upstream/haproxy
1
0
Fork 0
mirror of https://github.com/haproxy/haproxy.git synced 2026-02-20 00:10:41 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 14
haproxy/src/action.c

315 lines
9.7 KiB
C
Raw Normal View History

MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
/*
* Action management functions.
*
* Copyright 2017 HAProxy Technologies, Christopher Faulet <cfaulet@haproxy.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*
*/
REORG: global: move free acl/action in their related source files Move deinit_acl_cond and deinit_act_rules from haproxy.c respectively in acl.c and action.c. The name of the functions has been slightly altered, replacing the prefix deinit_* by free_* to reflect their purpose more clearly. This change has been made in preparation to the implementation of a free proxy function. As a side-effect, it helps to clean up haproxy.c.
2021-03-25 12:15:52 -04:00
#include <haproxy/acl.h>
REORG: include: move action.h to haproxy/action{,-t}.h List.h was missing for LIST_ADDQ(). A few unneeded includes of action.h were removed from certain files. This one still relies on applet.h and stick-table.h.
2020-06-04 04:15:32 -04:00
#include <haproxy/action.h>
REORG: include: update all files to use haproxy/api.h or api-t.h if needed All files that were including one of the following include files have been updated to only include haproxy/api.h or haproxy/api-t.h once instead: - common/config.h - common/compat.h - common/compiler.h - common/defaults.h - common/initcall.h - common/tools.h The choice is simple: if the file only requires type definitions, it includes api-t.h, otherwise it includes the full api.h. In addition, in these files, explicit includes for inttypes.h and limits.h were dropped since these are now covered by api.h and api-t.h. No other change was performed, given that this patch is large and affects 201 files. At least one (tools.h) was already freestanding and didn't get the new one added.
2020-05-27 06:58:42 -04:00
#include <haproxy/api.h>
MINOR: payload/config: Warn if a L6 sample fetch is used from an HTTP proxy L6 sample fetches are now ignored when called from an HTTP proxy. Thus, a warning is emitted during the startup if such usage is detected. It is true for most ACLs and for log-format strings. Unfortunately, it is a bit painful to do so for sample expressions. This patch relies on the commit "MINOR: action: Use a generic function to check validity of an action rule list".
2021-03-26 05:02:46 -04:00
#include <haproxy/cfgparse.h>
REORG: include: move the error reporting functions to from log.h to errors.h Most of the files dealing with error reports have to include log.h in order to access ha_alert(), ha_warning() etc. But while these functions don't depend on anything, log.h depends on a lot of stuff because it deals with log-formats and samples. As a result it's impossible not to embark long dependencies when using ha_warning() or qfprintf(). This patch moves these low-level functions to errors.h, which already defines the error codes used at the same places. About half of the users of log.h could be adjusted, sometimes revealing other issues such as missing tools.h. Interestingly the total preprocessed size shrunk by 4%.
2020-06-05 11:27:29 -04:00
#include <haproxy/errors.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/list.h>
REORG: include: move obj_type.h to haproxy/obj_type{,-t}.h No change was necessary. It still includes lots of types/* files.
2020-06-04 05:29:21 -04:00
#include <haproxy/obj_type.h>
REORG: include: move common/memory.h to haproxy/pool.h Now the file is ready to be stored into its final destination. A few minor reorderings were performed to keep the file properly organized, making the various sections more visible (cache & lockless). In addition and to stay consistent, memory.c was renamed to pool.c.
2020-06-02 03:38:52 -04:00
#include <haproxy/pool.h>
REORG: include: move proxy.h to haproxy/proxy{,-t}.h This one is particularly difficult to split because it provides all the functions used to manipulate a proxy state and to retrieve names or IDs for error reporting, and as such, it was included in 73 files (down to 68 after cleanup). It would deserve a small cleanup though the cut points are not obvious at the moment given the number of structs involved in the struct proxy itself.
2020-06-04 16:29:18 -04:00
#include <haproxy/proxy.h>
CLEANUP: include: tree-wide alphabetical sort of include files This patch fixes all the leftovers from the include cleanup campaign. There were not that many (~400 entries in ~150 files) but it was definitely worth doing it as it revealed a few duplicates.
