Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / f2d7caedd1dadd78bbf62cd6713d39e7a44c4de2 / . / src / proto_tcp.c
blob: 5039db8be8dd421af6ace7c0c57929bff1778337 [file] [log] [blame]
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]1/*
2 * AF_INET/AF_INET6 SOCK_STREAM protocol layer (tcp)
3 *
Willy Tarreau1a687942010-05-23 22:40:30 +0200[diff] [blame]4 * Copyright 2000-2010 Willy Tarreau <w@1wt.eu>
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 *
11 */
12
13#include <ctype.h>
14#include <errno.h>
15#include <fcntl.h>
16#include <stdio.h>
17#include <stdlib.h>
18#include <string.h>
19#include <time.h>
20
21#include <sys/param.h>
22#include <sys/socket.h>
23#include <sys/stat.h>
24#include <sys/types.h>
25#include <sys/un.h>
26
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400[diff] [blame]27#include <netinet/tcp.h>
28
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]29#include <common/cfgparse.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]30#include <common/compat.h>
31#include <common/config.h>
32#include <common/debug.h>
33#include <common/errors.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]34#include <common/mini-clist.h>
35#include <common/standard.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]36
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]37#include <types/global.h>
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]38#include <types/server.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]39
40#include <proto/acl.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]41#include <proto/buffers.h>
Willy Tarreau03fa5df2010-05-24 21:02:37 +0200[diff] [blame]42#include <proto/frontend.h>
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]43#include <proto/log.h>
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]44#include <proto/pattern.h>
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]45#include <proto/port_range.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]46#include <proto/protocols.h>
47#include <proto/proto_tcp.h>
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]48#include <proto/proxy.h>
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]49#include <proto/session.h>
Willy Tarreaua975b8f2010-06-05 19:13:27 +0200[diff] [blame]50#include <proto/stick_table.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]51#include <proto/stream_sock.h>
Willy Tarreaua975b8f2010-06-05 19:13:27 +0200[diff] [blame]52#include <proto/task.h>
Emeric Brun97679e72010-09-23 17:56:44 +0200[diff] [blame]53#include <proto/buffers.h>
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]54
Willy Tarreaue8c66af2008-01-13 18:40:14 +0100[diff] [blame]55#ifdef CONFIG_HAP_CTTPROXY
56#include <import/ip_tproxy.h>
57#endif
58
Emeric Bruncf20bf12010-10-22 16:06:11 +0200[diff] [blame]59static int tcp_bind_listeners(struct protocol *proto, char *errmsg, int errlen);
60static int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen);
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]61
62/* Note: must not be declared <const> as its list will be overwritten */
63static struct protocol proto_tcpv4 = {
64 .name = "tcpv4",
65 .sock_domain = AF_INET,
66 .sock_type = SOCK_STREAM,
67 .sock_prot = IPPROTO_TCP,
68 .sock_family = AF_INET,
69 .sock_addrlen = sizeof(struct sockaddr_in),
70 .l3_addrlen = 32/8,
Willy Tarreaueb472682010-05-28 18:46:57 +0200[diff] [blame]71 .accept = &stream_sock_accept,
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]72 .read = &stream_sock_read,
73 .write = &stream_sock_write,
Emeric Bruncf20bf12010-10-22 16:06:11 +0200[diff] [blame]74 .bind = tcp_bind_listener,
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]75 .bind_all = tcp_bind_listeners,
76 .unbind_all = unbind_all_listeners,
77 .enable_all = enable_all_listeners,
78 .listeners = LIST_HEAD_INIT(proto_tcpv4.listeners),
79 .nb_listeners = 0,
80};
81
82/* Note: must not be declared <const> as its list will be overwritten */
83static struct protocol proto_tcpv6 = {
84 .name = "tcpv6",
85 .sock_domain = AF_INET6,
86 .sock_type = SOCK_STREAM,
87 .sock_prot = IPPROTO_TCP,
88 .sock_family = AF_INET6,
89 .sock_addrlen = sizeof(struct sockaddr_in6),
90 .l3_addrlen = 128/8,
Willy Tarreaueb472682010-05-28 18:46:57 +0200[diff] [blame]91 .accept = &stream_sock_accept,
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]92 .read = &stream_sock_read,
93 .write = &stream_sock_write,
Emeric Bruncf20bf12010-10-22 16:06:11 +0200[diff] [blame]94 .bind = tcp_bind_listener,
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]95 .bind_all = tcp_bind_listeners,
96 .unbind_all = unbind_all_listeners,
97 .enable_all = enable_all_listeners,
98 .listeners = LIST_HEAD_INIT(proto_tcpv6.listeners),
99 .nb_listeners = 0,
100};
101
Willy Tarreaue8c66af2008-01-13 18:40:14 +0100[diff] [blame]102
103/* Binds ipv4 address <local> to socket <fd>, unless <flags> is set, in which
104 * case we try to bind <remote>. <flags> is a 2-bit field consisting of :
105 * - 0 : ignore remote address (may even be a NULL pointer)
106 * - 1 : use provided address
107 * - 2 : use provided port
108 * - 3 : use both
109 *
110 * The function supports multiple foreign binding methods :
111 * - linux_tproxy: we directly bind to the foreign address
112 * - cttproxy: we bind to a local address then nat.
113 * The second one can be used as a fallback for the first one.
114 * This function returns 0 when everything's OK, 1 if it could not bind, to the
115 * local address, 2 if it could not bind to the foreign address.
116 */
117int tcpv4_bind_socket(int fd, int flags, struct sockaddr_in *local, struct sockaddr_in *remote)
118{
119 struct sockaddr_in bind_addr;
120 int foreign_ok = 0;
121 int ret;
122
123#ifdef CONFIG_HAP_LINUX_TPROXY
124 static int ip_transp_working = 1;
125 if (flags && ip_transp_working) {
126 if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0
127 || setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == 0)
128 foreign_ok = 1;
129 else
130 ip_transp_working = 0;
131 }
132#endif
133 if (flags) {
134 memset(&bind_addr, 0, sizeof(bind_addr));
135 if (flags & 1)
136 bind_addr.sin_addr = remote->sin_addr;
137 if (flags & 2)
138 bind_addr.sin_port = remote->sin_port;
139 }
140
141 setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(one));
142 if (foreign_ok) {
143 ret = bind(fd, (struct sockaddr *)&bind_addr, sizeof(bind_addr));
144 if (ret < 0)
145 return 2;
146 }
147 else {
148 ret = bind(fd, (struct sockaddr *)local, sizeof(*local));
149 if (ret < 0)
150 return 1;
151 }
152
153 if (!flags)
154 return 0;
155
156#ifdef CONFIG_HAP_CTTPROXY
157 if (!foreign_ok) {
158 struct in_tproxy itp1, itp2;
159 memset(&itp1, 0, sizeof(itp1));
160
161 itp1.op = TPROXY_ASSIGN;
162 itp1.v.addr.faddr = bind_addr.sin_addr;
163 itp1.v.addr.fport = bind_addr.sin_port;
164
165 /* set connect flag on socket */
166 itp2.op = TPROXY_FLAGS;
167 itp2.v.flags = ITP_CONNECT | ITP_ONCE;
168
169 if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp1, sizeof(itp1)) != -1 &&
170 setsockopt(fd, SOL_IP, IP_TPROXY, &itp2, sizeof(itp2)) != -1) {
171 foreign_ok = 1;
172 }
173 }
174#endif
175 if (!foreign_ok)
176 /* we could not bind to a foreign address */
177 return 2;
178
179 return 0;
180}
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]181
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]182
183/*
184 * This function initiates a connection to the server assigned to this session
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]185 * (s->srv, s->srv_addr). It will assign a server if none is assigned yet. A
186 * source address may be pointed to by <from_addr>. Note that this is only used
187 * in case of transparent proxying. Normal source bind addresses are still
188 * determined locally (due to the possible need of a source port).
189 *
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]190 * It can return one of :
191 * - SN_ERR_NONE if everything's OK
192 * - SN_ERR_SRVTO if there are no more servers
193 * - SN_ERR_SRVCL if the connection was refused by the server
194 * - SN_ERR_PRXCOND if the connection has been limited by the proxy (maxconn)
195 * - SN_ERR_RESOURCE if a system resource is lacking (eg: fd limits, ports, ...)
196 * - SN_ERR_INTERNAL for any other purely internal errors
197 * Additionnally, in the case of SN_ERR_RESOURCE, an emergency log will be emitted.
