blob: bbd5820b4c0e30351c0206331a394f031f6ed50c [file] [log] [blame]
Willy Tarreau39713102016-11-25 15:49:32 +01001/*
2 * "tcp" rules processing
3 *
4 * Copyright 2000-2016 Willy Tarreau <w@1wt.eu>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
Willy Tarreaudcc048a2020-06-04 19:11:43 +020012#include <haproxy/acl.h>
Willy Tarreau122eba92020-06-04 10:15:32 +020013#include <haproxy/action.h>
Willy Tarreau4c7e4b72020-05-27 12:58:42 +020014#include <haproxy/api.h>
Willy Tarreaub2551052020-06-09 09:07:15 +020015#include <haproxy/arg-t.h>
Willy Tarreau278161c2020-06-04 11:18:28 +020016#include <haproxy/capture-t.h>
Willy Tarreau6be78492020-06-05 00:00:29 +020017#include <haproxy/cfgparse.h>
Willy Tarreauf1d32c42020-06-04 21:07:02 +020018#include <haproxy/channel.h>
Willy Tarreau7ea393d2020-06-04 18:02:10 +020019#include <haproxy/connection.h>
Willy Tarreauf268ee82020-06-04 17:05:57 +020020#include <haproxy/global.h>
Willy Tarreau853b2972020-05-27 18:01:47 +020021#include <haproxy/list.h>
Willy Tarreauaeed4a82020-06-04 22:01:04 +020022#include <haproxy/log.h>
Willy Tarreaua264d962020-06-04 22:29:18 +020023#include <haproxy/proxy.h>
Willy Tarreaue6ce10b2020-06-04 15:33:47 +020024#include <haproxy/sample.h>
Willy Tarreaudfd3de82020-06-04 23:46:14 +020025#include <haproxy/stick_table.h>
26#include <haproxy/stream-t.h>
Willy Tarreau5e539c92020-06-04 20:45:39 +020027#include <haproxy/stream_interface.h>
Willy Tarreau8b550af2020-06-04 17:42:48 +020028#include <haproxy/tcp_rules.h>
Willy Tarreauc2f7c582020-06-02 18:15:32 +020029#include <haproxy/ticks.h>
Willy Tarreau92b4f132020-06-01 11:05:15 +020030#include <haproxy/time.h>
Willy Tarreaub2551052020-06-09 09:07:15 +020031#include <haproxy/tools.h>
Willy Tarreaudfd3de82020-06-04 23:46:14 +020032#include <haproxy/trace.h>
Willy Tarreau39713102016-11-25 15:49:32 +010033
Willy Tarreau39713102016-11-25 15:49:32 +010034
Christopher Fauleteea8fc72019-11-05 16:18:10 +010035#define TRACE_SOURCE &trace_strm
36
Willy Tarreau39713102016-11-25 15:49:32 +010037/* List head of all known action keywords for "tcp-request connection" */
38struct list tcp_req_conn_keywords = LIST_HEAD_INIT(tcp_req_conn_keywords);
39struct list tcp_req_sess_keywords = LIST_HEAD_INIT(tcp_req_sess_keywords);
40struct list tcp_req_cont_keywords = LIST_HEAD_INIT(tcp_req_cont_keywords);
41struct list tcp_res_cont_keywords = LIST_HEAD_INIT(tcp_res_cont_keywords);
42
43/*
44 * Register keywords.
45 */
46void tcp_req_conn_keywords_register(struct action_kw_list *kw_list)
47{
Willy Tarreau2b718102021-04-21 07:32:39 +020048 LIST_APPEND(&tcp_req_conn_keywords, &kw_list->list);
Willy Tarreau39713102016-11-25 15:49:32 +010049}
50
51void tcp_req_sess_keywords_register(struct action_kw_list *kw_list)
52{
Willy Tarreau2b718102021-04-21 07:32:39 +020053 LIST_APPEND(&tcp_req_sess_keywords, &kw_list->list);
Willy Tarreau39713102016-11-25 15:49:32 +010054}
55
56void tcp_req_cont_keywords_register(struct action_kw_list *kw_list)
57{
Willy Tarreau2b718102021-04-21 07:32:39 +020058 LIST_APPEND(&tcp_req_cont_keywords, &kw_list->list);
Willy Tarreau39713102016-11-25 15:49:32 +010059}
60
61void tcp_res_cont_keywords_register(struct action_kw_list *kw_list)
62{
Willy Tarreau2b718102021-04-21 07:32:39 +020063 LIST_APPEND(&tcp_res_cont_keywords, &kw_list->list);
Willy Tarreau39713102016-11-25 15:49:32 +010064}
65
66/*
67 * Return the struct tcp_req_action_kw associated to a keyword.
68 */
Thierry Fournier7a71a6d2020-11-28 17:40:24 +010069struct action_kw *tcp_req_conn_action(const char *kw)
Willy Tarreau39713102016-11-25 15:49:32 +010070{
71 return action_lookup(&tcp_req_conn_keywords, kw);
72}
73
Thierry Fournier7a71a6d2020-11-28 17:40:24 +010074struct action_kw *tcp_req_sess_action(const char *kw)
Willy Tarreau39713102016-11-25 15:49:32 +010075{
76 return action_lookup(&tcp_req_sess_keywords, kw);
77}
78
Thierry Fournier7a71a6d2020-11-28 17:40:24 +010079struct action_kw *tcp_req_cont_action(const char *kw)
Willy Tarreau39713102016-11-25 15:49:32 +010080{
81 return action_lookup(&tcp_req_cont_keywords, kw);
82}
83
Thierry Fournier7a71a6d2020-11-28 17:40:24 +010084struct action_kw *tcp_res_cont_action(const char *kw)
Willy Tarreau39713102016-11-25 15:49:32 +010085{
86 return action_lookup(&tcp_res_cont_keywords, kw);
87}
88
89/* This function performs the TCP request analysis on the current request. It
90 * returns 1 if the processing can continue on next analysers, or zero if it
91 * needs more data, encounters an error, or wants to immediately abort the
92 * request. It relies on buffers flags, and updates s->req->analysers. The
93 * function may be called for frontend rules and backend rules. It only relies
94 * on the backend pointer so this works for both cases.
95 */
96int tcp_inspect_request(struct stream *s, struct channel *req, int an_bit)
97{
98 struct session *sess = s->sess;
99 struct act_rule *rule;
Willy Tarreau39713102016-11-25 15:49:32 +0100100 int partial;
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100101 int act_opts = 0;
Willy Tarreau39713102016-11-25 15:49:32 +0100102
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100103 DBG_TRACE_ENTER(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100104
105 /* We don't know whether we have enough data, so must proceed
106 * this way :
107 * - iterate through all rules in their declaration order
108 * - if one rule returns MISS, it means the inspect delay is
109 * not over yet, then return immediately, otherwise consider
110 * it as a non-match.
111 * - if one rule returns OK, then return OK
112 * - if one rule returns KO, then return KO
113 */
114
Willy Tarreau23752332018-06-15 14:54:53 +0200115 if ((req->flags & CF_SHUTR) || channel_full(req, global.tune.maxrewrite) ||
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200116 !s->be->tcp_req.inspect_delay || tick_is_expired(s->rules_exp, now_ms))
Willy Tarreau39713102016-11-25 15:49:32 +0100117 partial = SMP_OPT_FINAL;
118 else
119 partial = 0;
120
121 /* If "the current_rule_list" match the executed rule list, we are in
122 * resume condition. If a resume is needed it is always in the action
123 * and never in the ACL or converters. In this case, we initialise the
124 * current rule, and go to the action execution point.
