of load balancers are passed through by traffic coming from public
hosts.
+ - expect-netscaler-cip layer4 :
+ configures the client-facing connection to receive a NetScaler Client
+ IP insertion protocol header before any byte is read from the socket.
+ This is equivalent to having the "accept-netscaler-cip" keyword on the
+ "bind" line, except that using the TCP rule allows the PROXY protocol
+ to be accepted only for certain IP address ranges using an ACL. This
+ is convenient when multiple layers of load balancers are passed
+ through by traffic coming from public hosts.
+
- capture <sample> len <length> :
This only applies to "tcp-request content" rules. It captures sample
expression <sample> from the request buffer, and converts it to a
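Review bot: the new "expect-netscaler-cip layer4" entry still says the TCP rule "allows the PROXY protocol to be accepted only for certain IP address ranges", which looks copied from the "expect-proxy layer4" text just above it; since this keyword expects the NetScaler Client IP insertion header (per its own first sentence and the "accept-netscaler-cip" bind keyword it references), that sentence should read along the lines of "allows the NetScaler CIP protocol to be accepted only for certain IP address ranges using an ACL" so readers are not led to believe the two rules are interchangeable.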
protocol, unless it is violated, in which case the real address will still
be used. This keyword combined with support from external components can be
used as an efficient and reliable alternative to the X-Forwarded-For
- mechanism which is not always reliable and not even always usable.
+ mechanism which is not always reliable and not even always usable. See also
+ "tcp-request connection expect-netscaler-cip" for a finer-grained setting of
+ which client is allowed to use the protocol.
accept-proxy
Enforces the use of the PROXY protocol over any connection accepted by any of
conn->flags |= CO_FL_ACCEPT_PROXY;
conn_sock_want_recv(conn);
}
+ else if (rule->action == ACT_TCP_EXPECT_CIP) {
+ conn->flags |= CO_FL_ACCEPT_CIP;
+ conn_sock_want_recv(conn);
+ }
else {
/* Custom keywords. */
if (!rule->action_ptr)
arg += 2;
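Review bot: the new ACT_TCP_EXPECT_CIP branch sets CO_FL_ACCEPT_CIP in the same way the ACT_TCP_EXPECT_PX branch sets CO_FL_ACCEPT_PROXY, but nothing here prevents two "tcp-request connection" rules from matching the same connection and leaving both flags set; either confirm that the connection receive path copes with CO_FL_ACCEPT_PROXY and CO_FL_ACCEPT_CIP being set together (and document which header is expected first), or have this branch clear the other flag, or reject the combination when the rules are parsed. The doc hunk promises the header is read "before any byte is read from the socket", so whichever flag wins must be decided before conn_sock_want_recv() hands the socket to the receive callback.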
rule->action = ACT_TCP_EXPECT_PX;
}
+ else if (strcmp(args[arg], "expect-netscaler-cip") == 0) {
+ if (strcmp(args[arg+1], "layer4") != 0) {
+ memprintf(err,
+ "'%s %s %s' only supports 'layer4' in %s '%s' (got '%s')",
+ args[0], args[1], args[arg], proxy_type_str(curpx), curpx->id, args[arg+1]);
+ return -1;
+ }
+
+ if (!(where & SMP_VAL_FE_CON_ACC)) {
+ memprintf(err,
+ "'%s %s' is not allowed in '%s %s' rules in %s '%s'",
+ args[arg], args[arg+1], args[0], args[1], proxy_type_str(curpx), curpx->id);
+ return -1;
+ }
+
+ arg += 2;
+ rule->action = ACT_TCP_EXPECT_CIP;
+ }
else {
struct action_kw *kw;
if (where & SMP_VAL_FE_CON_ACC) {
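Review bot: the "expect-netscaler-cip" parsing block is a line-for-line copy of the "expect-proxy" block above it, differing only in the keyword string and in assigning ACT_TCP_EXPECT_CIP instead of ACT_TCP_EXPECT_PX; consider folding the two into a single branch that tests both keywords and picks the action from a small table, so that the 'layer4' argument check and the SMP_VAL_FE_CON_ACC restriction (which correctly limits the rule to "tcp-request connection", as the documentation describes) are maintained in one place. The error messages themselves are good: they name the keyword, argument, rule type and proxy, which makes a misplaced rule easy to find in a large configuration.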