blob: d4aecc8c0f3044178180eada5880bf328de07299 [file] [log] [blame]
Christopher Faulet78880fb2017-09-18 14:43:55 +02001/*
2 * Action management functions.
3 *
4 * Copyright 2017 HAProxy Technologies, Christopher Faulet <cfaulet@haproxy.com>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
Amaury Denoyelle68fd7e42021-03-25 17:15:52 +010013#include <haproxy/acl.h>
Willy Tarreau122eba92020-06-04 10:15:32 +020014#include <haproxy/action.h>
Willy Tarreau4c7e4b72020-05-27 12:58:42 +020015#include <haproxy/api.h>
Christopher Faulet581db2b2021-03-26 10:02:46 +010016#include <haproxy/cfgparse.h>
Willy Tarreau36979d92020-06-05 17:27:29 +020017#include <haproxy/errors.h>
Willy Tarreaub2551052020-06-09 09:07:15 +020018#include <haproxy/list.h>
Willy Tarreau8efbdfb2020-06-04 11:29:21 +020019#include <haproxy/obj_type.h>
Willy Tarreaud0ef4392020-06-02 09:38:52 +020020#include <haproxy/pool.h>
Willy Tarreaua264d962020-06-04 22:29:18 +020021#include <haproxy/proxy.h>
Willy Tarreaub2551052020-06-09 09:07:15 +020022#include <haproxy/stick_table.h>
Willy Tarreaucea0e1b2020-06-04 17:25:40 +020023#include <haproxy/task.h>
Willy Tarreau48fbcae2020-06-03 18:09:46 +020024#include <haproxy/tools.h>
Christopher Faulet78880fb2017-09-18 14:43:55 +020025
Christopher Faulet78880fb2017-09-18 14:43:55 +020026
Christopher Faulet42c6cf92021-03-25 17:19:04 +010027/* Check an action ruleset validity. It returns the number of error encountered
Ilya Shipitsinb2be9a12021-04-24 13:25:42 +050028 * and err_code is updated if a warning is emitted.
Christopher Faulet42c6cf92021-03-25 17:19:04 +010029 */
30int check_action_rules(struct list *rules, struct proxy *px, int *err_code)
31{
32 struct act_rule *rule;
33 char *errmsg = NULL;
34 int err = 0;
35
36 list_for_each_entry(rule, rules, list) {
37 if (rule->check_ptr && !rule->check_ptr(rule, px, &errmsg)) {
38 ha_alert("Proxy '%s': %s.\n", px->id, errmsg);
39 err++;
40 }
Christopher Faulet581db2b2021-03-26 10:02:46 +010041 *err_code |= warnif_tcp_http_cond(px, rule->cond);
Tim Duesterhus025b93e2021-11-04 21:03:52 +010042 ha_free(&errmsg);
Christopher Faulet42c6cf92021-03-25 17:19:04 +010043 }
44
45 return err;
46}
47
Christopher Fauletac98d812019-12-18 09:20:16 +010048/* Find and check the target table used by an action track-sc*. This
Christopher Faulet78880fb2017-09-18 14:43:55 +020049 * function should be called during the configuration validity check.
50 *
51 * The function returns 1 in success case, otherwise, it returns 0 and err is
52 * filled.