125 */
126 if (s->current_rule) {
127 rule = s->current_rule;
128 s->current_rule = NULL;
129 if (s->current_rule_list == &s->be->tcp_req.inspect_rules)
130 goto resume_execution;
131 }
132 s->current_rule_list = &s->be->tcp_req.inspect_rules;
133
134 list_for_each_entry(rule, &s->be->tcp_req.inspect_rules, list) {
135 enum acl_test_res ret = ACL_TEST_PASS;
136
137 if (rule->cond) {
138 ret = acl_exec_cond(rule->cond, s->be, sess, s, SMP_OPT_DIR_REQ | partial);
139 if (ret == ACL_TEST_MISS)
140 goto missing_data;
141
142 ret = acl_pass(ret);
143 if (rule->cond->pol == ACL_COND_UNLESS)
144 ret = !ret;
145 }
146
147 if (ret) {
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100148 act_opts |= ACT_OPT_FIRST;
Willy Tarreau39713102016-11-25 15:49:32 +0100149resume_execution:
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100150
151 /* Always call the action function if defined */
152 if (rule->action_ptr) {
153 if (partial & SMP_OPT_FINAL)
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100154 act_opts |= ACT_OPT_FINAL;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100155
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100156 switch (rule->action_ptr(rule, s->be, s->sess, s, act_opts)) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100157 case ACT_RET_CONT:
158 break;
159 case ACT_RET_STOP:
160 case ACT_RET_DONE:
161 goto end;
162 case ACT_RET_YIELD:
163 s->current_rule = rule;
Christopher Faulet99aaca92020-07-28 11:30:19 +0200164 if (partial & SMP_OPT_FINAL) {
165 send_log(s->be, LOG_WARNING,
166 "Internal error: yield not allowed if the inspect-delay expired "
167 "for the tcp-request content actions.");
168 goto internal;
169 }
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100170 goto missing_data;
171 case ACT_RET_DENY:
172 goto deny;
173 case ACT_RET_ABRT:
174 goto abort;
175 case ACT_RET_ERR:
176 goto internal;
177 case ACT_RET_INV:
178 goto invalid;
179 }
180 continue; /* eval the next rule */
181 }
182
183 /* If not action function defined, check for known actions */
Willy Tarreau39713102016-11-25 15:49:32 +0100184 if (rule->action == ACT_ACTION_ALLOW) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100185 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100186 }
187 else if (rule->action == ACT_ACTION_DENY) {
Christopher Faulet282992e2019-12-16 12:34:31 +0100188 goto deny;
Willy Tarreau39713102016-11-25 15:49:32 +0100189 }
Willy Tarreau39713102016-11-25 15:49:32 +0100190 }
191 }
192
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100193 end:
Willy Tarreau39713102016-11-25 15:49:32 +0100194 /* if we get there, it means we have no rule which matches, or
195 * we have an explicit accept, so we apply the default accept.
196 */
197 req->analysers &= ~an_bit;
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200198 req->analyse_exp = s->rules_exp = TICK_ETERNITY;
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100199 DBG_TRACE_LEAVE(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100200 return 1;
201
202 missing_data:
203 channel_dont_connect(req);
204 /* just set the request timeout once at the beginning of the request */
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200205 if (!tick_isset(s->rules_exp) && s->be->tcp_req.inspect_delay)
206 s->rules_exp = tick_add(now_ms, s->be->tcp_req.inspect_delay);
207 req->analyse_exp = tick_first((tick_is_expired(req->analyse_exp, now_ms) ? 0 : req->analyse_exp), s->rules_exp);
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100208 DBG_TRACE_DEVEL("waiting for more data", STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100209 return 0;
210
Christopher Faulet282992e2019-12-16 12:34:31 +0100211 deny:
Willy Tarreau4781b152021-04-06 13:53:36 +0200212 _HA_ATOMIC_INC(&sess->fe->fe_counters.denied_req);
Christopher Faulet282992e2019-12-16 12:34:31 +0100213 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200214 _HA_ATOMIC_INC(&sess->listener->counters->denied_req);
Christopher Faulet282992e2019-12-16 12:34:31 +0100215 goto reject;
216
217 internal:
Willy Tarreau4781b152021-04-06 13:53:36 +0200218 _HA_ATOMIC_INC(&sess->fe->fe_counters.internal_errors);
Christopher Faulet282992e2019-12-16 12:34:31 +0100219 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200220 _HA_ATOMIC_INC(&sess->listener->counters->internal_errors);
Christopher Faulet282992e2019-12-16 12:34:31 +0100221 if (!(s->flags & SF_ERR_MASK))
222 s->flags |= SF_ERR_INTERNAL;
223 goto reject;
224
225 invalid:
Willy Tarreau4781b152021-04-06 13:53:36 +0200226 _HA_ATOMIC_INC(&sess->fe->fe_counters.failed_req);
Christopher Faulet282992e2019-12-16 12:34:31 +0100227 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200228 _HA_ATOMIC_INC(&sess->listener->counters->failed_req);
Christopher Faulet282992e2019-12-16 12:34:31 +0100229
230 reject:
231 si_must_kill_conn(chn_prod(req));
232 channel_abort(req);
233 channel_abort(&s->res);
234
235 abort:
236 req->analysers &= AN_REQ_FLT_END;
237
238 if (!(s->flags & SF_ERR_MASK))
239 s->flags |= SF_ERR_PRXCOND;
240 if (!(s->flags & SF_FINST_MASK))
241 s->flags |= SF_FINST_R;
242 DBG_TRACE_DEVEL("leaving on error|deny|abort", STRM_EV_STRM_ANA|STRM_EV_TCP_ANA|STRM_EV_TCP_ERR, s);
243 return 0;
Willy Tarreau39713102016-11-25 15:49:32 +0100244}
245
246/* This function performs the TCP response analysis on the current response. It
247 * returns 1 if the processing can continue on next analysers, or zero if it
248 * needs more data, encounters an error, or wants to immediately abort the
249 * response. It relies on buffers flags, and updates s->rep->analysers. The
250 * function may be called for backend rules.
251 */
252int tcp_inspect_response(struct stream *s, struct channel *rep, int an_bit)
253{
254 struct session *sess = s->sess;
255 struct act_rule *rule;
256 int partial;
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100257 int act_opts = 0;
Willy Tarreau39713102016-11-25 15:49:32 +0100258
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100259 DBG_TRACE_ENTER(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100260
261 /* We don't know whether we have enough data, so must proceed
262 * this way :
263 * - iterate through all rules in their declaration order
264 * - if one rule returns MISS, it means the inspect delay is
265 * not over yet, then return immediately, otherwise consider
266 * it as a non-match.
267 * - if one rule returns OK, then return OK
268 * - if one rule returns KO, then return KO
269 */
Willy Tarreau55ae1ab2020-06-15 18:08:07 +0200270 if ((rep->flags & CF_SHUTR) || channel_full(rep, global.tune.maxrewrite) ||
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200271 !s->be->tcp_rep.inspect_delay || tick_is_expired(s->rules_exp, now_ms))
Willy Tarreau39713102016-11-25 15:49:32 +0100272 partial = SMP_OPT_FINAL;
273 else
274 partial = 0;
275
276 /* If "the current_rule_list" match the executed rule list, we are in
277 * resume condition. If a resume is needed it is always in the action
278 * and never in the ACL or converters. In this case, we initialise the
279 * current rule, and go to the action execution point.
280 */
281 if (s->current_rule) {
282 rule = s->current_rule;
283 s->current_rule = NULL;
284 if (s->current_rule_list == &s->be->tcp_rep.inspect_rules)
285 goto resume_execution;
286 }
287 s->current_rule_list = &s->be->tcp_rep.inspect_rules;
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200288 s->rules_exp = TICK_ETERNITY;
Willy Tarreau39713102016-11-25 15:49:32 +0100289
290 list_for_each_entry(rule, &s->be->tcp_rep.inspect_rules, list) {
291 enum acl_test_res ret = ACL_TEST_PASS;
292
293 if (rule->cond) {
294 ret = acl_exec_cond(rule->cond, s->be, sess, s, SMP_OPT_DIR_RES | partial);
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200295 if (ret == ACL_TEST_MISS)
296 goto missing_data;
Willy Tarreau39713102016-11-25 15:49:32 +0100297
298 ret = acl_pass(ret);
299 if (rule->cond->pol == ACL_COND_UNLESS)
300 ret = !ret;
301 }
302
303 if (ret) {
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100304 act_opts |= ACT_OPT_FIRST;
Willy Tarreau39713102016-11-25 15:49:32 +0100305resume_execution:
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100306 /* Always call the action function if defined */
307 if (rule->action_ptr) {
308 if (partial & SMP_OPT_FINAL)
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100309 act_opts |= ACT_OPT_FINAL;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100310
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100311 switch (rule->action_ptr(rule, s->be, s->sess, s, act_opts)) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100312 case ACT_RET_CONT:
313 break;
314 case ACT_RET_STOP:
315 case ACT_RET_DONE:
316 goto end;
317 case ACT_RET_YIELD:
318 s->current_rule = rule;
Christopher Faulet99aaca92020-07-28 11:30:19 +0200319 if (partial & SMP_OPT_FINAL) {
320 send_log(s->be, LOG_WARNING,
321 "Internal error: yield not allowed if the inspect-delay expired "
322 "for the tcp-response content actions.");
323 goto internal;
324 }
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200325 channel_dont_close(rep);
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100326 goto missing_data;
327 case ACT_RET_DENY:
328 goto deny;
329 case ACT_RET_ABRT:
330 goto abort;
331 case ACT_RET_ERR:
332 goto internal;
333 case ACT_RET_INV:
334 goto invalid;
335 }
336 continue; /* eval the next rule */
337 }
338
339 /* If not action function defined, check for known actions */
Willy Tarreau39713102016-11-25 15:49:32 +0100340 if (rule->action == ACT_ACTION_ALLOW) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100341 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100342 }
343 else if (rule->action == ACT_ACTION_DENY) {
Christopher Faulet282992e2019-12-16 12:34:31 +0100344 goto deny;
Willy Tarreau39713102016-11-25 15:49:32 +0100345 }
346 else if (rule->action == ACT_TCP_CLOSE) {
347 chn_prod(rep)->flags |= SI_FL_NOLINGER | SI_FL_NOHALF;
Willy Tarreau0f9cd7b2019-01-31 19:02:43 +0100348 si_must_kill_conn(chn_prod(rep));
Willy Tarreau39713102016-11-25 15:49:32 +0100349 si_shutr(chn_prod(rep));
350 si_shutw(chn_prod(rep));
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100351 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100352 }
353 }
354 }
355
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100356 end:
Willy Tarreau39713102016-11-25 15:49:32 +0100357 /* if we get there, it means we have no rule which matches, or
358 * we have an explicit accept, so we apply the default accept.
