Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 9baae63d8d20067f97a7263e6317639e09fef800 / . / src / acl.c
blob: 2e23e30c3961cdd06f3a9cee71748a9c9f49649c [file] [log] [blame]
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1/*
2 * ACL management functions.
3 *
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100[diff] [blame]4 * Copyright 2000-2013 Willy Tarreau <w@1wt.eu>
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]13#include <ctype.h>
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]14#include <stdio.h>
15#include <string.h>
16
17#include <common/config.h>
18#include <common/mini-clist.h>
19#include <common/standard.h>
Krzysztof Piotr Oledzki8c8bd452010-01-29 19:29:32 +0100[diff] [blame]20#include <common/uri_auth.h>
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]21
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]22#include <types/global.h>
23
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]24#include <proto/acl.h>
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]25#include <proto/arg.h>
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]26#include <proto/auth.h>
Willy Tarreauc7e42382012-08-24 19:22:53 +0200[diff] [blame]27#include <proto/channel.h>
Willy Tarreau404e8ab2009-07-26 19:40:40 +0200[diff] [blame]28#include <proto/log.h>
Willy Tarreau0b1cd942010-05-16 22:18:27 +0200[diff] [blame]29#include <proto/proxy.h>
Willy Tarreau8ed669b2013-01-11 15:49:37 +0100[diff] [blame]30#include <proto/sample.h>
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]31#include <proto/stick_table.h>
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]32
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]33#include <ebsttree.h>
34
Willy Tarreaua9802632008-07-25 19:13:19 +0200[diff] [blame]35/* The capabilities of filtering hooks describe the type of information
36 * available to each of them.
37 */
38const unsigned int filt_cap[] = {
39 [ACL_HOOK_REQ_FE_TCP] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY,
Willy Tarreau06457872010-05-23 12:24:38 +0200[diff] [blame]40 [ACL_HOOK_REQ_FE_TCP_CONTENT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY,
41 [ACL_HOOK_REQ_FE_HTTP_IN] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
42 [ACL_HOOK_REQ_FE_SWITCH] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
43 [ACL_HOOK_REQ_BE_TCP_CONTENT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
44 [ACL_HOOK_REQ_BE_HTTP_IN] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
45 [ACL_HOOK_REQ_BE_SWITCH] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
46 [ACL_HOOK_REQ_FE_HTTP_OUT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
47 [ACL_HOOK_REQ_BE_HTTP_OUT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
Willy Tarreaua9802632008-07-25 19:13:19 +0200[diff] [blame]48
Willy Tarreau06457872010-05-23 12:24:38 +0200[diff] [blame]49 [ACL_HOOK_RTR_BE_TCP_CONTENT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY,
50 [ACL_HOOK_RTR_BE_HTTP_IN] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
51 [ACL_HOOK_RTR_FE_TCP_CONTENT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
52 [ACL_HOOK_RTR_FE_HTTP_IN] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
53 [ACL_HOOK_RTR_BE_HTTP_OUT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
54 [ACL_HOOK_RTR_FE_HTTP_OUT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
Willy Tarreaua9802632008-07-25 19:13:19 +0200[diff] [blame]55};
56
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]57/* List head of all known ACL keywords */
58static struct acl_kw_list acl_keywords = {
59 .list = LIST_HEAD_INIT(acl_keywords.list)
60};
61
62
Willy Tarreaua5909832007-06-17 20:40:25 +0200[diff] [blame]63/*
Willy Tarreau58393e12008-07-20 10:39:22 +0200[diff] [blame]64 * These functions are exported and may be used by any other component.
65 */
66
67/* ignore the current line */
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]68int acl_parse_nothing(const char **text, struct acl_pattern *pattern, int *opaque, char **err)
Willy Tarreaua5909832007-06-17 20:40:25 +0200[diff] [blame]69{
Willy Tarreau58393e12008-07-20 10:39:22 +0200[diff] [blame]70 return 1;
71}
72
Willy Tarreaua5909832007-06-17 20:40:25 +0200[diff] [blame]73/* always return false */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]74int acl_match_nothing(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreaua5909832007-06-17 20:40:25 +0200[diff] [blame]75{
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]76 return ACL_PAT_FAIL;
Willy Tarreaua5909832007-06-17 20:40:25 +0200[diff] [blame]77}
78
79
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]80/* NB: For two strings to be identical, it is required that their lengths match */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]81int acl_match_str(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]82{
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]83 int icase;
84
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]85 if (pattern->len != smp->data.str.len)
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]86 return ACL_PAT_FAIL;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]87
88 icase = pattern->flags & ACL_PAT_F_IGNORE_CASE;
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]89 if ((icase && strncasecmp(pattern->ptr.str, smp->data.str.str, smp->data.str.len) == 0) ||
90 (!icase && strncmp(pattern->ptr.str, smp->data.str.str, smp->data.str.len) == 0))
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]91 return ACL_PAT_PASS;
92 return ACL_PAT_FAIL;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]93}
94
Emeric Brun07ca4962012-10-17 13:38:19 +0200[diff] [blame]95/* NB: For two binaries buf to be identical, it is required that their lengths match */
96int acl_match_bin(struct sample *smp, struct acl_pattern *pattern)
97{
98 if (pattern->len != smp->data.str.len)
99 return ACL_PAT_FAIL;
100
101 if (memcmp(pattern->ptr.str, smp->data.str.str, smp->data.str.len) == 0)
102 return ACL_PAT_PASS;
103 return ACL_PAT_FAIL;
104}
105
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]106/* Lookup a string in the expression's pattern tree. The node is returned if it
107 * exists, otherwise NULL.
108 */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]109static void *acl_lookup_str(struct sample *smp, struct acl_expr *expr)
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]110{
111 /* data are stored in a tree */
112 struct ebmb_node *node;
113 char prev;
114
115 /* we may have to force a trailing zero on the test pattern */
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]116 prev = smp->data.str.str[smp->data.str.len];
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]117 if (prev)
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]118 smp->data.str.str[smp->data.str.len] = '\0';
119 node = ebst_lookup(&expr->pattern_tree, smp->data.str.str);
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]120 if (prev)
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]121 smp->data.str.str[smp->data.str.len] = prev;
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]122 return node;
123}
124
Willy Tarreau21e5b0e2012-04-23 19:25:44 +0200[diff] [blame]125/* Executes a regex. It temporarily changes the data to add a trailing zero,
126 * and restores the previous character when leaving.
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]127 */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]128int acl_match_reg(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]129{
130 char old_char;
131 int ret;
132
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]133 old_char = smp->data.str.str[smp->data.str.len];
134 smp->data.str.str[smp->data.str.len] = 0;
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]135
Hiroaki Nakamura70351322013-01-13 15:00:42 +0900[diff] [blame]136 if (regex_exec(pattern->ptr.reg, smp->data.str.str, smp->data.str.len) == 0)
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]137 ret = ACL_PAT_PASS;
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]138 else
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]139 ret = ACL_PAT_FAIL;
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]140
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]141 smp->data.str.str[smp->data.str.len] = old_char;
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]142 return ret;
143}
144
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]145/* Checks that the pattern matches the beginning of the tested string. */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]146int acl_match_beg(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]147{
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]148 int icase;
149
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]150 if (pattern->len > smp->data.str.len)
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]151 return ACL_PAT_FAIL;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]152
153 icase = pattern->flags & ACL_PAT_F_IGNORE_CASE;
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]154 if ((icase && strncasecmp(pattern->ptr.str, smp->data.str.str, pattern->len) != 0) ||
155 (!icase && strncmp(pattern->ptr.str, smp->data.str.str, pattern->len) != 0))
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]156 return ACL_PAT_FAIL;
157 return ACL_PAT_PASS;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]158}
159
160/* Checks that the pattern matches the end of the tested string. */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]161int acl_match_end(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]162{
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]163 int icase;
164
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]165 if (pattern->len > smp->data.str.len)
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]166 return ACL_PAT_FAIL;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]167 icase = pattern->flags & ACL_PAT_F_IGNORE_CASE;
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]168 if ((icase && strncasecmp(pattern->ptr.str, smp->data.str.str + smp->data.str.len - pattern->len, pattern->len) != 0) ||
169 (!icase && strncmp(pattern->ptr.str, smp->data.str.str + smp->data.str.len - pattern->len, pattern->len) != 0))
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]170 return ACL_PAT_FAIL;
171 return ACL_PAT_PASS;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]172}
173
174/* Checks that the pattern is included inside the tested string.
175 * NB: Suboptimal, should be rewritten using a Boyer-Moore method.
176 */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]177int acl_match_sub(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]178{
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]179 int icase;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]180 char *end;
181 char *c;
182
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]183 if (pattern->len > smp->data.str.len)
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]184 return ACL_PAT_FAIL;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]185
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]186 end = smp->data.str.str + smp->data.str.len - pattern->len;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]187 icase = pattern->flags & ACL_PAT_F_IGNORE_CASE;
188 if (icase) {
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]189 for (c = smp->data.str.str; c <= end; c++) {
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]190 if (tolower(*c) != tolower(*pattern->ptr.str))
191 continue;
192 if (strncasecmp(pattern->ptr.str, c, pattern->len) == 0)
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]193 return ACL_PAT_PASS;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]194 }
195 } else {
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]196 for (c = smp->data.str.str; c <= end; c++) {
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]197 if (*c != *pattern->ptr.str)
198 continue;
199 if (strncmp(pattern->ptr.str, c, pattern->len) == 0)
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]200 return ACL_PAT_PASS;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]201 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]202 }
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]203 return ACL_PAT_FAIL;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]204}
205
Finn Arne Gangstade8c7ecc2011-09-09 16:09:50 +0200[diff] [blame]206/* Background: Fast way to find a zero byte in a word
207 * http://graphics.stanford.edu/~seander/bithacks.html#ZeroInWord
208 * hasZeroByte = (v - 0x01010101UL) & ~v & 0x80808080UL;
209 *
210 * To look for 4 different byte values, xor the word with those bytes and
211 * then check for zero bytes:
212 *
213 * v = (((unsigned char)c * 0x1010101U) ^ delimiter)
214 * where <delimiter> is the 4 byte values to look for (as an uint)
215 * and <c> is the character that is being tested
216 */
217static inline unsigned int is_delimiter(unsigned char c, unsigned int mask)
218{
219 mask ^= (c * 0x01010101); /* propagate the char to all 4 bytes */
220 return (mask - 0x01010101) & ~mask & 0x80808080U;
221}
222
223static inline unsigned int make_4delim(unsigned char d1, unsigned char d2, unsigned char d3, unsigned char d4)
224{
225 return d1 << 24 | d2 << 16 | d3 << 8 | d4;
226}
227
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]228/* This one is used by other real functions. It checks that the pattern is
229 * included inside the tested string, but enclosed between the specified
Finn Arne Gangstade8c7ecc2011-09-09 16:09:50 +0200[diff] [blame]230 * delimiters or at the beginning or end of the string. The delimiters are
231 * provided as an unsigned int made by make_4delim() and match up to 4 different
232 * delimiters. Delimiters are stripped at the beginning and end of the pattern.
