blob: 82c1c5910f75a294485989b982052bfc785c319e [file] [log] [blame]
Willy Tarreau39713102016-11-25 15:49:32 +01001/*
2 * "tcp" rules processing
3 *
4 * Copyright 2000-2016 Willy Tarreau <w@1wt.eu>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
Willy Tarreaudcc048a2020-06-04 19:11:43 +020012#include <haproxy/acl.h>
Willy Tarreau122eba92020-06-04 10:15:32 +020013#include <haproxy/action.h>
Willy Tarreau4c7e4b72020-05-27 12:58:42 +020014#include <haproxy/api.h>
Willy Tarreaub2551052020-06-09 09:07:15 +020015#include <haproxy/arg-t.h>
Willy Tarreau278161c2020-06-04 11:18:28 +020016#include <haproxy/capture-t.h>
Willy Tarreau6be78492020-06-05 00:00:29 +020017#include <haproxy/cfgparse.h>
Willy Tarreauf1d32c42020-06-04 21:07:02 +020018#include <haproxy/channel.h>
Willy Tarreau7ea393d2020-06-04 18:02:10 +020019#include <haproxy/connection.h>
Willy Tarreauf268ee82020-06-04 17:05:57 +020020#include <haproxy/global.h>
Willy Tarreau853b2972020-05-27 18:01:47 +020021#include <haproxy/list.h>
Willy Tarreauaeed4a82020-06-04 22:01:04 +020022#include <haproxy/log.h>
Willy Tarreaua264d962020-06-04 22:29:18 +020023#include <haproxy/proxy.h>
Willy Tarreaue6ce10b2020-06-04 15:33:47 +020024#include <haproxy/sample.h>
Willy Tarreaudfd3de82020-06-04 23:46:14 +020025#include <haproxy/stick_table.h>
26#include <haproxy/stream-t.h>
Willy Tarreau5e539c92020-06-04 20:45:39 +020027#include <haproxy/stream_interface.h>
Willy Tarreau8b550af2020-06-04 17:42:48 +020028#include <haproxy/tcp_rules.h>
Willy Tarreauc2f7c582020-06-02 18:15:32 +020029#include <haproxy/ticks.h>
Willy Tarreaub2551052020-06-09 09:07:15 +020030#include <haproxy/tools.h>
Willy Tarreaudfd3de82020-06-04 23:46:14 +020031#include <haproxy/trace.h>
Willy Tarreau39713102016-11-25 15:49:32 +010032
Willy Tarreau39713102016-11-25 15:49:32 +010033
Christopher Fauleteea8fc72019-11-05 16:18:10 +010034#define TRACE_SOURCE &trace_strm
35
Willy Tarreau39713102016-11-25 15:49:32 +010036/* List head of all known action keywords for "tcp-request connection" */
37struct list tcp_req_conn_keywords = LIST_HEAD_INIT(tcp_req_conn_keywords);
38struct list tcp_req_sess_keywords = LIST_HEAD_INIT(tcp_req_sess_keywords);
39struct list tcp_req_cont_keywords = LIST_HEAD_INIT(tcp_req_cont_keywords);
40struct list tcp_res_cont_keywords = LIST_HEAD_INIT(tcp_res_cont_keywords);
41
42/*
43 * Register keywords.
44 */
45void tcp_req_conn_keywords_register(struct action_kw_list *kw_list)
46{
Willy Tarreau2b718102021-04-21 07:32:39 +020047 LIST_APPEND(&tcp_req_conn_keywords, &kw_list->list);
Willy Tarreau39713102016-11-25 15:49:32 +010048}
49
50void tcp_req_sess_keywords_register(struct action_kw_list *kw_list)
51{
Willy Tarreau2b718102021-04-21 07:32:39 +020052 LIST_APPEND(&tcp_req_sess_keywords, &kw_list->list);
Willy Tarreau39713102016-11-25 15:49:32 +010053}
54
55void tcp_req_cont_keywords_register(struct action_kw_list *kw_list)
56{
Willy Tarreau2b718102021-04-21 07:32:39 +020057 LIST_APPEND(&tcp_req_cont_keywords, &kw_list->list);
Willy Tarreau39713102016-11-25 15:49:32 +010058}
59
60void tcp_res_cont_keywords_register(struct action_kw_list *kw_list)
61{
Willy Tarreau2b718102021-04-21 07:32:39 +020062 LIST_APPEND(&tcp_res_cont_keywords, &kw_list->list);
Willy Tarreau39713102016-11-25 15:49:32 +010063}
64
65/*
66 * Return the struct tcp_req_action_kw associated to a keyword.
67 */
Thierry Fournier7a71a6d2020-11-28 17:40:24 +010068struct action_kw *tcp_req_conn_action(const char *kw)
Willy Tarreau39713102016-11-25 15:49:32 +010069{
70 return action_lookup(&tcp_req_conn_keywords, kw);
71}
72
Thierry Fournier7a71a6d2020-11-28 17:40:24 +010073struct action_kw *tcp_req_sess_action(const char *kw)
Willy Tarreau39713102016-11-25 15:49:32 +010074{
75 return action_lookup(&tcp_req_sess_keywords, kw);
76}
77
Thierry Fournier7a71a6d2020-11-28 17:40:24 +010078struct action_kw *tcp_req_cont_action(const char *kw)
Willy Tarreau39713102016-11-25 15:49:32 +010079{
80 return action_lookup(&tcp_req_cont_keywords, kw);
81}
82
Thierry Fournier7a71a6d2020-11-28 17:40:24 +010083struct action_kw *tcp_res_cont_action(const char *kw)
Willy Tarreau39713102016-11-25 15:49:32 +010084{
85 return action_lookup(&tcp_res_cont_keywords, kw);
86}
87
88/* This function performs the TCP request analysis on the current request. It
89 * returns 1 if the processing can continue on next analysers, or zero if it
90 * needs more data, encounters an error, or wants to immediately abort the
91 * request. It relies on buffers flags, and updates s->req->analysers. The
92 * function may be called for frontend rules and backend rules. It only relies
93 * on the backend pointer so this works for both cases.
94 */
95int tcp_inspect_request(struct stream *s, struct channel *req, int an_bit)
96{
Christopher Fauletc8016d02021-10-13 15:34:49 +020097 struct list *def_rules, *rules;
Willy Tarreau39713102016-11-25 15:49:32 +010098 struct session *sess = s->sess;
99 struct act_rule *rule;
Willy Tarreau39713102016-11-25 15:49:32 +0100100 int partial;
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100101 int act_opts = 0;
Willy Tarreau39713102016-11-25 15:49:32 +0100102
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100103 DBG_TRACE_ENTER(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100104
Christopher Fauletc8016d02021-10-13 15:34:49 +0200105 def_rules = ((s->be->defpx && (an_bit == AN_REQ_INSPECT_FE || s->be->defpx != sess->fe->defpx)) ? &s->be->defpx->tcp_req.inspect_rules : NULL);
106 rules = &s->be->tcp_req.inspect_rules;
107
Willy Tarreau39713102016-11-25 15:49:32 +0100108 /* We don't know whether we have enough data, so must proceed
109 * this way :
110 * - iterate through all rules in their declaration order
111 * - if one rule returns MISS, it means the inspect delay is
112 * not over yet, then return immediately, otherwise consider
113 * it as a non-match.
114 * - if one rule returns OK, then return OK
115 * - if one rule returns KO, then return KO
116 */
117
Christopher Fauletcb59e0b2021-09-30 14:56:30 +0200118 if ((req->flags & (CF_EOI|CF_SHUTR|CF_READ_ERROR)) || channel_full(req, global.tune.maxrewrite) ||
Christopher Faulet78335962021-09-23 14:46:32 +0200119 si_rx_blocked_room(chn_prod(req)) ||
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200120 !s->be->tcp_req.inspect_delay || tick_is_expired(s->rules_exp, now_ms))
Willy Tarreau39713102016-11-25 15:49:32 +0100121 partial = SMP_OPT_FINAL;
122 else
123 partial = 0;
124
125 /* If "the current_rule_list" match the executed rule list, we are in
126 * resume condition. If a resume is needed it is always in the action
127 * and never in the ACL or converters. In this case, we initialise the
128 * current rule, and go to the action execution point.