2020-06-09 03:07:15 -04:00
#include <haproxy/stick_table.h>
REORG: include: move task.h to haproxy/task{,-t}.h The TASK_IS_TASKLET() macro was moved to the proto file instead of the type one. The proto part was a bit reordered to remove a number of ugly forward declaration of static inline functions. About a tens of C and H files had their dependency dropped since they were not using anything from task.h.
2020-06-04 11:25:40 -04:00
#include <haproxy/task.h>
REORG: tools: split common/standard.h into haproxy/tools{,-t}.h And also rename standard.c to tools.c. The original split between tools.h and standard.h dates from version 1.3-dev and was mostly an accident. This patch moves the files back to what they were expected to be, and takes care of not changing anything else. However this time tools.h was split between functions and types, because it contains a small number of commonly used macros and structures (e.g. name_desc) which in turn cause the massive list of includes of tools.h to conflict with the callers. They remain the ugliest files of the whole project and definitely need to be cleaned and split apart. A few types are defined there only for functions provided there, and some parts are even OS-specific and should move somewhere else, such as the symbol resolution code.
2020-06-03 12:09:46 -04:00
#include <haproxy/tools.h>
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
MINOR: action: Use a generic function to check validity of an action rule list The check_action_rules() function is now used to check the validity of an action rule list. It is used from check_config_validity() function to check L5/6/7 rulesets.
2021-03-25 12:19:04 -04:00
/* Check an action ruleset validity. It returns the number of error encountered
CLEANUP: assorted typo fixes in the code and comments This is 22nd iteration of typo fixes
2021-04-24 04:25:42 -04:00
* and err_code is updated if a warning is emitted.
MINOR: action: Use a generic function to check validity of an action rule list The check_action_rules() function is now used to check the validity of an action rule list. It is used from check_config_validity() function to check L5/6/7 rulesets.
2021-03-25 12:19:04 -04:00
*/
int check_action_rules(struct list *rules, struct proxy *px, int *err_code)
{
struct act_rule *rule;
char *errmsg = NULL;
int err = 0;
list_for_each_entry(rule, rules, list) {
if (rule->check_ptr && !rule->check_ptr(rule, px, &errmsg)) {
ha_alert("Proxy '%s': %s.\n", px->id, errmsg);
err++;
}
MINOR: payload/config: Warn if a L6 sample fetch is used from an HTTP proxy L6 sample fetches are now ignored when called from an HTTP proxy. Thus, a warning is emitted during the startup if such usage is detected. It is true for most ACLs and for log-format strings. Unfortunately, it is a bit painful to do so for sample expressions. This patch relies on the commit "MINOR: action: Use a generic function to check validity of an action rule list".
2021-03-26 05:02:46 -04:00
*err_code |= warnif_tcp_http_cond(px, rule->cond);
MINOR: action: Use a generic function to check validity of an action rule list The check_action_rules() function is now used to check the validity of an action rule list. It is used from check_config_validity() function to check L5/6/7 rulesets.
2021-03-25 12:19:04 -04:00
free(errmsg);
errmsg = NULL;
}
return err;
}
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
/* Find and check the target table used by an action track-sc*. This
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
* function should be called during the configuration validity check.
*
* The function returns 1 in success case, otherwise, it returns 0 and err is
* filled.
*/
int check_trk_action(struct act_rule *rule, struct proxy *px, char **err)
{
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
struct stktable *target;
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
if (rule->arg.trk_ctr.table.n)
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
target = stktable_find_by_name(rule->arg.trk_ctr.table.n);
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
else
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
target = px->table;
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
if (!target) {
memprintf(err, "unable to find table '%s' referenced by track-sc%d",
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id,
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
rule->action);
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
return 0;
}
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
if (!stktable_compatible_sample(rule->arg.trk_ctr.expr, target->type)) {
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
memprintf(err, "stick-table '%s' uses a type incompatible with the 'track-sc%d' rule",
rule->arg.trk_ctr.table.n ? rule->arg.trk_ctr.table.n : px->id,
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
rule->action);
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
return 0;
}
else {
BUG/MEDIUM: stick-table: Wrong stick-table backends parsing. When parsing references to stick-tables declared as backends, they are added to a list of proxies (they are proxies!) which refer to this stick-tables. Before this patch we added them to these list without checking they were already present, making the silly hypothesis the actions/sample were checked/resolved in the same order the proxies are parsed. This patch implement a simple inline function to in_proxies_list() to test the presence of a proxy in a list of proxies. We use this function when resolving /checking samples/actions. This bug was introduced by 015e4d7 commit. Must be backported to 2.0.