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]233 */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]234static int match_word(struct sample *smp, struct acl_pattern *pattern, unsigned int delimiters)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]235{
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]236 int may_match, icase;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]237 char *c, *end;
238 char *ps;
239 int pl;
240
241 pl = pattern->len;
242 ps = pattern->ptr.str;
Finn Arne Gangstade8c7ecc2011-09-09 16:09:50 +0200[diff] [blame]243
244 while (pl > 0 && is_delimiter(*ps, delimiters)) {
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]245 pl--;
246 ps++;
247 }
248
Finn Arne Gangstade8c7ecc2011-09-09 16:09:50 +0200[diff] [blame]249 while (pl > 0 && is_delimiter(ps[pl - 1], delimiters))
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]250 pl--;
251
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]252 if (pl > smp->data.str.len)
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]253 return ACL_PAT_FAIL;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]254
255 may_match = 1;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]256 icase = pattern->flags & ACL_PAT_F_IGNORE_CASE;
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]257 end = smp->data.str.str + smp->data.str.len - pl;
258 for (c = smp->data.str.str; c <= end; c++) {
Finn Arne Gangstade8c7ecc2011-09-09 16:09:50 +0200[diff] [blame]259 if (is_delimiter(*c, delimiters)) {
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]260 may_match = 1;
261 continue;
262 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]263
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]264 if (!may_match)
265 continue;
266
267 if (icase) {
268 if ((tolower(*c) == tolower(*ps)) &&
269 (strncasecmp(ps, c, pl) == 0) &&
Finn Arne Gangstade8c7ecc2011-09-09 16:09:50 +0200[diff] [blame]270 (c == end || is_delimiter(c[pl], delimiters)))
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]271 return ACL_PAT_PASS;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]272 } else {
273 if ((*c == *ps) &&
274 (strncmp(ps, c, pl) == 0) &&
Finn Arne Gangstade8c7ecc2011-09-09 16:09:50 +0200[diff] [blame]275 (c == end || is_delimiter(c[pl], delimiters)))
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]276 return ACL_PAT_PASS;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]277 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]278 may_match = 0;
279 }
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]280 return ACL_PAT_FAIL;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]281}
282
283/* Checks that the pattern is included inside the tested string, but enclosed
Finn Arne Gangstade8c7ecc2011-09-09 16:09:50 +0200[diff] [blame]284 * between the delimiters '?' or '/' or at the beginning or end of the string.
285 * Delimiters at the beginning or end of the pattern are ignored.
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]286 */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]287int acl_match_dir(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]288{
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]289 return match_word(smp, pattern, make_4delim('/', '?', '?', '?'));
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]290}
291
292/* Checks that the pattern is included inside the tested string, but enclosed
Finn Arne Gangstade8c7ecc2011-09-09 16:09:50 +0200[diff] [blame]293 * between the delmiters '/', '?', '.' or ":" or at the beginning or end of
294 * the string. Delimiters at the beginning or end of the pattern are ignored.
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]295 */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]296int acl_match_dom(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]297{
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]298 return match_word(smp, pattern, make_4delim('/', '?', '.', ':'));
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]299}
300
301/* Checks that the integer in <test> is included between min and max */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]302int acl_match_int(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]303{
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]304 if ((!pattern->val.range.min_set || pattern->val.range.min <= smp->data.uint) &&
305 (!pattern->val.range.max_set || smp->data.uint <= pattern->val.range.max))
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]306 return ACL_PAT_PASS;
307 return ACL_PAT_FAIL;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]308}
309
Willy Tarreau0e698542011-09-16 08:32:32 +0200[diff] [blame]310/* Checks that the length of the pattern in <test> is included between min and max */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]311int acl_match_len(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreau0e698542011-09-16 08:32:32 +0200[diff] [blame]312{
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]313 if ((!pattern->val.range.min_set || pattern->val.range.min <= smp->data.str.len) &&
314 (!pattern->val.range.max_set || smp->data.str.len <= pattern->val.range.max))
Willy Tarreau0e698542011-09-16 08:32:32 +0200[diff] [blame]315 return ACL_PAT_PASS;
316 return ACL_PAT_FAIL;
317}
318
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]319int acl_match_ip(struct sample *smp, struct acl_pattern *pattern)
Willy Tarreaua67fad92007-05-08 19:50:09 +0200[diff] [blame]320{
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200[diff] [blame]321 unsigned int v4; /* in network byte order */
322 struct in6_addr *v6;
323 int bits, pos;
324 struct in6_addr tmp6;
Willy Tarreaua67fad92007-05-08 19:50:09 +0200[diff] [blame]325
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200[diff] [blame]326 if (pattern->type == SMP_T_IPV4) {
327 if (smp->type == SMP_T_IPV4) {
328 v4 = smp->data.ipv4.s_addr;
329 }
330 else if (smp->type == SMP_T_IPV6) {
331 /* v4 match on a V6 sample. We want to check at least for
332 * the following forms :
333 * - ::ffff:ip:v4 (ipv4 mapped)
334 * - ::0000:ip:v4 (old ipv4 mapped)
335 * - 2002:ip:v4:: (6to4)
336 */
337 if (*(uint32_t*)&smp->data.ipv6.s6_addr[0] == 0 &&
338 *(uint32_t*)&smp->data.ipv6.s6_addr[4] == 0 &&
339 (*(uint32_t*)&smp->data.ipv6.s6_addr[8] == 0 ||
340 *(uint32_t*)&smp->data.ipv6.s6_addr[8] == htonl(0xFFFF))) {
341 v4 = *(uint32_t*)&smp->data.ipv6.s6_addr[12];
342 }
343 else if (*(uint16_t*)&smp->data.ipv6.s6_addr[0] == htons(0x2002)) {
344 v4 = htonl((ntohs(*(uint16_t*)&smp->data.ipv6.s6_addr[2]) << 16) +
345 ntohs(*(uint16_t*)&smp->data.ipv6.s6_addr[4]));
346 }
347 else
348 return ACL_PAT_FAIL;
349 }
350 else
351 return ACL_PAT_FAIL;
Willy Tarreaua67fad92007-05-08 19:50:09 +0200[diff] [blame]352
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200[diff] [blame]353 if (((v4 ^ pattern->val.ipv4.addr.s_addr) & pattern->val.ipv4.mask.s_addr) == 0)
354 return ACL_PAT_PASS;
355 else
356 return ACL_PAT_FAIL;
357 }
358 else if (pattern->type == SMP_T_IPV6) {
359 if (smp->type == SMP_T_IPV4) {
360 /* Convert the IPv4 sample address to IPv4 with the
361 * mapping method using the ::ffff: prefix.
362 */
363 memset(&tmp6, 0, 10);
364 *(uint16_t*)&tmp6.s6_addr[10] = htons(0xffff);
365 *(uint32_t*)&tmp6.s6_addr[12] = smp->data.ipv4.s_addr;
366 v6 = &tmp6;
367 }
368 else if (smp->type == SMP_T_IPV6) {
369 v6 = &smp->data.ipv6;
370 }
371 else {
372 return ACL_PAT_FAIL;
373 }
374
375 bits = pattern->val.ipv6.mask;
376 for (pos = 0; bits > 0; pos += 4, bits -= 32) {
377 v4 = *(uint32_t*)&v6->s6_addr[pos] ^ *(uint32_t*)&pattern->val.ipv6.addr.s6_addr[pos];
378 if (bits < 32)
Cyril Bonté4c01beb2012-10-23 21:28:31 +0200[diff] [blame]379 v4 &= htonl((~0U) << (32-bits));
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200[diff] [blame]380 if (v4)
381 return ACL_PAT_FAIL;
382 }
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]383 return ACL_PAT_PASS;
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200[diff] [blame]384 }
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]385 return ACL_PAT_FAIL;
Willy Tarreaua67fad92007-05-08 19:50:09 +0200[diff] [blame]386}
387
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]388/* Lookup an IPv4 address in the expression's pattern tree using the longest
389 * match method. The node is returned if it exists, otherwise NULL.
390 */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]391static void *acl_lookup_ip(struct sample *smp, struct acl_expr *expr)
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]392{
393 struct in_addr *s;
394
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]395 if (smp->type != SMP_T_IPV4)
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]396 return ACL_PAT_FAIL;
397
Willy Tarreauf853c462012-04-23 18:53:56 +0200[diff] [blame]398 s = &smp->data.ipv4;
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]399 return ebmb_lookup_longest(&expr->pattern_tree, &s->s_addr);
400}
401
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]402/* Parse a string. It is allocated and duplicated. */
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]403int acl_parse_str(const char **text, struct acl_pattern *pattern, int *opaque, char **err)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]404{
405 int len;
406
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]407 len = strlen(*text);
Willy Tarreauc92ddbc2012-04-27 22:10:57 +0200[diff] [blame]408 pattern->type = SMP_T_CSTR;
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]409
410 if (pattern->flags & ACL_PAT_F_TREE_OK) {
411 /* we're allowed to put the data in a tree whose root is pointed
412 * to by val.tree.