129 */
130 if (s->current_rule) {
131 rule = s->current_rule;
132 s->current_rule = NULL;
Christopher Fauletc8016d02021-10-13 15:34:49 +0200133 if ((def_rules && s->current_rule_list == def_rules) || s->current_rule_list == rules)
Willy Tarreau39713102016-11-25 15:49:32 +0100134 goto resume_execution;
135 }
Christopher Fauletc8016d02021-10-13 15:34:49 +0200136 s->current_rule_list = ((!def_rules || s->current_rule_list == def_rules) ? rules : def_rules);
Willy Tarreau39713102016-11-25 15:49:32 +0100137
Christopher Fauletc8016d02021-10-13 15:34:49 +0200138 restart:
139 list_for_each_entry(rule, s->current_rule_list, list) {
Willy Tarreau39713102016-11-25 15:49:32 +0100140 enum acl_test_res ret = ACL_TEST_PASS;
141
142 if (rule->cond) {
143 ret = acl_exec_cond(rule->cond, s->be, sess, s, SMP_OPT_DIR_REQ | partial);
144 if (ret == ACL_TEST_MISS)
145 goto missing_data;
146
147 ret = acl_pass(ret);
148 if (rule->cond->pol == ACL_COND_UNLESS)
149 ret = !ret;
150 }
151
152 if (ret) {
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100153 act_opts |= ACT_OPT_FIRST;
Willy Tarreau39713102016-11-25 15:49:32 +0100154resume_execution:
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100155
156 /* Always call the action function if defined */
157 if (rule->action_ptr) {
158 if (partial & SMP_OPT_FINAL)
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100159 act_opts |= ACT_OPT_FINAL;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100160
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100161 switch (rule->action_ptr(rule, s->be, s->sess, s, act_opts)) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100162 case ACT_RET_CONT:
163 break;
164 case ACT_RET_STOP:
165 case ACT_RET_DONE:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100166 s->last_rule_file = rule->conf.file;
167 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100168 goto end;
169 case ACT_RET_YIELD:
170 s->current_rule = rule;
Christopher Faulet99aaca92020-07-28 11:30:19 +0200171 if (partial & SMP_OPT_FINAL) {
172 send_log(s->be, LOG_WARNING,
173 "Internal error: yield not allowed if the inspect-delay expired "
174 "for the tcp-request content actions.");
175 goto internal;
176 }
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100177 goto missing_data;
178 case ACT_RET_DENY:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100179 s->last_rule_file = rule->conf.file;
180 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100181 goto deny;
182 case ACT_RET_ABRT:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100183 s->last_rule_file = rule->conf.file;
184 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100185 goto abort;
186 case ACT_RET_ERR:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100187 s->last_rule_file = rule->conf.file;
188 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100189 goto internal;
190 case ACT_RET_INV:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100191 s->last_rule_file = rule->conf.file;
192 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100193 goto invalid;
194 }
195 continue; /* eval the next rule */
196 }
197
198 /* If not action function defined, check for known actions */
Willy Tarreau39713102016-11-25 15:49:32 +0100199 if (rule->action == ACT_ACTION_ALLOW) {
Willy Tarreauc6dae862022-03-09 17:23:10 +0100200 s->last_rule_file = rule->conf.file;
201 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100202 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100203 }
204 else if (rule->action == ACT_ACTION_DENY) {
Willy Tarreauc6dae862022-03-09 17:23:10 +0100205 s->last_rule_file = rule->conf.file;
206 s->last_rule_line = rule->conf.line;
Christopher Faulet282992e2019-12-16 12:34:31 +0100207 goto deny;
Willy Tarreau39713102016-11-25 15:49:32 +0100208 }
Willy Tarreau39713102016-11-25 15:49:32 +0100209 }
210 }
211
Christopher Fauletc8016d02021-10-13 15:34:49 +0200212 if (def_rules && s->current_rule_list == def_rules) {
213 s->current_rule_list = rules;
214 goto restart;
215 }
216
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100217 end:
Willy Tarreau39713102016-11-25 15:49:32 +0100218 /* if we get there, it means we have no rule which matches, or
219 * we have an explicit accept, so we apply the default accept.
220 */
221 req->analysers &= ~an_bit;
Christopher Fauletc8016d02021-10-13 15:34:49 +0200222 s->current_rule = s->current_rule_list = NULL;
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200223 req->analyse_exp = s->rules_exp = TICK_ETERNITY;
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100224 DBG_TRACE_LEAVE(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100225 return 1;
226
227 missing_data:
228 channel_dont_connect(req);
229 /* just set the request timeout once at the beginning of the request */
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200230 if (!tick_isset(s->rules_exp) && s->be->tcp_req.inspect_delay)
231 s->rules_exp = tick_add(now_ms, s->be->tcp_req.inspect_delay);
232 req->analyse_exp = tick_first((tick_is_expired(req->analyse_exp, now_ms) ? 0 : req->analyse_exp), s->rules_exp);
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100233 DBG_TRACE_DEVEL("waiting for more data", STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100234 return 0;
235
Christopher Faulet282992e2019-12-16 12:34:31 +0100236 deny:
Willy Tarreau4781b152021-04-06 13:53:36 +0200237 _HA_ATOMIC_INC(&sess->fe->fe_counters.denied_req);
Christopher Faulet282992e2019-12-16 12:34:31 +0100238 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200239 _HA_ATOMIC_INC(&sess->listener->counters->denied_req);
Christopher Faulet282992e2019-12-16 12:34:31 +0100240 goto reject;
241
242 internal:
Willy Tarreau4781b152021-04-06 13:53:36 +0200243 _HA_ATOMIC_INC(&sess->fe->fe_counters.internal_errors);
Christopher Faulet282992e2019-12-16 12:34:31 +0100244 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200245 _HA_ATOMIC_INC(&sess->listener->counters->internal_errors);
Christopher Faulet282992e2019-12-16 12:34:31 +0100246 if (!(s->flags & SF_ERR_MASK))
247 s->flags |= SF_ERR_INTERNAL;
248 goto reject;
249
250 invalid:
Willy Tarreau4781b152021-04-06 13:53:36 +0200251 _HA_ATOMIC_INC(&sess->fe->fe_counters.failed_req);
Christopher Faulet282992e2019-12-16 12:34:31 +0100252 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200253 _HA_ATOMIC_INC(&sess->listener->counters->failed_req);
Christopher Faulet282992e2019-12-16 12:34:31 +0100254
255 reject:
256 si_must_kill_conn(chn_prod(req));
257 channel_abort(req);
258 channel_abort(&s->res);
259
260 abort:
261 req->analysers &= AN_REQ_FLT_END;
Christopher Fauletc8016d02021-10-13 15:34:49 +0200262 s->current_rule = s->current_rule_list = NULL;
263 req->analyse_exp = s->rules_exp = TICK_ETERNITY;
Christopher Faulet282992e2019-12-16 12:34:31 +0100264
265 if (!(s->flags & SF_ERR_MASK))
266 s->flags |= SF_ERR_PRXCOND;
267 if (!(s->flags & SF_FINST_MASK))
268 s->flags |= SF_FINST_R;
269 DBG_TRACE_DEVEL("leaving on error|deny|abort", STRM_EV_STRM_ANA|STRM_EV_TCP_ANA|STRM_EV_TCP_ERR, s);
270 return 0;
Willy Tarreau39713102016-11-25 15:49:32 +0100271}
272
273/* This function performs the TCP response analysis on the current response. It
274 * returns 1 if the processing can continue on next analysers, or zero if it
275 * needs more data, encounters an error, or wants to immediately abort the
276 * response. It relies on buffers flags, and updates s->rep->analysers. The
277 * function may be called for backend rules.
278 */
279int tcp_inspect_response(struct stream *s, struct channel *rep, int an_bit)
280{
Christopher Fauletc8016d02021-10-13 15:34:49 +0200281 struct list *def_rules, *rules;
Willy Tarreau39713102016-11-25 15:49:32 +0100282 struct session *sess = s->sess;
283 struct act_rule *rule;
284 int partial;
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100285 int act_opts = 0;
Willy Tarreau39713102016-11-25 15:49:32 +0100286
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100287 DBG_TRACE_ENTER(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100288
Christopher Fauletc8016d02021-10-13 15:34:49 +0200289 def_rules = (s->be->defpx ? &s->be->defpx->tcp_rep.inspect_rules : NULL);
290 rules = &s->be->tcp_rep.inspect_rules;
291
Willy Tarreau39713102016-11-25 15:49:32 +0100292 /* We don't know whether we have enough data, so must proceed
293 * this way :
294 * - iterate through all rules in their declaration order
295 * - if one rule returns MISS, it means the inspect delay is
296 * not over yet, then return immediately, otherwise consider
297 * it as a non-match.
298 * - if one rule returns OK, then return OK
299 * - if one rule returns KO, then return KO
300 */
Christopher Fauletcb59e0b2021-09-30 14:56:30 +0200301 if ((rep->flags & (CF_EOI|CF_SHUTR|CF_READ_ERROR)) || channel_full(rep, global.tune.maxrewrite) ||
Christopher Faulet78335962021-09-23 14:46:32 +0200302 si_rx_blocked_room(chn_prod(rep)) ||
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200303 !s->be->tcp_rep.inspect_delay || tick_is_expired(s->rules_exp, now_ms))
Willy Tarreau39713102016-11-25 15:49:32 +0100304 partial = SMP_OPT_FINAL;
305 else
306 partial = 0;
307
308 /* If "the current_rule_list" match the executed rule list, we are in
309 * resume condition. If a resume is needed it is always in the action
310 * and never in the ACL or converters. In this case, we initialise the
311 * current rule, and go to the action execution point.