2019-08-07 03:28:39 -04:00
if (!in_proxies_list(target->proxies_list, px)) {
MINOR: stick-tables: Add peers process binding computing. Add a list of proxies for all the stick-tables (->proxies_list struct stktable member) so that to be able to compute the process bindings of the peers after having parsed the configuration file. The proxies are added to the stick-tables they reference when parsing stick-tables lines in proxy sections, when checking the actions in check_trk_action() and when resolving samples args for stick-tables without checking is they are duplicates. We check only there is no loop. Then, after having parsed everything, we add the proxy bindings to the peers frontend bindings with stick-tables they reference.
2019-03-19 09:55:01 -04:00
px->next_stkt_ref = target->proxies_list;
target->proxies_list = px;
}
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
free(rule->arg.trk_ctr.table.n);
MEDIUM: stick-table: Stop handling stick-tables as proxies. This patch adds the support for the "table" line parsing in "peers" sections to declare stick-table in such sections. This also prevents the user from having to declare dummy backends sections with a unique stick-table inside. Even if still supported, this usage will become deprecated. To do so, the ->table member of proxy struct which is a stktable struct is replaced by a pointer to a stktable struct allocated at parsing time in src/cfgparse-listen.c for the dummy stick-table backends and in src/cfgparse.c for "peers" sections. This has an impact on the code for stick-table sample converters and on the stickiness rules parsers which first store the name of the dummy before resolving the rules. This patch replaces proxy_tbl_by_name() calls by stktable_find_by_name() calls to lookup for stick-tables stored in "stktable_by_name" ebtree at parsing time. There is only one remaining place where proxy_tbl_by_name() is used: src/hlua.c. At several places in the code we relied on the fact that ->size member of stick-table was equal to zero to consider the stick-table was present by not configured, this do not make sense anymore as ->table member of struct proxyis fow now on a pointer. These tests are replaced by a test on ->table value itself. In "peers" section we do not have to temporary store the name of the section the stick-table are attached to because this name is obviously already known just after having entered this "peers" section. About the CLI stick-table I/O handler, the pointer to proxy struct is replaced by a pointer to a stktable struct.
2019-03-14 02:07:41 -04:00
rule->arg.trk_ctr.table.t = target;
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
/* Note: if we decide to enhance the track-sc syntax, we may be
* able to pass a list of counters to track and allocate them
* right here using stktable_alloc_data_type().
*/
}
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
MEDIUM: tcp-rules: Warn if a track-sc* content rule doesn't depend on content The warning is only emitted for HTTP frontend. Idea is to encourage the usage of "tcp-request session" rules to track counters that does not depend on the request content. The documentation has been updated accordingly. The warning is important because since the multiplexers were added in the processing chain, the HTTP parsing is performed at a lower level. Thus parsing errors are detected in the multiplexers, before the stream creation. In HTTP/2, the error is reported by the multiplexer itself and the stream is never created. This difference has a certain number of consequences, one of which is that HTTP request counting in stick tables only works for valid H2 request, and HTTP error tracking in stick tables never considers invalid H2 requests but only invalid H1 ones. And the aim is to do the same with the mux-h1. This change will not be done for the 2.3, but the 2.4. At the end, H1 and H2 parsing errors will be caught by the multiplexers, at the session level. Thus, tracking counters at the content level should be reserved for rules using a key based on the request content or those using ACLs based on the request content. To be clear, a warning will be emitted for the following rules : tcp-request content track-sc0 src tcp-request content track-sc0 src if ! { src 10.0.0.0/24 } tcp-request content track-sc0 src if { ssl_fc } But not for the following ones : tcp-request content track-sc0 req.hdr(host) tcp-request content track-sc0 src if { req.hdr(host) -m found }
2020-10-02 05:48:57 -04:00
if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE)) {
if (!px->tcp_req.inspect_delay && !(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' : a 'tcp-request content track-sc*' rule explicitly depending on request"