198 */
199int tcpv4_connect_server(struct stream_interface *si,
200 struct proxy *be, struct server *srv,
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]201 struct sockaddr *srv_addr, struct sockaddr *from_addr)
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]202{
203 int fd;
204
205 if ((fd = si->fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
206 qfprintf(stderr, "Cannot get a server socket.\n");
207
208 if (errno == ENFILE)
209 send_log(be, LOG_EMERG,
210 "Proxy %s reached system FD limit at %d. Please check system tunables.\n",
211 be->id, maxfd);
212 else if (errno == EMFILE)
213 send_log(be, LOG_EMERG,
214 "Proxy %s reached process FD limit at %d. Please check 'ulimit-n' and restart.\n",
215 be->id, maxfd);
216 else if (errno == ENOBUFS || errno == ENOMEM)
217 send_log(be, LOG_EMERG,
218 "Proxy %s reached system memory limit at %d sockets. Please check system tunables.\n",
219 be->id, maxfd);
220 /* this is a resource error */
221 return SN_ERR_RESOURCE;
222 }
223
224 if (fd >= global.maxsock) {
225 /* do not log anything there, it's a normal condition when this option
226 * is used to serialize connections to a server !
227 */
228 Alert("socket(): not enough free sockets. Raise -n argument. Giving up.\n");
229 close(fd);
230 return SN_ERR_PRXCOND; /* it is a configuration limit */
231 }
232
233 if ((fcntl(fd, F_SETFL, O_NONBLOCK)==-1) ||
234 (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, (char *) &one, sizeof(one)) == -1)) {
235 qfprintf(stderr,"Cannot set client socket to non blocking mode.\n");
236 close(fd);
237 return SN_ERR_INTERNAL;
238 }
239
240 if (be->options & PR_O_TCP_SRV_KA)
241 setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (char *) &one, sizeof(one));
242
243 if (be->options & PR_O_TCP_NOLING)
244 setsockopt(fd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
245
246 /* allow specific binding :
247 * - server-specific at first
248 * - proxy-specific next
249 */
250 if (srv != NULL && srv->state & SRV_BIND_SRC) {
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]251 int ret, flags = 0;
252
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]253 switch (srv->state & SRV_TPROXY_MASK) {
254 case SRV_TPROXY_ADDR:
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]255 case SRV_TPROXY_CLI:
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]256 flags = 3;
257 break;
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]258 case SRV_TPROXY_CIP:
Willy Tarreau090466c2009-09-07 11:51:47 +0200[diff] [blame]259 case SRV_TPROXY_DYN:
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]260 flags = 1;
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]261 break;
262 }
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]263
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]264#ifdef SO_BINDTODEVICE
265 /* Note: this might fail if not CAP_NET_RAW */
266 if (srv->iface_name)
267 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, srv->iface_name, srv->iface_len + 1);
268#endif
269
270 if (srv->sport_range) {
271 int attempts = 10; /* should be more than enough to find a spare port */
272 struct sockaddr_in src;
273
274 ret = 1;
275 src = srv->source_addr;
276
277 do {
278 /* note: in case of retry, we may have to release a previously
279 * allocated port, hence this loop's construct.
280 */
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200[diff] [blame]281 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
282 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]283
284 if (!attempts)
285 break;
286 attempts--;
287
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200[diff] [blame]288 fdinfo[fd].local_port = port_range_alloc_port(srv->sport_range);
289 if (!fdinfo[fd].local_port)
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]290 break;
291
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200[diff] [blame]292 fdinfo[fd].port_range = srv->sport_range;
293 src.sin_port = htons(fdinfo[fd].local_port);
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]294
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]295 ret = tcpv4_bind_socket(fd, flags, &src, (struct sockaddr_in *)from_addr);
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]296 } while (ret != 0); /* binding NOK */
297 }
298 else {
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]299 ret = tcpv4_bind_socket(fd, flags, &srv->source_addr, (struct sockaddr_in *)from_addr);
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]300 }
301
302 if (ret) {
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200[diff] [blame]303 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
304 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]305 close(fd);
306
307 if (ret == 1) {
308 Alert("Cannot bind to source address before connect() for server %s/%s. Aborting.\n",
309 be->id, srv->id);
310 send_log(be, LOG_EMERG,
311 "Cannot bind to source address before connect() for server %s/%s.\n",
312 be->id, srv->id);
313 } else {
314 Alert("Cannot bind to tproxy source address before connect() for server %s/%s. Aborting.\n",
315 be->id, srv->id);
316 send_log(be, LOG_EMERG,
317 "Cannot bind to tproxy source address before connect() for server %s/%s.\n",
318 be->id, srv->id);
319 }
320 return SN_ERR_RESOURCE;
321 }
322 }
323 else if (be->options & PR_O_BIND_SRC) {
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]324 int ret, flags = 0;
325
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]326 switch (be->options & PR_O_TPXY_MASK) {
327 case PR_O_TPXY_ADDR:
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]328 case PR_O_TPXY_CLI:
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]329 flags = 3;
330 break;
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]331 case PR_O_TPXY_CIP:
Willy Tarreau090466c2009-09-07 11:51:47 +0200[diff] [blame]332 case PR_O_TPXY_DYN:
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]333 flags = 1;
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]334 break;
335 }
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]336
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]337#ifdef SO_BINDTODEVICE
338 /* Note: this might fail if not CAP_NET_RAW */
339 if (be->iface_name)
340 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, be->iface_name, be->iface_len + 1);
341#endif
Willy Tarreaub1d67742010-03-29 19:36:59 +0200[diff] [blame]342 ret = tcpv4_bind_socket(fd, flags, &be->source_addr, (struct sockaddr_in *)from_addr);
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]343 if (ret) {
344 close(fd);
345 if (ret == 1) {
346 Alert("Cannot bind to source address before connect() for proxy %s. Aborting.\n",
347 be->id);
348 send_log(be, LOG_EMERG,
349 "Cannot bind to source address before connect() for proxy %s.\n",
350 be->id);
351 } else {
352 Alert("Cannot bind to tproxy source address before connect() for proxy %s. Aborting.\n",
353 be->id);
354 send_log(be, LOG_EMERG,
355 "Cannot bind to tproxy source address before connect() for proxy %s.\n",
356 be->id);
357 }
358 return SN_ERR_RESOURCE;
359 }
360 }
361
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400[diff] [blame]362#if defined(TCP_QUICKACK)
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]363 /* disabling tcp quick ack now allows the first request to leave the
364 * machine with the first ACK. We only do this if there are pending
365 * data in the buffer.
366 */
367 if ((be->options2 & PR_O2_SMARTCON) && si->ob->send_max)
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400[diff] [blame]368 setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, (char *) &zero, sizeof(zero));
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]369#endif
370
Willy Tarreaue803de22010-01-21 17:43:04 +0100[diff] [blame]371 if (global.tune.server_sndbuf)
372 setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &global.tune.server_sndbuf, sizeof(global.tune.server_sndbuf));
373
374 if (global.tune.server_rcvbuf)
375 setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &global.tune.server_rcvbuf, sizeof(global.tune.server_rcvbuf));
376
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]377 if ((connect(fd, (struct sockaddr *)srv_addr, sizeof(struct sockaddr_in)) == -1) &&
378 (errno != EINPROGRESS) && (errno != EALREADY) && (errno != EISCONN)) {
379
380 if (errno == EAGAIN || errno == EADDRINUSE) {
381 char *msg;
382 if (errno == EAGAIN) /* no free ports left, try again later */
383 msg = "no free ports";
384 else
385 msg = "local address already in use";
386
387 qfprintf(stderr,"Cannot connect: %s.\n",msg);
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200[diff] [blame]388 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
389 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]390 close(fd);
391 send_log(be, LOG_EMERG,
392 "Connect() failed for server %s/%s: %s.\n",
393 be->id, srv->id, msg);
394 return SN_ERR_RESOURCE;
395 } else if (errno == ETIMEDOUT) {
396 //qfprintf(stderr,"Connect(): ETIMEDOUT");
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200[diff] [blame]397 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
398 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]399 close(fd);
400 return SN_ERR_SRVTO;
401 } else {
402 // (errno == ECONNREFUSED || errno == ENETUNREACH || errno == EACCES || errno == EPERM)
403 //qfprintf(stderr,"Connect(): %d", errno);
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200[diff] [blame]404 port_range_release_port(fdinfo[fd].port_range, fdinfo[fd].local_port);
405 fdinfo[fd].port_range = NULL;
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]406 close(fd);
407 return SN_ERR_SRVCL;
408 }
409 }
410
411 fdtab[fd].owner = si;
412 fdtab[fd].state = FD_STCONN; /* connection in progress */
413 fdtab[fd].flags = FD_FL_TCP | FD_FL_TCP_NODELAY;
414 fdtab[fd].cb[DIR_RD].f = &stream_sock_read;
415 fdtab[fd].cb[DIR_RD].b = si->ib;
416 fdtab[fd].cb[DIR_WR].f = &stream_sock_write;
417 fdtab[fd].cb[DIR_WR].b = si->ob;
418
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200[diff] [blame]419 fdinfo[fd].peeraddr = (struct sockaddr *)srv_addr;
420 fdinfo[fd].peerlen = sizeof(struct sockaddr_in);
Willy Tarreau9650f372009-08-16 14:02:45 +0200[diff] [blame]421
422 fd_insert(fd);
423 EV_FD_SET(fd, DIR_WR); /* for connect status */
424
425 si->state = SI_ST_CON;
426 si->flags |= SI_FL_CAP_SPLTCP; /* TCP supports splicing */
427 si->exp = tick_add_ifset(now_ms, be->timeout.connect);
428
429 return SN_ERR_NONE; /* connection is OK */
430}
431
432
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]433/* This function tries to bind a TCPv4/v6 listener. It may return a warning or
434 * an error message in <err> if the message is at most <errlen> bytes long
435 * (including '\0'). The return value is composed from ERR_ABORT, ERR_WARN,
436 * ERR_ALERT, ERR_RETRYABLE and ERR_FATAL. ERR_NONE indicates that everything
437 * was alright and that no message was returned. ERR_RETRYABLE means that an
438 * error occurred but that it may vanish after a retry (eg: port in use), and
439 * ERR_FATAL indicates a non-fixable error.ERR_WARN and ERR_ALERT do not alter
440 * the meaning of the error, but just indicate that a message is present which
441 * should be displayed with the respective level. Last, ERR_ABORT indicates
442 * that it's pointless to try to start other listeners. No error message is
443 * returned if errlen is NULL.