413 */
414 struct ebmb_node *node;
415
416 node = calloc(1, sizeof(*node) + len + 1);
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]417 if (!node) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]418 memprintf(err, "out of memory while loading string pattern");
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]419 return 0;
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]420 }
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]421 memcpy(node->key, *text, len + 1);
422 if (ebst_insert(pattern->val.tree, node) != node)
423 free(node); /* was a duplicate */
424 pattern->flags |= ACL_PAT_F_TREE; /* this pattern now contains a tree */
425 return 1;
426 }
427
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]428 pattern->ptr.str = strdup(*text);
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]429 if (!pattern->ptr.str) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]430 memprintf(err, "out of memory while loading string pattern");
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]431 return 0;
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]432 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]433 pattern->len = len;
434 return 1;
435}
436
Emeric Brun07ca4962012-10-17 13:38:19 +0200[diff] [blame]437/* Parse a binary written in hexa. It is allocated. */
438int acl_parse_bin(const char **text, struct acl_pattern *pattern, int *opaque, char **err)
439{
440 int len;
441 const char *p = *text;
442 int i,j;
443
444 len = strlen(p);
445 if (len%2) {
446 memprintf(err, "an even number of hex digit is expected");
447 return 0;
448 }
449
450 pattern->type = SMP_T_CBIN;
451 pattern->len = len >> 1;
452 pattern->ptr.str = malloc(pattern->len);
453 if (!pattern->ptr.str) {
454 memprintf(err, "out of memory while loading string pattern");
455 return 0;
456 }
457
458 i = j = 0;
459 while (j < pattern->len) {
460 if (!ishex(p[i++]))
461 goto bad_input;
462 if (!ishex(p[i++]))
463 goto bad_input;
464 pattern->ptr.str[j++] = (hex2i(p[i-2]) << 4) + hex2i(p[i-1]);
465 }
466 return 1;
467
468bad_input:
469 memprintf(err, "an hex digit is expected (found '%c')", p[i-1]);
470 free(pattern->ptr.str);
471 return 0;
472}
473
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]474/* Parse and concatenate all further strings into one. */
475int
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]476acl_parse_strcat(const char **text, struct acl_pattern *pattern, int *opaque, char **err)
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]477{
478
479 int len = 0, i;
480 char *s;
481
482 for (i = 0; *text[i]; i++)
483 len += strlen(text[i])+1;
484
Willy Tarreauc92ddbc2012-04-27 22:10:57 +0200[diff] [blame]485 pattern->type = SMP_T_CSTR;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]486 pattern->ptr.str = s = calloc(1, len);
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]487 if (!pattern->ptr.str) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]488 memprintf(err, "out of memory while loading pattern");
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]489 return 0;
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]490 }
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]491
492 for (i = 0; *text[i]; i++)
493 s += sprintf(s, i?" %s":"%s", text[i]);
494
495 pattern->len = len;
496
497 return i;
498}
499
Krzysztof Piotr Oledzki8001d612008-05-31 13:53:23 +0200[diff] [blame]500/* Free data allocated by acl_parse_reg */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]501static void acl_free_reg(void *ptr)
502{
Hiroaki Nakamura70351322013-01-13 15:00:42 +0900[diff] [blame]503 regex_free(ptr);
Krzysztof Piotr Oledzki8001d612008-05-31 13:53:23 +0200[diff] [blame]504}
505
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]506/* Parse a regex. It is allocated. */
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]507int acl_parse_reg(const char **text, struct acl_pattern *pattern, int *opaque, char **err)
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]508{
Hiroaki Nakamura70351322013-01-13 15:00:42 +0900[diff] [blame]509 regex *preg;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]510 int icase;
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]511
Hiroaki Nakamura70351322013-01-13 15:00:42 +0900[diff] [blame]512 preg = calloc(1, sizeof(*preg));
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]513
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]514 if (!preg) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]515 memprintf(err, "out of memory while loading pattern");
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]516 return 0;
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]517 }
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]518
Hiroaki Nakamura70351322013-01-13 15:00:42 +0900[diff] [blame]519#ifdef USE_PCRE_JIT
520 icase = (pattern->flags & ACL_PAT_F_IGNORE_CASE) ? PCRE_CASELESS : 0;
521 preg->reg = pcre_compile(*text, PCRE_NO_AUTO_CAPTURE | icase, NULL, NULL,
522 NULL);
523 if (!preg->reg) {
524 free(preg);
525 memprintf(err, "regex '%s' is invalid", *text);
526 return 0;
527 }
528
529 preg->extra = pcre_study(preg->reg, PCRE_STUDY_JIT_COMPILE, NULL);
530 if (!preg->extra) {
531 pcre_free(preg->reg);
532 free(preg);
533 memprintf(err, "failed to compile regex '%s'", *text);
534 return 0;
535 }
536#else
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]537 icase = (pattern->flags & ACL_PAT_F_IGNORE_CASE) ? REG_ICASE : 0;
538 if (regcomp(preg, *text, REG_EXTENDED | REG_NOSUB | icase) != 0) {
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]539 free(preg);
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]540 memprintf(err, "regex '%s' is invalid", *text);
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]541 return 0;
542 }
Hiroaki Nakamura70351322013-01-13 15:00:42 +0900[diff] [blame]543#endif
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]544
545 pattern->ptr.reg = preg;
Krzysztof Piotr Oledzki8001d612008-05-31 13:53:23 +0200[diff] [blame]546 pattern->freeptrbuf = &acl_free_reg;
Willy Tarreauf3d25982007-05-08 22:45:09 +0200[diff] [blame]547 return 1;
548}
549
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]550/* Parse a range of positive integers delimited by either ':' or '-'. If only
551 * one integer is read, it is set as both min and max. An operator may be
552 * specified as the prefix, among this list of 5 :
553 *
554 * 0:eq, 1:gt, 2:ge, 3:lt, 4:le
555 *
556 * The default operator is "eq". It supports range matching. Ranges are
557 * rejected for other operators. The operator may be changed at any time.
558 * The operator is stored in the 'opaque' argument.
559 *
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]560 * If err is non-NULL, an error message will be returned there on errors and
561 * the caller will have to free it.
562 *
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]563 */
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]564int acl_parse_int(const char **text, struct acl_pattern *pattern, int *opaque, char **err)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]565{
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]566 signed long long i;
567 unsigned int j, last, skip = 0;
568 const char *ptr = *text;
569
Willy Tarreauc92ddbc2012-04-27 22:10:57 +0200[diff] [blame]570 pattern->type = SMP_T_UINT;
Willy Tarreau8f8e6452007-06-17 21:51:38 +0200[diff] [blame]571 while (!isdigit((unsigned char)*ptr)) {
Willy Tarreau1c7cc5b2010-07-18 10:46:33 +0200[diff] [blame]572 switch (get_std_op(ptr)) {
573 case STD_OP_EQ: *opaque = 0; break;
574 case STD_OP_GT: *opaque = 1; break;
575 case STD_OP_GE: *opaque = 2; break;
576 case STD_OP_LT: *opaque = 3; break;
577 case STD_OP_LE: *opaque = 4; break;
578 default:
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]579 memprintf(err, "'%s' is neither a number nor a supported operator", ptr);
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]580 return 0;
Willy Tarreau1c7cc5b2010-07-18 10:46:33 +0200[diff] [blame]581 }
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]582
583 skip++;
584 ptr = text[skip];
585 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]586
587 last = i = 0;
588 while (1) {
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]589 j = *ptr++;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]590 if ((j == '-' || j == ':') && !last) {
591 last++;
592 pattern->val.range.min = i;
593 i = 0;
594 continue;
595 }
596 j -= '0';
597 if (j > 9)
598 // also catches the terminating zero
599 break;
600 i *= 10;
601 i += j;
602 }
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]603
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]604 if (last && *opaque >= 1 && *opaque <= 4) {
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]605 /* having a range with a min or a max is absurd */
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]606 memprintf(err, "integer range '%s' specified with a comparison operator", text[skip]);
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]607 return 0;
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]608 }
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]609
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]610 if (!last)
611 pattern->val.range.min = i;
612 pattern->val.range.max = i;
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]613
614 switch (*opaque) {
615 case 0: /* eq */
616 pattern->val.range.min_set = 1;
617 pattern->val.range.max_set = 1;
618 break;
619 case 1: /* gt */
620 pattern->val.range.min++; /* gt = ge + 1 */
621 case 2: /* ge */
622 pattern->val.range.min_set = 1;
623 pattern->val.range.max_set = 0;
624 break;
625 case 3: /* lt */
626 pattern->val.range.max--; /* lt = le - 1 */
627 case 4: /* le */
628 pattern->val.range.min_set = 0;
629 pattern->val.range.max_set = 1;
630 break;
631 }
632 return skip + 1;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]633}
634
Willy Tarreau4a26d2f2008-07-15 16:05:33 +0200[diff] [blame]635/* Parse a range of positive 2-component versions delimited by either ':' or
636 * '-'. The version consists in a major and a minor, both of which must be
637 * smaller than 65536, because internally they will be represented as a 32-bit
638 * integer.
639 * If only one version is read, it is set as both min and max. Just like for
640 * pure integers, an operator may be specified as the prefix, among this list
641 * of 5 :
642 *
643 * 0:eq, 1:gt, 2:ge, 3:lt, 4:le
644 *
645 * The default operator is "eq". It supports range matching. Ranges are
646 * rejected for other operators. The operator may be changed at any time.
647 * The operator is stored in the 'opaque' argument. This allows constructs
648 * such as the following one :
649 *
650 * acl obsolete_ssl ssl_req_proto lt 3
651 * acl unsupported_ssl ssl_req_proto gt 3.1
652 * acl valid_ssl ssl_req_proto 3.0-3.1
653 *
654 */
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]655int acl_parse_dotted_ver(const char **text, struct acl_pattern *pattern, int *opaque, char **err)
Willy Tarreau4a26d2f2008-07-15 16:05:33 +0200[diff] [blame]656{
657 signed long long i;
658 unsigned int j, last, skip = 0;
659 const char *ptr = *text;
660
661
662 while (!isdigit((unsigned char)*ptr)) {
Willy Tarreau1c7cc5b2010-07-18 10:46:33 +0200[diff] [blame]663 switch (get_std_op(ptr)) {
664 case STD_OP_EQ: *opaque = 0; break;
665 case STD_OP_GT: *opaque = 1; break;
666 case STD_OP_GE: *opaque = 2; break;
667 case STD_OP_LT: *opaque = 3; break;
668 case STD_OP_LE: *opaque = 4; break;
669 default:
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]670 memprintf(err, "'%s' is neither a number nor a supported operator", ptr);
Willy Tarreau4a26d2f2008-07-15 16:05:33 +0200[diff] [blame]671 return 0;
Willy Tarreau1c7cc5b2010-07-18 10:46:33 +0200[diff] [blame]672 }
Willy Tarreau4a26d2f2008-07-15 16:05:33 +0200[diff] [blame]673
674 skip++;
675 ptr = text[skip];
676 }
677
678 last = i = 0;
679 while (1) {
680 j = *ptr++;
681 if (j == '.') {
682 /* minor part */
683 if (i >= 65536)
684 return 0;
685 i <<= 16;
686 continue;
687 }
688 if ((j == '-' || j == ':') && !last) {
689 last++;
690 if (i < 65536)
691 i <<= 16;
692 pattern->val.range.min = i;
693 i = 0;
694 continue;
695 }
696 j -= '0';
697 if (j > 9)
698 // also catches the terminating zero
699 break;
700 i = (i & 0xFFFF0000) + (i & 0xFFFF) * 10;
701 i += j;
702 }
703
704 /* if we only got a major version, let's shift it now */
705 if (i < 65536)
706 i <<= 16;
707
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]708 if (last && *opaque >= 1 && *opaque <= 4) {
Willy Tarreau4a26d2f2008-07-15 16:05:33 +0200[diff] [blame]709 /* having a range with a min or a max is absurd */
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]710 memprintf(err, "version range '%s' specified with a comparison operator", text[skip]);
Willy Tarreau4a26d2f2008-07-15 16:05:33 +0200[diff] [blame]711 return 0;
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]712 }
Willy Tarreau4a26d2f2008-07-15 16:05:33 +0200[diff] [blame]713
714 if (!last)
715 pattern->val.range.min = i;
716 pattern->val.range.max = i;
717
718 switch (*opaque) {
719 case 0: /* eq */
720 pattern->val.range.min_set = 1;
721 pattern->val.range.max_set = 1;
722 break;
723 case 1: /* gt */
724 pattern->val.range.min++; /* gt = ge + 1 */
725 case 2: /* ge */
726 pattern->val.range.min_set = 1;
727 pattern->val.range.max_set = 0;
728 break;
729 case 3: /* lt */
730 pattern->val.range.max--; /* lt = le - 1 */
731 case 4: /* le */
732 pattern->val.range.min_set = 0;
733 pattern->val.range.max_set = 1;
734 break;
735 }
736 return skip + 1;
737}
738
Willy Tarreaua67fad92007-05-08 19:50:09 +0200[diff] [blame]739/* Parse an IP address and an optional mask in the form addr[/mask].
740 * The addr may either be an IPv4 address or a hostname. The mask
741 * may either be a dotted mask or a number of bits. Returns 1 if OK,
Willy Tarreauc92ddbc2012-04-27 22:10:57 +0200[diff] [blame]742 * otherwise 0. NOTE: IP address patterns are typed (IPV4/IPV6).
Willy Tarreaua67fad92007-05-08 19:50:09 +0200[diff] [blame]743 */
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]744int acl_parse_ip(const char **text, struct acl_pattern *pattern, int *opaque, char **err)
Willy Tarreaua67fad92007-05-08 19:50:09 +0200[diff] [blame]745{
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]746 struct eb_root *tree = NULL;
747 if (pattern->flags & ACL_PAT_F_TREE_OK)
748 tree = pattern->val.tree;
749
750 if (str2net(*text, &pattern->val.ipv4.addr, &pattern->val.ipv4.mask)) {
751 unsigned int mask = ntohl(pattern->val.ipv4.mask.s_addr);
752 struct ebmb_node *node;
753 /* check if the mask is contiguous so that we can insert the
754 * network into the tree. A continuous mask has only ones on
755 * the left. This means that this mask + its lower bit added
756 * once again is null.