312 */
313 if (s->current_rule) {
314 rule = s->current_rule;
315 s->current_rule = NULL;
Christopher Fauletc8016d02021-10-13 15:34:49 +0200316 if ((def_rules && s->current_rule_list == def_rules) || s->current_rule_list == rules)
Willy Tarreau39713102016-11-25 15:49:32 +0100317 goto resume_execution;
318 }
Christopher Fauletc8016d02021-10-13 15:34:49 +0200319 s->current_rule_list = ((!def_rules || s->current_rule_list == def_rules) ? rules : def_rules);
Willy Tarreau39713102016-11-25 15:49:32 +0100320
Christopher Fauletc8016d02021-10-13 15:34:49 +0200321 restart:
322 list_for_each_entry(rule, s->current_rule_list, list) {
Willy Tarreau39713102016-11-25 15:49:32 +0100323 enum acl_test_res ret = ACL_TEST_PASS;
324
325 if (rule->cond) {
326 ret = acl_exec_cond(rule->cond, s->be, sess, s, SMP_OPT_DIR_RES | partial);
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200327 if (ret == ACL_TEST_MISS)
328 goto missing_data;
Willy Tarreau39713102016-11-25 15:49:32 +0100329
330 ret = acl_pass(ret);
331 if (rule->cond->pol == ACL_COND_UNLESS)
332 ret = !ret;
333 }
334
335 if (ret) {
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100336 act_opts |= ACT_OPT_FIRST;
Willy Tarreau39713102016-11-25 15:49:32 +0100337resume_execution:
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100338 /* Always call the action function if defined */
339 if (rule->action_ptr) {
340 if (partial & SMP_OPT_FINAL)
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100341 act_opts |= ACT_OPT_FINAL;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100342
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100343 switch (rule->action_ptr(rule, s->be, s->sess, s, act_opts)) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100344 case ACT_RET_CONT:
345 break;
346 case ACT_RET_STOP:
347 case ACT_RET_DONE:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100348 s->last_rule_file = rule->conf.file;
349 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100350 goto end;
351 case ACT_RET_YIELD:
352 s->current_rule = rule;
Christopher Faulet99aaca92020-07-28 11:30:19 +0200353 if (partial & SMP_OPT_FINAL) {
354 send_log(s->be, LOG_WARNING,
355 "Internal error: yield not allowed if the inspect-delay expired "
356 "for the tcp-response content actions.");
357 goto internal;
358 }
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200359 channel_dont_close(rep);
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100360 goto missing_data;
361 case ACT_RET_DENY:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100362 s->last_rule_file = rule->conf.file;
363 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100364 goto deny;
365 case ACT_RET_ABRT:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100366 s->last_rule_file = rule->conf.file;
367 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100368 goto abort;
369 case ACT_RET_ERR:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100370 s->last_rule_file = rule->conf.file;
371 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100372 goto internal;
373 case ACT_RET_INV:
Willy Tarreauc6dae862022-03-09 17:23:10 +0100374 s->last_rule_file = rule->conf.file;
375 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100376 goto invalid;
377 }
378 continue; /* eval the next rule */
379 }
380
381 /* If not action function defined, check for known actions */
Willy Tarreau39713102016-11-25 15:49:32 +0100382 if (rule->action == ACT_ACTION_ALLOW) {
Willy Tarreauc6dae862022-03-09 17:23:10 +0100383 s->last_rule_file = rule->conf.file;
384 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100385 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100386 }
387 else if (rule->action == ACT_ACTION_DENY) {
Willy Tarreauc6dae862022-03-09 17:23:10 +0100388 s->last_rule_file = rule->conf.file;
389 s->last_rule_line = rule->conf.line;
Christopher Faulet282992e2019-12-16 12:34:31 +0100390 goto deny;
Willy Tarreau39713102016-11-25 15:49:32 +0100391 }
392 else if (rule->action == ACT_TCP_CLOSE) {
393 chn_prod(rep)->flags |= SI_FL_NOLINGER | SI_FL_NOHALF;
Willy Tarreau0f9cd7b2019-01-31 19:02:43 +0100394 si_must_kill_conn(chn_prod(rep));
Willy Tarreau39713102016-11-25 15:49:32 +0100395 si_shutr(chn_prod(rep));
396 si_shutw(chn_prod(rep));
Willy Tarreauc6dae862022-03-09 17:23:10 +0100397 s->last_rule_file = rule->conf.file;
398 s->last_rule_line = rule->conf.line;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100399 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100400 }
401 }
402 }
403
Christopher Fauletc8016d02021-10-13 15:34:49 +0200404 if (def_rules && s->current_rule_list == def_rules) {
405 s->current_rule_list = rules;
406 goto restart;
407 }
408
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100409 end:
Willy Tarreau39713102016-11-25 15:49:32 +0100410 /* if we get there, it means we have no rule which matches, or
411 * we have an explicit accept, so we apply the default accept.
412 */
413 rep->analysers &= ~an_bit;
Christopher Fauletc8016d02021-10-13 15:34:49 +0200414 s->current_rule = s->current_rule_list = NULL;
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200415 rep->analyse_exp = s->rules_exp = TICK_ETERNITY;
Christopher Fauleteea8fc72019-11-05 16:18:10 +0100416 DBG_TRACE_LEAVE(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
Willy Tarreau39713102016-11-25 15:49:32 +0100417 return 1;
Christopher Faulet282992e2019-12-16 12:34:31 +0100418
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100419 missing_data:
Christopher Faulet54f3e182020-07-29 12:00:23 +0200420 /* just set the analyser timeout once at the beginning of the response */
Christopher Faulet2747fbb2020-07-28 11:56:13 +0200421 if (!tick_isset(s->rules_exp) && s->be->tcp_rep.inspect_delay)
422 s->rules_exp = tick_add(now_ms, s->be->tcp_rep.inspect_delay);
423 rep->analyse_exp = tick_first((tick_is_expired(rep->analyse_exp, now_ms) ? 0 : rep->analyse_exp), s->rules_exp);
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100424 DBG_TRACE_DEVEL("waiting for more data", STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
425 return 0;
426
Christopher Faulet282992e2019-12-16 12:34:31 +0100427 deny:
Willy Tarreau4781b152021-04-06 13:53:36 +0200428 _HA_ATOMIC_INC(&s->sess->fe->fe_counters.denied_resp);
429 _HA_ATOMIC_INC(&s->be->be_counters.denied_resp);
William Lallemand36119de2021-03-08 15:26:48 +0100430 if (s->sess->listener && s->sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200431 _HA_ATOMIC_INC(&s->sess->listener->counters->denied_resp);
Christopher Faulet282992e2019-12-16 12:34:31 +0100432 if (objt_server(s->target))
Willy Tarreau4781b152021-04-06 13:53:36 +0200433 _HA_ATOMIC_INC(&__objt_server(s->target)->counters.denied_resp);
Christopher Faulet282992e2019-12-16 12:34:31 +0100434 goto reject;
435
436 internal:
Willy Tarreau4781b152021-04-06 13:53:36 +0200437 _HA_ATOMIC_INC(&s->sess->fe->fe_counters.internal_errors);
438 _HA_ATOMIC_INC(&s->be->be_counters.internal_errors);
William Lallemand36119de2021-03-08 15:26:48 +0100439 if (s->sess->listener && s->sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200440 _HA_ATOMIC_INC(&s->sess->listener->counters->internal_errors);
Christopher Faulet282992e2019-12-16 12:34:31 +0100441 if (objt_server(s->target))
Willy Tarreau4781b152021-04-06 13:53:36 +0200442 _HA_ATOMIC_INC(&__objt_server(s->target)->counters.internal_errors);
Christopher Faulet282992e2019-12-16 12:34:31 +0100443 if (!(s->flags & SF_ERR_MASK))
444 s->flags |= SF_ERR_INTERNAL;
445 goto reject;
446
447 invalid:
Willy Tarreau4781b152021-04-06 13:53:36 +0200448 _HA_ATOMIC_INC(&s->be->be_counters.failed_resp);
Christopher Faulet282992e2019-12-16 12:34:31 +0100449 if (objt_server(s->target))
Willy Tarreau4781b152021-04-06 13:53:36 +0200450 _HA_ATOMIC_INC(&__objt_server(s->target)->counters.failed_resp);
Christopher Faulet282992e2019-12-16 12:34:31 +0100451
452 reject:
453 si_must_kill_conn(chn_prod(rep));
454 channel_abort(rep);
455 channel_abort(&s->req);
456
457 abort:
Christopher Faulet19dbf2d2020-07-28 11:40:07 +0200458 rep->analysers &= AN_RES_FLT_END;
Christopher Fauletc8016d02021-10-13 15:34:49 +0200459 s->current_rule = s->current_rule_list = NULL;
460 rep->analyse_exp = s->rules_exp = TICK_ETERNITY;
Christopher Faulet282992e2019-12-16 12:34:31 +0100461
462 if (!(s->flags & SF_ERR_MASK))
463 s->flags |= SF_ERR_PRXCOND;
464 if (!(s->flags & SF_FINST_MASK))
465 s->flags |= SF_FINST_D;
466 DBG_TRACE_DEVEL("leaving on error", STRM_EV_STRM_ANA|STRM_EV_TCP_ANA|STRM_EV_TCP_ERR, s);
467 return 0;
Willy Tarreau39713102016-11-25 15:49:32 +0100468}
469
470
471/* This function performs the TCP layer4 analysis on the current request. It
472 * returns 0 if a reject rule matches, otherwise 1 if either an accept rule
473 * matches or if no more rule matches. It can only use rules which don't need
474 * any data. This only works on connection-based client-facing stream interfaces.