444 */
445int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen)
446{
447 __label__ tcp_return, tcp_close_return;
448 int fd, err;
449 const char *msg = NULL;
450
451 /* ensure we never return garbage */
452 if (errmsg && errlen)
453 *errmsg = 0;
454
455 if (listener->state != LI_ASSIGNED)
456 return ERR_NONE; /* already bound */
457
458 err = ERR_NONE;
459
460 if ((fd = socket(listener->addr.ss_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
461 err |= ERR_RETRYABLE | ERR_ALERT;
462 msg = "cannot create listening socket";
463 goto tcp_return;
464 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]465
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]466 if (fd >= global.maxsock) {
467 err |= ERR_FATAL | ERR_ABORT | ERR_ALERT;
468 msg = "not enough free sockets (raise '-n' parameter)";
469 goto tcp_close_return;
470 }
471
Willy Tarreaufb14edc2009-06-14 15:24:37 +0200[diff] [blame]472 if (fcntl(fd, F_SETFL, O_NONBLOCK) == -1) {
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]473 err |= ERR_FATAL | ERR_ALERT;
474 msg = "cannot make socket non-blocking";
475 goto tcp_close_return;
476 }
477
478 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) &one, sizeof(one)) == -1) {
479 /* not fatal but should be reported */
480 msg = "cannot do so_reuseaddr";
481 err |= ERR_ALERT;
482 }
483
484 if (listener->options & LI_O_NOLINGER)
485 setsockopt(fd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]486
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]487#ifdef SO_REUSEPORT
488 /* OpenBSD supports this. As it's present in old libc versions of Linux,
489 * it might return an error that we will silently ignore.
490 */
491 setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (char *) &one, sizeof(one));
492#endif
Willy Tarreaub1e52e82008-01-13 14:49:51 +0100[diff] [blame]493#ifdef CONFIG_HAP_LINUX_TPROXY
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]494 if ((listener->options & LI_O_FOREIGN)
Willy Tarreau0a459892008-01-13 17:37:16 +0100[diff] [blame]495 && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)
496 && (setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == -1)) {
Willy Tarreaub1e52e82008-01-13 14:49:51 +0100[diff] [blame]497 msg = "cannot make listening socket transparent";
498 err |= ERR_ALERT;
499 }
500#endif
Willy Tarreau5e6e2042009-02-04 17:19:29 +0100[diff] [blame]501#ifdef SO_BINDTODEVICE
502 /* Note: this might fail if not CAP_NET_RAW */
503 if (listener->interface) {
504 if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
Willy Tarreau604e8302009-03-06 00:48:23 +0100[diff] [blame]505 listener->interface, strlen(listener->interface) + 1) == -1) {
Willy Tarreau5e6e2042009-02-04 17:19:29 +0100[diff] [blame]506 msg = "cannot bind listener to device";
507 err |= ERR_WARN;
508 }
509 }
510#endif
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400[diff] [blame]511#if defined(TCP_MAXSEG)
Willy Tarreaube1b9182009-06-14 18:48:19 +0200[diff] [blame]512 if (listener->maxseg) {
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400[diff] [blame]513 if (setsockopt(fd, IPPROTO_TCP, TCP_MAXSEG,
Willy Tarreaube1b9182009-06-14 18:48:19 +0200[diff] [blame]514 &listener->maxseg, sizeof(listener->maxseg)) == -1) {
515 msg = "cannot set MSS";
516 err |= ERR_WARN;
517 }
518 }
519#endif
Willy Tarreaucb6cd432009-10-13 07:34:14 +0200[diff] [blame]520#if defined(TCP_DEFER_ACCEPT)
521 if (listener->options & LI_O_DEF_ACCEPT) {
522 /* defer accept by up to one second */
523 int accept_delay = 1;
524 if (setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &accept_delay, sizeof(accept_delay)) == -1) {
525 msg = "cannot enable DEFER_ACCEPT";
526 err |= ERR_WARN;
527 }
528 }
529#endif
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]530 if (bind(fd, (struct sockaddr *)&listener->addr, listener->proto->sock_addrlen) == -1) {
531 err |= ERR_RETRYABLE | ERR_ALERT;
532 msg = "cannot bind socket";
533 goto tcp_close_return;
534 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]535
Willy Tarreauc73ce2b2008-01-06 10:55:10 +0100[diff] [blame]536 if (listen(fd, listener->backlog ? listener->backlog : listener->maxconn) == -1) {
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]537 err |= ERR_RETRYABLE | ERR_ALERT;
538 msg = "cannot listen to socket";
539 goto tcp_close_return;
540 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]541
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400[diff] [blame]542#if defined(TCP_QUICKACK)
Willy Tarreau9ea05a72009-06-14 12:07:01 +0200[diff] [blame]543 if (listener->options & LI_O_NOQUICKACK)
Dmitry Sivachenkocaf58982009-08-24 15:11:06 +0400[diff] [blame]544 setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, (char *) &zero, sizeof(zero));
Willy Tarreau9ea05a72009-06-14 12:07:01 +0200[diff] [blame]545#endif
546
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]547 /* the socket is ready */
548 listener->fd = fd;
549 listener->state = LI_LISTEN;
550
Willy Tarreaueabf3132008-08-29 23:36:51 +0200[diff] [blame]551 fdtab[fd].owner = listener; /* reference the listener instead of a task */
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]552 fdtab[fd].state = FD_STLISTEN;
Willy Tarreaueb472682010-05-28 18:46:57 +0200[diff] [blame]553 fdtab[fd].flags = FD_FL_TCP | ((listener->options & LI_O_NOLINGER) ? FD_FL_TCP_NOLING : 0);
554 fdtab[fd].cb[DIR_RD].f = listener->proto->accept;
555 fdtab[fd].cb[DIR_WR].f = NULL; /* never called */
556 fdtab[fd].cb[DIR_RD].b = fdtab[fd].cb[DIR_WR].b = NULL;
Willy Tarreau5d707e12009-06-28 11:09:07 +0200[diff] [blame]557
Willy Tarreau8d5d77e2009-10-18 07:25:52 +0200[diff] [blame]558 fdinfo[fd].peeraddr = NULL;
559 fdinfo[fd].peerlen = 0;
Willy Tarreaueb472682010-05-28 18:46:57 +0200[diff] [blame]560 fd_insert(fd);
561
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]562 tcp_return:
Cyril Bonté43ba1b32010-11-01 19:26:01 +0100[diff] [blame]563 if (msg && errlen) {
564 char pn[INET6_ADDRSTRLEN];
565
566 if (listener->addr.ss_family == AF_INET) {
567 inet_ntop(AF_INET,
568 (const void *)&((struct sockaddr_in *)&listener->addr)->sin_addr,
569 pn, sizeof(pn));
570 snprintf(errmsg, errlen, "%s [%s:%d]", msg, pn, ntohs(((struct sockaddr_in *)&listener->addr)->sin_port));
571 }
572 else {
573 inet_ntop(AF_INET6,
574 (const void *)&((struct sockaddr_in6 *)(&listener->addr))->sin6_addr,
575 pn, sizeof(pn));
576 snprintf(errmsg, errlen, "%s [%s:%d]", msg, pn, ntohs(((struct sockaddr_in6 *)&listener->addr)->sin6_port));
577 }
578 }
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]579 return err;
580
581 tcp_close_return:
582 close(fd);
583 goto tcp_return;
584}
585
586/* This function creates all TCP sockets bound to the protocol entry <proto>.
587 * It is intended to be used as the protocol's bind_all() function.
588 * The sockets will be registered but not added to any fd_set, in order not to
589 * loose them across the fork(). A call to enable_all_listeners() is needed
590 * to complete initialization. The return value is composed from ERR_*.