757 */
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200[diff] [blame]758 pattern->type = SMP_T_IPV4;
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]759 if (mask + (mask & -mask) == 0 && tree) {
760 mask = mask ? 33 - flsnz(mask & -mask) : 0; /* equals cidr value */
761 /* FIXME: insert <addr>/<mask> into the tree here */
762 node = calloc(1, sizeof(*node) + 4); /* reserve 4 bytes for IPv4 address */
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]763 if (!node) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]764 memprintf(err, "out of memory while loading IPv4 pattern");
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]765 return 0;
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]766 }
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]767 memcpy(node->key, &pattern->val.ipv4.addr, 4); /* network byte order */
768 node->node.pfx = mask;
769 if (ebmb_insert_prefix(tree, node, 4) != node)
770 free(node); /* was a duplicate */
771 pattern->flags |= ACL_PAT_F_TREE;
772 return 1;
773 }
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]774 return 1;
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]775 }
Willy Tarreauceb4ac92012-04-28 00:41:46 +0200[diff] [blame]776 else if (str62net(*text, &pattern->val.ipv6.addr, &pattern->val.ipv6.mask)) {
777 /* no tree support right now */
778 pattern->type = SMP_T_IPV6;
779 return 1;
780 }
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]781 else {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]782 memprintf(err, "'%s' is not a valid IPv4 or IPv6 address", *text);
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]783 return 0;
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]784 }
Willy Tarreaua67fad92007-05-08 19:50:09 +0200[diff] [blame]785}
786
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]787/*
788 * Registers the ACL keyword list <kwl> as a list of valid keywords for next
789 * parsing sessions.
790 */
791void acl_register_keywords(struct acl_kw_list *kwl)
792{
793 LIST_ADDQ(&acl_keywords.list, &kwl->list);
794}
795
796/*
797 * Unregisters the ACL keyword list <kwl> from the list of valid keywords.
798 */
799void acl_unregister_keywords(struct acl_kw_list *kwl)
800{
801 LIST_DEL(&kwl->list);
802 LIST_INIT(&kwl->list);
803}
804
805/* Return a pointer to the ACL <name> within the list starting at <head>, or
806 * NULL if not found.
807 */
808struct acl *find_acl_by_name(const char *name, struct list *head)
809{
810 struct acl *acl;
811 list_for_each_entry(acl, head, list) {
812 if (strcmp(acl->name, name) == 0)
813 return acl;
814 }
815 return NULL;
816}
817
818/* Return a pointer to the ACL keyword <kw>, or NULL if not found. Note that if
819 * <kw> contains an opening parenthesis, only the left part of it is checked.
820 */
821struct acl_keyword *find_acl_kw(const char *kw)
822{
823 int index;
824 const char *kwend;
825 struct acl_kw_list *kwl;
826
827 kwend = strchr(kw, '(');
828 if (!kwend)
829 kwend = kw + strlen(kw);
830
831 list_for_each_entry(kwl, &acl_keywords.list, list) {
832 for (index = 0; kwl->kw[index].kw != NULL; index++) {
833 if ((strncmp(kwl->kw[index].kw, kw, kwend - kw) == 0) &&
834 kwl->kw[index].kw[kwend-kw] == 0)
835 return &kwl->kw[index];
836 }
837 }
838 return NULL;
839}
840
Willy Tarreaudfd7fca2011-03-09 07:27:02 +0100[diff] [blame]841/* NB: does nothing if <pat> is NULL */
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]842static void free_pattern(struct acl_pattern *pat)
843{
Willy Tarreaudfd7fca2011-03-09 07:27:02 +0100[diff] [blame]844 if (!pat)
845 return;
Krzysztof Piotr Oledzki8001d612008-05-31 13:53:23 +0200[diff] [blame]846
847 if (pat->ptr.ptr) {
848 if (pat->freeptrbuf)
849 pat->freeptrbuf(pat->ptr.ptr);
850
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]851 free(pat->ptr.ptr);
Krzysztof Piotr Oledzki8001d612008-05-31 13:53:23 +0200[diff] [blame]852 }
853
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]854 free(pat);
855}
856
857static void free_pattern_list(struct list *head)
858{
859 struct acl_pattern *pat, *tmp;
860 list_for_each_entry_safe(pat, tmp, head, list)
861 free_pattern(pat);
862}
863
Willy Tarreaue56cda92010-05-11 23:25:05 +0200[diff] [blame]864static void free_pattern_tree(struct eb_root *root)
865{
866 struct eb_node *node, *next;
867 node = eb_first(root);
868 while (node) {
869 next = eb_next(node);
870 free(node);
871 node = next;
872 }
873}
874
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]875static struct acl_expr *prune_acl_expr(struct acl_expr *expr)
876{
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]877 struct arg *arg;
878
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]879 free_pattern_list(&expr->patterns);
Willy Tarreaue56cda92010-05-11 23:25:05 +0200[diff] [blame]880 free_pattern_tree(&expr->pattern_tree);
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]881 LIST_INIT(&expr->patterns);
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]882
883 for (arg = expr->args; arg; arg++) {
884 if (arg->type == ARGT_STOP)
885 break;
Willy Tarreau496aa012012-06-01 10:38:29 +0200[diff] [blame]886 if (arg->type == ARGT_STR || arg->unresolved) {
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]887 free(arg->data.str.str);
888 arg->data.str.str = NULL;
Willy Tarreau496aa012012-06-01 10:38:29 +0200[diff] [blame]889 arg->unresolved = 0;
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]890 }
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]891 }
892
Willy Tarreau2e845be2012-10-19 19:49:09 +0200[diff] [blame]893 if (expr->args != empty_arg_list)
894 free(expr->args);
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]895 expr->kw->use_cnt--;
896 return expr;
897}
898
Willy Tarreau08ad0b32012-04-27 17:25:24 +0200[diff] [blame]899
900/* Reads patterns from a file. If <err_msg> is non-NULL, an error message will
901 * be returned there on errors and the caller will have to free it.
902 */
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]903static int acl_read_patterns_from_file( struct acl_keyword *aclkw,
904 struct acl_expr *expr,
Willy Tarreau08ad0b32012-04-27 17:25:24 +0200[diff] [blame]905 const char *filename, int patflags,
906 char **err)
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]907{
908 FILE *file;
909 char *c;
910 const char *args[2];
911 struct acl_pattern *pattern;
912 int opaque;
Willy Tarreau6a8097f2011-02-26 15:14:15 +0100[diff] [blame]913 int ret = 0;
Willy Tarreau08ad0b32012-04-27 17:25:24 +0200[diff] [blame]914 int line = 0;
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]915
916 file = fopen(filename, "r");
Willy Tarreau08ad0b32012-04-27 17:25:24 +0200[diff] [blame]917 if (!file) {
918 memprintf(err, "failed to open pattern file <%s>", filename);
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]919 return 0;
Willy Tarreau08ad0b32012-04-27 17:25:24 +0200[diff] [blame]920 }
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]921
922 /* now parse all patterns. The file may contain only one pattern per
923 * line. If the line contains spaces, they will be part of the pattern.
924 * The pattern stops at the first CR, LF or EOF encountered.
925 */
926 opaque = 0;
Willy Tarreaue56cda92010-05-11 23:25:05 +0200[diff] [blame]927 pattern = NULL;
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]928 args[1] = "";
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100[diff] [blame]929 while (fgets(trash.str, trash.size, file) != NULL) {
Willy Tarreau08ad0b32012-04-27 17:25:24 +0200[diff] [blame]930 line++;
Willy Tarreau19d14ef2012-10-29 16:51:55 +0100[diff] [blame]931 c = trash.str;
Willy Tarreau58215a02010-05-13 22:07:43 +0200[diff] [blame]932
933 /* ignore lines beginning with a dash */
934 if (*c == '#')
935 continue;
936
937 /* strip leading spaces and tabs */
938 while (*c == ' ' || *c == '\t')
939 c++;
940
Willy Tarreau58215a02010-05-13 22:07:43 +0200[diff] [blame]941
942 args[0] = c;
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]943 while (*c && *c != '\n' && *c != '\r')
944 c++;
945 *c = 0;
946
Willy Tarreau51091962011-01-03 21:04:10 +0100[diff] [blame]947 /* empty lines are ignored too */
948 if (c == args[0])
949 continue;
950
Willy Tarreaue56cda92010-05-11 23:25:05 +0200[diff] [blame]951 /* we keep the previous pattern along iterations as long as it's not used */
952 if (!pattern)
953 pattern = (struct acl_pattern *)malloc(sizeof(*pattern));
Willy Tarreau08ad0b32012-04-27 17:25:24 +0200[diff] [blame]954 if (!pattern) {
955 memprintf(err, "out of memory when loading patterns from file <%s>", filename);
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]956 goto out_close;
Willy Tarreau08ad0b32012-04-27 17:25:24 +0200[diff] [blame]957 }
Willy Tarreaue56cda92010-05-11 23:25:05 +0200[diff] [blame]958
959 memset(pattern, 0, sizeof(*pattern));
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]960 pattern->flags = patflags;
961
Willy Tarreaue0db1e82013-01-04 16:31:47 +0100[diff] [blame]962 if (!(pattern->flags & ACL_PAT_F_IGNORE_CASE) &&
963 (aclkw->match == acl_match_str || aclkw->match == acl_match_ip)) {
Willy Tarreaue56cda92010-05-11 23:25:05 +0200[diff] [blame]964 /* we pre-set the data pointer to the tree's head so that functions
965 * which are able to insert in a tree know where to do that.
966 */
967 pattern->flags |= ACL_PAT_F_TREE_OK;
968 pattern->val.tree = &expr->pattern_tree;
969 }
970
Willy Tarreauc92ddbc2012-04-27 22:10:57 +0200[diff] [blame]971 pattern->type = SMP_TYPES; /* unspecified type by default */
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]972 if (!aclkw->parse(args, pattern, &opaque, err))
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]973 goto out_free_pattern;
Willy Tarreaue56cda92010-05-11 23:25:05 +0200[diff] [blame]974
975 /* if the parser did not feed the tree, let's chain the pattern to the list */
976 if (!(pattern->flags & ACL_PAT_F_TREE)) {
977 LIST_ADDQ(&expr->patterns, &pattern->list);
978 pattern = NULL; /* get a new one */
979 }
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]980 }
Willy Tarreau6a8097f2011-02-26 15:14:15 +0100[diff] [blame]981
982 ret = 1; /* success */
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]983
984 out_free_pattern:
985 free_pattern(pattern);
986 out_close:
987 fclose(file);
Willy Tarreau6a8097f2011-02-26 15:14:15 +0100[diff] [blame]988 return ret;
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]989}
990
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]991/* Parse an ACL expression starting at <args>[0], and return it. If <err> is
992 * not NULL, it will be filled with a pointer to an error message in case of
993 * error. This pointer must be freeable or NULL.
994 *
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]995 * Right now, the only accepted syntax is :
996 * <subject> [<value>...]