475 */
476int tcp_exec_l4_rules(struct session *sess)
477{
Christopher Fauletc8016d02021-10-13 15:34:49 +0200478 struct proxy *px = sess->fe;
Willy Tarreau39713102016-11-25 15:49:32 +0100479 struct act_rule *rule;
Willy Tarreau39713102016-11-25 15:49:32 +0100480 struct connection *conn = objt_conn(sess->origin);
481 int result = 1;
482 enum acl_test_res ret;
483
484 if (!conn)
485 return result;
486
Christopher Fauletc8016d02021-10-13 15:34:49 +0200487 if (sess->fe->defpx)
488 px = sess->fe->defpx;
489
490 restart:
491 list_for_each_entry(rule, &px->tcp_req.l4_rules, list) {
Willy Tarreau39713102016-11-25 15:49:32 +0100492 ret = ACL_TEST_PASS;
493
494 if (rule->cond) {
495 ret = acl_exec_cond(rule->cond, sess->fe, sess, NULL, SMP_OPT_DIR_REQ|SMP_OPT_FINAL);
496 ret = acl_pass(ret);
497 if (rule->cond->pol == ACL_COND_UNLESS)
498 ret = !ret;
499 }
500
501 if (ret) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100502 /* Always call the action function if defined */
503 if (rule->action_ptr) {
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100504 switch (rule->action_ptr(rule, sess->fe, sess, NULL, ACT_OPT_FINAL | ACT_OPT_FIRST)) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100505 case ACT_RET_YIELD:
506 /* yield is not allowed at this point. If this return code is
507 * used it is a bug, so I prefer to abort the process.
508 */
509 send_log(sess->fe, LOG_WARNING,
510 "Internal error: yield not allowed with tcp-request connection actions.");
511 /* fall through */
512 case ACT_RET_STOP:
513 case ACT_RET_DONE:
514 goto end;
515 case ACT_RET_CONT:
516 break;
517 case ACT_RET_DENY:
518 case ACT_RET_ABRT:
519 case ACT_RET_ERR:
520 case ACT_RET_INV:
521 result = 0;
522 goto end;
523 }
524 continue; /* eval the next rule */
525 }
526
527 /* If not action function defined, check for known actions */
Willy Tarreau39713102016-11-25 15:49:32 +0100528 if (rule->action == ACT_ACTION_ALLOW) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100529 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100530 }
531 else if (rule->action == ACT_ACTION_DENY) {
Willy Tarreau4781b152021-04-06 13:53:36 +0200532 _HA_ATOMIC_INC(&sess->fe->fe_counters.denied_conn);
Willy Tarreaua12dde02016-12-22 18:14:41 +0100533 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200534 _HA_ATOMIC_INC(&sess->listener->counters->denied_conn);
Willy Tarreau39713102016-11-25 15:49:32 +0100535
536 result = 0;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100537 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100538 }
Willy Tarreau39713102016-11-25 15:49:32 +0100539 else if (rule->action == ACT_TCP_EXPECT_PX) {
Willy Tarreau4450b582020-01-23 15:23:13 +0100540 if (!(conn->flags & CO_FL_HANDSHAKE)) {
Olivier Houchardfe50bfb2019-05-27 12:09:19 +0200541 if (xprt_add_hs(conn) < 0) {
542 result = 0;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100543 goto end;
Olivier Houchardfe50bfb2019-05-27 12:09:19 +0200544 }
545 }
Willy Tarreau39713102016-11-25 15:49:32 +0100546 conn->flags |= CO_FL_ACCEPT_PROXY;
Willy Tarreau39713102016-11-25 15:49:32 +0100547 }
548 else if (rule->action == ACT_TCP_EXPECT_CIP) {
Willy Tarreau4450b582020-01-23 15:23:13 +0100549 if (!(conn->flags & CO_FL_HANDSHAKE)) {
Olivier Houchardfe50bfb2019-05-27 12:09:19 +0200550 if (xprt_add_hs(conn) < 0) {
551 result = 0;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100552 goto end;
Olivier Houchardfe50bfb2019-05-27 12:09:19 +0200553 }
554 }
Willy Tarreau39713102016-11-25 15:49:32 +0100555 conn->flags |= CO_FL_ACCEPT_CIP;
Willy Tarreau39713102016-11-25 15:49:32 +0100556 }
Willy Tarreau39713102016-11-25 15:49:32 +0100557 }
558 }
Christopher Fauletc8016d02021-10-13 15:34:49 +0200559
560 if (px != sess->fe) {
561 px = sess->fe;
562 goto restart;
563 }
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100564 end:
Willy Tarreau39713102016-11-25 15:49:32 +0100565 return result;
566}
567
568/* This function performs the TCP layer5 analysis on the current request. It
569 * returns 0 if a reject rule matches, otherwise 1 if either an accept rule
570 * matches or if no more rule matches. It can only use rules which don't need
571 * any data. This only works on session-based client-facing stream interfaces.
572 * An example of valid use case is to track a stick-counter on the source
573 * address extracted from the proxy protocol.
574 */
575int tcp_exec_l5_rules(struct session *sess)
576{
Christopher Fauletc8016d02021-10-13 15:34:49 +0200577 struct proxy *px = sess->fe;
Willy Tarreau39713102016-11-25 15:49:32 +0100578 struct act_rule *rule;
Willy Tarreau39713102016-11-25 15:49:32 +0100579 int result = 1;
580 enum acl_test_res ret;
581
Christopher Fauletc8016d02021-10-13 15:34:49 +0200582 if (sess->fe->defpx)
583 px = sess->fe->defpx;
584
585 restart:
586 list_for_each_entry(rule, &px->tcp_req.l5_rules, list) {
Willy Tarreau39713102016-11-25 15:49:32 +0100587 ret = ACL_TEST_PASS;
588
589 if (rule->cond) {
590 ret = acl_exec_cond(rule->cond, sess->fe, sess, NULL, SMP_OPT_DIR_REQ|SMP_OPT_FINAL);
591 ret = acl_pass(ret);
592 if (rule->cond->pol == ACL_COND_UNLESS)
593 ret = !ret;
594 }
595
596 if (ret) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100597 /* Always call the action function if defined */
598 if (rule->action_ptr) {
Christopher Faulet105ba6c2019-12-18 14:41:51 +0100599 switch (rule->action_ptr(rule, sess->fe, sess, NULL, ACT_OPT_FINAL | ACT_OPT_FIRST)) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100600 case ACT_RET_YIELD:
601 /* yield is not allowed at this point. If this return code is
602 * used it is a bug, so I prefer to abort the process.
603 */
604 send_log(sess->fe, LOG_WARNING,
605 "Internal error: yield not allowed with tcp-request session actions.");
606 /* fall through */
607 case ACT_RET_STOP:
608 case ACT_RET_DONE:
609 goto end;
610 case ACT_RET_CONT:
611 break;
612 case ACT_RET_DENY:
613 case ACT_RET_ABRT:
614 case ACT_RET_ERR:
615 case ACT_RET_INV:
616 result = 0;
617 goto end;
618 }
619 continue; /* eval the next rule */
620 }
621
622 /* If not action function defined, check for known actions */
Willy Tarreau39713102016-11-25 15:49:32 +0100623 if (rule->action == ACT_ACTION_ALLOW) {
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100624 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100625 }
626 else if (rule->action == ACT_ACTION_DENY) {
Willy Tarreau4781b152021-04-06 13:53:36 +0200627 _HA_ATOMIC_INC(&sess->fe->fe_counters.denied_sess);
Willy Tarreaua12dde02016-12-22 18:14:41 +0100628 if (sess->listener && sess->listener->counters)
Willy Tarreau4781b152021-04-06 13:53:36 +0200629 _HA_ATOMIC_INC(&sess->listener->counters->denied_sess);
Willy Tarreau39713102016-11-25 15:49:32 +0100630
631 result = 0;
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100632 goto end;
Willy Tarreau39713102016-11-25 15:49:32 +0100633 }
Willy Tarreau39713102016-11-25 15:49:32 +0100634 }
635 }
Christopher Fauletc8016d02021-10-13 15:34:49 +0200636
637 if (px != sess->fe) {
638 px = sess->fe;
639 goto restart;
640 }
Christopher Fauletcd26e8a2019-12-18 11:13:39 +0100641 end:
Willy Tarreau39713102016-11-25 15:49:32 +0100642 return result;
643}
644
645/* Parse a tcp-response rule. Return a negative value in case of failure */
646static int tcp_parse_response_rule(char **args, int arg, int section_type,
Willy Tarreau01825162021-03-09 09:53:46 +0100647 struct proxy *curpx, const struct proxy *defpx,
Willy Tarreau39713102016-11-25 15:49:32 +0100648 struct act_rule *rule, char **err,
649 unsigned int where,
650 const char *file, int line)
651{
Christopher Fauletee08d6c2021-10-13 15:40:15 +0200652 if ((curpx == defpx && strlen(defpx->id) == 0) || !(curpx->cap & PR_CAP_BE)) {
653 memprintf(err, "%s %s is only allowed in 'backend' sections or 'defaults' section with a name",
Willy Tarreau39713102016-11-25 15:49:32 +0100654 args[0], args[1]);
655 return -1;
656 }
657
658 if (strcmp(args[arg], "accept") == 0) {
659 arg++;
660 rule->action = ACT_ACTION_ALLOW;
Christopher Faulet245cf792019-12-18 14:58:12 +0100661 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100662 }
663 else if (strcmp(args[arg], "reject") == 0) {
664 arg++;
665 rule->action = ACT_ACTION_DENY;
Christopher Faulet245cf792019-12-18 14:58:12 +0100666 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100667 }
668 else if (strcmp(args[arg], "close") == 0) {
669 arg++;
670 rule->action = ACT_TCP_CLOSE;
Christopher Faulet245cf792019-12-18 14:58:12 +0100671 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100672 }
673 else {
674 struct action_kw *kw;
675 kw = tcp_res_cont_action(args[arg]);
676 if (kw) {
677 arg++;
Willy Tarreau39713102016-11-25 15:49:32 +0100678 rule->kw = kw;
679 if (kw->parse((const char **)args, &arg, curpx, rule, err) == ACT_RET_PRS_ERR)
680 return -1;
681 } else {
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100682 const char *extra[] = { "accept", "reject", "close", NULL };
683 const char *best = action_suggest(args[arg], &tcp_res_cont_keywords, extra);
684
Willy Tarreau39713102016-11-25 15:49:32 +0100685 action_build_list(&tcp_res_cont_keywords, &trash);
686 memprintf(err,
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100687 "'%s %s' expects 'accept', 'close', 'reject', %s in %s '%s' (got '%s').%s%s%s",
Willy Tarreau843b7cb2018-07-13 10:54:26 +0200688 args[0], args[1], trash.area,
Willy Tarreaudb67b0e2021-03-12 13:46:10 +0100689 proxy_type_str(curpx), curpx->id, args[arg],
690 best ? " Did you mean '" : "",
691 best ? best : "",
692 best ? "' maybe ?" : "");
Willy Tarreau39713102016-11-25 15:49:32 +0100693 return -1;
694 }
695 }
696
697 if (strcmp(args[arg], "if") == 0 || strcmp(args[arg], "unless") == 0) {
Christopher Faulet1b421ea2017-09-22 14:38:56 +0200698 if ((rule->cond = build_acl_cond(file, line, &curpx->acl, curpx, (const char **)args+arg, err)) == NULL) {
Willy Tarreau39713102016-11-25 15:49:32 +0100699 memprintf(err,
700 "'%s %s %s' : error detected in %s '%s' while parsing '%s' condition : %s",
701 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg], *err);
702 return -1;
703 }
704 }
705 else if (*args[arg]) {
706 memprintf(err,
707 "'%s %s %s' only accepts 'if' or 'unless', in %s '%s' (got '%s')",
708 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg]);
709 return -1;
710 }
711 return 0;
712}
713
Christopher Fauletac98d812019-12-18 09:20:16 +0100714
715/* This function executes a track-sc* actions. On success, it returns
716 * ACT_RET_CONT. If it must yield, it return ACT_RET_YIELD. Otherwsize
717 * ACT_RET_ERR is returned.