53 */
54int check_trk_action(struct act_rule *rule, struct proxy *px, char **err)
55{
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010056 struct stktable *target;
Christopher Faulet78880fb2017-09-18 14:43:55 +020057
58 if (rule->arg.trk_ctr.table.n)
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010059 target = stktable_find_by_name(rule->arg.trk_ctr.table.n);
Christopher Faulet78880fb2017-09-18 14:43:55 +020060 else
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010061 target = px->table;
Christopher Faulet78880fb2017-09-18 14:43:55 +020062
63 if (!target) {
64 memprintf(err, "unable to find table '%s' referenced by track-sc%d",
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010065 rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id,
Christopher Fauletac98d812019-12-18 09:20:16 +010066 rule->action);
Christopher Faulet78880fb2017-09-18 14:43:55 +020067 return 0;
68 }
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010069
70 if (!stktable_compatible_sample(rule->arg.trk_ctr.expr, target->type)) {
Christopher Faulet78880fb2017-09-18 14:43:55 +020071 memprintf(err, "stick-table '%s' uses a type incompatible with the 'track-sc%d' rule",
72 rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id,
Christopher Fauletac98d812019-12-18 09:20:16 +010073 rule->action);
Christopher Faulet78880fb2017-09-18 14:43:55 +020074 return 0;
75 }
Christopher Faulet78880fb2017-09-18 14:43:55 +020076 else {
Frédéric Lécaillebe367932019-08-07 09:28:39 +020077 if (!in_proxies_list(target->proxies_list, px)) {
Frédéric Lécaille015e4d72019-03-19 14:55:01 +010078 px->next_stkt_ref = target->proxies_list;
79 target->proxies_list = px;
80 }
Christopher Faulet78880fb2017-09-18 14:43:55 +020081 free(rule->arg.trk_ctr.table.n);
Frédéric Lécaille1b8e68e2019-03-14 07:07:41 +010082 rule->arg.trk_ctr.table.t = target;
Christopher Faulet78880fb2017-09-18 14:43:55 +020083 /* Note: if we decide to enhance the track-sc syntax, we may be
84 * able to pass a list of counters to track and allocate them
85 * right here using stktable_alloc_data_type().
86 */
87 }
Christopher Fauletac98d812019-12-18 09:20:16 +010088
Christopher Faulet2079a4a2020-10-02 11:48:57 +020089 if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE)) {
90 if (!px->tcp_req.inspect_delay && !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) {
Amaury Denoyelle11124302021-06-04 18:22:08 +020091 ha_warning("%s '%s' : a 'tcp-request content track-sc*' rule explicitly depending on request"
Christopher Faulet2079a4a2020-10-02 11:48:57 +020092 " contents without any 'tcp-request inspect-delay' setting."
93 " This means that this rule will randomly find its contents. This can be fixed by"
94 " setting the tcp-request inspect-delay.\n",
95 proxy_type_str(px), px->id);
96 }
97
98 /* The following warning is emitted because HTTP multiplexers are able to catch errors
99 * or timeouts at the session level, before instantiating any stream.
100 * Thus the tcp-request content ruleset will not be evaluated in such case. It means,
101 * http_req and http_err counters will not be incremented as expected, even if the tracked
102 * counter does not use the request content. To track invalid requests it should be
103 * performed at the session level using a tcp-request session rule.
104 */
105 if (px->mode == PR_MODE_HTTP &&
106 !(rule->arg.trk_ctr.expr->fetch->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)) &&
107 (!rule->cond || !(rule->cond->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)))) {
Amaury Denoyelle11124302021-06-04 18:22:08 +0200108 ha_warning("%s '%s' : a 'tcp-request content track-sc*' rule not depending on request"
Christopher Faulet2079a4a2020-10-02 11:48:57 +0200109 " contents for an HTTP frontend should be executed at the session level, using a"
110 " 'tcp-request session' rule (mandatory to track invalid HTTP requests).\n",
111 proxy_type_str(px), px->id);
112 }
Christopher Fauletac98d812019-12-18 09:20:16 +0100113 }
114
Christopher Faulet78880fb2017-09-18 14:43:55 +0200115 return 1;
116}
117
Christopher Fauletd73b96d2019-12-19 17:27:03 +0100118/* check a capture rule. This function should be called during the configuration
119 * validity check.
120 *
121 * The function returns 1 in success case, otherwise, it returns 0 and err is
122 * filled.
123 */
124int check_capture(struct act_rule *rule, struct proxy *px, char **err)
125{
126 if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE) && !px->tcp_req.inspect_delay &&
127 !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) {
Amaury Denoyelle11124302021-06-04 18:22:08 +0200128 ha_warning("%s '%s' : a 'tcp-request capture' rule explicitly depending on request"
Christopher Fauletd73b96d2019-12-19 17:27:03 +0100129 " contents without any 'tcp-request inspect-delay' setting."