997 */
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]998struct acl_expr *parse_acl_expr(const char **args, char **err)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]999{
1000 __label__ out_return, out_free_expr, out_free_pattern;
1001 struct acl_expr *expr;
1002 struct acl_keyword *aclkw;
1003 struct acl_pattern *pattern;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]1004 int opaque, patflags;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1005 const char *arg;
1006
1007 aclkw = find_acl_kw(args[0]);
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1008 if (!aclkw || !aclkw->parse) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1009 memprintf(err, "unknown ACL keyword '%s'", *args);
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1010 goto out_return;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1011 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1012
1013 expr = (struct acl_expr *)calloc(1, sizeof(*expr));
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1014 if (!expr) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1015 memprintf(err, "out of memory when parsing ACL expression");
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1016 goto out_return;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1017 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1018
1019 expr->kw = aclkw;
1020 aclkw->use_cnt++;
1021 LIST_INIT(&expr->patterns);
Willy Tarreaue56cda92010-05-11 23:25:05 +0200[diff] [blame]1022 expr->pattern_tree = EB_ROOT_UNIQUE;
Willy Tarreau2e845be2012-10-19 19:49:09 +0200[diff] [blame]1023 expr->args = empty_arg_list;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1024
1025 arg = strchr(args[0], '(');
Willy Tarreauc48c90d2013-01-11 16:56:48 +0100[diff] [blame]1026 if (aclkw->smp->arg_mask) {
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1027 int nbargs = 0;
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]1028 char *end;
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]1029
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1030 if (arg != NULL) {
1031 /* there are 0 or more arguments in the form "subject(arg[,arg]*)" */
1032 arg++;
1033 end = strchr(arg, ')');
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1034 if (!end) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1035 memprintf(err, "missing closing ')' after arguments to ACL keyword '%s'", aclkw->kw);
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1036 goto out_free_expr;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1037 }
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]1038
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1039 /* Parse the arguments. Note that currently we have no way to
1040 * report parsing errors, hence the NULL in the error pointers.
1041 * An error is also reported if some mandatory arguments are
1042 * missing.
1043 */
Willy Tarreauc48c90d2013-01-11 16:56:48 +0100[diff] [blame]1044 nbargs = make_arg_list(arg, end - arg, aclkw->smp->arg_mask, &expr->args,
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1045 err, NULL, NULL);
1046 if (nbargs < 0) {
1047 /* note that make_arg_list will have set <err> here */
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1048 memprintf(err, "in argument to '%s', %s", aclkw->kw, *err);
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1049 goto out_free_expr;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1050 }
Willy Tarreauae52f062012-04-26 12:13:35 +0200[diff] [blame]1051
Willy Tarreau2e845be2012-10-19 19:49:09 +0200[diff] [blame]1052 if (!expr->args)
1053 expr->args = empty_arg_list;
1054
Willy Tarreau9baae632013-01-11 17:06:15 +0100[diff] [blame^]1055 if (aclkw->smp->val_args && !aclkw->smp->val_args(expr->args, err)) {
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1056 /* invalid keyword argument, error must have been
1057 * set by val_args().
1058 */
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1059 memprintf(err, "in argument to '%s', %s", aclkw->kw, *err);
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1060 goto out_free_expr;
1061 }
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1062 }
Willy Tarreauc48c90d2013-01-11 16:56:48 +0100[diff] [blame]1063 else if (ARGM(aclkw->smp->arg_mask) == 1) {
1064 int type = (aclkw->smp->arg_mask >> 4) & 15;
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1065
1066 /* If a proxy is noted as a mandatory argument, we'll fake
1067 * an empty one so that acl_find_targets() resolves it as
1068 * the current one later.
1069 */
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1070 if (type != ARGT_FE && type != ARGT_BE && type != ARGT_TAB) {
Willy Tarreauc48c90d2013-01-11 16:56:48 +0100[diff] [blame]1071 memprintf(err, "ACL keyword '%s' expects %d arguments", aclkw->kw, ARGM(aclkw->smp->arg_mask));
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1072 goto out_free_expr;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1073 }
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1074
1075 /* Build an arg list containing the type as an empty string
1076 * and the usual STOP.
1077 */
1078 expr->args = calloc(2, sizeof(*expr->args));
1079 expr->args[0].type = type;
Willy Tarreaue3a46112012-06-15 08:02:34 +0200[diff] [blame]1080 expr->args[0].unresolved = 1;
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1081 expr->args[0].data.str.str = strdup("");
1082 expr->args[0].data.str.len = 1;
1083 expr->args[0].data.str.len = 0;
1084 expr->args[1].type = ARGT_STOP;
1085 }
Willy Tarreauc48c90d2013-01-11 16:56:48 +0100[diff] [blame]1086 else if (ARGM(aclkw->smp->arg_mask)) {
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1087 /* there were some mandatory arguments */
Willy Tarreauc48c90d2013-01-11 16:56:48 +0100[diff] [blame]1088 memprintf(err, "ACL keyword '%s' expects %d arguments", aclkw->kw, ARGM(aclkw->smp->arg_mask));
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1089 goto out_free_expr;
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1090 }
1091 }
1092 else {
1093 if (arg) {
1094 /* no argument expected */
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1095 memprintf(err, "ACL keyword '%s' takes no argument", aclkw->kw);
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1096 goto out_free_expr;
1097 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1098 }
1099
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1100 args++;
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]1101
1102 /* check for options before patterns. Supported options are :
1103 * -i : ignore case for all patterns by default
1104 * -f : read patterns from those files
1105 * -- : everything after this is not an option
1106 */
1107 patflags = 0;
1108 while (**args == '-') {
1109 if ((*args)[1] == 'i')
1110 patflags |= ACL_PAT_F_IGNORE_CASE;
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]1111 else if ((*args)[1] == 'f') {
Willy Tarreau08ad0b32012-04-27 17:25:24 +0200[diff] [blame]1112 if (!acl_read_patterns_from_file(aclkw, expr, args[1], patflags | ACL_PAT_F_FROM_FILE, err))
Willy Tarreau2b5285d2010-05-09 23:45:24 +0200[diff] [blame]1113 goto out_free_expr;
1114 args++;
1115 }
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]1116 else if ((*args)[1] == '-') {
1117 args++;
1118 break;
1119 }
1120 else
1121 break;
1122 args++;
1123 }
1124
1125 /* now parse all patterns */
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]1126 opaque = 0;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1127 while (**args) {
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]1128 int ret;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1129 pattern = (struct acl_pattern *)calloc(1, sizeof(*pattern));
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1130 if (!pattern) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1131 memprintf(err, "out of memory when parsing ACL pattern");
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1132 goto out_free_expr;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1133 }
Willy Tarreauc8d7c962007-06-17 08:20:33 +0200[diff] [blame]1134 pattern->flags = patflags;
1135
Willy Tarreauc92ddbc2012-04-27 22:10:57 +0200[diff] [blame]1136 pattern->type = SMP_TYPES; /* unspecified type */
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]1137 ret = aclkw->parse(args, pattern, &opaque, err);
1138 if (!ret)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1139 goto out_free_pattern;
Willy Tarreau7dcb6482012-04-27 17:52:25 +0200[diff] [blame]1140
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1141 LIST_ADDQ(&expr->patterns, &pattern->list);
Willy Tarreauae8b7962007-06-09 23:10:04 +0200[diff] [blame]1142 args += ret;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1143 }
1144
1145 return expr;
1146
1147 out_free_pattern:
1148 free_pattern(pattern);
1149 out_free_expr:
1150 prune_acl_expr(expr);
1151 free(expr);
1152 out_return:
1153 return NULL;
1154}
1155
Krzysztof Piotr Oledzkia643baf2008-05-29 23:53:44 +0200[diff] [blame]1156/* Purge everything in the acl <acl>, then return <acl>. */
1157struct acl *prune_acl(struct acl *acl) {
1158
1159 struct acl_expr *expr, *exprb;
1160
1161 free(acl->name);
1162
1163 list_for_each_entry_safe(expr, exprb, &acl->expr, list) {
1164 LIST_DEL(&expr->list);
1165 prune_acl_expr(expr);
1166 free(expr);
1167 }
1168
1169 return acl;
1170}
1171
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1172/* Parse an ACL with the name starting at <args>[0], and with a list of already
1173 * known ACLs in <acl>. If the ACL was not in the list, it will be added.
Willy Tarreau2a56c5e2010-03-15 16:13:29 +0100[diff] [blame]1174 * A pointer to that ACL is returned. If the ACL has an empty name, then it's
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1175 * an anonymous one and it won't be merged with any other one. If <err> is not
1176 * NULL, it will be filled with an appropriate error. This pointer must be
1177 * freeable or NULL.
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1178 *
1179 * args syntax: <aclname> <acl_expr>
1180 */
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1181struct acl *parse_acl(const char **args, struct list *known_acl, char **err)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1182{
1183 __label__ out_return, out_free_acl_expr, out_free_name;
1184 struct acl *cur_acl;
1185 struct acl_expr *acl_expr;
1186 char *name;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1187 const char *pos;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1188
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1189 if (**args && (pos = invalid_char(*args))) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1190 memprintf(err, "invalid character in ACL name : '%c'", *pos);
Willy Tarreau2e74c3f2007-12-02 18:45:09 +0100[diff] [blame]1191 goto out_return;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1192 }
Willy Tarreau2e74c3f2007-12-02 18:45:09 +0100[diff] [blame]1193
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1194 acl_expr = parse_acl_expr(args + 1, err);
1195 if (!acl_expr) {
1196 /* parse_acl_expr will have filled <err> here */
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1197 goto out_return;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1198 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1199
Willy Tarreau404e8ab2009-07-26 19:40:40 +0200[diff] [blame]1200 /* Check for args beginning with an opening parenthesis just after the
1201 * subject, as this is almost certainly a typo. Right now we can only
1202 * emit a warning, so let's do so.
1203 */
Krzysztof Piotr Oledzki4cdd8312009-10-05 00:23:35 +0200[diff] [blame]1204 if (!strchr(args[1], '(') && *args[2] == '(')
Willy Tarreau404e8ab2009-07-26 19:40:40 +0200[diff] [blame]1205 Warning("parsing acl '%s' :\n"
1206 " matching '%s' for pattern '%s' is likely a mistake and probably\n"
1207 " not what you want. Maybe you need to remove the extraneous space before '('.\n"
1208 " If you are really sure this is not an error, please insert '--' between the\n"
1209 " match and the pattern to make this warning message disappear.\n",
1210 args[0], args[1], args[2]);
1211
Willy Tarreau2a56c5e2010-03-15 16:13:29 +0100[diff] [blame]1212 if (*args[0])
1213 cur_acl = find_acl_by_name(args[0], known_acl);
1214 else
1215 cur_acl = NULL;
1216
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1217 if (!cur_acl) {
1218 name = strdup(args[0]);
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1219 if (!name) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1220 memprintf(err, "out of memory when parsing ACL");
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1221 goto out_free_acl_expr;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1222 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1223 cur_acl = (struct acl *)calloc(1, sizeof(*cur_acl));
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1224 if (cur_acl == NULL) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1225 memprintf(err, "out of memory when parsing ACL");
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1226 goto out_free_name;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1227 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1228
1229 LIST_INIT(&cur_acl->expr);
1230 LIST_ADDQ(known_acl, &cur_acl->list);
1231 cur_acl->name = name;
1232 }
1233
Willy Tarreaua9802632008-07-25 19:13:19 +0200[diff] [blame]1234 cur_acl->requires |= acl_expr->kw->requires;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1235 LIST_ADDQ(&cur_acl->expr, &acl_expr->list);
1236 return cur_acl;
1237
1238 out_free_name:
1239 free(name);
1240 out_free_acl_expr:
1241 prune_acl_expr(acl_expr);
1242 free(acl_expr);
1243 out_return:
1244 return NULL;
1245}
1246
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1247/* Some useful ACLs provided by default. Only those used are allocated. */
1248
1249const struct {
1250 const char *name;
1251 const char *expr[4]; /* put enough for longest expression */
1252} default_acl_list[] = {
Willy Tarreau58393e12008-07-20 10:39:22 +0200[diff] [blame]1253 { .name = "TRUE", .expr = {"always_true",""}},
1254 { .name = "FALSE", .expr = {"always_false",""}},
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1255 { .name = "LOCALHOST", .expr = {"src","127.0.0.1/8",""}},
Willy Tarreau2492d5b2009-07-11 00:06:00 +0200[diff] [blame]1256 { .name = "HTTP", .expr = {"req_proto_http",""}},
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1257 { .name = "HTTP_1.0", .expr = {"req_ver","1.0",""}},
1258 { .name = "HTTP_1.1", .expr = {"req_ver","1.1",""}},
1259 { .name = "METH_CONNECT", .expr = {"method","CONNECT",""}},
1260 { .name = "METH_GET", .expr = {"method","GET","HEAD",""}},
1261 { .name = "METH_HEAD", .expr = {"method","HEAD",""}},
1262 { .name = "METH_OPTIONS", .expr = {"method","OPTIONS",""}},
1263 { .name = "METH_POST", .expr = {"method","POST",""}},
1264 { .name = "METH_TRACE", .expr = {"method","TRACE",""}},
1265 { .name = "HTTP_URL_ABS", .expr = {"url_reg","^[^/:]*://",""}},
1266 { .name = "HTTP_URL_SLASH", .expr = {"url_beg","/",""}},
1267 { .name = "HTTP_URL_STAR", .expr = {"url","*",""}},
1268 { .name = "HTTP_CONTENT", .expr = {"hdr_val(content-length)","gt","0",""}},
Emeric Brunbede3d02009-06-30 17:54:00 +0200[diff] [blame]1269 { .name = "RDP_COOKIE", .expr = {"req_rdp_cookie_cnt","gt","0",""}},
Willy Tarreauc6317702008-07-20 09:29:50 +0200[diff] [blame]1270 { .name = "REQ_CONTENT", .expr = {"req_len","gt","0",""}},
Willy Tarreaub6fb4202008-07-20 11:18:28 +0200[diff] [blame]1271 { .name = "WAIT_END", .expr = {"wait_end",""}},
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1272 { .name = NULL, .expr = {""}}
1273};
1274
1275/* Find a default ACL from the default_acl list, compile it and return it.