718 */
719static enum act_return tcp_action_track_sc(struct act_rule *rule, struct proxy *px,
720 struct session *sess, struct stream *s, int flags)
721{
722 struct stksess *ts;
723 struct stktable *t;
724 struct stktable_key *key;
725 struct sample smp;
726 int opt;
727
Christopher Faulet67307792020-02-10 09:54:49 +0100728 opt = SMP_OPT_DIR_REQ;
Christopher Fauletac98d812019-12-18 09:20:16 +0100729 if (flags & ACT_FLAG_FINAL)
730 opt |= SMP_OPT_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100731
Christopher Fauletac98d812019-12-18 09:20:16 +0100732 t = rule->arg.trk_ctr.table.t;
Christopher Faulet67307792020-02-10 09:54:49 +0100733 if (rule->from == ACT_F_TCP_REQ_CNT) { /* L7 rules: use the stream */
734 if (stkctr_entry(&s->stkctr[rule->action]))
735 goto end;
Christopher Fauletac98d812019-12-18 09:20:16 +0100736
Christopher Faulet67307792020-02-10 09:54:49 +0100737 key = stktable_fetch_key(t, s->be, sess, s, opt, rule->arg.trk_ctr.expr, &smp);
Christopher Fauletac98d812019-12-18 09:20:16 +0100738
Christopher Faulet67307792020-02-10 09:54:49 +0100739 if ((smp.flags & SMP_F_MAY_CHANGE) && !(flags & ACT_FLAG_FINAL))
740 return ACT_RET_YIELD; /* key might appear later */
741
742 if (key && (ts = stktable_get_entry(t, key))) {
743 stream_track_stkctr(&s->stkctr[rule->action], t, ts);
Christopher Fauletac98d812019-12-18 09:20:16 +0100744 stkctr_set_flags(&s->stkctr[rule->action], STKCTR_TRACK_CONTENT);
745 if (sess->fe != s->be)
746 stkctr_set_flags(&s->stkctr[rule->action], STKCTR_TRACK_BACKEND);
747 }
748 }
Christopher Faulet67307792020-02-10 09:54:49 +0100749 else { /* L4/L5 rules: use the session */
750 if (stkctr_entry(&sess->stkctr[rule->action]))
751 goto end;
752
753 key = stktable_fetch_key(t, sess->fe, sess, NULL, opt, rule->arg.trk_ctr.expr, NULL);
754 if (key && (ts = stktable_get_entry(t, key)))
755 stream_track_stkctr(&sess->stkctr[rule->action], t, ts);
756 }
Christopher Fauletac98d812019-12-18 09:20:16 +0100757
758 end:
759 return ACT_RET_CONT;
760}
Willy Tarreau39713102016-11-25 15:49:32 +0100761
Christopher Fauletd73b96d2019-12-19 17:27:03 +0100762/* This function executes a capture actions. It executes a fetch expression,
763 * turns the result into a string and puts it in a capture slot. On success, it
764 * returns ACT_RET_CONT. If it must yield, it return ACT_RET_YIELD. Otherwsize
765 * ACT_RET_ERR is returned.
766 */
767static enum act_return tcp_action_capture(struct act_rule *rule, struct proxy *px,
768 struct session *sess, struct stream *s, int flags)
769{
770 struct sample *key;
771 struct cap_hdr *h = rule->arg.cap.hdr;
772 char **cap = s->req_cap;
773 int len, opt;
774
775 opt = ((rule->from == ACT_F_TCP_REQ_CNT) ? SMP_OPT_DIR_REQ : SMP_OPT_DIR_RES);
776 if (flags & ACT_FLAG_FINAL)
777 opt |= SMP_OPT_FINAL;
778
779 key = sample_fetch_as_type(s->be, sess, s, opt, rule->arg.cap.expr, SMP_T_STR);
780 if (!key)
781 goto end;
782
783 if ((key->flags & SMP_F_MAY_CHANGE) && !(flags & ACT_FLAG_FINAL))
784 return ACT_RET_YIELD; /* key might appear later */
785
786 if (cap[h->index] == NULL) {
787 cap[h->index] = pool_alloc(h->pool);
788 if (cap[h->index] == NULL) /* no more capture memory, ignore error */
789 goto end;
790 }
791
792 len = key->data.u.str.data;
793 if (len > h->len)
794 len = h->len;
795
796 memcpy(cap[h->index], key->data.u.str.area, len);
797 cap[h->index][len] = 0;
798
799 end:
800 return ACT_RET_CONT;
801}
802
Christopher Fauletadfc6e82020-01-14 15:05:33 +0100803static void release_tcp_capture(struct act_rule * rule)
804{
805 release_sample_expr(rule->arg.cap.expr);
806}
807
808
809static void release_tcp_track_sc(struct act_rule * rule)
810{
811 release_sample_expr(rule->arg.trk_ctr.expr);
812}
813
Willy Tarreau39713102016-11-25 15:49:32 +0100814/* Parse a tcp-request rule. Return a negative value in case of failure */
815static int tcp_parse_request_rule(char **args, int arg, int section_type,
Willy Tarreau01825162021-03-09 09:53:46 +0100816 struct proxy *curpx, const struct proxy *defpx,
Willy Tarreau39713102016-11-25 15:49:32 +0100817 struct act_rule *rule, char **err,
818 unsigned int where, const char *file, int line)
819{
Christopher Fauletee08d6c2021-10-13 15:40:15 +0200820 if (curpx == defpx && strlen(defpx->id) == 0) {
821 memprintf(err, "%s %s is not allowed in anonymous 'defaults' sections",
822 args[0], args[1]);
Willy Tarreau39713102016-11-25 15:49:32 +0100823 return -1;
824 }
825
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100826 if (strcmp(args[arg], "accept") == 0) {
Willy Tarreau39713102016-11-25 15:49:32 +0100827 arg++;
828 rule->action = ACT_ACTION_ALLOW;
Christopher Faulet245cf792019-12-18 14:58:12 +0100829 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100830 }
Tim Duesterhuse5ff1412021-01-02 22:31:53 +0100831 else if (strcmp(args[arg], "reject") == 0) {
Willy Tarreau39713102016-11-25 15:49:32 +0100832 arg++;
833 rule->action = ACT_ACTION_DENY;
Christopher Faulet245cf792019-12-18 14:58:12 +0100834 rule->flags |= ACT_FLAG_FINAL;
Willy Tarreau39713102016-11-25 15:49:32 +0100835 }
836 else if (strcmp(args[arg], "capture") == 0) {
837 struct sample_expr *expr;
838 struct cap_hdr *hdr;
839 int kw = arg;
840 int len = 0;
841
842 if (!(curpx->cap & PR_CAP_FE)) {
843 memprintf(err,
844 "'%s %s %s' : proxy '%s' has no frontend capability",
845 args[0], args[1], args[kw], curpx->id);
846 return -1;
847 }
848
849 if (!(where & SMP_VAL_FE_REQ_CNT)) {
850 memprintf(err,
851 "'%s %s' is not allowed in '%s %s' rules in %s '%s'",
852 args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id);
853 return -1;
854 }
855
856 arg++;
857
858 curpx->conf.args.ctx = ARGC_CAP;
Willy Tarreaue3b57bf2020-02-14 16:50:14 +0100859 expr = sample_parse_expr(args, &arg, file, line, err, &curpx->conf.args, NULL);
Willy Tarreau39713102016-11-25 15:49:32 +0100860 if (!expr) {
861 memprintf(err,
862 "'%s %s %s' : %s",
863 args[0], args[1], args[kw], *err);
864 return -1;
865 }
866
867 if (!(expr->fetch->val & where)) {
868 memprintf(err,
869 "'%s %s %s' : fetch method '%s' extracts information from '%s', none of which is available here",
870 args[0], args[1], args[kw], args[arg-1], sample_src_names(expr->fetch->use));
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100871 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100872 return -1;
873 }
874
875 if (strcmp(args[arg], "len") == 0) {
876 arg++;
877 if (!args[arg]) {
878 memprintf(err,
879 "'%s %s %s' : missing length value",
880 args[0], args[1], args[kw]);
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100881 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100882 return -1;
883 }
884 /* we copy the table name for now, it will be resolved later */
885 len = atoi(args[arg]);
886 if (len <= 0) {
887 memprintf(err,
888 "'%s %s %s' : length must be > 0",
889 args[0], args[1], args[kw]);
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100890 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100891 return -1;
892 }
893 arg++;
894 }
895
896 if (!len) {
897 memprintf(err,
898 "'%s %s %s' : a positive 'len' argument is mandatory",
899 args[0], args[1], args[kw]);
900 free(expr);
901 return -1;
902 }
903
904 hdr = calloc(1, sizeof(*hdr));
Remi Tricot-Le Breton8cb03362021-05-17 10:08:16 +0200905 if (!hdr) {
906 memprintf(err, "parsing [%s:%d] : out of memory", file, line);
907 release_sample_expr(expr);
908 return -1;
909 }
Willy Tarreau39713102016-11-25 15:49:32 +0100910 hdr->next = curpx->req_cap;
911 hdr->name = NULL; /* not a header capture */
912 hdr->namelen = 0;
913 hdr->len = len;
914 hdr->pool = create_pool("caphdr", hdr->len + 1, MEM_F_SHARED);