130 " This means that this rule will randomly find its contents. This can be fixed by"
131 " setting the tcp-request inspect-delay.\n",
132 proxy_type_str(px), px->id);
133 }
134
135 return 1;
136}
137
Emeric Brun08622d32020-12-23 17:41:43 +0100138int act_resolution_cb(struct resolv_requester *requester, struct dns_counters *counters)
Baptiste Assmann333939c2019-01-21 08:34:50 +0100139{
140 struct stream *stream;
141
142 if (requester->resolution == NULL)
143 return 0;
144
145 stream = objt_stream(requester->owner);
146 if (stream == NULL)
147 return 0;
148
149 task_wakeup(stream->task, TASK_WOKEN_MSG);
150
151 return 0;
152}
153
Emeric Brun12ca6582021-06-10 15:25:25 +0200154/*
155 * Do resolve error management callback
156 * returns:
157 * 0 if we can trash answser items.
158 * 1 when safely ignored and we must kept answer items
159 */
Emeric Brun08622d32020-12-23 17:41:43 +0100160int act_resolution_error_cb(struct resolv_requester *requester, int error_code)
Baptiste Assmann333939c2019-01-21 08:34:50 +0100161{
162 struct stream *stream;
163
164 if (requester->resolution == NULL)
165 return 0;
166
167 stream = objt_stream(requester->owner);
168 if (stream == NULL)
169 return 0;
170
171 task_wakeup(stream->task, TASK_WOKEN_MSG);
172
173 return 0;
174}
175
Amaury Denoyelle8d228232020-12-10 13:43:54 +0100176/* Parse a set-timeout rule statement. It first checks if the timeout name is
177 * valid and returns it in <name>. Then the timeout is parsed as a plain value
178 * and * returned in <out_timeout>. If there is a parsing error, the value is
179 * reparsed as an expression and returned in <expr>.
180 *
181 * Returns -1 if the name is invalid or neither a time or an expression can be
182 * parsed, or if the timeout value is 0.
183 */
184int cfg_parse_rule_set_timeout(const char **args, int idx, int *out_timeout,
185 enum act_timeout_name *name,
186 struct sample_expr **expr, char **err,
187 const char *file, int line, struct arg_list *al)
188{
189 const char *res;
190 const char *timeout_name = args[idx++];
191
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100192 if (strcmp(timeout_name, "server") == 0) {
Amaury Denoyelle8d228232020-12-10 13:43:54 +0100193 *name = ACT_TIMEOUT_SERVER;
194 }
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100195 else if (strcmp(timeout_name, "tunnel") == 0) {
Amaury Denoyelle8d228232020-12-10 13:43:54 +0100196 *name = ACT_TIMEOUT_TUNNEL;
197 }
198 else {
199 memprintf(err,
200 "'set-timeout' rule supports 'server'/'tunnel' (got '%s')",
201 timeout_name);
202 return -1;
203 }
204
205 res = parse_time_err(args[idx], (unsigned int *)out_timeout, TIME_UNIT_MS);
206 if (res == PARSE_TIME_OVER) {
207 memprintf(err, "timer overflow in argument '%s' to rule 'set-timeout %s' (maximum value is 2147483647 ms or ~24.8 days)",
208 args[idx], timeout_name);
209 return -1;
210 }
211 else if (res == PARSE_TIME_UNDER) {
212 memprintf(err, "timer underflow in argument '%s' to rule 'set-timeout %s' (minimum value is 1 ms)",
213 args[idx], timeout_name);
214 return -1;
215 }
216 /* res not NULL, parsing error */
217 else if (res) {
218 *expr = sample_parse_expr((char **)args, &idx, file, line, err, al, NULL);
219 if (!*expr) {
220 memprintf(err, "unexpected character '%c' in rule 'set-timeout %s'", *res, timeout_name);
221 return -1;
222 }
223 }
224 /* res NULL, parsing ok but value is 0 */
225 else if (!(*out_timeout)) {
226 memprintf(err, "null value is not valid for a 'set-timeout %s' rule",
227 timeout_name);
228 return -1;
229 }
230
231 return 0;
232}
Willy Tarreau99eb2cc2021-03-12 11:59:24 +0100233
234/* tries to find in list <keywords> a similar looking action as the one in
235 * <word>, and returns it otherwise NULL. <word> may be NULL or empty. An
236 * optional array of extra words to compare may be passed in <extra>, but it
237 * must then be terminated by a NULL entry. If unused it may be NULL.