359 */
360 rep->analysers &= ~an_bit;
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200361 rep->analyse_exp = s->rules_exp = TICK_ETERNITY;
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100362 DBG_TRACE_LEAVE(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100363 return 1;
Christopher Faulet282992e2019-12-16 12:34:31 +0100364
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100365 missing_data:
Christopher Faulet54f3e182020-07-29 12:00:23 +0200366 /* just set the analyser timeout once at the beginning of the response */
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200367 if (!tick_isset(s->rules_exp) && s->be->tcp_rep.inspect_delay)
368 s->rules_exp = tick_add(now_ms, s->be->tcp_rep.inspect_delay);
369 rep->analyse_exp = tick_first((tick_is_expired(rep->analyse_exp, now_ms) ? 0 : rep->analyse_exp), s->rules_exp);
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100370 DBG_TRACE_DEVEL("waiting for more data", STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
371 return 0;
372
Christopher Faulet282992e2019-12-16 12:34:31 +0100373 deny:
Willy Tarreau4781b152021-04-06 13:53:36 +0200374 _HA_ATOMIC_INC(&s->sess->fe->fe_counters.denied_resp);
375 _HA_ATOMIC_INC(&s->be->be_counters.denied_resp);
William Lallemand36119de2021-03-08 15:26:48 +0100376 if (s->sess->listener && s->sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200377 _HA_ATOMIC_INC(&s->sess->listener->counters->denied_resp);
Christopher Faulet282992e2019-12-16 12:34:31 +0100378 if (objt_server(s->target))
Willy Tarreau4781b152021-04-06 13:53:36 +0200379 _HA_ATOMIC_INC(&__objt_server(s->target)->counters.denied_resp);
Christopher Faulet282992e2019-12-16 12:34:31 +0100380 goto reject;
381
382 internal:
Willy Tarreau4781b152021-04-06 13:53:36 +0200383 _HA_ATOMIC_INC(&s->sess->fe->fe_counters.internal_errors);
384 _HA_ATOMIC_INC(&s->be->be_counters.internal_errors);
William Lallemand36119de2021-03-08 15:26:48 +0100385 if (s->sess->listener && s->sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200386 _HA_ATOMIC_INC(&s->sess->listener->counters->internal_errors);
Christopher Faulet282992e2019-12-16 12:34:31 +0100387 if (objt_server(s->target))
Willy Tarreau4781b152021-04-06 13:53:36 +0200388 _HA_ATOMIC_INC(&__objt_server(s->target)->counters.internal_errors);
Christopher Faulet282992e2019-12-16 12:34:31 +0100389 if (!(s->flags & SF_ERR_MASK))
390 s->flags |= SF_ERR_INTERNAL;
391 goto reject;
392
393 invalid:
Willy Tarreau4781b152021-04-06 13:53:36 +0200394 _HA_ATOMIC_INC(&s->be->be_counters.failed_resp);
Christopher Faulet282992e2019-12-16 12:34:31 +0100395 if (objt_server(s->target))
Willy Tarreau4781b152021-04-06 13:53:36 +0200396 _HA_ATOMIC_INC(&__objt_server(s->target)->counters.failed_resp);
Christopher Faulet282992e2019-12-16 12:34:31 +0100397
398 reject:
399 si_must_kill_conn(chn_prod(rep));
400 channel_abort(rep);
401 channel_abort(&s->req);
402
403 abort:
Christopher Faulet19dbf2d2020-07-28 11:40:07 +0200404 rep->analysers &= AN_RES_FLT_END;
Christopher Faulet282992e2019-12-16 12:34:31 +0100405
406 if (!(s->flags & SF_ERR_MASK))
407 s->flags |= SF_ERR_PRXCOND;
408 if (!(s->flags & SF_FINST_MASK))
409 s->flags |= SF_FINST_D;
410 DBG_TRACE_DEVEL("leaving on error", STRM_EV_STRM_ANA|STRM_EV_TCP_ANA|STRM_EV_TCP_ERR, s);
411 return 0;
Willy Tarreau39713102016-11-25 15:49:32 +0100412}
413
414
415/* This function performs the TCP layer4 analysis on the current request. It
416 * returns 0 if a reject rule matches, otherwise 1 if either an accept rule
417 * matches or if no more rule matches. It can only use rules which don't need
418 * any data. This only works on connection-based client-facing stream interfaces.
419 */
420int tcp_exec_l4_rules(struct session *sess)
421{
422 struct act_rule *rule;
Willy Tarreau39713102016-11-25 15:49:32 +0100423 struct connection *conn = objt_conn(sess->origin);
424 int result = 1;
425 enum acl_test_res ret;
426
427 if (!conn)
428 return result;
429
430 list_for_each_entry(rule, &sess->fe->tcp_req.l4_rules, list) {
431 ret = ACL_TEST_PASS;
432
433 if (rule->cond) {
434 ret = acl_exec_cond(rule->cond, sess->fe, sess, NULL, SMP_OPT_DIR_REQ|SMP_OPT_FINAL);
435 ret = acl_pass(ret);
436 if (rule->cond->pol == ACL_COND_UNLESS)
437 ret = !ret;
438 }
439
440 if (ret) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100441 /* Always call the action function if defined */
442 if (rule->action_ptr) {
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100443 switch (rule->action_ptr(rule, sess->fe, sess, NULL, ACT_OPT_FINAL | ACT_OPT_FIRST)) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100444 case ACT_RET_YIELD:
445 /* yield is not allowed at this point. If this return code is
446 * used it is a bug, so I prefer to abort the process.