915 hdr->index = curpx->nb_req_cap++;
916
917 curpx->req_cap = hdr;
918 curpx->to_log |= LW_REQHDR;
919
Christopher Faulet711ed6a2019-07-16 14:16:10 +0200920 /* check if we need to allocate an http_txn struct for HTTP parsing */
Willy Tarreau39713102016-11-25 15:49:32 +0100921 curpx->http_needed |= !!(expr->fetch->use & SMP_USE_HTTP_ANY);
922
923 rule->arg.cap.expr = expr;
924 rule->arg.cap.hdr = hdr;
Christopher Fauletd73b96d2019-12-19 17:27:03 +0100925 rule->action = ACT_CUSTOM;
926 rule->action_ptr = tcp_action_capture;
927 rule->check_ptr = check_capture;
Christopher Fauletadfc6e82020-01-14 15:05:33 +0100928 rule->release_ptr = release_tcp_capture;
Willy Tarreau39713102016-11-25 15:49:32 +0100929 }
Frédéric Lécaillea41d5312018-01-29 12:05:07 +0100930 else if (strncmp(args[arg], "track-sc", 8) == 0) {
Willy Tarreau39713102016-11-25 15:49:32 +0100931 struct sample_expr *expr;
932 int kw = arg;
Frédéric Lécaillea41d5312018-01-29 12:05:07 +0100933 unsigned int tsc_num;
934 const char *tsc_num_str;
Willy Tarreau39713102016-11-25 15:49:32 +0100935
936 arg++;
937
Frédéric Lécaillea41d5312018-01-29 12:05:07 +0100938 tsc_num_str = &args[kw][8];
939 if (cfg_parse_track_sc_num(&tsc_num, tsc_num_str, tsc_num_str + strlen(tsc_num_str), err) == -1) {
940 memprintf(err, "'%s %s %s' : %s", args[0], args[1], args[kw], *err);
941 return -1;
942 }
943
Willy Tarreau39713102016-11-25 15:49:32 +0100944 curpx->conf.args.ctx = ARGC_TRK;
Willy Tarreaue3b57bf2020-02-14 16:50:14 +0100945 expr = sample_parse_expr(args, &arg, file, line, err, &curpx->conf.args, NULL);
Willy Tarreau39713102016-11-25 15:49:32 +0100946 if (!expr) {
947 memprintf(err,
948 "'%s %s %s' : %s",
949 args[0], args[1], args[kw], *err);
950 return -1;
951 }
952
953 if (!(expr->fetch->val & where)) {
954 memprintf(err,
955 "'%s %s %s' : fetch method '%s' extracts information from '%s', none of which is available here",
956 args[0], args[1], args[kw], args[arg-1], sample_src_names(expr->fetch->use));
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100957 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100958 return -1;
959 }
960
Christopher Faulet711ed6a2019-07-16 14:16:10 +0200961 /* check if we need to allocate an http_txn struct for HTTP parsing */
Willy Tarreau39713102016-11-25 15:49:32 +0100962 curpx->http_needed |= !!(expr->fetch->use & SMP_USE_HTTP_ANY);
963
964 if (strcmp(args[arg], "table") == 0) {
965 arg++;
966 if (!args[arg]) {
967 memprintf(err,
968 "'%s %s %s' : missing table name",
969 args[0], args[1], args[kw]);
Christopher Fauletfdb6fbf2020-01-14 15:05:56 +0100970 release_sample_expr(expr);
Willy Tarreau39713102016-11-25 15:49:32 +0100971 return -1;
972 }
973 /* we copy the table name for now, it will be resolved later */
974 rule->arg.trk_ctr.table.n = strdup(args[arg]);
975 arg++;
976 }
Christopher Fauletac98d812019-12-18 09:20:16 +0100977 rule->action = tsc_num;
Willy Tarreau39713102016-11-25 15:49:32 +0100978 rule->arg.trk_ctr.expr = expr;
Christopher Fauletac98d812019-12-18 09:20:16 +0100979 rule->action_ptr = tcp_action_track_sc;
Christopher Faulet78880fb2017-09-18 14:43:55 +0200980 rule->check_ptr = check_trk_action;
Christopher Fauletadfc6e82020-01-14 15:05:33 +0100981 rule->release_ptr = release_tcp_track_sc;
Willy Tarreau39713102016-11-25 15:49:32 +0100982 }
983 else if (strcmp(args[arg], "expect-proxy") == 0) {
984 if (strcmp(args[arg+1], "layer4") != 0) {
985 memprintf(err,
986 "'%s %s %s' only supports 'layer4' in %s '%s' (got '%s')",
987 args[0], args[1], args[arg], proxy_type_str(curpx), curpx->id, args[arg+1]);
988 return -1;
989 }
990
991 if (!(where & SMP_VAL_FE_CON_ACC)) {
992 memprintf(err,
993 "'%s %s' is not allowed in '%s %s' rules in %s '%s'",
994 args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id);
995 return -1;
996 }
997
998 arg += 2;
999 rule->action = ACT_TCP_EXPECT_PX;
1000 }
1001 else if (strcmp(args[arg], "expect-netscaler-cip") == 0) {
1002 if (strcmp(args[arg+1], "layer4") != 0) {
1003 memprintf(err,
1004 "'%s %s %s' only supports 'layer4' in %s '%s' (got '%s')",
1005 args[0], args[1], args[arg], proxy_type_str(curpx), curpx->id, args[arg+1]);
1006 return -1;
1007 }
1008
1009 if (!(where & SMP_VAL_FE_CON_ACC)) {
1010 memprintf(err,
1011 "'%s %s' is not allowed in '%s %s' rules in %s '%s'",
1012 args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id);
1013 return -1;
1014 }
1015
1016 arg += 2;
1017 rule->action = ACT_TCP_EXPECT_CIP;
1018 }
1019 else {
1020 struct action_kw *kw;
1021 if (where & SMP_VAL_FE_CON_ACC) {
1022 /* L4 */
1023 kw = tcp_req_conn_action(args[arg]);
1024 rule->kw = kw;
Willy Tarreau39713102016-11-25 15:49:32 +01001025 } else if (where & SMP_VAL_FE_SES_ACC) {
1026 /* L5 */
1027 kw = tcp_req_sess_action(args[arg]);
1028 rule->kw = kw;
Willy Tarreau39713102016-11-25 15:49:32 +01001029 } else {
1030 /* L6 */
1031 kw = tcp_req_cont_action(args[arg]);
1032 rule->kw = kw;
Willy Tarreau39713102016-11-25 15:49:32 +01001033 }
1034 if (kw) {
1035 arg++;
1036 if (kw->parse((const char **)args, &arg, curpx, rule, err) == ACT_RET_PRS_ERR)
1037 return -1;
1038 } else {
Christopher Fauleta561ffb2021-03-19 08:53:26 +01001039 const char *extra[] = { "accept", "reject", "capture", "track-sc", "expect-proxy", "expect-netscaler-cip", NULL };
Willy Tarreaudb67b0e2021-03-12 13:46:10 +01001040 const char *best = NULL;
1041
1042
1043 if (where & SMP_VAL_FE_CON_ACC) {
Willy Tarreau39713102016-11-25 15:49:32 +01001044 action_build_list(&tcp_req_conn_keywords, &trash);
Willy Tarreaudb67b0e2021-03-12 13:46:10 +01001045 best = action_suggest(args[arg], &tcp_req_conn_keywords, extra);
1046 }
1047 else if (where & SMP_VAL_FE_SES_ACC) {
Willy Tarreau39713102016-11-25 15:49:32 +01001048 action_build_list(&tcp_req_sess_keywords, &trash);
Willy Tarreaudb67b0e2021-03-12 13:46:10 +01001049 best = action_suggest(args[arg], &tcp_req_sess_keywords, extra);
1050 }
1051 else {
Willy Tarreau39713102016-11-25 15:49:32 +01001052 action_build_list(&tcp_req_cont_keywords, &trash);
Willy Tarreaudb67b0e2021-03-12 13:46:10 +01001053 best = action_suggest(args[arg], &tcp_req_cont_keywords, extra);
1054 }
1055
Willy Tarreau39713102016-11-25 15:49:32 +01001056 memprintf(err,
Christopher Fauleta561ffb2021-03-19 08:53:26 +01001057 "'%s %s' expects 'accept', 'reject', 'capture', 'expect-proxy', 'expect-netscaler-cip', 'track-sc0' ... 'track-sc%d', %s "
Willy Tarreaudb67b0e2021-03-12 13:46:10 +01001058 "in %s '%s' (got '%s').%s%s%s\n",
Willy Tarreau843b7cb2018-07-13 10:54:26 +02001059 args[0], args[1], MAX_SESS_STKCTR-1,
1060 trash.area, proxy_type_str(curpx),
Willy Tarreaudb67b0e2021-03-12 13:46:10 +01001061 curpx->id, args[arg],
1062 best ? " Did you mean '" : "",
1063 best ? best : "",
1064 best ? "' maybe ?" : "");
Willy Tarreau39713102016-11-25 15:49:32 +01001065 return -1;
1066 }
1067 }
1068
1069 if (strcmp(args[arg], "if") == 0 || strcmp(args[arg], "unless") == 0) {
Christopher Faulet1b421ea2017-09-22 14:38:56 +02001070 if ((rule->cond = build_acl_cond(file, line, &curpx->acl, curpx, (const char **)args+arg, err)) == NULL) {
Willy Tarreau39713102016-11-25 15:49:32 +01001071 memprintf(err,
1072 "'%s %s %s' : error detected in %s '%s' while parsing '%s' condition : %s",
1073 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg], *err);
1074 return -1;
1075 }
1076 }
1077 else if (*args[arg]) {
1078 memprintf(err,
1079 "'%s %s %s' only accepts 'if' or 'unless', in %s '%s' (got '%s')",
1080 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg]);
1081 return -1;
1082 }
1083 return 0;
1084}
1085
1086/* This function should be called to parse a line starting with the "tcp-response"
1087 * keyword.