MEDIUM: tcp-rules: Warn if a track-sc* content rule doesn't depend on content The warning is only emitted for HTTP frontend. Idea is to encourage the usage of "tcp-request session" rules to track counters that does not depend on the request content. The documentation has been updated accordingly. The warning is important because since the multiplexers were added in the processing chain, the HTTP parsing is performed at a lower level. Thus parsing errors are detected in the multiplexers, before the stream creation. In HTTP/2, the error is reported by the multiplexer itself and the stream is never created. This difference has a certain number of consequences, one of which is that HTTP request counting in stick tables only works for valid H2 request, and HTTP error tracking in stick tables never considers invalid H2 requests but only invalid H1 ones. And the aim is to do the same with the mux-h1. This change will not be done for the 2.3, but the 2.4. At the end, H1 and H2 parsing errors will be caught by the multiplexers, at the session level. Thus, tracking counters at the content level should be reserved for rules using a key based on the request content or those using ACLs based on the request content. To be clear, a warning will be emitted for the following rules : tcp-request content track-sc0 src tcp-request content track-sc0 src if ! { src 10.0.0.0/24 } tcp-request content track-sc0 src if { ssl_fc } But not for the following ones : tcp-request content track-sc0 req.hdr(host) tcp-request content track-sc0 src if { req.hdr(host) -m found }
2020-10-02 05:48:57 -04:00
" contents without any 'tcp-request inspect-delay' setting."
" This means that this rule will randomly find its contents. This can be fixed by"
" setting the tcp-request inspect-delay.\n",
proxy_type_str(px), px->id);
}
/* The following warning is emitted because HTTP multiplexers are able to catch errors
* or timeouts at the session level, before instantiating any stream.
* Thus the tcp-request content ruleset will not be evaluated in such case. It means,
* http_req and http_err counters will not be incremented as expected, even if the tracked
* counter does not use the request content. To track invalid requests it should be
* performed at the session level using a tcp-request session rule.
*/
if (px->mode == PR_MODE_HTTP &&
!(rule->arg.trk_ctr.expr->fetch->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)) &&
(!rule->cond || !(rule->cond->use & (SMP_USE_L6REQ|SMP_USE_HRQHV|SMP_USE_HRQHP|SMP_USE_HRQBO)))) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' : a 'tcp-request content track-sc*' rule not depending on request"
MEDIUM: tcp-rules: Warn if a track-sc* content rule doesn't depend on content The warning is only emitted for HTTP frontend. Idea is to encourage the usage of "tcp-request session" rules to track counters that does not depend on the request content. The documentation has been updated accordingly. The warning is important because since the multiplexers were added in the processing chain, the HTTP parsing is performed at a lower level. Thus parsing errors are detected in the multiplexers, before the stream creation. In HTTP/2, the error is reported by the multiplexer itself and the stream is never created. This difference has a certain number of consequences, one of which is that HTTP request counting in stick tables only works for valid H2 request, and HTTP error tracking in stick tables never considers invalid H2 requests but only invalid H1 ones. And the aim is to do the same with the mux-h1. This change will not be done for the 2.3, but the 2.4. At the end, H1 and H2 parsing errors will be caught by the multiplexers, at the session level. Thus, tracking counters at the content level should be reserved for rules using a key based on the request content or those using ACLs based on the request content. To be clear, a warning will be emitted for the following rules : tcp-request content track-sc0 src tcp-request content track-sc0 src if ! { src 10.0.0.0/24 } tcp-request content track-sc0 src if { ssl_fc } But not for the following ones : tcp-request content track-sc0 req.hdr(host) tcp-request content track-sc0 src if { req.hdr(host) -m found }
2020-10-02 05:48:57 -04:00
" contents for an HTTP frontend should be executed at the session level, using a"
" 'tcp-request session' rule (mandatory to track invalid HTTP requests).\n",
proxy_type_str(px), px->id);
}
MINOR: http-rule/tcp-rules: Make track-sc* custom actions Now, these actions use their own dedicated function and are no longer handled "in place" during the TCP/HTTP rules evaluation. Thus the action names ACT_ACTION_TRK_SC0 and ACT_ACTION_TRK_SCMAX are removed. The action type is now the tracking index. Thus the function trk_idx() is no longer needed.
