From: Willy Tarreau Date: Mon, 31 May 2010 08:30:33 +0000 (+0200) Subject: [MEDIUM] frontend: check for LI_O_TCP_RULES in the listener X-Git-Tag: v1.5-dev8~590 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a5c0ab200b80a478c5f9274f1e2d9f5d493842fc;p=thirdparty%2Fhaproxy.git [MEDIUM] frontend: check for LI_O_TCP_RULES in the listener The new LI_O_TCP_RULES listener option indicates that some TCP rules must be checked upon accept on this listener. It is now checked by the frontend and the L4 rules are evaluated only in this case. The flag is only set when at least one tcp-req rule is present in the frontend. The L4 rules check function has now been moved to proto_tcp.c where it ought to be. --- diff --git a/include/proto/proto_tcp.h b/include/proto/proto_tcp.h index 5c0087b814..37d8ea8bd6 100644 --- a/include/proto/proto_tcp.h +++ b/include/proto/proto_tcp.h @@ -35,6 +35,7 @@ int tcpv4_connect_server(struct stream_interface *si, struct sockaddr *srv_addr, struct sockaddr *from_addr); int tcp_inspect_request(struct session *s, struct buffer *req, int an_bit); int tcp_persist_rdp_cookie(struct session *s, struct buffer *req, int an_bit); +int tcp_exec_req_rules(struct session *s); #endif /* _PROTO_PROTO_TCP_H */ diff --git a/include/types/protocols.h b/include/types/protocols.h index 0911a40e70..8f8faefbe1 100644 --- a/include/types/protocols.h +++ b/include/types/protocols.h @@ -72,6 +72,7 @@ #define LI_O_FOREIGN 0x0002 /* permit listening on foreing addresses */ #define LI_O_NOQUICKACK 0x0004 /* disable quick ack of immediate data (linux) */ #define LI_O_DEF_ACCEPT 0x0008 /* wait up to 1 second for data before accepting */ +#define LI_O_TCP_RULES 0x0010 /* run TCP rules checks on the incoming connection */ /* The listener will be directly referenced by the fdtab[] which holds its * socket. The listener provides the protocol-specific accept() function to diff --git a/src/cfgparse.c b/src/cfgparse.c index e5b66e8ca2..41313783fe 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -5356,6 +5356,9 @@ out_uri_auth_compat: listener->handler = process_session; listener->analysers |= curproxy->fe_req_ana; + if (!LIST_ISEMPTY(&curproxy->tcp_req.l4_rules)) + listener->options |= LI_O_TCP_RULES; + /* smart accept mode is automatic in HTTP mode */ if ((curproxy->options2 & PR_O2_SMARTACC) || (curproxy->mode == PR_MODE_HTTP && diff --git a/src/frontend.c b/src/frontend.c index 08569ff4fb..5af5582e8e 100644 --- a/src/frontend.c +++ b/src/frontend.c @@ -63,7 +63,6 @@ int frontend_accept(struct listener *l, int cfd, struct sockaddr_storage *addr) struct session *s; struct http_txn *txn; struct task *t; - struct tcp_rule *rule; if (unlikely((s = pool_alloc2(pool2_session)) == NULL)) { Alert("out of memory in event_accept().\n"); @@ -134,40 +133,13 @@ int frontend_accept(struct listener *l, int cfd, struct sockaddr_storage *addr) proxy_inc_fe_ctr(l, p); /* note: cum_beconn will be increased once assigned */ /* now evaluate the tcp-request rules */ - list_for_each_entry(rule, &p->tcp_req.l4_rules, list) { - int ret = ACL_PAT_PASS; - - if (rule->cond) { - ret = acl_exec_cond(rule->cond, p, s, &s->txn, ACL_DIR_REQ); - ret = acl_pass(ret); - if (rule->cond->pol == ACL_COND_UNLESS) - ret = !ret; - } - - if (ret) { - /* we have a matching rule. */ - if (rule->action == TCP_ACT_REJECT) { - p->counters.denied_req++; - if (l->counters) - l->counters->denied_req++; - - if (!(s->flags & SN_ERR_MASK)) - s->flags |= SN_ERR_PRXCOND; - if (!(s->flags & SN_FINST_MASK)) - s->flags |= SN_FINST_R; - - task_free(t); - LIST_DEL(&s->list); - pool_free2(pool2_session, s); - - /* let's do a no-linger now to close with a single RST. */ - setsockopt(cfd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger)); - return 0; - } - - /* otherwise it's an accept */ - break; - } + if ((l->options & LI_O_TCP_RULES) && !tcp_exec_req_rules(s)) { + task_free(t); + LIST_DEL(&s->list); + pool_free2(pool2_session, s); + /* let's do a no-linger now to close with a single RST. */ + setsockopt(cfd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger)); + return 0; } /* pre-initialize the other side's stream interface */ diff --git a/src/proto_tcp.c b/src/proto_tcp.c index b753c3bbd4..3a1abad9e6 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -708,6 +708,46 @@ int tcp_inspect_request(struct session *s, struct buffer *req, int an_bit) return 1; } +/* This function performs the TCP layer4 analysis on the current request. It + * returns 0 if a reject rule matches, otherwise 1 if either an accept rule + * matches or if no more rule matches. It can only use rules which don't need + * any data. + */ +int tcp_exec_req_rules(struct session *s) +{ + struct tcp_rule *rule; + int ret; + + list_for_each_entry(rule, &s->fe->tcp_req.l4_rules, list) { + ret = ACL_PAT_PASS; + + if (rule->cond) { + ret = acl_exec_cond(rule->cond, s->fe, s, NULL, ACL_DIR_REQ); + ret = acl_pass(ret); + if (rule->cond->pol == ACL_COND_UNLESS) + ret = !ret; + } + + if (ret) { + /* we have a matching rule. */ + if (rule->action == TCP_ACT_REJECT) { + s->fe->counters.denied_req++; + if (s->listener->counters) + s->listener->counters->denied_req++; + + if (!(s->flags & SN_ERR_MASK)) + s->flags |= SN_ERR_PRXCOND; + if (!(s->flags & SN_FINST_MASK)) + s->flags |= SN_FINST_R; + return 0; + } + /* otherwise it's an accept */ + break; + } + } + return 1; +} + /* This function should be called to parse a line starting with the "tcp-request" * keyword. */