447 */
448 send_log(sess->fe, LOG_WARNING,
449 "Internal error: yield not allowed with tcp-request connection actions.");
450 /* fall through */
451 case ACT_RET_STOP:
452 case ACT_RET_DONE:
453 goto end;
454 case ACT_RET_CONT:
455 break;
456 case ACT_RET_DENY:
457 case ACT_RET_ABRT:
458 case ACT_RET_ERR:
459 case ACT_RET_INV:
460 result = 0;
461 goto end;
462 }
463 continue; /* eval the next rule */
464 }
465
466 /* If not action function defined, check for known actions */
Willy Tarreau39713102016-11-25 15:49:32 +0100467 if (rule->action == ACT_ACTION_ALLOW) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100468 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100469 }
470 else if (rule->action == ACT_ACTION_DENY) {
Willy Tarreau4781b152021-04-06 13:53:36 +0200471 _HA_ATOMIC_INC(&sess->fe->fe_counters.denied_conn);
Willy Tarreaua12dde02016-12-22 18:14:41 +0100472 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200473 _HA_ATOMIC_INC(&sess->listener->counters->denied_conn);
Willy Tarreau39713102016-11-25 15:49:32 +0100474
475 result = 0;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100476 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100477 }
Willy Tarreau39713102016-11-25 15:49:32 +0100478 else if (rule->action == ACT_TCP_EXPECT_PX) {
Willy Tarreau4450b582020-01-23 15:23:13 +0100479 if (!(conn->flags & CO_FL_HANDSHAKE)) {
Olivier Houchardfe50bfb2019-05-27 12:09:19 +0200480 if (xprt_add_hs(conn) < 0) {
481 result = 0;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100482 goto end;
Olivier Houchardfe50bfb2019-05-27 12:09:19 +0200483 }
484 }
Willy Tarreau39713102016-11-25 15:49:32 +0100485 conn->flags |= CO_FL_ACCEPT_PROXY;
Willy Tarreau39713102016-11-25 15:49:32 +0100486 }
487 else if (rule->action == ACT_TCP_EXPECT_CIP) {
Willy Tarreau4450b582020-01-23 15:23:13 +0100488 if (!(conn->flags & CO_FL_HANDSHAKE)) {
Olivier Houchardfe50bfb2019-05-27 12:09:19 +0200489 if (xprt_add_hs(conn) < 0) {
490 result = 0;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100491 goto end;
Olivier Houchardfe50bfb2019-05-27 12:09:19 +0200492 }
493 }
Willy Tarreau39713102016-11-25 15:49:32 +0100494 conn->flags |= CO_FL_ACCEPT_CIP;
Willy Tarreau39713102016-11-25 15:49:32 +0100495 }
Willy Tarreau39713102016-11-25 15:49:32 +0100496 }
497 }
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100498 end:
Willy Tarreau39713102016-11-25 15:49:32 +0100499 return result;
500}
501
502/* This function performs the TCP layer5 analysis on the current request. It
503 * returns 0 if a reject rule matches, otherwise 1 if either an accept rule
504 * matches or if no more rule matches. It can only use rules which don't need
505 * any data. This only works on session-based client-facing stream interfaces.
506 * An example of valid use case is to track a stick-counter on the source
507 * address extracted from the proxy protocol.
508 */
509int tcp_exec_l5_rules(struct session *sess)
510{
511 struct act_rule *rule;
Willy Tarreau39713102016-11-25 15:49:32 +0100512 int result = 1;
513 enum acl_test_res ret;
514
515 list_for_each_entry(rule, &sess->fe->tcp_req.l5_rules, list) {
516 ret = ACL_TEST_PASS;
517
518 if (rule->cond) {
519 ret = acl_exec_cond(rule->cond, sess->fe, sess, NULL, SMP_OPT_DIR_REQ|SMP_OPT_FINAL);
520 ret = acl_pass(ret);
521 if (rule->cond->pol == ACL_COND_UNLESS)
522 ret = !ret;
523 }
524
525 if (ret) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100526 /* Always call the action function if defined */
527 if (rule->action_ptr) {
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100528 switch (rule->action_ptr(rule, sess->fe, sess, NULL, ACT_OPT_FINAL | ACT_OPT_FIRST)) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100529 case ACT_RET_YIELD:
530 /* yield is not allowed at this point. If this return code is
531 * used it is a bug, so I prefer to abort the process.
532 */
533 send_log(sess->fe, LOG_WARNING,
534 "Internal error: yield not allowed with tcp-request session actions.");
535 /* fall through */
536 case ACT_RET_STOP:
537 case ACT_RET_DONE:
538 goto end;
539 case ACT_RET_CONT:
540 break;
541 case ACT_RET_DENY:
542 case ACT_RET_ABRT:
543 case ACT_RET_ERR:
544 case ACT_RET_INV:
545 result = 0;
546 goto end;
547 }
548 continue; /* eval the next rule */
549 }
550
551 /* If not action function defined, check for known actions */
Willy Tarreau39713102016-11-25 15:49:32 +0100552 if (rule->action == ACT_ACTION_ALLOW) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100553 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100554 }
555 else if (rule->action == ACT_ACTION_DENY) {
Willy Tarreau4781b152021-04-06 13:53:36 +0200556 _HA_ATOMIC_INC(&sess->fe->fe_counters.denied_sess);
Willy Tarreaua12dde02016-12-22 18:14:41 +0100557 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200558 _HA_ATOMIC_INC(&sess->listener->counters->denied_sess);
Willy Tarreau39713102016-11-25 15:49:32 +0100559
560 result = 0;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100561 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100562 }
Willy Tarreau39713102016-11-25 15:49:32 +0100563 }
564 }
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100565 end:
Willy Tarreau39713102016-11-25 15:49:32 +0100566 return result;
567}
568
569/* Parse a tcp-response rule. Return a negative value in case of failure */
570static int tcp_parse_response_rule(char **args, int arg, int section_type,
Willy Tarreau01825162021-03-09 09:53:46 +0100571 struct proxy *curpx, const struct proxy *defpx,
Willy Tarreau39713102016-11-25 15:49:32 +0100572 struct act_rule *rule, char **err,
573 unsigned int where,
574 const char *file, int line)
575{
576 if (curpx == defpx || !(curpx->cap & PR_CAP_BE)) {
577 memprintf(err, "%s %s is only allowed in 'backend' sections",
578 args[0], args[1]);
579 return -1;
580 }
581
582 if (strcmp(args[arg], "accept") == 0) {
583 arg++;
584 rule->action = ACT_ACTION_ALLOW;
Christopher Faulet245cf792019-12-18 14:58:12 +0100585 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100586 }
587 else if (strcmp(args[arg], "reject") == 0) {
588 arg++;
589 rule->action = ACT_ACTION_DENY;
Christopher Faulet245cf792019-12-18 14:58:12 +0100590 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100591 }
592 else if (strcmp(args[arg], "close") == 0) {
593 arg++;
594 rule->action = ACT_TCP_CLOSE;
Christopher Faulet245cf792019-12-18 14:58:12 +0100595 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100596 }
597 else {
598 struct action_kw *kw;
599 kw = tcp_res_cont_action(args[arg]);
600 if (kw) {
601 arg++;
Willy Tarreau39713102016-11-25 15:49:32 +0100602 rule->kw = kw;
603 if (kw->parse((const char **)args, &arg, curpx, rule, err) == ACT_RET_PRS_ERR)
604 return -1;
605 } else {
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100606 const char *extra[] = { "accept", "reject", "close", NULL };
607 const char *best = action_suggest(args[arg], &tcp_res_cont_keywords, extra);
608
Willy Tarreau39713102016-11-25 15:49:32 +0100609 action_build_list(&tcp_res_cont_keywords, &trash);
610 memprintf(err,
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100611 "'%s %s' expects 'accept', 'close', 'reject', %s in %s '%s' (got '%s').%s%s%s",
Willy Tarreau843b7cb2018-07-13 10:54:26 +0200612 args[0], args[1], trash.area,
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100613 proxy_type_str(curpx), curpx->id, args[arg],
614 best ? " Did you mean '" : "",
615 best ? best : "",
616 best ? "' maybe ?" : "");
Willy Tarreau39713102016-11-25 15:49:32 +0100617 return -1;
618 }
619 }
620
621 if (strcmp(args[arg], "if") == 0 || strcmp(args[arg], "unless") == 0) {
Christopher Faulet1b421ea2017-09-22 14:38:56 +0200622 if ((rule->cond = build_acl_cond(file, line, &curpx->acl, curpx, (const char **)args+arg, err)) == NULL) {
Willy Tarreau39713102016-11-25 15:49:32 +0100623 memprintf(err,
624 "'%s %s %s' : error detected in %s '%s' while parsing '%s' condition : %s",
625 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg], *err);
626 return -1;
627 }
628 }
629 else if (*args[arg]) {
630 memprintf(err,
631 "'%s %s %s' only accepts 'if' or 'unless', in %s '%s' (got '%s')",
632 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg]);
633 return -1;
634 }
635 return 0;
636}
637
Christopher Fauletac98d812019-12-18 09:20:16 +0100638
639/* This function executes a track-sc* actions. On success, it returns
640 * ACT_RET_CONT. If it must yield, it return ACT_RET_YIELD. Otherwsize
641 * ACT_RET_ERR is returned.