591 */
Emeric Bruncf20bf12010-10-22 16:06:11 +0200[diff] [blame]592static int tcp_bind_listeners(struct protocol *proto, char *errmsg, int errlen)
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]593{
594 struct listener *listener;
595 int err = ERR_NONE;
596
597 list_for_each_entry(listener, &proto->listeners, proto_list) {
Emeric Bruncf20bf12010-10-22 16:06:11 +0200[diff] [blame]598 err |= tcp_bind_listener(listener, errmsg, errlen);
599 if (err & ERR_ABORT)
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]600 break;
601 }
602
603 return err;
604}
605
606/* Add listener to the list of tcpv4 listeners. The listener's state
607 * is automatically updated from LI_INIT to LI_ASSIGNED. The number of
608 * listeners is updated. This is the function to use to add a new listener.
609 */
610void tcpv4_add_listener(struct listener *listener)
611{
612 if (listener->state != LI_INIT)
613 return;
614 listener->state = LI_ASSIGNED;
615 listener->proto = &proto_tcpv4;
616 LIST_ADDQ(&proto_tcpv4.listeners, &listener->proto_list);
617 proto_tcpv4.nb_listeners++;
618}
619
620/* Add listener to the list of tcpv4 listeners. The listener's state
621 * is automatically updated from LI_INIT to LI_ASSIGNED. The number of
622 * listeners is updated. This is the function to use to add a new listener.
623 */
624void tcpv6_add_listener(struct listener *listener)
625{
626 if (listener->state != LI_INIT)
627 return;
628 listener->state = LI_ASSIGNED;
629 listener->proto = &proto_tcpv6;
630 LIST_ADDQ(&proto_tcpv6.listeners, &listener->proto_list);
631 proto_tcpv6.nb_listeners++;
632}
633
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]634/* This function performs the TCP request analysis on the current request. It
635 * returns 1 if the processing can continue on next analysers, or zero if it
636 * needs more data, encounters an error, or wants to immediately abort the
Willy Tarreaufb356202010-08-03 14:02:05 +0200[diff] [blame]637 * request. It relies on buffers flags, and updates s->req->analysers. The
638 * function may be called for frontend rules and backend rules. It only relies
639 * on the backend pointer so this works for both cases.
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]640 */
Willy Tarreau3a816292009-07-07 10:55:49 +0200[diff] [blame]641int tcp_inspect_request(struct session *s, struct buffer *req, int an_bit)
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]642{
643 struct tcp_rule *rule;
Willy Tarreaud1f96522010-08-03 19:34:32 +0200[diff] [blame]644 struct stksess *ts;
645 struct stktable *t;
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]646 int partial;
647
648 DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
649 now_ms, __FUNCTION__,
650 s,
651 req,
652 req->rex, req->wex,
653 req->flags,
654 req->l,
655 req->analysers);
656
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]657 /* We don't know whether we have enough data, so must proceed
658 * this way :
659 * - iterate through all rules in their declaration order
660 * - if one rule returns MISS, it means the inspect delay is
661 * not over yet, then return immediately, otherwise consider
662 * it as a non-match.
663 * - if one rule returns OK, then return OK
664 * - if one rule returns KO, then return KO
665 */
666
Willy Tarreaub824b002010-09-29 16:36:16 +0200[diff] [blame]667 if (req->flags & (BF_SHUTR|BF_FULL) || !s->be->tcp_req.inspect_delay || tick_is_expired(req->analyse_exp, now_ms))
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]668 partial = 0;
669 else
670 partial = ACL_PARTIAL;
671
Willy Tarreaufb356202010-08-03 14:02:05 +0200[diff] [blame]672 list_for_each_entry(rule, &s->be->tcp_req.inspect_rules, list) {
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]673 int ret = ACL_PAT_PASS;
674
675 if (rule->cond) {
Willy Tarreaufb356202010-08-03 14:02:05 +0200[diff] [blame]676 ret = acl_exec_cond(rule->cond, s->be, s, &s->txn, ACL_DIR_REQ | partial);
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]677 if (ret == ACL_PAT_MISS) {
Willy Tarreau520d95e2009-09-19 21:04:57 +0200[diff] [blame]678 buffer_dont_connect(req);
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]679 /* just set the request timeout once at the beginning of the request */
Willy Tarreaufb356202010-08-03 14:02:05 +0200[diff] [blame]680 if (!tick_isset(req->analyse_exp) && s->be->tcp_req.inspect_delay)
681 req->analyse_exp = tick_add_ifset(now_ms, s->be->tcp_req.inspect_delay);
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]682 return 0;
683 }
684
685 ret = acl_pass(ret);
686 if (rule->cond->pol == ACL_COND_UNLESS)
687 ret = !ret;
688 }
689
690 if (ret) {
691 /* we have a matching rule. */
692 if (rule->action == TCP_ACT_REJECT) {
693 buffer_abort(req);
694 buffer_abort(s->rep);
695 req->analysers = 0;
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +0200[diff] [blame]696
Willy Tarreaufb356202010-08-03 14:02:05 +0200[diff] [blame]697 s->be->counters.denied_req++;
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +0200[diff] [blame]698 if (s->listener->counters)
Willy Tarreau23968d82010-05-23 23:50:44 +0200[diff] [blame]699 s->listener->counters->denied_req++;
Krzysztof Piotr Oledzkiaeebf9b2009-10-04 15:43:17 +0200[diff] [blame]700
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]701 if (!(s->flags & SN_ERR_MASK))
702 s->flags |= SN_ERR_PRXCOND;
703 if (!(s->flags & SN_FINST_MASK))
704 s->flags |= SN_FINST_R;
705 return 0;
706 }
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]707 else if (rule->action == TCP_ACT_TRK_SC1) {
708 if (!s->stkctr1_entry) {
709 /* only the first valid track-sc1 directive applies.
Willy Tarreaud1f96522010-08-03 19:34:32 +0200[diff] [blame]710 * Also, note that right now we can only track SRC so we
711 * don't check how to get the key, but later we may need
712 * to consider rule->act_prm->trk_ctr.type.
713 */
714 t = rule->act_prm.trk_ctr.table.t;
715 ts = stktable_get_entry(t, tcpv4_src_to_stktable_key(s));
Willy Tarreau0a4838c2010-08-06 20:11:05 +0200[diff] [blame]716 if (ts) {
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]717 session_track_stkctr1(s, t, ts);
Willy Tarreau0a4838c2010-08-06 20:11:05 +0200[diff] [blame]718 if (s->fe != s->be)
719 s->flags |= SN_BE_TRACK_SC1;
720 }
Willy Tarreaud1f96522010-08-03 19:34:32 +0200[diff] [blame]721 }
722 }
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]723 else if (rule->action == TCP_ACT_TRK_SC2) {
724 if (!s->stkctr2_entry) {
725 /* only the first valid track-sc2 directive applies.
Willy Tarreaud1f96522010-08-03 19:34:32 +0200[diff] [blame]726 * Also, note that right now we can only track SRC so we
727 * don't check how to get the key, but later we may need
728 * to consider rule->act_prm->trk_ctr.type.
729 */
730 t = rule->act_prm.trk_ctr.table.t;
731 ts = stktable_get_entry(t, tcpv4_src_to_stktable_key(s));
Willy Tarreau0a4838c2010-08-06 20:11:05 +0200[diff] [blame]732 if (ts) {
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]733 session_track_stkctr2(s, t, ts);
Willy Tarreau0a4838c2010-08-06 20:11:05 +0200[diff] [blame]734 if (s->fe != s->be)
735 s->flags |= SN_BE_TRACK_SC2;
736 }
Willy Tarreaud1f96522010-08-03 19:34:32 +0200[diff] [blame]737 }
738 }
739 else {
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]740 /* otherwise accept */
Willy Tarreaud1f96522010-08-03 19:34:32 +0200[diff] [blame]741 break;
742 }
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]743 }
744 }
745
746 /* if we get there, it means we have no rule which matches, or
747 * we have an explicit accept, so we apply the default accept.
748 */
Willy Tarreau3a816292009-07-07 10:55:49 +0200[diff] [blame]749 req->analysers &= ~an_bit;
Willy Tarreauedcf6682008-11-30 23:15:34 +0100[diff] [blame]750 req->analyse_exp = TICK_ETERNITY;
751 return 1;
752}
753
Emeric Brun97679e72010-09-23 17:56:44 +0200[diff] [blame]754/* This function performs the TCP response analysis on the current response. It
755 * returns 1 if the processing can continue on next analysers, or zero if it
756 * needs more data, encounters an error, or wants to immediately abort the
757 * response. It relies on buffers flags, and updates s->rep->analysers. The
758 * function may be called for backend rules.
759 */
760int tcp_inspect_response(struct session *s, struct buffer *rep, int an_bit)
761{
762 struct tcp_rule *rule;
763 int partial;
764
765 DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
766 now_ms, __FUNCTION__,
767 s,
768 rep,
769 rep->rex, rep->wex,
770 rep->flags,
771 rep->l,
772 rep->analysers);
773
774 /* We don't know whether we have enough data, so must proceed
775 * this way :
776 * - iterate through all rules in their declaration order
777 * - if one rule returns MISS, it means the inspect delay is
778 * not over yet, then return immediately, otherwise consider
779 * it as a non-match.