2019-12-18 03:20:16 -05:00
}
MINOR: action: Add function to check rules using an action ACT_ACTION_TRK_* The function "check_trk_action" has been added to find and check the target table for rules using an action ACT_ACTION_TRK_*.
2017-09-18 08:43:55 -04:00
return 1;
}
MINOR: tcp-rules: Make tcp-request capture a custom action Now, this action is use its own dedicated function and is no longer handled "in place" during the TCP rules evaluation. Thus the action name ACT_TCP_CAPTURE is removed. The action type is set to ACT_CUSTOM and a check function is used to know if the rule depends on request contents while there is no inspect-delay.
2019-12-19 11:27:03 -05:00
/* check a capture rule. This function should be called during the configuration
* validity check.
*
* The function returns 1 in success case, otherwise, it returns 0 and err is
* filled.
*/
int check_capture(struct act_rule *rule, struct proxy *px, char **err)
{
if (rule->from == ACT_F_TCP_REQ_CNT && (px->cap & PR_CAP_FE) && !px->tcp_req.inspect_delay &&
!(rule->arg.trk_ctr.expr->fetch->val & SMP_VAL_FE_SES_ACC)) {
MINOR: errors: specify prefix "config" for parsing output Set "config :" as a prefix for the user messages context before starting the configuration parsing. All following stderr output will be prefixed by it. As a consequence, remove extraneous prefix "config" already specified in various ha_alert/warning/notice calls.
2021-06-04 12:22:08 -04:00
ha_warning("%s '%s' : a 'tcp-request capture' rule explicitly depending on request"
MINOR: tcp-rules: Make tcp-request capture a custom action Now, this action is use its own dedicated function and is no longer handled "in place" during the TCP rules evaluation. Thus the action name ACT_TCP_CAPTURE is removed. The action type is set to ACT_CUSTOM and a check function is used to know if the rule depends on request contents while there is no inspect-delay.
2019-12-19 11:27:03 -05:00
" contents without any 'tcp-request inspect-delay' setting."
" This means that this rule will randomly find its contents. This can be fixed by"
" setting the tcp-request inspect-delay.\n",
proxy_type_str(px), px->id);
}
return 1;
}
MINOR: resolvers: renames some resolvers specific types to not use dns prefix This patch applies those changes on names: -struct dns_resolution { +struct resolv_resolution { -struct dns_requester { +struct resolv_requester { -struct dns_srvrq { +struct resolv_srvrq { @@ -185,12 +185,12 @@ struct stream { struct { - struct dns_requester *dns_requester; + struct resolv_requester *requester; ... - } dns_ctx; + } resolv_ctx;
2020-12-23 11:41:43 -05:00
int act_resolution_cb(struct resolv_requester *requester, struct dns_counters *counters)
MINOR: action: new '(http-request|tcp-request content) do-resolve' action The 'do-resolve' action is an http-request or tcp-request content action which allows to run DNS resolution at run time in HAProxy. The name to be resolved can be picked up in the request sent by the client and the result of the resolution is stored in a variable. The time the resolution is being performed, the request is on pause. If the resolution can't provide a suitable result, then the variable will be empty. It's up to the admin to take decisions based on this statement (return 503 to prevent loops). Read carefully the documentation concerning this feature, to ensure your setup is secure and safe to be used in production. This patch creates a global counter to track various errors reported by the action 'do-resolve'.
2019-01-21 02:34:50 -05:00
{
struct stream *stream;
if (requester->resolution == NULL)
return 0;
stream = objt_stream(requester->owner);
if (stream == NULL)
return 0;
task_wakeup(stream->task, TASK_WOKEN_MSG);
return 0;
}
BUG/MINOR: resolvers: answser item list was randomly purged or errors In case of SRV records, The answer item list was purged by the error callback of the first requester which considers the error could not be safely ignored. It makes this item list unavailable for subsequent requesters even if they consider the error could be ignored. On A resolution or do_resolve action error, the answer items were never trashed. This patch re-work the error callbacks and the code to check the return code If a callback return 1, we consider the error was ignored and the answer item list must be kept. At the opposite, If all error callbacks of all requesters of the same resolution returns 0 the list will be purged This patch should be backported as far as 2.0.