642 */
643static enum act_return tcp_action_track_sc(struct act_rule *rule, struct proxy *px,
644 struct session *sess, struct stream *s, int flags)
645{
646 struct stksess *ts;
647 struct stktable *t;
648 struct stktable_key *key;
649 struct sample smp;
650 int opt;
651
Christopher Faulet67307792020-02-10 09:54:49 +0100652 opt = SMP_OPT_DIR_REQ;
Christopher Fauletac98d812019-12-18 09:20:16 +0100653 if (flags & ACT_FLAG_FINAL)
654 opt |= SMP_OPT_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100655
Christopher Fauletac98d812019-12-18 09:20:16 +0100656 t = rule->arg.trk_ctr.table.t;
Christopher Faulet67307792020-02-10 09:54:49 +0100657 if (rule->from == ACT_F_TCP_REQ_CNT) { /* L7 rules: use the stream */
658 if (stkctr_entry(&s->stkctr[rule->action]))
659 goto end;
Christopher Fauletac98d812019-12-18 09:20:16 +0100660
Christopher Faulet67307792020-02-10 09:54:49 +0100661 key = stktable_fetch_key(t, s->be, sess, s, opt, rule->arg.trk_ctr.expr, &smp);
Christopher Fauletac98d812019-12-18 09:20:16 +0100662
Christopher Faulet67307792020-02-10 09:54:49 +0100663 if ((smp.flags & SMP_F_MAY_CHANGE) && !(flags & ACT_FLAG_FINAL))
664 return ACT_RET_YIELD; /* key might appear later */
665
666 if (key && (ts = stktable_get_entry(t, key))) {
667 stream_track_stkctr(&s->stkctr[rule->action], t, ts);
Christopher Fauletac98d812019-12-18 09:20:16 +0100668 stkctr_set_flags(&s->stkctr[rule->action], STKCTR_TRACK_CONTENT);
669 if (sess->fe != s->be)
670 stkctr_set_flags(&s->stkctr[rule->action], STKCTR_TRACK_BACKEND);
671 }
672 }
Christopher Faulet67307792020-02-10 09:54:49 +0100673 else { /* L4/L5 rules: use the session */
674 if (stkctr_entry(&sess->stkctr[rule->action]))
675 goto end;
676
677 key = stktable_fetch_key(t, sess->fe, sess, NULL, opt, rule->arg.trk_ctr.expr, NULL);
678 if (key && (ts = stktable_get_entry(t, key)))
679 stream_track_stkctr(&sess->stkctr[rule->action], t, ts);
680 }
Christopher Fauletac98d812019-12-18 09:20:16 +0100681
682 end:
683 return ACT_RET_CONT;
684}
Willy Tarreau39713102016-11-25 15:49:32 +0100685
Christopher Fauletd73b96d2019-12-19 17:27:03 +0100686/* This function executes a capture actions. It executes a fetch expression,
687 * turns the result into a string and puts it in a capture slot. On success, it
688 * returns ACT_RET_CONT. If it must yield, it return ACT_RET_YIELD. Otherwsize
689 * ACT_RET_ERR is returned.
690 */
691static enum act_return tcp_action_capture(struct act_rule *rule, struct proxy *px,
692 struct session *sess, struct stream *s, int flags)
693{
694 struct sample *key;
695 struct cap_hdr *h = rule->arg.cap.hdr;
696 char **cap = s->req_cap;
697 int len, opt;
698
699 opt = ((rule->from == ACT_F_TCP_REQ_CNT) ? SMP_OPT_DIR_REQ : SMP_OPT_DIR_RES);
700 if (flags & ACT_FLAG_FINAL)
701 opt |= SMP_OPT_FINAL;
702
703 key = sample_fetch_as_type(s->be, sess, s, opt, rule->arg.cap.expr, SMP_T_STR);
704 if (!key)
705 goto end;
706
707 if ((key->flags & SMP_F_MAY_CHANGE) && !(flags & ACT_FLAG_FINAL))
708 return ACT_RET_YIELD; /* key might appear later */
709
710 if (cap[h->index] == NULL) {
711 cap[h->index] = pool_alloc(h->pool);
712 if (cap[h->index] == NULL) /* no more capture memory, ignore error */
713 goto end;
714 }
715
716 len = key->data.u.str.data;
717 if (len > h->len)
718 len = h->len;
719
720 memcpy(cap[h->index], key->data.u.str.area, len);
721 cap[h->index][len] = 0;
722
723 end:
724 return ACT_RET_CONT;
725}
726
Christopher Fauletadfc6e82020-01-14 15:05:33 +0100727static void release_tcp_capture(struct act_rule * rule)
728{
729 release_sample_expr(rule->arg.cap.expr);
730}
731
732
733static void release_tcp_track_sc(struct act_rule * rule)
734{
735 release_sample_expr(rule->arg.trk_ctr.expr);
736}
737
Willy Tarreau39713102016-11-25 15:49:32 +0100738/* Parse a tcp-request rule. Return a negative value in case of failure */
739static int tcp_parse_request_rule(char **args, int arg, int section_type,
Willy Tarreau01825162021-03-09 09:53:46 +0100740 struct proxy *curpx, const struct proxy *defpx,
Willy Tarreau39713102016-11-25 15:49:32 +0100741 struct act_rule *rule, char **err,
742 unsigned int where, const char *file, int line)
743{
744 if (curpx == defpx) {
745 memprintf(err, "%s %s is not allowed in 'defaults' sections",
746 args[0], args[1]);
747 return -1;
748 }
749
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100750 if (strcmp(args[arg], "accept") == 0) {
Willy Tarreau39713102016-11-25 15:49:32 +0100751 arg++;
752 rule->action = ACT_ACTION_ALLOW;
Christopher Faulet245cf792019-12-18 14:58:12 +0100753 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100754 }
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100755 else if (strcmp(args[arg], "reject") == 0) {
Willy Tarreau39713102016-11-25 15:49:32 +0100756 arg++;
757 rule->action = ACT_ACTION_DENY;
Christopher Faulet245cf792019-12-18 14:58:12 +0100758 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100759 }
760 else if (strcmp(args[arg], "capture") == 0) {
761 struct sample_expr *expr;
762 struct cap_hdr *hdr;
763 int kw = arg;
764 int len = 0;
765
766 if (!(curpx->cap & PR_CAP_FE)) {
767 memprintf(err,
768 "'%s %s %s' : proxy '%s' has no frontend capability",
769 args[0], args[1], args[kw], curpx->id);
770 return -1;
771 }
772
773 if (!(where & SMP_VAL_FE_REQ_CNT)) {
774 memprintf(err,
775 "'%s %s' is not allowed in '%s %s' rules in %s '%s'",
776 args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id);
777 return -1;
778 }
779
780 arg++;
781
782 curpx->conf.args.ctx = ARGC_CAP;
Willy Tarreaue3b57bf2020-02-14 16:50:14 +0100783 expr = sample_parse_expr(args, &arg, file, line, err, &curpx->conf.args, NULL);
Willy Tarreau39713102016-11-25 15:49:32 +0100784 if (!expr) {
785 memprintf(err,
786 "'%s %s %s' : %s",
787 args[0], args[1], args[kw], *err);
788 return -1;
789 }
790
791 if (!(expr->fetch->val & where)) {
792 memprintf(err,
793 "'%s %s %s' : fetch method '%s' extracts information from '%s', none of which is available here",
794 args[0], args[1], args[kw], args[arg-1], sample_src_names(expr->fetch->use));
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100795 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100796 return -1;
797 }
798
799 if (strcmp(args[arg], "len") == 0) {
800 arg++;
801 if (!args[arg]) {
802 memprintf(err,
803 "'%s %s %s' : missing length value",
804 args[0], args[1], args[kw]);
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100805 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100806 return -1;
807 }
808 /* we copy the table name for now, it will be resolved later */
809 len = atoi(args[arg]);
810 if (len <= 0) {
811 memprintf(err,
812 "'%s %s %s' : length must be > 0",
813 args[0], args[1], args[kw]);
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100814 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100815 return -1;
816 }
817 arg++;
818 }
819
820 if (!len) {
821 memprintf(err,
822 "'%s %s %s' : a positive 'len' argument is mandatory",
823 args[0], args[1], args[kw]);
824 free(expr);
825 return -1;
826 }
827
828 hdr = calloc(1, sizeof(*hdr));
Remi Tricot-Le Breton8cb03362021-05-17 10:08:16 +0200829 if (!hdr) {
830 memprintf(err, "parsing [%s:%d] : out of memory", file, line);
831 release_sample_expr(expr);
832 return -1;
833 }
Willy Tarreau39713102016-11-25 15:49:32 +0100834 hdr->next = curpx->req_cap;
835 hdr->name = NULL; /* not a header capture */
836 hdr->namelen = 0;
837 hdr->len = len;
838 hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
839 hdr->index = curpx->nb_req_cap++;
840
841 curpx->req_cap = hdr;