780 * - if one rule returns OK, then return OK
781 * - if one rule returns KO, then return KO
782 */
783
784 if (rep->flags & BF_SHUTR || tick_is_expired(rep->analyse_exp, now_ms))
785 partial = 0;
786 else
787 partial = ACL_PARTIAL;
788
789 list_for_each_entry(rule, &s->be->tcp_rep.inspect_rules, list) {
790 int ret = ACL_PAT_PASS;
791
792 if (rule->cond) {
793 ret = acl_exec_cond(rule->cond, s->be, s, &s->txn, ACL_DIR_RTR | partial);
794 if (ret == ACL_PAT_MISS) {
795 /* just set the analyser timeout once at the beginning of the response */
796 if (!tick_isset(rep->analyse_exp) && s->be->tcp_rep.inspect_delay)
797 rep->analyse_exp = tick_add_ifset(now_ms, s->be->tcp_rep.inspect_delay);
798 return 0;
799 }
800
801 ret = acl_pass(ret);
802 if (rule->cond->pol == ACL_COND_UNLESS)
803 ret = !ret;
804 }
805
806 if (ret) {
807 /* we have a matching rule. */
808 if (rule->action == TCP_ACT_REJECT) {
809 buffer_abort(rep);
810 buffer_abort(s->req);
811 rep->analysers = 0;
812
813 s->be->counters.denied_resp++;
814 if (s->listener->counters)
815 s->listener->counters->denied_resp++;
816
817 if (!(s->flags & SN_ERR_MASK))
818 s->flags |= SN_ERR_PRXCOND;
819 if (!(s->flags & SN_FINST_MASK))
820 s->flags |= SN_FINST_D;
821 return 0;
822 }
823 else {
824 /* otherwise accept */
825 break;
826 }
827 }
828 }
829
830 /* if we get there, it means we have no rule which matches, or
831 * we have an explicit accept, so we apply the default accept.
832 */
833 rep->analysers &= ~an_bit;
834 rep->analyse_exp = TICK_ETERNITY;
835 return 1;
836}
837
838
Willy Tarreaua5c0ab22010-05-31 10:30:33 +0200[diff] [blame]839/* This function performs the TCP layer4 analysis on the current request. It
840 * returns 0 if a reject rule matches, otherwise 1 if either an accept rule
841 * matches or if no more rule matches. It can only use rules which don't need
842 * any data.
843 */
844int tcp_exec_req_rules(struct session *s)
845{
846 struct tcp_rule *rule;
Willy Tarreauf059a0f2010-08-03 16:29:52 +0200[diff] [blame]847 struct stksess *ts;
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]848 struct stktable *t = NULL;
849 int result = 1;
Willy Tarreaua5c0ab22010-05-31 10:30:33 +0200[diff] [blame]850 int ret;
851
852 list_for_each_entry(rule, &s->fe->tcp_req.l4_rules, list) {
853 ret = ACL_PAT_PASS;
854
855 if (rule->cond) {
856 ret = acl_exec_cond(rule->cond, s->fe, s, NULL, ACL_DIR_REQ);
857 ret = acl_pass(ret);
858 if (rule->cond->pol == ACL_COND_UNLESS)
859 ret = !ret;
860 }
861
862 if (ret) {
863 /* we have a matching rule. */
864 if (rule->action == TCP_ACT_REJECT) {
Willy Tarreau2799e982010-06-05 15:43:21 +0200[diff] [blame]865 s->fe->counters.denied_conn++;
Willy Tarreaua5c0ab22010-05-31 10:30:33 +0200[diff] [blame]866 if (s->listener->counters)
Willy Tarreau2799e982010-06-05 15:43:21 +0200[diff] [blame]867 s->listener->counters->denied_conn++;
Willy Tarreaua5c0ab22010-05-31 10:30:33 +0200[diff] [blame]868
869 if (!(s->flags & SN_ERR_MASK))
870 s->flags |= SN_ERR_PRXCOND;
871 if (!(s->flags & SN_FINST_MASK))
872 s->flags |= SN_FINST_R;
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]873 result = 0;
874 break;
Willy Tarreaua5c0ab22010-05-31 10:30:33 +0200[diff] [blame]875 }
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]876 else if (rule->action == TCP_ACT_TRK_SC1) {
877 if (!s->stkctr1_entry) {
878 /* only the first valid track-sc1 directive applies.
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]879 * Also, note that right now we can only track SRC so we
880 * don't check how to get the key, but later we may need
881 * to consider rule->act_prm->trk_ctr.type.
882 */
883 t = rule->act_prm.trk_ctr.table.t;
884 ts = stktable_get_entry(t, tcpv4_src_to_stktable_key(s));
885 if (ts)
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]886 session_track_stkctr1(s, t, ts);
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]887 }
888 }
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]889 else if (rule->action == TCP_ACT_TRK_SC2) {
890 if (!s->stkctr2_entry) {
891 /* only the first valid track-sc2 directive applies.
Willy Tarreauf059a0f2010-08-03 16:29:52 +0200[diff] [blame]892 * Also, note that right now we can only track SRC so we
893 * don't check how to get the key, but later we may need
894 * to consider rule->act_prm->trk_ctr.type.
895 */
896 t = rule->act_prm.trk_ctr.table.t;
897 ts = stktable_get_entry(t, tcpv4_src_to_stktable_key(s));
898 if (ts)
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]899 session_track_stkctr2(s, t, ts);
Willy Tarreauf059a0f2010-08-03 16:29:52 +0200[diff] [blame]900 }
901 }
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]902 else {
903 /* otherwise it's an accept */
904 break;
905 }
Willy Tarreaua5c0ab22010-05-31 10:30:33 +0200[diff] [blame]906 }
907 }
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]908 return result;
Willy Tarreaua5c0ab22010-05-31 10:30:33 +0200[diff] [blame]909}
910
Emeric Brun97679e72010-09-23 17:56:44 +0200[diff] [blame]911/* Parse a tcp-response rule. Return a negative value in case of failure */
912static int tcp_parse_response_rule(char **args, int arg, int section_type,
913 struct proxy *curpx, struct proxy *defpx,
914 struct tcp_rule *rule, char *err, int errlen)
915{
916 if (curpx == defpx || !(curpx->cap & PR_CAP_BE)) {
917 snprintf(err, errlen, "%s %s is only allowed in 'backend' sections",
918 args[0], args[1]);
919 return -1;
920 }
921
922 if (strcmp(args[arg], "accept") == 0) {
923 arg++;
924 rule->action = TCP_ACT_ACCEPT;
925 }
926 else if (strcmp(args[arg], "reject") == 0) {
927 arg++;
928 rule->action = TCP_ACT_REJECT;
929 }
930 else {
931 snprintf(err, errlen,
932 "'%s %s' expects 'accept' or 'reject' in %s '%s' (was '%s')",
933 args[0], args[1], proxy_type_str(curpx), curpx->id, args[arg]);
934 return -1;
935 }
936
937 if (strcmp(args[arg], "if") == 0 || strcmp(args[arg], "unless") == 0) {
938 if ((rule->cond = build_acl_cond(NULL, 0, curpx, (const char **)args+arg)) == NULL) {
939 snprintf(err, errlen,
940 "error detected in %s '%s' while parsing '%s' condition",
941 proxy_type_str(curpx), curpx->id, args[arg]);
942 return -1;
943 }
944 }
945 else if (*args[arg]) {
946 snprintf(err, errlen,
947 "'%s %s %s' only accepts 'if' or 'unless', in %s '%s' (was '%s')",
948 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg]);
949 return -1;
950 }
951 return 0;
952}
953
954
955
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]956/* Parse a tcp-request rule. Return a negative value in case of failure */
957static int tcp_parse_request_rule(char **args, int arg, int section_type,
958 struct proxy *curpx, struct proxy *defpx,
959 struct tcp_rule *rule, char *err, int errlen)
960{
961 if (curpx == defpx) {
962 snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
963 args[0], args[1]);
964 return -1;
965 }
966
967 if (!strcmp(args[arg], "accept")) {
968 arg++;
969 rule->action = TCP_ACT_ACCEPT;
970 }
971 else if (!strcmp(args[arg], "reject")) {
972 arg++;
973 rule->action = TCP_ACT_REJECT;
974 }
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]975 else if (strcmp(args[arg], "track-sc1") == 0) {
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]976 int ret;
977
978 arg++;
979 ret = parse_track_counters(args, &arg, section_type, curpx,
980 &rule->act_prm.trk_ctr, defpx, err, errlen);
981
982 if (ret < 0) /* nb: warnings are not handled yet */
983 return -1;
984
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]985 rule->action = TCP_ACT_TRK_SC1;
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]986 }
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]987 else if (strcmp(args[arg], "track-sc2") == 0) {
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]988 int ret;
989
990 arg++;
991 ret = parse_track_counters(args, &arg, section_type, curpx,
992 &rule->act_prm.trk_ctr, defpx, err, errlen);
993
994 if (ret < 0) /* nb: warnings are not handled yet */
995 return -1;
996
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]997 rule->action = TCP_ACT_TRK_SC2;
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]998 }
999 else {
1000 snprintf(err, errlen,
Willy Tarreau56123282010-08-06 19:06:56 +0200[diff] [blame]1001 "'%s %s' expects 'accept', 'reject', 'track-sc1' "
1002 "or 'track-sc2' in %s '%s' (was '%s')",
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1003 args[0], args[1], proxy_type_str(curpx), curpx->id, args[arg]);
1004 return -1;
1005 }
1006
1007 if (strcmp(args[arg], "if") == 0 || strcmp(args[arg], "unless") == 0) {
1008 if ((rule->cond = build_acl_cond(NULL, 0, curpx, (const char **)args+arg)) == NULL) {
1009 snprintf(err, errlen,
1010 "error detected in %s '%s' while parsing '%s' condition",
1011 proxy_type_str(curpx), curpx->id, args[arg]);
1012 return -1;
1013 }
1014 }
1015 else if (*args[arg]) {
1016 snprintf(err, errlen,
1017 "'%s %s %s' only accepts 'if' or 'unless', in %s '%s' (was '%s')",
1018 args[0], args[1], args[2], proxy_type_str(curpx), curpx->id, args[arg]);
1019 return -1;
1020 }
1021 return 0;
1022}
1023
Emeric Brun97679e72010-09-23 17:56:44 +0200[diff] [blame]1024/* This function should be called to parse a line starting with the "tcp-response"
1025 * keyword.