1276 * If the ACL is not found, NULL is returned. In theory, it cannot fail,
1277 * except when default ACLs are broken, in which case it will return NULL.
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1278 * If <known_acl> is not NULL, the ACL will be queued at its tail. If <err> is
1279 * not NULL, it will be filled with an error message if an error occurs. This
1280 * pointer must be freeable or NULL.
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1281 */
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1282struct acl *find_acl_default(const char *acl_name, struct list *known_acl, char **err)
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1283{
1284 __label__ out_return, out_free_acl_expr, out_free_name;
1285 struct acl *cur_acl;
1286 struct acl_expr *acl_expr;
1287 char *name;
1288 int index;
1289
1290 for (index = 0; default_acl_list[index].name != NULL; index++) {
1291 if (strcmp(acl_name, default_acl_list[index].name) == 0)
1292 break;
1293 }
1294
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1295 if (default_acl_list[index].name == NULL) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1296 memprintf(err, "no such ACL : '%s'", acl_name);
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1297 return NULL;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1298 }
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1299
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1300 acl_expr = parse_acl_expr((const char **)default_acl_list[index].expr, err);
1301 if (!acl_expr) {
1302 /* parse_acl_expr must have filled err here */
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1303 goto out_return;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1304 }
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1305
1306 name = strdup(acl_name);
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1307 if (!name) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1308 memprintf(err, "out of memory when building default ACL '%s'", acl_name);
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1309 goto out_free_acl_expr;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1310 }
1311
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1312 cur_acl = (struct acl *)calloc(1, sizeof(*cur_acl));
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1313 if (cur_acl == NULL) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1314 memprintf(err, "out of memory when building default ACL '%s'", acl_name);
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1315 goto out_free_name;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1316 }
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1317
1318 cur_acl->name = name;
Willy Tarreaua55b7dc2009-07-12 09:21:30 +0200[diff] [blame]1319 cur_acl->requires |= acl_expr->kw->requires;
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1320 LIST_INIT(&cur_acl->expr);
1321 LIST_ADDQ(&cur_acl->expr, &acl_expr->list);
1322 if (known_acl)
1323 LIST_ADDQ(known_acl, &cur_acl->list);
1324
1325 return cur_acl;
1326
1327 out_free_name:
1328 free(name);
1329 out_free_acl_expr:
1330 prune_acl_expr(acl_expr);
1331 free(acl_expr);
1332 out_return:
1333 return NULL;
1334}
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1335
1336/* Purge everything in the acl_cond <cond>, then return <cond>. */
1337struct acl_cond *prune_acl_cond(struct acl_cond *cond)
1338{
1339 struct acl_term_suite *suite, *tmp_suite;
1340 struct acl_term *term, *tmp_term;
1341
1342 /* iterate through all term suites and free all terms and all suites */
1343 list_for_each_entry_safe(suite, tmp_suite, &cond->suites, list) {
1344 list_for_each_entry_safe(term, tmp_term, &suite->terms, list)
1345 free(term);
1346 free(suite);
1347 }
1348 return cond;
1349}
1350
1351/* Parse an ACL condition starting at <args>[0], relying on a list of already
1352 * known ACLs passed in <known_acl>. The new condition is returned (or NULL in
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1353 * case of low memory). Supports multiple conditions separated by "or". If
1354 * <err> is not NULL, it will be filled with a pointer to an error message in
1355 * case of error, that the caller is responsible for freeing. The initial
1356 * location must either be freeable or NULL.
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1357 */
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1358struct acl_cond *parse_acl_cond(const char **args, struct list *known_acl, int pol, char **err)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1359{
1360 __label__ out_return, out_free_suite, out_free_term;
Willy Tarreau74b98a82007-06-16 19:35:18 +0200[diff] [blame]1361 int arg, neg;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1362 const char *word;
1363 struct acl *cur_acl;
1364 struct acl_term *cur_term;
1365 struct acl_term_suite *cur_suite;
1366 struct acl_cond *cond;
1367
1368 cond = (struct acl_cond *)calloc(1, sizeof(*cond));
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1369 if (cond == NULL) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1370 memprintf(err, "out of memory when parsing condition");
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1371 goto out_return;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1372 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1373
1374 LIST_INIT(&cond->list);
1375 LIST_INIT(&cond->suites);
1376 cond->pol = pol;
1377
1378 cur_suite = NULL;
Willy Tarreau74b98a82007-06-16 19:35:18 +0200[diff] [blame]1379 neg = 0;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1380 for (arg = 0; *args[arg]; arg++) {
1381 word = args[arg];
1382
1383 /* remove as many exclamation marks as we can */
1384 while (*word == '!') {
1385 neg = !neg;
1386 word++;
1387 }
1388
1389 /* an empty word is allowed because we cannot force the user to
1390 * always think about not leaving exclamation marks alone.
1391 */
1392 if (!*word)
1393 continue;
1394
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1395 if (strcasecmp(word, "or") == 0 || strcmp(word, "||") == 0) {
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1396 /* new term suite */
1397 cur_suite = NULL;
1398 neg = 0;
1399 continue;
1400 }
1401
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1402 if (strcmp(word, "{") == 0) {
1403 /* we may have a complete ACL expression between two braces,
1404 * find the last one.
1405 */
1406 int arg_end = arg + 1;
1407 const char **args_new;
1408
1409 while (*args[arg_end] && strcmp(args[arg_end], "}") != 0)
1410 arg_end++;
1411
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1412 if (!*args[arg_end]) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1413 memprintf(err, "missing closing '}' in condition");
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1414 goto out_free_suite;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1415 }
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1416
1417 args_new = calloc(1, (arg_end - arg + 1) * sizeof(*args_new));
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1418 if (!args_new) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1419 memprintf(err, "out of memory when parsing condition");
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1420 goto out_free_suite;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1421 }
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1422
Willy Tarreau2a56c5e2010-03-15 16:13:29 +0100[diff] [blame]1423 args_new[0] = "";
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1424 memcpy(args_new + 1, args + arg + 1, (arg_end - arg) * sizeof(*args_new));
1425 args_new[arg_end - arg] = "";
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1426 cur_acl = parse_acl(args_new, known_acl, err);
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1427 free(args_new);
1428
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1429 if (!cur_acl) {
1430 /* note that parse_acl() must have filled <err> here */
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1431 goto out_free_suite;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1432 }
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1433 arg = arg_end;
1434 }
1435 else {
1436 /* search for <word> in the known ACL names. If we do not find
1437 * it, let's look for it in the default ACLs, and if found, add
1438 * it to the list of ACLs of this proxy. This makes it possible
1439 * to override them.
1440 */
1441 cur_acl = find_acl_by_name(word, known_acl);
1442 if (cur_acl == NULL) {
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1443 cur_acl = find_acl_default(word, known_acl, err);
1444 if (cur_acl == NULL) {
1445 /* note that find_acl_default() must have filled <err> here */
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1446 goto out_free_suite;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1447 }
Willy Tarreau95fa4692010-02-01 13:05:50 +0100[diff] [blame]1448 }
Willy Tarreau16fbe822007-06-17 11:54:31 +0200[diff] [blame]1449 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1450
1451 cur_term = (struct acl_term *)calloc(1, sizeof(*cur_term));
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1452 if (cur_term == NULL) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1453 memprintf(err, "out of memory when parsing condition");
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1454 goto out_free_suite;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1455 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1456
1457 cur_term->acl = cur_acl;
1458 cur_term->neg = neg;
Willy Tarreaua9802632008-07-25 19:13:19 +0200[diff] [blame]1459 cond->requires |= cur_acl->requires;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1460
1461 if (!cur_suite) {
1462 cur_suite = (struct acl_term_suite *)calloc(1, sizeof(*cur_suite));
Willy Tarreauf678b7f2013-01-24 00:25:39 +0100[diff] [blame]1463 if (cur_suite == NULL) {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1464 memprintf(err, "out of memory when parsing condition");
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1465 goto out_free_term;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1466 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1467 LIST_INIT(&cur_suite->terms);
1468 LIST_ADDQ(&cond->suites, &cur_suite->list);
1469 }
1470 LIST_ADDQ(&cur_suite->terms, &cur_term->list);
Willy Tarreau74b98a82007-06-16 19:35:18 +0200[diff] [blame]1471 neg = 0;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1472 }
1473
1474 return cond;
1475
1476 out_free_term:
1477 free(cur_term);
1478 out_free_suite:
1479 prune_acl_cond(cond);
1480 free(cond);
1481 out_return:
1482 return NULL;
1483}
1484
Willy Tarreau2bbba412010-01-28 16:48:33 +0100[diff] [blame]1485/* Builds an ACL condition starting at the if/unless keyword. The complete
1486 * condition is returned. NULL is returned in case of error or if the first
1487 * word is neither "if" nor "unless". It automatically sets the file name and
1488 * the line number in the condition for better error reporting, and adds the
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1489 * ACL requirements to the proxy's acl_requires. If <err> is not NULL, it will
1490 * be filled with a pointer to an error message in case of error, that the
1491 * caller is responsible for freeing. The initial location must either be
1492 * freeable or NULL.