842 curpx->to_log |= LW_REQHDR;
843
Christopher Faulet711ed6a2019-07-16 14:16:10 +0200844 /* check if we need to allocate an http_txn struct for HTTP parsing */
Willy Tarreau39713102016-11-25 15:49:32 +0100845 curpx->http_needed |= !!(expr->fetch->use & SMP_USE_HTTP_ANY);
846
847 rule->arg.cap.expr = expr;
848 rule->arg.cap.hdr = hdr;
Christopher Fauletd73b96d2019-12-19 17:27:03 +0100849 rule->action = ACT_CUSTOM;
850 rule->action_ptr = tcp_action_capture;
851 rule->check_ptr = check_capture;
Christopher Fauletadfc6e82020-01-14 15:05:33 +0100852 rule->release_ptr = release_tcp_capture;
Willy Tarreau39713102016-11-25 15:49:32 +0100853 }
Frédéric Lécaillea41d5312018-01-29 12:05:07 +0100854 else if (strncmp(args[arg], "track-sc", 8) == 0) {
Willy Tarreau39713102016-11-25 15:49:32 +0100855 struct sample_expr *expr;
856 int kw = arg;
Frédéric Lécaillea41d5312018-01-29 12:05:07 +0100857 unsigned int tsc_num;
858 const char *tsc_num_str;
Willy Tarreau39713102016-11-25 15:49:32 +0100859
860 arg++;
861
Frédéric Lécaillea41d5312018-01-29 12:05:07 +0100862 tsc_num_str = &args[kw][8];
863 if (cfg_parse_track_sc_num(&tsc_num, tsc_num_str, tsc_num_str + strlen(tsc_num_str), err) == -1) {
864 memprintf(err, "'%s %s %s' : %s", args[0], args[1], args[kw], *err);
865 return -1;
866 }
867
Willy Tarreau39713102016-11-25 15:49:32 +0100868 curpx->conf.args.ctx = ARGC_TRK;
Willy Tarreaue3b57bf2020-02-14 16:50:14 +0100869 expr = sample_parse_expr(args, &arg, file, line, err, &curpx->conf.args, NULL);
Willy Tarreau39713102016-11-25 15:49:32 +0100870 if (!expr) {
871 memprintf(err,
872 "'%s %s %s' : %s",
873 args[0], args[1], args[kw], *err);
874 return -1;
875 }
876
877 if (!(expr->fetch->val & where)) {
878 memprintf(err,
879 "'%s %s %s' : fetch method '%s' extracts information from '%s', none of which is available here",
880 args[0], args[1], args[kw], args[arg-1], sample_src_names(expr->fetch->use));
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100881 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100882 return -1;
883 }
884
Christopher Faulet711ed6a2019-07-16 14:16:10 +0200885 /* check if we need to allocate an http_txn struct for HTTP parsing */
Willy Tarreau39713102016-11-25 15:49:32 +0100886 curpx->http_needed |= !!(expr->fetch->use & SMP_USE_HTTP_ANY);
887
888 if (strcmp(args[arg], "table") == 0) {
889 arg++;
890 if (!args[arg]) {
891 memprintf(err,
892 "'%s %s %s' : missing table name",
893 args[0], args[1], args[kw]);
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100894 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100895 return -1;
896 }
897 /* we copy the table name for now, it will be resolved later */
898 rule->arg.trk_ctr.table.n = strdup(args[arg]);
899 arg++;
900 }
Christopher Fauletac98d812019-12-18 09:20:16 +0100901 rule->action = tsc_num;
Willy Tarreau39713102016-11-25 15:49:32 +0100902 rule->arg.trk_ctr.expr = expr;
Christopher Fauletac98d812019-12-18 09:20:16 +0100903 rule->action_ptr = tcp_action_track_sc;
Christopher Faulet78880fb2017-09-18 14:43:55 +0200904 rule->check_ptr = check_trk_action;
Christopher Fauletadfc6e82020-01-14 15:05:33 +0100905 rule->release_ptr = release_tcp_track_sc;
Willy Tarreau39713102016-11-25 15:49:32 +0100906 }
907 else if (strcmp(args[arg], "expect-proxy") == 0) {
908 if (strcmp(args[arg+1], "layer4") != 0) {
909 memprintf(err,
910 "'%s %s %s' only supports 'layer4' in %s '%s' (got '%s')",
911 args[0], args[1], args[arg], proxy_type_str(curpx), curpx->id, args[arg+1]);
912 return -1;
913 }
914
915 if (!(where & SMP_VAL_FE_CON_ACC)) {
916 memprintf(err,
917 "'%s %s' is not allowed in '%s %s' rules in %s '%s'",
918 args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id);
919 return -1;
920 }
921
922 arg += 2;
923 rule->action = ACT_TCP_EXPECT_PX;
924 }
925 else if (strcmp(args[arg], "expect-netscaler-cip") == 0) {
926 if (strcmp(args[arg+1], "layer4") != 0) {
927 memprintf(err,
928 "'%s %s %s' only supports 'layer4' in %s '%s' (got '%s')",
929 args[0], args[1], args[arg], proxy_type_str(curpx), curpx->id, args[arg+1]);
930 return -1;
931 }
932
933 if (!(where & SMP_VAL_FE_CON_ACC)) {
934 memprintf(err,
935 "'%s %s' is not allowed in '%s %s' rules in %s '%s'",
936 args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id);
937 return -1;
938 }
939
940 arg += 2;
941 rule->action = ACT_TCP_EXPECT_CIP;
942 }
943 else {
944 struct action_kw *kw;
945 if (where & SMP_VAL_FE_CON_ACC) {
946 /* L4 */
947 kw = tcp_req_conn_action(args[arg]);
948 rule->kw = kw;
Willy Tarreau39713102016-11-25 15:49:32 +0100949 } else if (where & SMP_VAL_FE_SES_ACC) {
950 /* L5 */
951 kw = tcp_req_sess_action(args[arg]);
952 rule->kw = kw;
Willy Tarreau39713102016-11-25 15:49:32 +0100953 } else {
954 /* L6 */
955 kw = tcp_req_cont_action(args[arg]);
956 rule->kw = kw;
Willy Tarreau39713102016-11-25 15:49:32 +0100957 }
958 if (kw) {
959 arg++;
960 if (kw->parse((const char **)args, &arg, curpx, rule, err) == ACT_RET_PRS_ERR)
961 return -1;
962 } else {
Christopher Fauleta561ffb2021-03-19 08:53:26 +0100963 const char *extra[] = { "accept", "reject", "capture", "track-sc", "expect-proxy", "expect-netscaler-cip", NULL };
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100964 const char *best = NULL;
965
966
967 if (where & SMP_VAL_FE_CON_ACC) {
Willy Tarreau39713102016-11-25 15:49:32 +0100968 action_build_list(&tcp_req_conn_keywords, &trash);
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100969 best = action_suggest(args[arg], &tcp_req_conn_keywords, extra);
970 }
971 else if (where & SMP_VAL_FE_SES_ACC) {
Willy Tarreau39713102016-11-25 15:49:32 +0100972 action_build_list(&tcp_req_sess_keywords, &trash);
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100973 best = action_suggest(args[arg], &tcp_req_sess_keywords, extra);
974 }
975 else {
Willy Tarreau39713102016-11-25 15:49:32 +0100976 action_build_list(&tcp_req_cont_keywords, &trash);
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100977 best = action_suggest(args[arg], &tcp_req_cont_keywords, extra);
978 }
979
Willy Tarreau39713102016-11-25 15:49:32 +0100980 memprintf(err,
Christopher Fauleta561ffb2021-03-19 08:53:26 +0100981 "'%s %s' expects 'accept', 'reject', 'capture', 'expect-proxy', 'expect-netscaler-cip', 'track-sc0' ... 'track-sc%d', %s "
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100982 "in %s '%s' (got '%s').%s%s%s\n",
Willy Tarreau843b7cb2018-07-13 10:54:26 +0200983 args[0], args[1], MAX_SESS_STKCTR-1,
984 trash.area, proxy_type_str(curpx),
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100985 curpx->id, args[arg],
986 best ? " Did you mean '" : "",
987 best ? best : "",
988 best ? "' maybe ?" : "");
Willy Tarreau39713102016-11-25 15:49:32 +0100989 return -1;
990 }
991 }
992
993 if (strcmp(args[arg], "if") == 0 || strcmp(args[arg], "unless") == 0) {
Christopher Faulet1b421ea2017-09-22 14:38:56 +0200994 if ((rule->cond = build_acl_cond(file, line, &curpx->acl, curpx, (const char **)args+arg, err)) == NULL) {
Willy Tarreau39713102016-11-25 15:49:32 +0100995 memprintf(err,
996 "'%s %s %s' : error detected in %s '%s' while parsing '%s' condition : %s",
997 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg], *err);
998 return -1;
999 }
1000 }
1001 else if (*args[arg]) {
1002 memprintf(err,
1003 "'%s %s %s' only accepts 'if' or 'unless', in %s '%s' (got '%s')",
1004 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg]);
1005 return -1;
1006 }
1007 return 0;
1008}
1009
1010/* This function should be called to parse a line starting with the "tcp-response"
1011 * keyword.