2021-06-10 09:25:25 -04:00
/*
* Do resolve error management callback
* returns:
* 0 if we can trash answser items.
* 1 when safely ignored and we must kept answer items
*/
MINOR: resolvers: renames some resolvers specific types to not use dns prefix This patch applies those changes on names: -struct dns_resolution { +struct resolv_resolution { -struct dns_requester { +struct resolv_requester { -struct dns_srvrq { +struct resolv_srvrq { @@ -185,12 +185,12 @@ struct stream { struct { - struct dns_requester *dns_requester; + struct resolv_requester *requester; ... - } dns_ctx; + } resolv_ctx;
2020-12-23 11:41:43 -05:00
int act_resolution_error_cb(struct resolv_requester *requester, int error_code)
MINOR: action: new '(http-request|tcp-request content) do-resolve' action The 'do-resolve' action is an http-request or tcp-request content action which allows to run DNS resolution at run time in HAProxy. The name to be resolved can be picked up in the request sent by the client and the result of the resolution is stored in a variable. The time the resolution is being performed, the request is on pause. If the resolution can't provide a suitable result, then the variable will be empty. It's up to the admin to take decisions based on this statement (return 503 to prevent loops). Read carefully the documentation concerning this feature, to ensure your setup is secure and safe to be used in production. This patch creates a global counter to track various errors reported by the action 'do-resolve'.
2019-01-21 02:34:50 -05:00
{
struct stream *stream;
if (requester->resolution == NULL)
return 0;
stream = objt_stream(requester->owner);
if (stream == NULL)
return 0;
task_wakeup(stream->task, TASK_WOKEN_MSG);
return 0;
}
MEDIUM: http_act: define set-timeout server/tunnel action Add a new http-request action 'set-timeout [server/tunnel]'. This action can be used to update the server or tunnel timeout of a stream. It takes two parameters, the timeout name to update and the new timeout value. This rule is only valid for a proxy with backend capabilities. The timeout value cannot be null. A sample expression can also be used instead of a plain value.
2020-12-10 07:43:54 -05:00
/* Parse a set-timeout rule statement. It first checks if the timeout name is
* valid and returns it in <name>. Then the timeout is parsed as a plain value
* and * returned in <out_timeout>. If there is a parsing error, the value is
* reparsed as an expression and returned in <expr>.
*
* Returns -1 if the name is invalid or neither a time or an expression can be
* parsed, or if the timeout value is 0.
*/
int cfg_parse_rule_set_timeout(const char **args, int idx, int *out_timeout,
enum act_timeout_name *name,
struct sample_expr **expr, char **err,
const char *file, int line, struct arg_list *al)
{
const char *res;
const char *timeout_name = args[idx++];
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
if (strcmp(timeout_name, "server") == 0) {
MEDIUM: http_act: define set-timeout server/tunnel action Add a new http-request action 'set-timeout [server/tunnel]'. This action can be used to update the server or tunnel timeout of a stream. It takes two parameters, the timeout name to update and the new timeout value. This rule is only valid for a proxy with backend capabilities. The timeout value cannot be null. A sample expression can also be used instead of a plain value.