Willy Tarreau2bbba412010-01-28 16:48:33 +0100[diff] [blame]1493 */
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1494struct acl_cond *build_acl_cond(const char *file, int line, struct proxy *px, const char **args, char **err)
Willy Tarreau2bbba412010-01-28 16:48:33 +0100[diff] [blame]1495{
1496 int pol = ACL_COND_NONE;
1497 struct acl_cond *cond = NULL;
1498
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1499 if (err)
1500 *err = NULL;
1501
Willy Tarreau2bbba412010-01-28 16:48:33 +0100[diff] [blame]1502 if (!strcmp(*args, "if")) {
1503 pol = ACL_COND_IF;
1504 args++;
1505 }
1506 else if (!strcmp(*args, "unless")) {
1507 pol = ACL_COND_UNLESS;
1508 args++;
1509 }
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1510 else {
Willy Tarreaueb6cead2012-09-20 19:43:14 +0200[diff] [blame]1511 memprintf(err, "conditions must start with either 'if' or 'unless'");
Willy Tarreau2bbba412010-01-28 16:48:33 +0100[diff] [blame]1512 return NULL;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1513 }
Willy Tarreau2bbba412010-01-28 16:48:33 +0100[diff] [blame]1514
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1515 cond = parse_acl_cond(args, &px->acl, pol, err);
1516 if (!cond) {
1517 /* note that parse_acl_cond must have filled <err> here */
Willy Tarreau2bbba412010-01-28 16:48:33 +0100[diff] [blame]1518 return NULL;
Willy Tarreaub7451bb2012-04-27 12:38:15 +0200[diff] [blame]1519 }
Willy Tarreau2bbba412010-01-28 16:48:33 +0100[diff] [blame]1520
1521 cond->file = file;
1522 cond->line = line;
1523 px->acl_requires |= cond->requires;
1524
1525 return cond;
1526}
1527
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1528/* Execute condition <cond> and return either ACL_PAT_FAIL, ACL_PAT_MISS or
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1529 * ACL_PAT_PASS depending on the test results. ACL_PAT_MISS may only be
Willy Tarreau32a6f2e2012-04-25 10:13:36 +0200[diff] [blame]1530 * returned if <opt> does not contain SMP_OPT_FINAL, indicating that incomplete
Willy Tarreau7a777ed2012-04-26 11:44:02 +0200[diff] [blame]1531 * data is being examined. The function automatically sets SMP_OPT_ITERATE.
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1532 * This function only computes the condition, it does not apply the polarity
1533 * required by IF/UNLESS, it's up to the caller to do this using something like
1534 * this :
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1535 *
1536 * res = acl_pass(res);
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1537 * if (res == ACL_PAT_MISS)
1538 * return 0;
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1539 * if (cond->pol == ACL_COND_UNLESS)
1540 * res = !res;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1541 */
Willy Tarreau32a6f2e2012-04-25 10:13:36 +0200[diff] [blame]1542int acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, void *l7, unsigned int opt)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1543{
1544 __label__ fetch_next;
1545 struct acl_term_suite *suite;
1546 struct acl_term *term;
1547 struct acl_expr *expr;
1548 struct acl *acl;
1549 struct acl_pattern *pattern;
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]1550 struct sample smp;
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1551 int acl_res, suite_res, cond_res;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1552
Willy Tarreau7a777ed2012-04-26 11:44:02 +0200[diff] [blame]1553 /* ACLs are iterated over all values, so let's always set the flag to
1554 * indicate this to the fetch functions.
1555 */
1556 opt |= SMP_OPT_ITERATE;
1557
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1558 /* We're doing a logical OR between conditions so we initialize to FAIL.
1559 * The MISS status is propagated down from the suites.
1560 */
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1561 cond_res = ACL_PAT_FAIL;
1562 list_for_each_entry(suite, &cond->suites, list) {
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1563 /* Evaluate condition suite <suite>. We stop at the first term
1564 * which returns ACL_PAT_FAIL. The MISS status is still propagated
1565 * in case of uncertainty in the result.
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1566 */
1567
1568 /* we're doing a logical AND between terms, so we must set the
1569 * initial value to PASS.
1570 */
1571 suite_res = ACL_PAT_PASS;
1572 list_for_each_entry(term, &suite->terms, list) {
1573 acl = term->acl;
1574
1575 /* FIXME: use cache !
1576 * check acl->cache_idx for this.
1577 */
1578
1579 /* ACL result not cached. Let's scan all the expressions
1580 * and use the first one to match.
1581 */
1582 acl_res = ACL_PAT_FAIL;
1583 list_for_each_entry(expr, &acl->expr, list) {
Willy Tarreaud41f8d82007-06-10 10:06:18 +0200[diff] [blame]1584 /* we need to reset context and flags */
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]1585 memset(&smp, 0, sizeof(smp));
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1586 fetch_next:
Willy Tarreau8ed669b2013-01-11 15:49:37 +0100[diff] [blame]1587 if (!expr->kw->smp->process(px, l4, l7, opt, expr->args, &smp)) {
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1588 /* maybe we could not fetch because of missing data */
Willy Tarreau32a6f2e2012-04-25 10:13:36 +0200[diff] [blame]1589 if (smp.flags & SMP_F_MAY_CHANGE && !(opt & SMP_OPT_FINAL))
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1590 acl_res |= ACL_PAT_MISS;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1591 continue;
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1592 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1593
Willy Tarreau197e10a2012-04-23 19:18:42 +0200[diff] [blame]1594 if (smp.type == SMP_T_BOOL) {
1595 if (smp.data.uint)
Willy Tarreaua79534f2008-07-20 10:13:37 +0200[diff] [blame]1596 acl_res |= ACL_PAT_PASS;
1597 else
1598 acl_res |= ACL_PAT_FAIL;
1599 }
1600 else {
Willy Tarreau020534d2010-05-16 21:45:45 +0200[diff] [blame]1601 if (!eb_is_empty(&expr->pattern_tree)) {
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]1602 /* a tree is present, let's check what type it is */
1603 if (expr->kw->match == acl_match_str)
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]1604 acl_res |= acl_lookup_str(&smp, expr) ? ACL_PAT_PASS : ACL_PAT_FAIL;
Willy Tarreaub337b532010-05-13 20:03:41 +0200[diff] [blame]1605 else if (expr->kw->match == acl_match_ip)
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]1606 acl_res |= acl_lookup_ip(&smp, expr) ? ACL_PAT_PASS : ACL_PAT_FAIL;
Willy Tarreauc4262962010-05-10 23:42:40 +0200[diff] [blame]1607 }
1608
Willy Tarreaua79534f2008-07-20 10:13:37 +0200[diff] [blame]1609 /* call the match() function for all tests on this value */
1610 list_for_each_entry(pattern, &expr->patterns, list) {
Willy Tarreaua79534f2008-07-20 10:13:37 +0200[diff] [blame]1611 if (acl_res == ACL_PAT_PASS)
1612 break;
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]1613 acl_res |= expr->kw->match(&smp, pattern);
Willy Tarreaua79534f2008-07-20 10:13:37 +0200[diff] [blame]1614 }
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1615 }
1616 /*
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1617 * OK now acl_res holds the result of this expression
1618 * as one of ACL_PAT_FAIL, ACL_PAT_MISS or ACL_PAT_PASS.
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1619 *
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1620 * Then if (!MISS) we can cache the result, and put
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]1621 * (smp.flags & SMP_F_VOLATILE) in the cache flags.
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1622 *
1623 * FIXME: implement cache.
1624 *
1625 */
1626
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1627 /* we're ORing these terms, so a single PASS is enough */
1628 if (acl_res == ACL_PAT_PASS)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1629 break;
1630
Willy Tarreau37406352012-04-23 16:16:37 +0200[diff] [blame]1631 if (smp.flags & SMP_F_NOT_LAST)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1632 goto fetch_next;
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1633
1634 /* sometimes we know the fetched data is subject to change
1635 * later and give another chance for a new match (eg: request
1636 * size, time, ...)
1637 */
Willy Tarreau32a6f2e2012-04-25 10:13:36 +0200[diff] [blame]1638 if (smp.flags & SMP_F_MAY_CHANGE && !(opt & SMP_OPT_FINAL))
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1639 acl_res |= ACL_PAT_MISS;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1640 }
1641 /*
1642 * Here we have the result of an ACL (cached or not).
1643 * ACLs are combined, negated or not, to form conditions.
1644 */
1645
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1646 if (term->neg)
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1647 acl_res = acl_neg(acl_res);
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1648
1649 suite_res &= acl_res;
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1650
1651 /* we're ANDing these terms, so a single FAIL is enough */
1652 if (suite_res == ACL_PAT_FAIL)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1653 break;
1654 }
1655 cond_res |= suite_res;
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1656
1657 /* we're ORing these terms, so a single PASS is enough */
1658 if (cond_res == ACL_PAT_PASS)
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1659 break;
1660 }
Willy Tarreau11382812008-07-09 16:18:21 +0200[diff] [blame]1661 return cond_res;
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1662}
1663
1664
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200[diff] [blame]1665/* Reports a pointer to the first ACL used in condition <cond> which requires
1666 * at least one of the USE_FLAGS in <require>. Returns NULL if none matches.
1667 * The construct is almost the same as for acl_exec_cond() since we're walking
1668 * down the ACL tree as well. It is important that the tree is really walked
1669 * through and never cached, because that way, this function can be used as a
1670 * late check.
1671 */
Willy Tarreauf1e98b82010-01-28 17:59:39 +0100[diff] [blame]1672struct acl *cond_find_require(const struct acl_cond *cond, unsigned int require)
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200[diff] [blame]1673{
1674 struct acl_term_suite *suite;
1675 struct acl_term *term;
1676 struct acl *acl;
1677
1678 list_for_each_entry(suite, &cond->suites, list) {
1679 list_for_each_entry(term, &suite->terms, list) {
1680 acl = term->acl;
1681 if (acl->requires & require)
1682 return acl;
1683 }
1684 }
1685 return NULL;
1686}
1687
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1688/*
1689 * Find targets for userlist and groups in acl. Function returns the number
1690 * of errors or OK if everything is fine.