1012 */
1013static int tcp_parse_tcp_rep(char **args, int section_type, struct proxy *curpx,
Willy Tarreau01825162021-03-09 09:53:46 +01001014 const struct proxy *defpx, const char *file, int line,
Willy Tarreau39713102016-11-25 15:49:32 +01001015 char **err)
1016{
1017 const char *ptr = NULL;
1018 unsigned int val;
1019 int warn = 0;
1020 int arg;
1021 struct act_rule *rule;
1022 unsigned int where;
1023 const struct acl *acl;
1024 const char *kw;
1025
1026 if (!*args[1]) {
1027 memprintf(err, "missing argument for '%s' in %s '%s'",
1028 args[0], proxy_type_str(curpx), curpx->id);
1029 return -1;
1030 }
1031
1032 if (strcmp(args[1], "inspect-delay") == 0) {
1033 if (curpx == defpx || !(curpx->cap & PR_CAP_BE)) {
1034 memprintf(err, "%s %s is only allowed in 'backend' sections",
1035 args[0], args[1]);
1036 return -1;
1037 }
1038
1039 if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
1040 memprintf(err,
1041 "'%s %s' expects a positive delay in milliseconds, in %s '%s'",
1042 args[0], args[1], proxy_type_str(curpx), curpx->id);
Willy Tarreau9faebe32019-06-07 19:00:37 +02001043
1044 if (ptr == PARSE_TIME_OVER)
1045 memprintf(err, "%s (timer overflow in '%s', maximum value is 2147483647 ms or ~24.8 days)", *err, args[2]);
1046 else if (ptr == PARSE_TIME_UNDER)
1047 memprintf(err, "%s (timer underflow in '%s', minimum non-null value is 1 ms)", *err, args[2]);
1048 else if (ptr)
Willy Tarreau39713102016-11-25 15:49:32 +01001049 memprintf(err, "%s (unexpected character '%c')", *err, *ptr);
1050 return -1;
1051 }
1052
1053 if (curpx->tcp_rep.inspect_delay) {
1054 memprintf(err, "ignoring %s %s (was already defined) in %s '%s'",
1055 args[0], args[1], proxy_type_str(curpx), curpx->id);
1056 return 1;
1057 }
1058 curpx->tcp_rep.inspect_delay = val;
1059 return 0;
1060 }
1061
1062 rule = calloc(1, sizeof(*rule));
Remi Tricot-Le Breton2ca42b42021-05-12 18:24:18 +02001063 if (!rule) {
1064 memprintf(err, "parsing [%s:%d] : out of memory", file, line);
1065 return -1;
1066 }
Willy Tarreau39713102016-11-25 15:49:32 +01001067 LIST_INIT(&rule->list);
1068 arg = 1;
1069 where = 0;
1070
1071 if (strcmp(args[1], "content") == 0) {
1072 arg++;
1073
1074 if (curpx->cap & PR_CAP_FE)
1075 where |= SMP_VAL_FE_RES_CNT;
1076 if (curpx->cap & PR_CAP_BE)
1077 where |= SMP_VAL_BE_RES_CNT;
Christopher Fauletcb9106b2019-12-19 15:23:17 +01001078 rule->from = ACT_F_TCP_RES_CNT;
Willy Tarreau39713102016-11-25 15:49:32 +01001079 if (tcp_parse_response_rule(args, arg, section_type, curpx, defpx, rule, err, where, file, line) < 0)
1080 goto error;
1081
1082 acl = rule->cond ? acl_cond_conflicts(rule->cond, where) : NULL;
1083 if (acl) {
1084 if (acl->name && *acl->name)
1085 memprintf(err,
1086 "acl '%s' will never match in '%s %s' because it only involves keywords that are incompatible with '%s'",
1087 acl->name, args[0], args[1], sample_ckp_names(where));
1088 else
1089 memprintf(err,
1090 "anonymous acl will never match in '%s %s' because it uses keyword '%s' which is incompatible with '%s'",
1091 args[0], args[1],
1092 LIST_ELEM(acl->expr.n, struct acl_expr *, list)->kw,
1093 sample_ckp_names(where));
1094
1095 warn++;
1096 }
1097 else if (rule->cond && acl_cond_kw_conflicts(rule->cond, where, &acl, &kw)) {
1098 if (acl->name && *acl->name)
1099 memprintf(err,
1100 "acl '%s' involves keyword '%s' which is incompatible with '%s'",
1101 acl->name, kw, sample_ckp_names(where));
1102 else
1103 memprintf(err,
1104 "anonymous acl involves keyword '%s' which is incompatible with '%s'",
1105 kw, sample_ckp_names(where));
1106 warn++;
1107 }
1108
Willy Tarreau2b718102021-04-21 07:32:39 +02001109 LIST_APPEND(&curpx->tcp_rep.inspect_rules, &rule->list);
Willy Tarreau39713102016-11-25 15:49:32 +01001110 }
1111 else {
1112 memprintf(err,
1113 "'%s' expects 'inspect-delay' or 'content' in %s '%s' (got '%s')",
1114 args[0], proxy_type_str(curpx), curpx->id, args[1]);
1115 goto error;
1116 }
1117
1118 return warn;
1119 error:
1120 free(rule);
1121 return -1;
1122}
1123
1124
1125/* This function should be called to parse a line starting with the "tcp-request"
1126 * keyword.
