | } |
| 181 | |
| 182 | res = parse_time_err(args[idx], (unsigned int *)out_timeout, TIME_UNIT_MS); |
| 183 | if (res == PARSE_TIME_OVER) { |
| 184 | memprintf(err, "timer overflow in argument '%s' to rule 'set-timeout %s' (maximum value is 2147483647 ms or ~24.8 days)", |
| 185 | args[idx], timeout_name); |
| 186 | return -1; |
| 187 | } |
| 188 | else if (res == PARSE_TIME_UNDER) { |
| 189 | memprintf(err, "timer underflow in argument '%s' to rule 'set-timeout %s' (minimum value is 1 ms)", |
| 190 | args[idx], timeout_name); |
| 191 | return -1; |
| 192 | } |
| 193 | /* res not NULL, parsing error */ |
| 194 | else if (res) { |
| 195 | *expr = sample_parse_expr((char **)args, &idx, file, line, err, al, NULL); |
| 196 | if (!*expr) { |
| 197 | memprintf(err, "unexpected character '%c' in rule 'set-timeout %s'", *res, timeout_name); |
| 198 | return -1; |
| 199 | } |
| 200 | } |
| 201 | /* res NULL, parsing ok but value is 0 */ |
| 202 | else if (!(*out_timeout)) { |
| 203 | memprintf(err, "null value is not valid for a 'set-timeout %s' rule", |
| 204 | timeout_name); |
| 205 | return -1; |
| 206 | } |
| 207 | |
| 208 | return 0; |
| 209 | } |
Willy Tarreau | 99eb2cc | 2021-03-12 11:59:24 +0100 | [diff] [blame] | 210 | |
| 211 | /* tries to find in list <keywords> a similar looking action as the one in |
| 212 | * <word>, and returns it otherwise NULL. <word> may be NULL or empty. An |
| 213 | * optional array of extra words to compare may be passed in <extra>, but it |
| 214 | * must then be terminated by a NULL entry. If unused it may be NULL. |
| 215 | */ |
| 216 | const char *action_suggest(const char *word, const struct list *keywords, const char **extra) |
| 217 | { |
| 218 | uint8_t word_sig[1024]; |
| 219 | uint8_t list_sig[1024]; |
| 220 | const struct action_kw_list *kwl; |
| 221 | const struct action_kw *best_kw = NULL; |
| 222 | const char *best_ptr = NULL; |
| 223 | int dist, best_dist = INT_MAX; |
| 224 | int index; |
| 225 | |
| 226 | if (!word || !*word) |
| 227 | return NULL; |
| 228 | |
| 229 | make_word_fingerprint(word_sig, word); |
| 230 | list_for_each_entry(kwl, keywords, list) { |
| 231 | for (index = 0; kwl->kw[index].kw != NULL; index++) { |
| 232 | make_word_fingerprint(list_sig, kwl->kw[index].kw); |
| 233 | dist = word_fingerprint_distance(word_sig, list_sig); |
| 234 | if (dist < best_dist) { |
| 235 | best_dist = dist; |
| 236 | best_kw = &kwl->kw[index]; |
| 237 | best_ptr = best_kw->kw; |
| 238 | } |
| 239 | } |
| 240 | } |
| 241 | |
| 242 | while (extra && *extra) { |
| 243 | make_word_fingerprint(list_sig, *extra); |
| 244 | dist = word_fingerprint_distance(word_sig, list_sig); |
| 245 | if (dist < best_dist) { |
| 246 | best_dist = dist; |
| 247 | best_kw = NULL; |
| 248 | best_ptr = *extra; |
| 249 | } |
| 250 | extra++; |
| 251 | } |
| 252 | |
| 253 | /* eliminate too different ones, with more tolerance for prefixes |
| 254 | * when they're known to exist (not from extra list). |
| 255 | */ |
| 256 | if (best_ptr && |
| 257 | (best_dist > (2 + (best_kw && best_kw->match_pfx)) * strlen(word) || |
| 258 | best_dist > (2 + (best_kw && best_kw->match_pfx)) * strlen(best_ptr))) |
| 259 | best_ptr = NULL; |
| 260 | |
| 261 | return best_ptr; |
| 262 | } |
Amaury Denoyelle | 68fd7e4 | 2021-03-25 17:15:52 +0100 | [diff] [blame] | 263 | |
| 264 | void free_act_rules(struct list *rules) |
| 265 | { |
| 266 | struct act_rule *rule, *ruleb; |
| 267 | |
| 268 | list_for_each_entry_safe(rule, ruleb, rules, list) { |
| 269 | LIST_DEL(&rule->list); |
| 270 | free_acl_cond(rule->cond); |
| 271 | if (rule->release_ptr) |
| 272 | rule->release_ptr(rule); |
| 273 | free(rule); |
| 274 | } |
| 275 | } |