1026 */
1027static int tcp_parse_tcp_rep(char **args, int section_type, struct proxy *curpx,
1028 struct proxy *defpx, char *err, int errlen)
1029{
1030 const char *ptr = NULL;
1031 unsigned int val;
1032 int retlen;
1033 int warn = 0;
1034 int arg;
1035 struct tcp_rule *rule;
1036
1037 if (!*args[1]) {
1038 snprintf(err, errlen, "missing argument for '%s' in %s '%s'",
1039 args[0], proxy_type_str(curpx), curpx->id);
1040 return -1;
1041 }
1042
1043 if (strcmp(args[1], "inspect-delay") == 0) {
1044 if (curpx == defpx || !(curpx->cap & PR_CAP_BE)) {
1045 snprintf(err, errlen, "%s %s is only allowed in 'backend' sections",
1046 args[0], args[1]);
1047 return -1;
1048 }
1049
1050 if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
1051 retlen = snprintf(err, errlen,
1052 "'%s %s' expects a positive delay in milliseconds, in %s '%s'",
1053 args[0], args[1], proxy_type_str(curpx), curpx->id);
1054 if (ptr && retlen < errlen)
1055 retlen += snprintf(err + retlen, errlen - retlen,
1056 " (unexpected character '%c')", *ptr);
1057 return -1;
1058 }
1059
1060 if (curpx->tcp_rep.inspect_delay) {
1061 snprintf(err, errlen, "ignoring %s %s (was already defined) in %s '%s'",
1062 args[0], args[1], proxy_type_str(curpx), curpx->id);
1063 return 1;
1064 }
1065 curpx->tcp_rep.inspect_delay = val;
1066 return 0;
1067 }
1068
1069 rule = (struct tcp_rule *)calloc(1, sizeof(*rule));
1070 LIST_INIT(&rule->list);
1071 arg = 1;
1072
1073 if (strcmp(args[1], "content") == 0) {
1074 arg++;
1075 if (tcp_parse_response_rule(args, arg, section_type, curpx, defpx, rule, err, errlen) < 0)
1076 goto error;
1077
1078 if (rule->cond && (rule->cond->requires & ACL_USE_L6REQ_VOLATILE)) {
1079 struct acl *acl;
1080 const char *name;
1081
1082 acl = cond_find_require(rule->cond, ACL_USE_L6REQ_VOLATILE);
1083 name = acl ? acl->name : "(unknown)";
1084
1085 retlen = snprintf(err, errlen,
1086 "acl '%s' involves some request-only criteria which will be ignored.",
1087 name);
1088 warn++;
1089 }
1090
1091 LIST_ADDQ(&curpx->tcp_rep.inspect_rules, &rule->list);
1092 }
1093 else {
1094 retlen = snprintf(err, errlen,
1095 "'%s' expects 'inspect-delay' or 'content' in %s '%s' (was '%s')",
1096 args[0], proxy_type_str(curpx), curpx->id, args[1]);
1097 goto error;
1098 }
1099
1100 return warn;
1101 error:
1102 free(rule);
1103 return -1;
1104}
1105
1106
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1107/* This function should be called to parse a line starting with the "tcp-request"
1108 * keyword.
1109 */
1110static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
1111 struct proxy *defpx, char *err, int errlen)
1112{
1113 const char *ptr = NULL;
Willy Tarreauc7e961e2008-08-17 17:13:47 +0200[diff] [blame]1114 unsigned int val;
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1115 int retlen;
Willy Tarreau1a687942010-05-23 22:40:30 +0200[diff] [blame]1116 int warn = 0;
Willy Tarreau6a984fa2010-06-14 16:44:27 +0200[diff] [blame]1117 int arg;
Willy Tarreau1a687942010-05-23 22:40:30 +0200[diff] [blame]1118 struct tcp_rule *rule;
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1119
1120 if (!*args[1]) {
1121 snprintf(err, errlen, "missing argument for '%s' in %s '%s'",
Willy Tarreauf5356832010-06-14 18:40:26 +0200[diff] [blame]1122 args[0], proxy_type_str(curpx), curpx->id);
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1123 return -1;
1124 }
1125
1126 if (!strcmp(args[1], "inspect-delay")) {
1127 if (curpx == defpx) {
1128 snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
1129 args[0], args[1]);
1130 return -1;
1131 }
1132
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1133 if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
1134 retlen = snprintf(err, errlen,
1135 "'%s %s' expects a positive delay in milliseconds, in %s '%s'",
Willy Tarreauf5356832010-06-14 18:40:26 +0200[diff] [blame]1136 args[0], args[1], proxy_type_str(curpx), curpx->id);
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1137 if (ptr && retlen < errlen)
1138 retlen += snprintf(err+retlen, errlen - retlen,
1139 " (unexpected character '%c')", *ptr);
1140 return -1;
1141 }
1142
1143 if (curpx->tcp_req.inspect_delay) {
1144 snprintf(err, errlen, "ignoring %s %s (was already defined) in %s '%s'",
Willy Tarreauf5356832010-06-14 18:40:26 +0200[diff] [blame]1145 args[0], args[1], proxy_type_str(curpx), curpx->id);
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1146 return 1;
1147 }
1148 curpx->tcp_req.inspect_delay = val;
1149 return 0;
1150 }
1151
Willy Tarreau6a984fa2010-06-14 16:44:27 +0200[diff] [blame]1152 rule = (struct tcp_rule *)calloc(1, sizeof(*rule));
Willy Tarreaufb024dc2010-08-20 13:35:41 +0200[diff] [blame]1153 LIST_INIT(&rule->list);
Willy Tarreau6a984fa2010-06-14 16:44:27 +0200[diff] [blame]1154 arg = 1;
1155
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1156 if (strcmp(args[1], "content") == 0) {
Willy Tarreaud1f96522010-08-03 19:34:32 +0200[diff] [blame]1157 arg++;
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1158 if (tcp_parse_request_rule(args, arg, section_type, curpx, defpx, rule, err, errlen) < 0)
Willy Tarreau6a984fa2010-06-14 16:44:27 +0200[diff] [blame]1159 goto error;
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1160
Willy Tarreau6a984fa2010-06-14 16:44:27 +0200[diff] [blame]1161 if (rule->cond && (rule->cond->requires & ACL_USE_RTR_ANY)) {
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200[diff] [blame]1162 struct acl *acl;
1163 const char *name;
1164
Willy Tarreau6a984fa2010-06-14 16:44:27 +0200[diff] [blame]1165 acl = cond_find_require(rule->cond, ACL_USE_RTR_ANY);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200[diff] [blame]1166 name = acl ? acl->name : "(unknown)";
1167
1168 retlen = snprintf(err, errlen,
Willy Tarreau1a211942009-07-14 13:53:17 +0200[diff] [blame]1169 "acl '%s' involves some response-only criteria which will be ignored.",
1170 name);
Willy Tarreaudd64f8d2008-07-27 22:02:32 +0200[diff] [blame]1171 warn++;
1172 }
Willy Tarreaufb024dc2010-08-20 13:35:41 +0200[diff] [blame]1173 LIST_ADDQ(&curpx->tcp_req.inspect_rules, &rule->list);
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]1174 }
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1175 else if (strcmp(args[1], "connection") == 0) {
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]1176 arg++;
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]1177
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1178 if (!(curpx->cap & PR_CAP_FE)) {
1179 snprintf(err, errlen, "%s %s is not allowed because %s %s is not a frontend",
1180 args[0], args[1], proxy_type_str(curpx), curpx->id);
1181 return -1;
1182 }
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]1183
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1184 if (tcp_parse_request_rule(args, arg, section_type, curpx, defpx, rule, err, errlen) < 0)
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]1185 goto error;
1186
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1187 if (rule->cond && (rule->cond->requires & (ACL_USE_RTR_ANY|ACL_USE_L6_ANY|ACL_USE_L7_ANY))) {
1188 struct acl *acl;
1189 const char *name;
Willy Tarreauf059a0f2010-08-03 16:29:52 +0200[diff] [blame]1190