1088 */
1089static int tcp_parse_tcp_rep(char **args, int section_type, struct proxy *curpx,
Willy Tarreau01825162021-03-09 09:53:46 +01001090 const struct proxy *defpx, const char *file, int line,
Willy Tarreau39713102016-11-25 15:49:32 +01001091 char **err)
1092{
1093 const char *ptr = NULL;
1094 unsigned int val;
1095 int warn = 0;
1096 int arg;
1097 struct act_rule *rule;
1098 unsigned int where;
1099 const struct acl *acl;
1100 const char *kw;
1101
1102 if (!*args[1]) {
1103 memprintf(err, "missing argument for '%s' in %s '%s'",
1104 args[0], proxy_type_str(curpx), curpx->id);
1105 return -1;
1106 }
1107
1108 if (strcmp(args[1], "inspect-delay") == 0) {
Christopher Fauletee08d6c2021-10-13 15:40:15 +02001109 if ((curpx == defpx && strlen(defpx->id) == 0) || !(curpx->cap & PR_CAP_BE)) {
1110 memprintf(err, "%s %s is only allowed in 'backend' sections or 'defaults' section with a name",
Willy Tarreau39713102016-11-25 15:49:32 +01001111 args[0], args[1]);
1112 return -1;
1113 }
1114
1115 if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
1116 memprintf(err,
1117 "'%s %s' expects a positive delay in milliseconds, in %s '%s'",
1118 args[0], args[1], proxy_type_str(curpx), curpx->id);
Willy Tarreau9faebe32019-06-07 19:00:37 +02001119
1120 if (ptr == PARSE_TIME_OVER)
1121 memprintf(err, "%s (timer overflow in '%s', maximum value is 2147483647 ms or ~24.8 days)", *err, args[2]);
1122 else if (ptr == PARSE_TIME_UNDER)
1123 memprintf(err, "%s (timer underflow in '%s', minimum non-null value is 1 ms)", *err, args[2]);
1124 else if (ptr)
Willy Tarreau39713102016-11-25 15:49:32 +01001125 memprintf(err, "%s (unexpected character '%c')", *err, *ptr);
1126 return -1;
1127 }
1128
1129 if (curpx->tcp_rep.inspect_delay) {
1130 memprintf(err, "ignoring %s %s (was already defined) in %s '%s'",
1131 args[0], args[1], proxy_type_str(curpx), curpx->id);
1132 return 1;
1133 }
1134 curpx->tcp_rep.inspect_delay = val;
1135 return 0;
1136 }
1137
Willy Tarreaud535f802021-10-11 08:49:26 +02001138 rule = new_act_rule(ACT_F_TCP_RES_CNT, file, line);
Remi Tricot-Le Breton2ca42b42021-05-12 18:24:18 +02001139 if (!rule) {
1140 memprintf(err, "parsing [%s:%d] : out of memory", file, line);
1141 return -1;
1142 }
Willy Tarreau39713102016-11-25 15:49:32 +01001143 LIST_INIT(&rule->list);
1144 arg = 1;
1145 where = 0;
1146
1147 if (strcmp(args[1], "content") == 0) {
1148 arg++;
1149
1150 if (curpx->cap & PR_CAP_FE)
1151 where |= SMP_VAL_FE_RES_CNT;
1152 if (curpx->cap & PR_CAP_BE)
1153 where |= SMP_VAL_BE_RES_CNT;
Willy Tarreau39713102016-11-25 15:49:32 +01001154 if (tcp_parse_response_rule(args, arg, section_type, curpx, defpx, rule, err, where, file, line) < 0)
1155 goto error;
1156
1157 acl = rule->cond ? acl_cond_conflicts(rule->cond, where) : NULL;
1158 if (acl) {
1159 if (acl->name && *acl->name)
1160 memprintf(err,
1161 "acl '%s' will never match in '%s %s' because it only involves keywords that are incompatible with '%s'",
1162 acl->name, args[0], args[1], sample_ckp_names(where));
1163 else
1164 memprintf(err,
1165 "anonymous acl will never match in '%s %s' because it uses keyword '%s' which is incompatible with '%s'",
1166 args[0], args[1],
1167 LIST_ELEM(acl->expr.n, struct acl_expr *, list)->kw,
1168 sample_ckp_names(where));
1169
1170 warn++;
1171 }
1172 else if (rule->cond && acl_cond_kw_conflicts(rule->cond, where, &acl, &kw)) {
1173 if (acl->name && *acl->name)
1174 memprintf(err,
1175 "acl '%s' involves keyword '%s' which is incompatible with '%s'",
1176 acl->name, kw, sample_ckp_names(where));
1177 else
1178 memprintf(err,
1179 "anonymous acl involves keyword '%s' which is incompatible with '%s'",
1180 kw, sample_ckp_names(where));
1181 warn++;
1182 }
1183
Willy Tarreau2b718102021-04-21 07:32:39 +02001184 LIST_APPEND(&curpx->tcp_rep.inspect_rules, &rule->list);
Willy Tarreau39713102016-11-25 15:49:32 +01001185 }
1186 else {
1187 memprintf(err,
1188 "'%s' expects 'inspect-delay' or 'content' in %s '%s' (got '%s')",
1189 args[0], proxy_type_str(curpx), curpx->id, args[1]);
1190 goto error;
1191 }
1192
1193 return warn;
1194 error:
1195 free(rule);
1196 return -1;
1197}
1198
1199
1200/* This function should be called to parse a line starting with the "tcp-request"
1201 * keyword.