238 */
239const char *action_suggest(const char *word, const struct list *keywords, const char **extra)
240{
241 uint8_t word_sig[1024];
242 uint8_t list_sig[1024];
243 const struct action_kw_list *kwl;
244 const struct action_kw *best_kw = NULL;
245 const char *best_ptr = NULL;
246 int dist, best_dist = INT_MAX;
247 int index;
248
249 if (!word || !*word)
250 return NULL;
251
252 make_word_fingerprint(word_sig, word);
253 list_for_each_entry(kwl, keywords, list) {
254 for (index = 0; kwl->kw[index].kw != NULL; index++) {
255 make_word_fingerprint(list_sig, kwl->kw[index].kw);
256 dist = word_fingerprint_distance(word_sig, list_sig);
257 if (dist < best_dist) {
258 best_dist = dist;
259 best_kw = &kwl->kw[index];
260 best_ptr = best_kw->kw;
261 }
262 }
263 }
264
265 while (extra && *extra) {
266 make_word_fingerprint(list_sig, *extra);
267 dist = word_fingerprint_distance(word_sig, list_sig);
268 if (dist < best_dist) {
269 best_dist = dist;
270 best_kw = NULL;
271 best_ptr = *extra;
272 }
273 extra++;
274 }
275
276 /* eliminate too different ones, with more tolerance for prefixes
277 * when they're known to exist (not from extra list).
278 */
279 if (best_ptr &&
Amaury Denoyellee4a617c2021-05-06 15:33:09 +0200280 (best_dist > (2 + (best_kw && (best_kw->flags & KWF_MATCH_PREFIX))) * strlen(word) ||
281 best_dist > (2 + (best_kw && (best_kw->flags & KWF_MATCH_PREFIX))) * strlen(best_ptr)))
Willy Tarreau99eb2cc2021-03-12 11:59:24 +0100282 best_ptr = NULL;
283
284 return best_ptr;
285}
Amaury Denoyelle68fd7e42021-03-25 17:15:52 +0100286
Willy Tarreaud535f802021-10-11 08:49:26 +0200287/* allocates a rule for ruleset <from> (ACT_F_*), from file name <file> and
288 * line <linenum>. <file> and <linenum> may be zero if unknown. Returns the
289 * rule, otherwise NULL in case of memory allocation error.
290 */
291struct act_rule *new_act_rule(enum act_from from, const char *file, int linenum)
292{
293 struct act_rule *rule;
294
295 rule = calloc(1, sizeof(*rule));
296 if (!rule)
297 return NULL;
298 rule->from = from;
Willy Tarreauc9e48682021-10-11 09:13:07 +0200299 rule->conf.file = file ? strdup(file) : NULL;
300 rule->conf.line = linenum;
Willy Tarreaud535f802021-10-11 08:49:26 +0200301 return rule;
302}
303
Willy Tarreau6a783e42022-03-17 20:23:43 +0100304/* fees rule <rule> and its elements as well as the condition */
305void free_act_rule(struct act_rule *rule)
306{
307 LIST_DELETE(&rule->list);
308 free_acl_cond(rule->cond);
309 if (rule->release_ptr)
310 rule->release_ptr(rule);
311 free(rule->conf.file);
312 free(rule);
313}
314
Amaury Denoyelle68fd7e42021-03-25 17:15:52 +0100315void free_act_rules(struct list *rules)
316{
317 struct act_rule *rule, *ruleb;
318
319 list_for_each_entry_safe(rule, ruleb, rules, list) {
Willy Tarreau6a783e42022-03-17 20:23:43 +0100320 free_act_rule(rule);
Amaury Denoyelle68fd7e42021-03-25 17:15:52 +0100321 }
322}