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1191 acl = cond_find_require(rule->cond, ACL_USE_RTR_ANY|ACL_USE_L6_ANY|ACL_USE_L7_ANY);
1192 name = acl ? acl->name : "(unknown)";
Willy Tarreauf059a0f2010-08-03 16:29:52 +0200[diff] [blame]1193
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1194 if (acl->requires & (ACL_USE_L6_ANY|ACL_USE_L7_ANY)) {
1195 retlen = snprintf(err, errlen,
1196 "'%s %s' may not reference acl '%s' which makes use of "
1197 "payload in %s '%s'. Please use '%s content' for this.",
1198 args[0], args[1], name, proxy_type_str(curpx), curpx->id, args[0]);
1199 goto error;
1200 }
1201 if (acl->requires & ACL_USE_RTR_ANY)
1202 retlen = snprintf(err, errlen,
1203 "acl '%s' involves some response-only criteria which will be ignored.",
1204 name);
1205 warn++;
1206 }
Willy Tarreaufb024dc2010-08-20 13:35:41 +0200[diff] [blame]1207 LIST_ADDQ(&curpx->tcp_req.l4_rules, &rule->list);
Willy Tarreau9ba2dcc2010-06-14 21:04:55 +0200[diff] [blame]1208 }
Willy Tarreau1a687942010-05-23 22:40:30 +0200[diff] [blame]1209 else {
1210 retlen = snprintf(err, errlen,
Willy Tarreau68c03ab2010-08-06 15:08:45 +0200[diff] [blame]1211 "'%s' expects 'inspect-delay', 'connection', or 'content' in %s '%s' (was '%s')",
Willy Tarreau1a687942010-05-23 22:40:30 +0200[diff] [blame]1212 args[0], proxy_type_str(curpx), curpx->id, args[1]);
Willy Tarreau6a984fa2010-06-14 16:44:27 +0200[diff] [blame]1213 goto error;
Willy Tarreau1a687942010-05-23 22:40:30 +0200[diff] [blame]1214 }
1215
Willy Tarreau1a687942010-05-23 22:40:30 +0200[diff] [blame]1216 return warn;
Willy Tarreau6a984fa2010-06-14 16:44:27 +0200[diff] [blame]1217 error:
1218 free(rule);
1219 return -1;
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1220}
1221
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1222
1223/************************************************************************/
1224/* All supported ACL keywords must be declared here. */
1225/************************************************************************/
1226
1227/* set test->ptr to point to the source IPv4/IPv6 address and test->i to the family */
1228static int
1229acl_fetch_src(struct proxy *px, struct session *l4, void *l7, int dir,
1230 struct acl_expr *expr, struct acl_test *test)
1231{
1232 test->i = l4->cli_addr.ss_family;
1233 if (test->i == AF_INET)
1234 test->ptr = (void *)&((struct sockaddr_in *)&l4->cli_addr)->sin_addr;
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1235 else if (test->i == AF_INET6)
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1236 test->ptr = (void *)&((struct sockaddr_in6 *)(&l4->cli_addr))->sin6_addr;
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1237 else
1238 return 0;
1239
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1240 test->flags = ACL_TEST_F_READ_ONLY;
1241 return 1;
1242}
1243
1244/* extract the connection's source address */
1245static int
1246pattern_fetch_src(struct proxy *px, struct session *l4, void *l7, int dir,
Emeric Brun485479d2010-09-23 18:02:19 +0200[diff] [blame]1247 const struct pattern_arg *arg_p, int arg_i, union pattern_data *data)
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1248{
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1249 if (l4->cli_addr.ss_family != AF_INET )
1250 return 0;
1251
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1252 data->ip.s_addr = ((struct sockaddr_in *)&l4->cli_addr)->sin_addr.s_addr;
1253 return 1;
1254}
1255
1256
1257/* set test->i to the connection's source port */
1258static int
1259acl_fetch_sport(struct proxy *px, struct session *l4, void *l7, int dir,
1260 struct acl_expr *expr, struct acl_test *test)
1261{
1262 if (l4->cli_addr.ss_family == AF_INET)
1263 test->i = ntohs(((struct sockaddr_in *)&l4->cli_addr)->sin_port);
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1264 else if (l4->cli_addr.ss_family == AF_INET6)
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1265 test->i = ntohs(((struct sockaddr_in6 *)(&l4->cli_addr))->sin6_port);
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1266 else
1267 return 0;
1268
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1269 test->flags = 0;
1270 return 1;
1271}
1272
1273
1274/* set test->ptr to point to the frontend's IPv4/IPv6 address and test->i to the family */
1275static int
1276acl_fetch_dst(struct proxy *px, struct session *l4, void *l7, int dir,
1277 struct acl_expr *expr, struct acl_test *test)
1278{
1279 if (!(l4->flags & SN_FRT_ADDR_SET))
1280 get_frt_addr(l4);
1281
1282 test->i = l4->frt_addr.ss_family;
1283 if (test->i == AF_INET)
1284 test->ptr = (void *)&((struct sockaddr_in *)&l4->frt_addr)->sin_addr;
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1285 else if (test->i == AF_INET6)
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1286 test->ptr = (void *)&((struct sockaddr_in6 *)(&l4->frt_addr))->sin6_addr;
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1287 else
1288 return 0;
1289
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1290 test->flags = ACL_TEST_F_READ_ONLY;
1291 return 1;
1292}
1293
1294
1295/* extract the connection's destination address */
1296static int
1297pattern_fetch_dst(struct proxy *px, struct session *l4, void *l7, int dir,
Emeric Brun485479d2010-09-23 18:02:19 +0200[diff] [blame]1298 const struct pattern_arg *arg_p, int arg_i, union pattern_data *data)
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1299{
emeric8aa6b372010-10-22 17:06:26 +0200[diff] [blame]1300 if (!(l4->flags & SN_FRT_ADDR_SET))
1301 get_frt_addr(l4);
1302
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1303 if (l4->frt_addr.ss_family != AF_INET)
1304 return 0;
1305
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1306 data->ip.s_addr = ((struct sockaddr_in *)&l4->frt_addr)->sin_addr.s_addr;
1307 return 1;
1308}
1309
1310/* set test->i to the frontend connexion's destination port */
1311static int
1312acl_fetch_dport(struct proxy *px, struct session *l4, void *l7, int dir,
1313 struct acl_expr *expr, struct acl_test *test)
1314{
1315 if (!(l4->flags & SN_FRT_ADDR_SET))
1316 get_frt_addr(l4);
1317
1318 if (l4->frt_addr.ss_family == AF_INET)
1319 test->i = ntohs(((struct sockaddr_in *)&l4->frt_addr)->sin_port);
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1320 else if (l4->frt_addr.ss_family == AF_INET6)
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1321 test->i = ntohs(((struct sockaddr_in6 *)(&l4->frt_addr))->sin6_port);
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1322 else
1323 return 0;
1324
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1325 test->flags = 0;
1326 return 1;
1327}
1328
1329static int
1330pattern_fetch_dport(struct proxy *px, struct session *l4, void *l7, int dir,
Emeric Brun485479d2010-09-23 18:02:19 +0200[diff] [blame]1331 const struct pattern_arg *arg, int i, union pattern_data *data)
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1332{
emeric8aa6b372010-10-22 17:06:26 +0200[diff] [blame]1333 if (!(l4->flags & SN_FRT_ADDR_SET))
1334 get_frt_addr(l4);
1335
Emeric Brunf769f512010-10-22 17:14:01 +0200[diff] [blame]1336 if (l4->frt_addr.ss_family != AF_INET)
1337 return 0;
1338
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1339 data->integer = ntohs(((struct sockaddr_in *)&l4->frt_addr)->sin_port);
1340 return 1;
1341}
1342
