minimal list of actions is supported :
- accept
- dgram-drop
+ - reject
rate-limit sessions <rate>
expect-proxy layer4 - X - - - - - -
normalize-uri - - - - - X - -
redirect - - - - - X X -
-reject - X X X X X - -
+reject X X X X X X - -
replace-header - - - - - X X X
replace-path - - - - - X - -
replace-pathq - - - - - X - -
reject
Usable in: QUIC Ini| TCP RqCon| RqSes| RqCnt| RsCnt| HTTP Req| Res| Aft
- - | X | X | X | X | X | - | -
+ X | X | X | X | X | X | - | -
This stops the evaluation of the rules and immediately closes the connection
without sending any response. For HTTP rules, it acts similarly to the
information from leaking, typically after inspecting contents in conjunction
with the "wait-for-body" action.
+ This action can also be used in "quic-initial" rules. The newly opened QUIC
+ connection is immediately closed without any SSL handshake processing and the
+ client is notified via a CONNECTION_REFUSED error code.
+
replace-header <name> <match-regex> <replace-fmt>
Usable in: QUIC Ini| TCP RqCon| RqSes| RqCnt| RsCnt| HTTP Req| Res| Aft
struct mt_list rxbuf_el; /* list element into receiver.rxbuf_list. */
};
+#define QUIC_DGRAM_FL_REJECT 0x00000001
+
/* QUIC datagram */
struct quic_dgram {
enum obj_type obj_type;
struct list recv_list; /* element pointing to quic_receiver_buf <dgram_list>. */
struct mt_list handler_list; /* element pointing to quic_dghdlr <dgrams>. */
+
+ int flags; /* QUIC_DGRAM_FL_* values */
};
/* QUIC datagram handler */
return ACT_RET_PRS_OK;
}
+static enum act_return quic_init_action_reject(struct act_rule *rule, struct proxy *px,
+ struct session *sess, struct stream *s, int flags)
+{
+ struct quic_dgram *dgram = __objt_dgram(sess->origin);
+ dgram->flags |= QUIC_DGRAM_FL_REJECT;
+ return ACT_RET_DONE;
+}
+
+static enum act_parse_ret parse_reject(const char **args, int *orig_arg,
+ struct proxy *px,
+ struct act_rule *rule, char **err)
+{
+ rule->action = ACT_CUSTOM;
+ rule->action_ptr = quic_init_action_reject;
+ return ACT_RET_PRS_OK;
+}
+
/* List head of all known action keywords for "quic-initial" */
struct action_kw_list quic_init_actions_list = {
.list = LIST_HEAD_INIT(quic_init_actions_list.list)
static struct action_kw_list quic_init_actions = { ILH, {
{ "accept", parse_accept, 0 },
{ "dgram-drop", parse_dgram_drop, 0 },
+ { "reject", parse_reject, 0 },
{ /* END */ },
}
};
goto err;
}
- if (!pkt->token_len &&
- ((l->bind_conf->options & BC_O_QUIC_FORCE_RETRY) ||
- HA_ATOMIC_LOAD(&prx_counters->half_open_conn) >= global.tune.quic_retry_threshold)) {
+ /* No need to emit Retry if connection is refused. */
+ if (!pkt->token_len && !(dgram->flags & QUIC_DGRAM_FL_REJECT)) {
+ if ((l->bind_conf->options & BC_O_QUIC_FORCE_RETRY) ||
+ HA_ATOMIC_LOAD(&prx_counters->half_open_conn) >= global.tune.quic_retry_threshold) {
+
+ TRACE_PROTO("Initial without token, sending retry",
+ QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
+ if (send_retry(l->rx.fd, &dgram->saddr, pkt, pkt->version)) {
+ TRACE_ERROR("Error during Retry generation",
+ QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
+ goto out;
+ }
- TRACE_PROTO("Initial without token, sending retry",
- QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
- if (send_retry(l->rx.fd, &dgram->saddr, pkt, pkt->version)) {
- TRACE_ERROR("Error during Retry generation",
- QUIC_EV_CONN_LPKT, NULL, NULL, NULL, pkt->version);
+ HA_ATOMIC_INC(&prx_counters->retry_sent);
goto out;
}
-
- HA_ATOMIC_INC(&prx_counters->retry_sent);
- goto out;
}
/* RFC 9000 7.2. Negotiating Connection IDs:
eb64_insert(qc->cids, &conn_id->seq_num);
/* Initialize the next CID sequence number to be used for this connection. */
qc->next_cid_seq_num = 1;
+
+ if (dgram->flags & QUIC_DGRAM_FL_REJECT)
+ quic_set_connection_close(qc, quic_err_transport(QC_ERR_CONNECTION_REFUSED));
}
if (*new_tid != -1)
projects / thirdparty / haproxy.git / commitdiff