1127 */
1128static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
Willy Tarreau01825162021-03-09 09:53:46 +01001129 const struct proxy *defpx, const char *file, int line,
Willy Tarreau39713102016-11-25 15:49:32 +01001130 char **err)
1131{
1132 const char *ptr = NULL;
1133 unsigned int val;
1134 int warn = 0;
1135 int arg;
1136 struct act_rule *rule;
1137 unsigned int where;
1138 const struct acl *acl;
1139 const char *kw;
1140
1141 if (!*args[1]) {
1142 if (curpx == defpx)
1143 memprintf(err, "missing argument for '%s' in defaults section", args[0]);
1144 else
1145 memprintf(err, "missing argument for '%s' in %s '%s'",
1146 args[0], proxy_type_str(curpx), curpx->id);
1147 return -1;
1148 }
1149
Tim Duesterhuse5ff1412021-01-02 22:31:53 +01001150 if (strcmp(args[1], "inspect-delay") == 0) {
Willy Tarreau39713102016-11-25 15:49:32 +01001151 if (curpx == defpx) {
1152 memprintf(err, "%s %s is not allowed in 'defaults' sections",
1153 args[0], args[1]);
1154 return -1;
1155 }
1156
1157 if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
1158 memprintf(err,
1159 "'%s %s' expects a positive delay in milliseconds, in %s '%s'",
1160 args[0], args[1], proxy_type_str(curpx), curpx->id);
Willy Tarreau9faebe32019-06-07 19:00:37 +02001161
1162 if (ptr == PARSE_TIME_OVER)
1163 memprintf(err, "%s (timer overflow in '%s', maximum value is 2147483647 ms or ~24.8 days)", *err, args[2]);
1164 else if (ptr == PARSE_TIME_UNDER)
1165 memprintf(err, "%s (timer underflow in '%s', minimum non-null value is 1 ms)", *err, args[2]);
1166 else if (ptr)
Willy Tarreau39713102016-11-25 15:49:32 +01001167 memprintf(err, "%s (unexpected character '%c')", *err, *ptr);
1168 return -1;
1169 }
1170
1171 if (curpx->tcp_req.inspect_delay) {
1172 memprintf(err, "ignoring %s %s (was already defined) in %s '%s'",
1173 args[0], args[1], proxy_type_str(curpx), curpx->id);
1174 return 1;
1175 }
1176 curpx->tcp_req.inspect_delay = val;
1177 return 0;
1178 }
1179
1180 rule = calloc(1, sizeof(*rule));
Remi Tricot-Le Breton2ca42b42021-05-12 18:24:18 +02001181 if (!rule) {
1182 memprintf(err, "parsing [%s:%d] : out of memory", file, line);
1183 return -1;
1184 }
Willy Tarreau39713102016-11-25 15:49:32 +01001185 LIST_INIT(&rule->list);
1186 arg = 1;
1187 where = 0;
1188
1189 if (strcmp(args[1], "content") == 0) {
1190 arg++;
1191
1192 if (curpx->cap & PR_CAP_FE)
1193 where |= SMP_VAL_FE_REQ_CNT;
1194 if (curpx->cap & PR_CAP_BE)
1195 where |= SMP_VAL_BE_REQ_CNT;
Christopher Fauletcb9106b2019-12-19 15:23:17 +01001196 rule->from = ACT_F_TCP_REQ_CNT;
Willy Tarreau39713102016-11-25 15:49:32 +01001197 if (tcp_parse_request_rule(args, arg, section_type, curpx, defpx, rule, err, where, file, line) < 0)
1198 goto error;
1199
1200 acl = rule->cond ? acl_cond_conflicts(rule->cond, where) : NULL;
1201 if (acl) {
1202 if (acl->name && *acl->name)
1203 memprintf(err,
1204 "acl '%s' will never match in '%s %s' because it only involves keywords that are incompatible with '%s'",
1205 acl->name, args[0], args[1], sample_ckp_names(where));
1206 else
1207 memprintf(err,
1208 "anonymous acl will never match in '%s %s' because it uses keyword '%s' which is incompatible with '%s'",
1209 args[0], args[1],
1210 LIST_ELEM(acl->expr.n, struct acl_expr *, list)->kw,
1211 sample_ckp_names(where));
1212
1213 warn++;
1214 }
1215 else if (rule->cond && acl_cond_kw_conflicts(rule->cond, where, &acl, &kw)) {
1216 if (acl->name && *acl->name)
1217 memprintf(err,
1218 "acl '%s' involves keyword '%s' which is incompatible with '%s'",
1219 acl->name, kw, sample_ckp_names(where));
1220 else
1221 memprintf(err,
1222 "anonymous acl involves keyword '%s' which is incompatible with '%s'",
1223 kw, sample_ckp_names(where));
1224 warn++;
1225 }
1226
1227 /* the following function directly emits the warning */
1228 warnif_misplaced_tcp_cont(curpx, file, line, args[0]);
Willy Tarreau2b718102021-04-21 07:32:39 +02001229 LIST_APPEND(&curpx->tcp_req.inspect_rules, &rule->list);
Willy Tarreau39713102016-11-25 15:49:32 +01001230 }
1231 else if (strcmp(args[1], "connection") == 0) {
1232 arg++;
1233
1234 if (!(curpx->cap & PR_CAP_FE)) {
1235 memprintf(err, "%s %s is not allowed because %s %s is not a frontend",
1236 args[0], args[1], proxy_type_str(curpx), curpx->id);
1237 goto error;
1238 }
1239
1240 where |= SMP_VAL_FE_CON_ACC;
Christopher Fauletcb9106b2019-12-19 15:23:17 +01001241 rule->from = ACT_F_TCP_REQ_CON;
Willy Tarreau39713102016-11-25 15:49:32 +01001242 if (tcp_parse_request_rule(args, arg, section_type, curpx, defpx, rule, err, where, file, line) < 0)
1243 goto error;
1244
1245 acl = rule->cond ? acl_cond_conflicts(rule->cond, where) : NULL;
1246 if (acl) {
1247 if (acl->name && *acl->name)
1248 memprintf(err,
1249 "acl '%s' will never match in '%s %s' because it only involves keywords that are incompatible with '%s'",
1250 acl->name, args[0], args[1], sample_ckp_names(where));
1251 else
1252 memprintf(err,
1253 "anonymous acl will never match in '%s %s' because it uses keyword '%s' which is incompatible with '%s'",
1254 args[0], args[1],
1255 LIST_ELEM(acl->expr.n, struct acl_expr *, list)->kw,
1256 sample_ckp_names(where));
1257
1258 warn++;
1259 }
1260 else if (rule->cond && acl_cond_kw_conflicts(rule->cond, where, &acl, &kw)) {
1261 if (acl->name && *acl->name)
1262 memprintf(err,
1263 "acl '%s' involves keyword '%s' which is incompatible with '%s'",
1264 acl->name, kw, sample_ckp_names(where));
1265 else
1266 memprintf(err,
1267 "anonymous acl involves keyword '%s' which is incompatible with '%s'",
1268 kw, sample_ckp_names(where));
1269 warn++;
1270 }
1271
1272 /* the following function directly emits the warning */
1273 warnif_misplaced_tcp_conn(curpx, file, line, args[0]);
Willy Tarreau2b718102021-04-21 07:32:39 +02001274 LIST_APPEND(&curpx->tcp_req.l4_rules, &rule->list);
Willy Tarreau39713102016-11-25 15:49:32 +01001275 }
1276 else if (strcmp(args[1], "session") == 0) {
1277 arg++;
1278
1279 if (!(curpx->cap & PR_CAP_FE)) {
1280 memprintf(err, "%s %s is not allowed because %s %s is not a frontend",
1281 args[0], args[1], proxy_type_str(curpx), curpx->id);
1282 goto error;
1283 }
1284
1285 where |= SMP_VAL_FE_SES_ACC;
Christopher Fauletcb9106b2019-12-19 15:23:17 +01001286 rule->from = ACT_F_TCP_REQ_SES;
Willy Tarreau39713102016-11-25 15:49:32 +01001287 if (tcp_parse_request_rule(args, arg, section_type, curpx, defpx, rule, err, where, file, line) < 0)
1288 goto error;
1289
1290 acl = rule->cond ? acl_cond_conflicts(rule->cond, where) : NULL;
1291 if (acl) {
1292 if (acl->name && *acl->name)
1293 memprintf(err,
1294 "acl '%s' will never match in '%s %s' because it only involves keywords that are incompatible with '%s'",
1295 acl->name, args[0], args[1], sample_ckp_names(where));
1296 else
1297 memprintf(err,
1298 "anonymous acl will never match in '%s %s' because it uses keyword '%s' which is incompatible with '%s'",
1299 args[0], args[1],
1300 LIST_ELEM(acl->expr.n, struct acl_expr *, list)->kw,
1301 sample_ckp_names(where));
1302 warn++;
1303 }
1304 else if (rule->cond && acl_cond_kw_conflicts(rule->cond, where, &acl, &kw)) {
1305 if (acl->name && *acl->name)
1306 memprintf(err,
1307 "acl '%s' involves keyword '%s' which is incompatible with '%s'",
1308 acl->name, kw, sample_ckp_names(where));
1309 else
1310 memprintf(err,
1311 "anonymous acl involves keyword '%s' which is incompatible with '%s'",
1312 kw, sample_ckp_names(where));
1313 warn++;
1314 }
1315
1316 /* the following function directly emits the warning */
1317 warnif_misplaced_tcp_sess(curpx, file, line, args[0]);
Willy Tarreau2b718102021-04-21 07:32:39 +02001318 LIST_APPEND(&curpx->tcp_req.l5_rules, &rule->list);
Willy Tarreau39713102016-11-25 15:49:32 +01001319 }
1320 else {
1321 if (curpx == defpx)
1322 memprintf(err,
1323 "'%s' expects 'inspect-delay', 'connection', or 'content' in defaults section (got '%s')",
1324 args[0], args[1]);
1325 else
1326 memprintf(err,
1327 "'%s' expects 'inspect-delay', 'connection', or 'content' in %s '%s' (got '%s')",
1328 args[0], proxy_type_str(curpx), curpx->id, args[1]);
1329 goto error;
1330 }
1331
1332 return warn;
1333 error:
1334 free(rule);
1335 return -1;
1336}
1337
1338static struct cfg_kw_list cfg_kws = {ILH, {
1339 { CFG_LISTEN, "tcp-request", tcp_parse_tcp_req },
1340 { CFG_LISTEN, "tcp-response", tcp_parse_tcp_rep },
1341 { 0, NULL, NULL },
1342}};
1343
Willy Tarreau0108d902018-11-25 19:14:37 +01001344INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
Willy Tarreau39713102016-11-25 15:49:32 +01001345
1346/*
1347 * Local variables:
1348 * c-indent-level: 8
1349 * c-basic-offset: 8
1350 * End:
1351 */