1691 */
1692int
1693acl_find_targets(struct proxy *p)
1694{
1695
1696 struct acl *acl;
1697 struct acl_expr *expr;
1698 struct acl_pattern *pattern;
1699 struct userlist *ul;
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1700 struct arg *arg;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1701 int cfgerr = 0;
1702
1703 list_for_each_entry(acl, &p->acl, list) {
1704 list_for_each_entry(expr, &acl->expr, list) {
Willy Tarreau2e845be2012-10-19 19:49:09 +0200[diff] [blame]1705 for (arg = expr->args; arg && arg->type != ARGT_STOP; arg++) {
1706 if (!arg->unresolved)
Willy Tarreau496aa012012-06-01 10:38:29 +0200[diff] [blame]1707 continue;
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1708 else if (arg->type == ARGT_SRV) {
1709 struct proxy *px;
1710 struct server *srv;
1711 char *pname, *sname;
Willy Tarreau0b1cd942010-05-16 22:18:27 +0200[diff] [blame]1712
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1713 if (!arg->data.str.len) {
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1714 Alert("proxy %s: acl '%s' %s(): missing server name.\n",
1715 p->id, acl->name, expr->kw->kw);
1716 cfgerr++;
1717 continue;
1718 }
Willy Tarreau0b1cd942010-05-16 22:18:27 +0200[diff] [blame]1719
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1720 pname = arg->data.str.str;
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1721 sname = strrchr(pname, '/');
Willy Tarreau0b1cd942010-05-16 22:18:27 +0200[diff] [blame]1722
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1723 if (sname)
1724 *sname++ = '\0';
1725 else {
1726 sname = pname;
1727 pname = NULL;
1728 }
1729
1730 px = p;
1731 if (pname) {
1732 px = findproxy(pname, PR_CAP_BE);
1733 if (!px) {
1734 Alert("proxy %s: acl '%s' %s(): unable to find proxy '%s'.\n",
1735 p->id, acl->name, expr->kw->kw, pname);
1736 cfgerr++;
1737 continue;
1738 }
1739 }
Willy Tarreau0b1cd942010-05-16 22:18:27 +0200[diff] [blame]1740
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1741 srv = findserver(px, sname);
1742 if (!srv) {
1743 Alert("proxy %s: acl '%s' %s(): unable to find server '%s'.\n",
1744 p->id, acl->name, expr->kw->kw, sname);
Willy Tarreau0b1cd942010-05-16 22:18:27 +0200[diff] [blame]1745 cfgerr++;
1746 continue;
1747 }
Willy Tarreau0b1cd942010-05-16 22:18:27 +0200[diff] [blame]1748
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1749 free(arg->data.str.str);
1750 arg->data.str.str = NULL;
Willy Tarreau496aa012012-06-01 10:38:29 +0200[diff] [blame]1751 arg->unresolved = 0;
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1752 arg->data.srv = srv;
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1753 }
1754 else if (arg->type == ARGT_FE) {
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1755 struct proxy *prx = p;
1756 char *pname = p->id;
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1757
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1758 if (arg->data.str.len) {
1759 pname = arg->data.str.str;
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1760 prx = findproxy(pname, PR_CAP_FE);
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1761 }
1762
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1763 if (!prx) {
1764 Alert("proxy %s: acl '%s' %s(): unable to find frontend '%s'.\n",
1765 p->id, acl->name, expr->kw->kw, pname);
1766 cfgerr++;
1767 continue;
1768 }
1769
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1770 if (!(prx->cap & PR_CAP_FE)) {
1771 Alert("proxy %s: acl '%s' %s(): proxy '%s' has no frontend capability.\n",
1772 p->id, acl->name, expr->kw->kw, pname);
1773 cfgerr++;
1774 continue;
1775 }
1776
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1777 free(arg->data.str.str);
1778 arg->data.str.str = NULL;
Willy Tarreau496aa012012-06-01 10:38:29 +0200[diff] [blame]1779 arg->unresolved = 0;
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1780 arg->data.prx = prx;
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1781 }
1782 else if (arg->type == ARGT_BE) {
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1783 struct proxy *prx = p;
1784 char *pname = p->id;
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1785
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1786 if (arg->data.str.len) {
1787 pname = arg->data.str.str;
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1788 prx = findproxy(pname, PR_CAP_BE);
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1789 }
1790
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1791 if (!prx) {
1792 Alert("proxy %s: acl '%s' %s(): unable to find backend '%s'.\n",
1793 p->id, acl->name, expr->kw->kw, pname);
1794 cfgerr++;
1795 continue;
1796 }
1797
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1798 if (!(prx->cap & PR_CAP_BE)) {
1799 Alert("proxy %s: acl '%s' %s(): proxy '%s' has no backend capability.\n",
1800 p->id, acl->name, expr->kw->kw, pname);
1801 cfgerr++;
1802 continue;
1803 }
1804
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1805 free(arg->data.str.str);
1806 arg->data.str.str = NULL;
Willy Tarreau496aa012012-06-01 10:38:29 +0200[diff] [blame]1807 arg->unresolved = 0;
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1808 arg->data.prx = prx;
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1809 }
1810 else if (arg->type == ARGT_TAB) {
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1811 struct proxy *prx = p;
1812 char *pname = p->id;
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1813
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1814 if (arg->data.str.len) {
1815 pname = arg->data.str.str;
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1816 prx = find_stktable(pname);
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1817 }
1818
Willy Tarreaud28c3532012-04-19 19:28:33 +0200[diff] [blame]1819 if (!prx) {
1820 Alert("proxy %s: acl '%s' %s(): unable to find table '%s'.\n",
1821 p->id, acl->name, expr->kw->kw, pname);
1822 cfgerr++;
1823 continue;
1824 }
1825
Willy Tarreaufc2c1fd2012-04-19 23:35:54 +0200[diff] [blame]1826
1827 if (!prx->table.size) {
1828 Alert("proxy %s: acl '%s' %s(): no table in proxy '%s'.\n",
1829 p->id, acl->name, expr->kw->kw, pname);
1830 cfgerr++;
1831 continue;
1832 }
1833
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1834 free(arg->data.str.str);
1835 arg->data.str.str = NULL;
Willy Tarreau496aa012012-06-01 10:38:29 +0200[diff] [blame]1836 arg->unresolved = 0;
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1837 arg->data.prx = prx;
Willy Tarreau0b1cd942010-05-16 22:18:27 +0200[diff] [blame]1838 }
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1839 else if (arg->type == ARGT_USR) {
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1840 if (!arg->data.str.len) {
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1841 Alert("proxy %s: acl '%s' %s(): missing userlist name.\n",
1842 p->id, acl->name, expr->kw->kw);
1843 cfgerr++;
1844 continue;
1845 }
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1846
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1847 if (p->uri_auth && p->uri_auth->userlist &&
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1848 !strcmp(p->uri_auth->userlist->name, arg->data.str.str))
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1849 ul = p->uri_auth->userlist;
1850 else
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1851 ul = auth_find_userlist(arg->data.str.str);
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1852
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1853 if (!ul) {
1854 Alert("proxy %s: acl '%s' %s(%s): unable to find userlist.\n",
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1855 p->id, acl->name, expr->kw->kw, arg->data.str.str);
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1856 cfgerr++;
1857 continue;
1858 }
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1859
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1860 free(arg->data.str.str);
1861 arg->data.str.str = NULL;
Willy Tarreau496aa012012-06-01 10:38:29 +0200[diff] [blame]1862 arg->unresolved = 0;
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1863 arg->data.usr = ul;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1864 }
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1865 } /* end of args processing */
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1866
Willy Tarreau46b39d02012-05-10 23:40:14 +0200[diff] [blame]1867 /* don't try to resolve groups if we're not certain of having
1868 * resolved userlists first.
1869 */
1870 if (cfgerr)
1871 break;
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1872
1873 if (!strcmp(expr->kw->kw, "http_auth_group")) {
Willy Tarreau63364ee2012-04-19 19:11:13 +0200[diff] [blame]1874 /* note: argument resolved above thanks to ARGT_USR */
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1875
1876 if (LIST_ISEMPTY(&expr->patterns)) {
1877 Alert("proxy %s: acl %s %s(): no groups specified.\n",
1878 p->id, acl->name, expr->kw->kw);
1879 cfgerr++;
1880 continue;
1881 }
1882
1883 list_for_each_entry(pattern, &expr->patterns, list) {
Willy Tarreau7d1df412012-11-23 23:47:36 +0100[diff] [blame]1884 /* this keyword only has one argument */
Willy Tarreau34db1082012-04-19 17:16:54 +0200[diff] [blame]1885 pattern->val.group_mask = auth_resolve_groups(expr->args->data.usr, pattern->ptr.str);
Krzysztof Piotr Oledzkif9423ae2010-01-29 19:26:18 +0100[diff] [blame]1886
1887 free(pattern->ptr.str);
1888 pattern->ptr.str = NULL;
1889 pattern->len = 0;
1890
1891 if (!pattern->val.group_mask) {
1892 Alert("proxy %s: acl %s %s(): invalid group(s).\n",
1893 p->id, acl->name, expr->kw->kw);
1894 cfgerr++;
1895 continue;
1896 }
1897 }
1898 }
1899 }
1900 }
1901
1902 return cfgerr;
1903}
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200[diff] [blame]1904
Willy Tarreau8ed669b2013-01-11 15:49:37 +0100[diff] [blame]1905/* initializes ACLs by resolving the sample fetch names they rely upon.
1906 * Returns 0 on success, otherwise an error.
1907 */
1908int init_acl()
1909{
1910 int err = 0;
1911 int index;
1912 const char *name;
1913 struct acl_kw_list *kwl;
1914 struct sample_fetch *smp;
1915
1916 list_for_each_entry(kwl, &acl_keywords.list, list) {
1917 for (index = 0; kwl->kw[index].kw != NULL; index++) {
1918 name = kwl->kw[index].fetch_kw;
1919 if (!name)
1920 name = kwl->kw[index].kw;
1921
1922 smp = find_sample_fetch(name, strlen(name));
1923 if (!smp) {
1924 Alert("Critical internal error: ACL keyword '%s' relies on sample fetch '%s' which was not registered!\n",
1925 kwl->kw[index].kw, name);
1926 err++;
1927 continue;
1928 }
1929 kwl->kw[index].smp = smp;
1930 }
1931 }
1932 return err;
1933}
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100[diff] [blame]1934
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1935/************************************************************************/
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100[diff] [blame]1936/* All supported sample fetch functions must be declared here */
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1937/************************************************************************/
1938
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100[diff] [blame]1939/* force TRUE to be returned at the fetch level */
1940static int
1941smp_fetch_true(struct proxy *px, struct session *s, void *l7, unsigned int opt,
1942 const struct arg *args, struct sample *smp)
1943{
1944 smp->type = SMP_T_BOOL;
1945 smp->data.uint = 1;
1946 return 1;
1947}
1948
1949/* force FALSE to be returned at the fetch level */
1950static int
1951smp_fetch_false(struct proxy *px, struct session *s, void *l7, unsigned int opt,
1952 const struct arg *args, struct sample *smp)
1953{
1954 smp->type = SMP_T_BOOL;
1955 smp->data.uint = 0;
1956 return 1;
1957}
1958
1959
1960/************************************************************************/
1961/* All supported sample and ACL keywords must be declared here. */
1962/************************************************************************/
1963
1964/* Note: must not be declared <const> as its list will be overwritten.
1965 * Note: fetches that may return multiple types must be declared as the lowest
1966 * common denominator, the type that can be casted into all other ones. For
1967 * instance IPv4/IPv6 must be declared IPv4.
1968 */
1969static struct sample_fetch_kw_list smp_kws = {{ },{
1970 { "always_false", smp_fetch_false, 0, NULL, SMP_T_BOOL, SMP_USE_INTRN },
1971 { "always_true", smp_fetch_true, 0, NULL, SMP_T_BOOL, SMP_USE_INTRN },
1972 { /* END */ },
1973}};
1974
1975
Willy Tarreau61612d42012-04-19 18:42:05 +0200[diff] [blame]1976/* Note: must not be declared <const> as its list will be overwritten.
1977 * Please take care of keeping this list alphabetically sorted.
1978 */
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1979static struct acl_kw_list acl_kws = {{ },{
Willy Tarreauc48c90d2013-01-11 16:56:48 +0100[diff] [blame]1980 { "always_false", NULL, acl_parse_nothing, acl_match_nothing, ACL_USE_NOTHING },
1981 { "always_true", NULL, acl_parse_nothing, acl_match_nothing, ACL_USE_NOTHING },
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100[diff] [blame]1982 { /* END */ },
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1983}};
1984
1985
1986__attribute__((constructor))
1987static void __acl_init(void)
1988{
Willy Tarreaud4c33c82013-01-07 21:59:07 +0100[diff] [blame]1989 sample_register_fetches(&smp_kws);
Willy Tarreaua84d3742007-05-07 00:36:48 +0200[diff] [blame]1990 acl_register_keywords(&acl_kws);
1991}
1992
1993
1994/*
1995 * Local variables:
1996 * c-indent-level: 8
1997 * c-basic-offset: 8
1998 * End:
1999 */