Emericf2d7cae2010-11-05 18:13:50 +0100[diff] [blame^]1343static int
1344pattern_arg_fetch_payloadlv(const char *arg, struct pattern_arg **arg_p, int *arg_i)
1345{
1346 int member = 0;
1347 int len_offset = 0;
1348 int len_size = 0;
1349 int buf_offset = 0;
1350 int relative = 0;
1351 int arg_len = strlen(arg);
1352 int i;
1353
1354 for (i = 0; i < arg_len; i++) {
1355 if (arg[i] == ',') {
1356 member++;
1357 } else if (member == 0) {
1358 if (arg[i] < '0' || arg[i] > '9')
1359 return 0;
1360
1361 len_offset = 10 * len_offset + arg[i] - '0';
1362 } else if (member == 1) {
1363 if (arg[i] < '0' || arg[i] > '9')
1364 return 0;
1365
1366 len_size = 10 * len_size + arg[i] - '0';
1367 } else if (member == 2) {
1368 if (!relative && !buf_offset && arg[i] == '+') {
1369 relative = 1;
1370 continue;
1371 } else if (!relative && !buf_offset && arg[i] == '-') {
1372 relative = 2;
1373 continue;
1374 } else if (arg[i] < '0' || arg[i] > '9')
1375 return 0;
1376
1377 buf_offset = 10 * buf_offset + arg[i] - '0';
1378 }
1379 }
1380
1381 if (member < 1)
1382 return 0;
1383
1384 if (!len_size)
1385 return 0;
1386
1387 if (member == 1) {
1388 buf_offset = len_offset + len_size;
1389 }
1390 else if (relative == 1) {
1391 buf_offset = len_offset + len_size + buf_offset;
1392 }
1393 else if (relative == 2) {
1394 if (len_offset + len_size < buf_offset)
1395 return 0;
1396
1397 buf_offset = len_offset + len_size - buf_offset;
1398 }
1399
1400 *arg_i = 3;
1401 *arg_p = calloc(1, *arg_i*sizeof(struct pattern_arg));
1402 (*arg_p)[0].type = PATTERN_ARG_TYPE_INTEGER;
1403 (*arg_p)[0].data.integer = len_offset;
1404 (*arg_p)[1].type = PATTERN_ARG_TYPE_INTEGER;
1405 (*arg_p)[1].data.integer = len_size;
1406 (*arg_p)[2].type = PATTERN_ARG_TYPE_INTEGER;
1407 (*arg_p)[2].data.integer = buf_offset;
1408
1409 return 1;
1410}
1411
1412static int
1413pattern_fetch_payloadlv(struct proxy *px, struct session *l4, void *l7, int dir,
1414 const struct pattern_arg *arg_p, int arg_i, union pattern_data *data)
1415{
1416 int len_offset = arg_p[0].data.integer;
1417 int len_size = arg_p[1].data.integer;
1418 int buf_offset = arg_p[2].data.integer;
1419 int buf_size = 0;
1420 struct buffer *b;
1421 int i;
1422
1423 /* Format is (len offset, len size, buf offset) or (len offset, len size) */
1424 /* by default buf offset == len offset + len size */
1425 /* buf offset could be absolute or relative to len offset + len size if prefixed by + or - */
1426
1427 if (!l4)
1428 return 0;
1429
1430 b = (dir & PATTERN_FETCH_RTR) ? l4->rep : l4->req;
1431
1432 if (!b || !b->l)
1433 return 0;
1434
1435 if (len_offset + len_size > b->l)
1436 return 0;
1437
1438 for (i = 0; i < len_size; i++) {
1439 buf_size = (buf_size << 8) + ((unsigned char *)b->w)[i + len_offset];
1440 }
1441
1442 if (!buf_size)
1443 return 0;
1444
1445 if (buf_offset + buf_size > b->l)
1446 return 0;
1447
1448 /* init chunk as read only */
1449 chunk_initlen(&data->str, (char *)(b->w + buf_offset), 0, buf_size);
1450
1451 return 1;
1452}
1453
1454static int
1455pattern_arg_fetch_payload (const char *arg, struct pattern_arg **arg_p, int *arg_i)
1456{
1457 int member = 0;
1458 int buf_offset = 0;
1459 int buf_size = 0;
1460 int arg_len = strlen(arg);
1461 int i;
1462
1463 for (i = 0 ; i < arg_len ; i++) {
1464 if (arg[i] == ',') {
1465 member++;
1466 } else if (member == 0) {
1467 if (arg[i] < '0' || arg[i] > '9')
1468 return 0;
1469
1470 buf_offset = 10 * buf_offset + arg[i] - '0';
1471 } else if (member == 1) {
1472 if (arg[i] < '0' || arg[i] > '9')
1473 return 0;
1474
1475 buf_size = 10 * buf_size + arg[i] - '0';
1476 }
1477 }
1478
1479 if (!buf_size)
1480 return 0;
1481
1482 *arg_i = 2;
1483 *arg_p = calloc(1, *arg_i*sizeof(struct pattern_arg));
1484 (*arg_p)[0].type = PATTERN_ARG_TYPE_INTEGER;
1485 (*arg_p)[0].data.integer = buf_offset;
1486 (*arg_p)[1].type = PATTERN_ARG_TYPE_INTEGER;
1487 (*arg_p)[1].data.integer = buf_size;
1488
1489 return 1;
1490}
1491
1492static int
1493pattern_fetch_payload(struct proxy *px, struct session *l4, void *l7, int dir,
1494 const struct pattern_arg *arg_p, int arg_i, union pattern_data *data)
1495{
1496 int buf_offset = arg_p[0].data.integer;
1497 int buf_size = arg_p[1].data.integer;
1498 struct buffer *b;
1499
1500 if (!l4)
1501 return 0;
1502
1503 b = (dir & PATTERN_FETCH_RTR) ? l4->rep : l4->req;
1504
1505 if (!b || !b->l)
1506 return 0;
1507
1508 if (buf_offset + buf_size > b->l)
1509 return 0;
1510
1511 /* init chunk as read only */
1512 chunk_initlen(&data->str, (char *)(b->w + buf_offset), 0, buf_size);
1513
1514 return 1;
1515}
1516
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1517static struct cfg_kw_list cfg_kws = {{ },{
1518 { CFG_LISTEN, "tcp-request", tcp_parse_tcp_req },
Emeric Brun97679e72010-09-23 17:56:44 +0200[diff] [blame]1519 { CFG_LISTEN, "tcp-response", tcp_parse_tcp_rep },
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1520 { 0, NULL, NULL },
1521}};
1522
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1523/* Note: must not be declared <const> as its list will be overwritten */
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1524static struct acl_kw_list acl_kws = {{ },{
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1525 { "src_port", acl_parse_int, acl_fetch_sport, acl_match_int, ACL_USE_TCP_PERMANENT },
1526 { "src", acl_parse_ip, acl_fetch_src, acl_match_ip, ACL_USE_TCP4_PERMANENT|ACL_MAY_LOOKUP },
1527 { "dst", acl_parse_ip, acl_fetch_dst, acl_match_ip, ACL_USE_TCP4_PERMANENT|ACL_MAY_LOOKUP },
1528 { "dst_port", acl_parse_int, acl_fetch_dport, acl_match_int, ACL_USE_TCP_PERMANENT },
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1529 { NULL, NULL, NULL, NULL },
1530}};
1531
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1532/* Note: must not be declared <const> as its list will be overwritten */
1533static struct pattern_fetch_kw_list pattern_fetch_keywords = {{ },{
Emericf2d7cae2010-11-05 18:13:50 +0100[diff] [blame^]1534 { "src", pattern_fetch_src, NULL, PATTERN_TYPE_IP, PATTERN_FETCH_REQ },
1535 { "dst", pattern_fetch_dst, NULL, PATTERN_TYPE_IP, PATTERN_FETCH_REQ },
1536 { "dst_port", pattern_fetch_dport, NULL, PATTERN_TYPE_INTEGER, PATTERN_FETCH_REQ },
1537 { "payload", pattern_fetch_payload, pattern_arg_fetch_payload, PATTERN_TYPE_CONSTDATA, PATTERN_FETCH_REQ|PATTERN_FETCH_RTR },
1538 { "payload_lv", pattern_fetch_payloadlv, pattern_arg_fetch_payloadlv, PATTERN_TYPE_CONSTDATA, PATTERN_FETCH_REQ|PATTERN_FETCH_RTR },
Emeric Brun485479d2010-09-23 18:02:19 +0200[diff] [blame]1539 { NULL, NULL, NULL, 0, 0 },
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1540}};
1541
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]1542__attribute__((constructor))
1543static void __tcp_protocol_init(void)
1544{
1545 protocol_register(&proto_tcpv4);
1546 protocol_register(&proto_tcpv6);
Willy Tarreau645513a2010-05-24 20:55:15 +0200[diff] [blame]1547 pattern_register_fetches(&pattern_fetch_keywords);
Willy Tarreaub6866442008-07-14 23:54:42 +0200[diff] [blame]1548 cfg_register_keywords(&cfg_kws);
1549 acl_register_keywords(&acl_kws);
Willy Tarreaue6b98942007-10-29 01:09:36 +0100[diff] [blame]1550}
1551
1552
1553/*
1554 * Local variables:
1555 * c-indent-level: 8
1556 * c-basic-offset: 8
1557 * End:
1558 */