2020-12-10 07:43:54 -05:00
*name = ACT_TIMEOUT_SERVER;
}
CLEANUP: Compare the return value of `XXXcmp()` functions with zero According to coding-style.txt it is recommended to use: `strcmp(a, b) == 0` instead of `!strcmp(a, b)` So let's do this. The change was performed by running the following (very long) coccinelle patch on src/: @@ statement S; expression E; expression F; @@ if ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) ( S | { ... } ) @@ statement S; expression E; expression F; @@ if ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) ( S | { ... } ) @@ expression E; expression F; expression G; @@ ( G && ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( G || ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 && G ) @@ expression E; expression F; expression G; @@ ( ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) != 0 || G ) @@ expression E; expression F; expression G; @@ ( G && - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( G || - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 && G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 || G ) @@ expression E; expression F; expression G; @@ ( - ! ( dns_hostname_cmp | eb_memcmp | memcmp | strcasecmp | strcmp | strncasecmp | strncmp ) - (E, F) + (E, F) == 0 )
2021-01-02 16:31:53 -05:00
else if (strcmp(timeout_name, "tunnel") == 0) {
MEDIUM: http_act: define set-timeout server/tunnel action Add a new http-request action 'set-timeout [server/tunnel]'. This action can be used to update the server or tunnel timeout of a stream. It takes two parameters, the timeout name to update and the new timeout value. This rule is only valid for a proxy with backend capabilities. The timeout value cannot be null. A sample expression can also be used instead of a plain value.
2020-12-10 07:43:54 -05:00
*name = ACT_TIMEOUT_TUNNEL;
}
else {
memprintf(err,
"'set-timeout' rule supports 'server'/'tunnel' (got '%s')",
timeout_name);
return -1;
}
res = parse_time_err(args[idx], (unsigned int *)out_timeout, TIME_UNIT_MS);
if (res == PARSE_TIME_OVER) {
memprintf(err, "timer overflow in argument '%s' to rule 'set-timeout %s' (maximum value is 2147483647 ms or ~24.8 days)",
args[idx], timeout_name);
return -1;
}
else if (res == PARSE_TIME_UNDER) {
memprintf(err, "timer underflow in argument '%s' to rule 'set-timeout %s' (minimum value is 1 ms)",
args[idx], timeout_name);
return -1;
}
/* res not NULL, parsing error */
else if (res) {
*expr = sample_parse_expr((char **)args, &idx, file, line, err, al, NULL);
if (!*expr) {
memprintf(err, "unexpected character '%c' in rule 'set-timeout %s'", *res, timeout_name);
return -1;
}
}
/* res NULL, parsing ok but value is 0 */
else if (!(*out_timeout)) {
memprintf(err, "null value is not valid for a 'set-timeout %s' rule",
timeout_name);
return -1;
}
return 0;
}
MINOR: actions: add a function to suggest an action ressembling a given word action_suggest() will return a pointer to an action whose keyword more or less ressembles the passed argument. It also accepts to be more tolerant against prefixes (since actions taking arguments are handled as prefixes). This will be used to suggest approaching words.
2021-03-12 05:59:24 -05:00
/* tries to find in list <keywords> a similar looking action as the one in
* <word>, and returns it otherwise NULL. <word> may be NULL or empty. An
* optional array of extra words to compare may be passed in <extra>, but it
* must then be terminated by a NULL entry. If unused it may be NULL.
*/
const char *action_suggest(const char *word, const struct list *keywords, const char **extra)
{
uint8_t word_sig[1024];
uint8_t list_sig[1024];
const struct action_kw_list *kwl;
const struct action_kw *best_kw = NULL;
const char *best_ptr = NULL;
int dist, best_dist = INT_MAX;
int index;
if (!word || !*word)
return NULL;
make_word_fingerprint(word_sig, word);
list_for_each_entry(kwl, keywords, list) {
for (index = 0; kwl->kw[index].kw != NULL; index++) {
make_word_fingerprint(list_sig, kwl->kw[index].kw);
dist = word_fingerprint_distance(word_sig, list_sig);
if (dist < best_dist) {
best_dist = dist;
best_kw = &kwl->kw[index];
best_ptr = best_kw->kw;
}
}
}
while (extra && *extra) {
make_word_fingerprint(list_sig, *extra);
dist = word_fingerprint_distance(word_sig, list_sig);
if (dist < best_dist) {
best_dist = dist;
best_kw = NULL;
best_ptr = *extra;
}
extra++;
}
/* eliminate too different ones, with more tolerance for prefixes
* when they're known to exist (not from extra list).
*/
if (best_ptr &&
MINOR: action: replace match_pfx by a keyword flags field Define a new keyword flag KWF_MATCH_PREFIX. This is used to replace the match_pfx field of action struct. This has the benefit to have more explicit action declaration, and now it is possible to quickly implement experimental actions.