1202 */
1203static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
Willy Tarreau01825162021-03-09 09:53:46 +01001204 const struct proxy *defpx, const char *file, int line,
Willy Tarreau39713102016-11-25 15:49:32 +01001205 char **err)
1206{
1207 const char *ptr = NULL;
1208 unsigned int val;
1209 int warn = 0;
1210 int arg;
1211 struct act_rule *rule;
1212 unsigned int where;
1213 const struct acl *acl;
1214 const char *kw;
1215
1216 if (!*args[1]) {
1217 if (curpx == defpx)
1218 memprintf(err, "missing argument for '%s' in defaults section", args[0]);
1219 else
1220 memprintf(err, "missing argument for '%s' in %s '%s'",
1221 args[0], proxy_type_str(curpx), curpx->id);
1222 return -1;
1223 }
1224
Tim Duesterhuse5ff1412021-01-02 22:31:53 +01001225 if (strcmp(args[1], "inspect-delay") == 0) {
Christopher Fauletee08d6c2021-10-13 15:40:15 +02001226 if (curpx == defpx && strlen(defpx->id) == 0) {
1227 memprintf(err, "%s %s is not allowed in anonymous 'defaults' sections",
1228 args[0], args[1]);
Willy Tarreau39713102016-11-25 15:49:32 +01001229 return -1;
1230 }
1231
1232 if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
1233 memprintf(err,
1234 "'%s %s' expects a positive delay in milliseconds, in %s '%s'",
1235 args[0], args[1], proxy_type_str(curpx), curpx->id);
Willy Tarreau9faebe32019-06-07 19:00:37 +02001236
1237 if (ptr == PARSE_TIME_OVER)
1238 memprintf(err, "%s (timer overflow in '%s', maximum value is 2147483647 ms or ~24.8 days)", *err, args[2]);
1239 else if (ptr == PARSE_TIME_UNDER)
1240 memprintf(err, "%s (timer underflow in '%s', minimum non-null value is 1 ms)", *err, args[2]);
1241 else if (ptr)
Willy Tarreau39713102016-11-25 15:49:32 +01001242 memprintf(err, "%s (unexpected character '%c')", *err, *ptr);
1243 return -1;
1244 }
1245
1246 if (curpx->tcp_req.inspect_delay) {
1247 memprintf(err, "ignoring %s %s (was already defined) in %s '%s'",
1248 args[0], args[1], proxy_type_str(curpx), curpx->id);
1249 return 1;
1250 }
1251 curpx->tcp_req.inspect_delay = val;
1252 return 0;
1253 }
1254
Willy Tarreaud535f802021-10-11 08:49:26 +02001255 rule = new_act_rule(0, file, line);
Remi Tricot-Le Breton2ca42b42021-05-12 18:24:18 +02001256 if (!rule) {
1257 memprintf(err, "parsing [%s:%d] : out of memory", file, line);
1258 return -1;
1259 }
Willy Tarreau39713102016-11-25 15:49:32 +01001260 LIST_INIT(&rule->list);
1261 arg = 1;
1262 where = 0;
1263
1264 if (strcmp(args[1], "content") == 0) {
1265 arg++;
1266
1267 if (curpx->cap & PR_CAP_FE)
1268 where |= SMP_VAL_FE_REQ_CNT;
1269 if (curpx->cap & PR_CAP_BE)
1270 where |= SMP_VAL_BE_REQ_CNT;
Christopher Fauletcb9106b2019-12-19 15:23:17 +01001271 rule->from = ACT_F_TCP_REQ_CNT;
Willy Tarreau39713102016-11-25 15:49:32 +01001272 if (tcp_parse_request_rule(args, arg, section_type, curpx, defpx, rule, err, where, file, line) < 0)
1273 goto error;
1274
1275 acl = rule->cond ? acl_cond_conflicts(rule->cond, where) : NULL;
1276 if (acl) {
1277 if (acl->name && *acl->name)
1278 memprintf(err,
1279 "acl '%s' will never match in '%s %s' because it only involves keywords that are incompatible with '%s'",
1280 acl->name, args[0], args[1], sample_ckp_names(where));
1281 else
1282 memprintf(err,
1283 "anonymous acl will never match in '%s %s' because it uses keyword '%s' which is incompatible with '%s'",
1284 args[0], args[1],
1285 LIST_ELEM(acl->expr.n, struct acl_expr *, list)->kw,
1286 sample_ckp_names(where));
1287
1288 warn++;
1289 }
1290 else if (rule->cond && acl_cond_kw_conflicts(rule->cond, where, &acl, &kw)) {
1291 if (acl->name && *acl->name)
1292 memprintf(err,
1293 "acl '%s' involves keyword '%s' which is incompatible with '%s'",
1294 acl->name, kw, sample_ckp_names(where));
1295 else
1296 memprintf(err,
1297 "anonymous acl involves keyword '%s' which is incompatible with '%s'",
1298 kw, sample_ckp_names(where));
1299 warn++;
1300 }
1301
1302 /* the following function directly emits the warning */
1303 warnif_misplaced_tcp_cont(curpx, file, line, args[0]);
Willy Tarreau2b718102021-04-21 07:32:39 +02001304 LIST_APPEND(&curpx->tcp_req.inspect_rules, &rule->list);
Willy Tarreau39713102016-11-25 15:49:32 +01001305 }
1306 else if (strcmp(args[1], "connection") == 0) {
1307 arg++;
1308
1309 if (!(curpx->cap & PR_CAP_FE)) {
1310 memprintf(err, "%s %s is not allowed because %s %s is not a frontend",
1311 args[0], args[1], proxy_type_str(curpx), curpx->id);
1312 goto error;
1313 }
1314
1315 where |= SMP_VAL_FE_CON_ACC;
Christopher Fauletcb9106b2019-12-19 15:23:17 +01001316 rule->from = ACT_F_TCP_REQ_CON;
Willy Tarreau39713102016-11-25 15:49:32 +01001317 if (tcp_parse_request_rule(args, arg, section_type, curpx, defpx, rule, err, where, file, line) < 0)
1318 goto error;
1319
1320 acl = rule->cond ? acl_cond_conflicts(rule->cond, where) : NULL;
1321 if (acl) {
1322 if (acl->name && *acl->name)
1323 memprintf(err,
1324 "acl '%s' will never match in '%s %s' because it only involves keywords that are incompatible with '%s'",
1325 acl->name, args[0], args[1], sample_ckp_names(where));
1326 else
1327 memprintf(err,
1328 "anonymous acl will never match in '%s %s' because it uses keyword '%s' which is incompatible with '%s'",
1329 args[0], args[1],
1330 LIST_ELEM(acl->expr.n, struct acl_expr *, list)->kw,
1331 sample_ckp_names(where));
1332
1333 warn++;
1334 }
1335 else if (rule->cond && acl_cond_kw_conflicts(rule->cond, where, &acl, &kw)) {
1336 if (acl->name && *acl->name)
1337 memprintf(err,
1338 "acl '%s' involves keyword '%s' which is incompatible with '%s'",
1339 acl->name, kw, sample_ckp_names(where));
1340 else
1341 memprintf(err,
1342 "anonymous acl involves keyword '%s' which is incompatible with '%s'",
1343 kw, sample_ckp_names(where));
1344 warn++;
1345 }
1346
1347 /* the following function directly emits the warning */
1348 warnif_misplaced_tcp_conn(curpx, file, line, args[0]);
Willy Tarreau2b718102021-04-21 07:32:39 +02001349 LIST_APPEND(&curpx->tcp_req.l4_rules, &rule->list);
Willy Tarreau39713102016-11-25 15:49:32 +01001350 }
1351 else if (strcmp(args[1], "session") == 0) {
1352 arg++;
1353
1354 if (!(curpx->cap & PR_CAP_FE)) {
1355 memprintf(err, "%s %s is not allowed because %s %s is not a frontend",
1356 args[0], args[1], proxy_type_str(curpx), curpx->id);
1357 goto error;
1358 }
1359
1360 where |= SMP_VAL_FE_SES_ACC;
Christopher Fauletcb9106b2019-12-19 15:23:17 +01001361 rule->from = ACT_F_TCP_REQ_SES;
Willy Tarreau39713102016-11-25 15:49:32 +01001362 if (tcp_parse_request_rule(args, arg, section_type, curpx, defpx, rule, err, where, file, line) < 0)
1363 goto error;
1364
1365 acl = rule->cond ? acl_cond_conflicts(rule->cond, where) : NULL;
1366 if (acl) {
1367 if (acl->name && *acl->name)
1368 memprintf(err,
1369 "acl '%s' will never match in '%s %s' because it only involves keywords that are incompatible with '%s'",
1370 acl->name, args[0], args[1], sample_ckp_names(where));
1371 else
1372 memprintf(err,
1373 "anonymous acl will never match in '%s %s' because it uses keyword '%s' which is incompatible with '%s'",
1374 args[0], args[1],
1375 LIST_ELEM(acl->expr.n, struct acl_expr *, list)->kw,
1376 sample_ckp_names(where));
1377 warn++;
1378 }
1379 else if (rule->cond && acl_cond_kw_conflicts(rule->cond, where, &acl, &kw)) {
1380 if (acl->name && *acl->name)
1381 memprintf(err,
1382 "acl '%s' involves keyword '%s' which is incompatible with '%s'",
1383 acl->name, kw, sample_ckp_names(where));
1384 else
1385 memprintf(err,
1386 "anonymous acl involves keyword '%s' which is incompatible with '%s'",
1387 kw, sample_ckp_names(where));
1388 warn++;
1389 }
1390
1391 /* the following function directly emits the warning */
1392 warnif_misplaced_tcp_sess(curpx, file, line, args[0]);
Willy Tarreau2b718102021-04-21 07:32:39 +02001393 LIST_APPEND(&curpx->tcp_req.l5_rules, &rule->list);
Willy Tarreau39713102016-11-25 15:49:32 +01001394 }
1395 else {
1396 if (curpx == defpx)
1397 memprintf(err,
1398 "'%s' expects 'inspect-delay', 'connection', or 'content' in defaults section (got '%s')",
1399 args[0], args[1]);
1400 else
1401 memprintf(err,
1402 "'%s' expects 'inspect-delay', 'connection', or 'content' in %s '%s' (got '%s')",
1403 args[0], proxy_type_str(curpx), curpx->id, args[1]);
1404 goto error;
1405 }
1406
1407 return warn;
1408 error:
1409 free(rule);
1410 return -1;
1411}
1412
1413static struct cfg_kw_list cfg_kws = {ILH, {
1414 { CFG_LISTEN, "tcp-request", tcp_parse_tcp_req },
1415 { CFG_LISTEN, "tcp-response", tcp_parse_tcp_rep },
1416 { 0, NULL, NULL },
1417}};
1418
Willy Tarreau0108d902018-11-25 19:14:37 +01001419INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
Willy Tarreau39713102016-11-25 15:49:32 +01001420
1421/*
1422 * Local variables:
1423 * c-indent-level: 8
1424 * c-basic-offset: 8
1425 * End:
1426 */