From: Christopher Faulet <cfaulet@haproxy.com>
Date: Fri, 26 Mar 2021 09:02:46 +0000 (+0100)
Subject: MINOR: payload/config: Warn if a L6 sample fetch is used from an HTTP proxy
X-Git-Tag: v2.4-dev15~37
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=581db2b829d84d1086423c6713aa473ff66783be;p=thirdparty%2Fhaproxy.git

MINOR: payload/config: Warn if a L6 sample fetch is used from an HTTP proxy

L6 sample fetches are now ignored when called from an HTTP proxy. Thus, a
warning is emitted during the startup if such usage is detected. It is true
for most ACLs and for log-format strings. Unfortunately, it is a bit painful
to do so for sample expressions.

This patch relies on the commit "MINOR: action: Use a generic function to
check validity of an action rule list".
---

diff --git a/include/haproxy/cfgparse.h b/include/haproxy/cfgparse.h
index 54bfa2a4c1..2d309f4a18 100644
--- a/include/haproxy/cfgparse.h
+++ b/include/haproxy/cfgparse.h
@@ -106,6 +106,7 @@ int warnif_misplaced_tcp_conn(struct proxy *proxy, const char *file, int line, c
 int warnif_misplaced_tcp_sess(struct proxy *proxy, const char *file, int line, const char *arg);
 int warnif_misplaced_tcp_cont(struct proxy *proxy, const char *file, int line, const char *arg);
 int warnif_cond_conflicts(const struct acl_cond *cond, unsigned int where, const char *file, int line);
+int warnif_tcp_http_cond(const struct proxy *px, const struct acl_cond *cond);
 int too_many_args_idx(int maxarg, int index, char **args, char **msg, int *err_code);
 int too_many_args(int maxarg, char **args, char **msg, int *err_code);
 int alertif_too_many_args_idx(int maxarg, int index, const char *file, int linenum, char **args, int *err_code);
diff --git a/src/action.c b/src/action.c
index 7b017f6185..b9d12c0302 100644
--- a/src/action.c
+++ b/src/action.c
@@ -13,6 +13,7 @@
 #include <haproxy/acl.h>
 #include <haproxy/action.h>
 #include <haproxy/api.h>
+#include <haproxy/cfgparse.h>
 #include <haproxy/errors.h>
 #include <haproxy/list.h>
 #include <haproxy/obj_type.h>
@@ -37,7 +38,7 @@ int check_action_rules(struct list *rules, struct proxy *px, int *err_code)
 			ha_alert("Proxy '%s': %s.\n", px->id, errmsg);
 			err++;
 		}
-
+		*err_code |= warnif_tcp_http_cond(px, rule->cond);
 		free(errmsg);
 		errmsg = NULL;
 	}
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 5562185eb4..52d6022953 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -334,6 +334,23 @@ int warnif_cond_conflicts(const struct acl_cond *cond, unsigned int where, const
 	return ERR_WARN;
 }
 
+/* Report it if an ACL uses a L6 sample fetch from an HTTP proxy.  It returns
+ * either 0 or ERR_WARN so that its result can be or'ed with err_code. Note that
+ * <cond> may be NULL and then will be ignored.
+*/
+int warnif_tcp_http_cond(const struct proxy *px, const struct acl_cond *cond)
+{
+	if (!cond || px->mode != PR_MODE_HTTP)
+		return 0;
+
+	if (cond->use & (SMP_USE_L6REQ|SMP_USE_L6RES)) {
+		ha_warning("Proxy '%s': L6 sample fetches ignored on HTTP proxies (declared at %s:%d).\n",
+			   px->id, cond->file, cond->line);
+		return ERR_WARN;
+	}
+	return 0;
+}
+
 /* try to find in <list> the word that looks closest to <word> by counting
  * transitions between letters, digits and other characters. Will return the
  * best matching word if found, otherwise NULL. An optional array of extra
@@ -379,7 +396,6 @@ const char *cfg_find_best_match(const char *word, const struct list *list, int s
 	return best_ptr;
 }
 
-
 /* Parse a string representing a process number or a set of processes. It must
  * be "all", "odd", "even", a number between 1 and <max> or a range with
  * two such numbers delimited by a dash ('-'). On success, it returns
@@ -2362,6 +2378,7 @@ int check_config_validity()
 				ha_free(&rule->be.name);
 				rule->be.backend = target;
 			}
+			err_code |= warnif_tcp_http_cond(curproxy, rule->cond);
 		}
 
 		/* find the target server for 'use_server' rules */
@@ -2404,6 +2421,7 @@ int check_config_validity()
 			srule->dynamic = 0;
 			srule->srv.name = server_name;
 			target = findserver(curproxy, srule->srv.name);
+			err_code |= warnif_tcp_http_cond(curproxy, srule->cond);
 
 			if (!target) {
 				ha_alert("config : %s '%s' : unable to find server '%s' referenced in a 'use-server' rule.\n",
@@ -2453,6 +2471,7 @@ int check_config_validity()
 					target->proxies_list = curproxy;
 				}
 			}
+			err_code |= warnif_tcp_http_cond(curproxy, mrule->cond);
 		}
 
 		/* find the target table for 'store response' rules */
diff --git a/src/log.c b/src/log.c
index c771218237..e002c48ac2 100644
--- a/src/log.c
+++ b/src/log.c
@@ -512,6 +512,11 @@ int add_sample_to_logformat_list(char *text, char *arg, int arg_len, struct prox
 		goto error_free;
 	}
 
+	if ((options & LOG_OPT_HTTP) && (expr->fetch->use & (SMP_USE_L6REQ|SMP_USE_L6RES))) {
+		ha_warning("parsing [%s:%d] : L6 sample fetch <%s> ignored in HTTP log-format string.\n",
+			   curpx->conf.args.file, curpx->conf.args.line, text);
+	}
+
 	/* check if we need to allocate an http_txn struct for HTTP parsing */
 	/* Note, we may also need to set curpx->to_log with certain fetches */
 	curpx->http_needed |= !!(expr->fetch->use & SMP_USE_HTTP_ANY);