2021-05-06 09:33:09 -04:00
(best_dist > (2 + (best_kw && (best_kw->flags & KWF_MATCH_PREFIX))) * strlen(word) ||
best_dist > (2 + (best_kw && (best_kw->flags & KWF_MATCH_PREFIX))) * strlen(best_ptr)))
MINOR: actions: add a function to suggest an action ressembling a given word action_suggest() will return a pointer to an action whose keyword more or less ressembles the passed argument. It also accepts to be more tolerant against prefixes (since actions taking arguments are handled as prefixes). This will be used to suggest approaching words.
2021-03-12 05:59:24 -05:00
best_ptr = NULL;
return best_ptr;
}
REORG: global: move free acl/action in their related source files Move deinit_acl_cond and deinit_act_rules from haproxy.c respectively in acl.c and action.c. The name of the functions has been slightly altered, replacing the prefix deinit_* by free_* to reflect their purpose more clearly. This change has been made in preparation to the implementation of a free proxy function. As a side-effect, it helps to clean up haproxy.c.
2021-03-25 12:15:52 -04:00
MINOR: rules: add a new function new_act_rule() to allocate act_rules Rules are currently allocated using calloc() by their caller, which does not make it very convenient to pass more information such as the file name and line number. This patch introduces new_act_rule() which performs the malloc() and already takes in argument the ruleset (ACT_F_*), the file name and the line number. This saves the caller from having to assing ->from, and will allow to improve the internal storage with more info.
2021-10-11 02:49:26 -04:00
/* allocates a rule for ruleset <from> (ACT_F_*), from file name <file> and
* line <linenum>. <file> and <linenum> may be zero if unknown. Returns the
* rule, otherwise NULL in case of memory allocation error.
*/
struct act_rule *new_act_rule(enum act_from from, const char *file, int linenum)
{
struct act_rule *rule;
rule = calloc(1, sizeof(*rule));
if (!rule)
return NULL;
rule->from = from;
return rule;
}
REORG: global: move free acl/action in their related source files Move deinit_acl_cond and deinit_act_rules from haproxy.c respectively in acl.c and action.c. The name of the functions has been slightly altered, replacing the prefix deinit_* by free_* to reflect their purpose more clearly. This change has been made in preparation to the implementation of a free proxy function. As a side-effect, it helps to clean up haproxy.c.
2021-03-25 12:15:52 -04:00
void free_act_rules(struct list *rules)
{
struct act_rule *rule, *ruleb;
list_for_each_entry_safe(rule, ruleb, rules, list) {
CLEANUP: lists/tree-wide: rename some list operations to avoid some confusion The current "ADD" vs "ADDQ" is confusing because when thinking in terms of appending at the end of a list, "ADD" naturally comes to mind, but here it does the opposite, it inserts. Several times already it's been incorrectly used where ADDQ was expected, the latest of which was a fortunate accident explained in 6fa922562 ("CLEANUP: stream: explain why we queue the stream at the head of the server list"). Let's use more explicit (but slightly longer) names now: LIST_ADD -> LIST_INSERT LIST_ADDQ -> LIST_APPEND LIST_ADDED -> LIST_INLIST LIST_DEL -> LIST_DELETE The same is true for MT_LISTs, including their "TRY" variant. LIST_DEL_INIT keeps its short name to encourage to use it instead of the lazier LIST_DELETE which is often less safe. The change is large (~674 non-comment entries) but is mechanical enough to remain safe. No permutation was performed, so any out-of-tree code can easily map older names to new ones. The list doc was updated.
2021-04-21 01:32:39 -04:00
LIST_DELETE(&rule->list);
REORG: global: move free acl/action in their related source files Move deinit_acl_cond and deinit_act_rules from haproxy.c respectively in acl.c and action.c. The name of the functions has been slightly altered, replacing the prefix deinit_* by free_* to reflect their purpose more clearly. This change has been made in preparation to the implementation of a free proxy function. As a side-effect, it helps to clean up haproxy.c.
2021-03-25 12:15:52 -04:00
free_acl_cond(rule->cond);
if (rule->release_ptr)
rule->release_ptr(rule);
free(rule);
}
}
Reference in a new issue Copy permalink