52
54
* neg(x) = (3 >> x) and(x,y) = (x & y) or(x,y) = (x | y)
56
* For efficiency, the ACL return flags are directly mapped from the pattern
57
* match flags. See include/pattern.h for existing values.
57
ACL_PAT_FAIL = 0, /* test failed */
58
ACL_PAT_MISS = 1, /* test may pass with more info */
59
ACL_PAT_PASS = 3, /* test passed */
60
ACL_TEST_FAIL = 0, /* test failed */
61
ACL_TEST_MISS = 1, /* test may pass with more info */
62
ACL_TEST_PASS = 3, /* test passed */
62
65
/* Condition polarity. It makes it easier for any option to choose between
63
66
* IF/UNLESS if it can store that information within the condition itself.
64
67
* Those should be interpreted as "IF/UNLESS result == PASS".
67
70
ACL_COND_NONE, /* no polarity set yet */
68
71
ACL_COND_IF, /* positive condition (after 'if') */
69
72
ACL_COND_UNLESS, /* negative condition (after 'unless') */
72
/* possible flags for intermediate test values. The flags are maintained
73
* across consecutive fetches for a same entry (eg: parse all req lines).
76
ACL_TEST_F_READ_ONLY = 1 << 0, /* test data are read-only */
77
ACL_TEST_F_MUST_FREE = 1 << 1, /* test data must be freed after end of evaluation */
78
ACL_TEST_F_VOL_TEST = 1 << 2, /* result must not survive longer than the test (eg: time) */
79
ACL_TEST_F_VOL_HDR = 1 << 3, /* result sensitive to changes in headers */
80
ACL_TEST_F_VOL_1ST = 1 << 4, /* result sensitive to changes in first line (eg: URI) */
81
ACL_TEST_F_VOL_TXN = 1 << 5, /* result sensitive to new transaction (eg: persist) */
82
ACL_TEST_F_VOL_SESS = 1 << 6, /* result sensitive to new session (eg: IP) */
83
ACL_TEST_F_VOLATILE = (1<<2)|(1<<3)|(1<<4)|(1<<5)|(1<<6),
84
ACL_TEST_F_FETCH_MORE = 1 << 7, /* if test does not match, retry with next entry (for multi-match) */
85
ACL_TEST_F_MAY_CHANGE = 1 << 8, /* if test does not match, retry later (eg: request size) */
86
ACL_TEST_F_RES_SET = 1 << 9, /* for fetch() function to assign the result without calling match() */
87
ACL_TEST_F_RES_PASS = 1 << 10,/* with SET_RESULT, sets result to PASS (defaults to FAIL) */
88
ACL_TEST_F_SET_RES_PASS = (ACL_TEST_F_RES_SET|ACL_TEST_F_RES_PASS), /* sets result to PASS */
89
ACL_TEST_F_SET_RES_FAIL = (ACL_TEST_F_RES_SET), /* sets result to FAIL */
90
ACL_TEST_F_NULL_MATCH = 1 << 11,/* call expr->kw->match with NULL pattern if expr->patterns is empty */
93
/* ACLs can be evaluated on requests and on responses, and on partial or complete data */
95
ACL_DIR_REQ = 0, /* ACL evaluated on request */
96
ACL_DIR_RTR = (1 << 0), /* ACL evaluated on response */
97
ACL_DIR_MASK = (ACL_DIR_REQ | ACL_DIR_RTR),
98
ACL_PARTIAL = (1 << 1), /* partial data, return MISS if data are missing */
101
/* possible flags for expressions or patterns */
103
ACL_PAT_F_IGNORE_CASE = 1 << 0, /* ignore case */
104
ACL_PAT_F_FROM_FILE = 1 << 1, /* pattern comes from a file */
105
ACL_PAT_F_TREE_OK = 1 << 2, /* the pattern parser is allowed to build a tree */
106
ACL_PAT_F_TREE = 1 << 3, /* some patterns are arranged in a tree */
109
/* what capabilities an ACL uses. These flags are set during parsing, which
110
* allows for flexible ACLs typed by their contents.
113
ACL_USE_NOTHING = 0, /* no need for anything beyond internal information */
114
ACL_USE_TCP4_PERMANENT = 1 << 0, /* unchanged TCPv4 data (eg: source IP) */
115
ACL_USE_TCP4_CACHEABLE = 1 << 1, /* cacheable TCPv4 data (eg: src conns) */
116
ACL_USE_TCP4_VOLATILE = 1 << 2, /* volatile TCPv4 data (eg: RTT) */
117
ACL_USE_TCP4_ANY = (ACL_USE_TCP4_PERMANENT | ACL_USE_TCP4_CACHEABLE | ACL_USE_TCP4_VOLATILE),
119
ACL_USE_TCP6_PERMANENT = 1 << 3, /* unchanged TCPv6 data (eg: source IP) */
120
ACL_USE_TCP6_CACHEABLE = 1 << 4, /* cacheable TCPv6 data (eg: src conns) */
121
ACL_USE_TCP6_VOLATILE = 1 << 5, /* volatile TCPv6 data (eg: RTT) */
122
ACL_USE_TCP6_ANY = (ACL_USE_TCP6_PERMANENT | ACL_USE_TCP6_CACHEABLE | ACL_USE_TCP6_VOLATILE),
124
ACL_USE_TCP_PERMANENT = 1 << 6, /* unchanged TCPv4/v6 data (eg: source IP) */
125
ACL_USE_TCP_CACHEABLE = 1 << 7, /* cacheable TCPv4/v6 data (eg: src conns) */
126
ACL_USE_TCP_VOLATILE = 1 << 8, /* volatile TCPv4/v6 data (eg: RTT) */
127
ACL_USE_TCP_ANY = (ACL_USE_TCP_PERMANENT | ACL_USE_TCP_CACHEABLE | ACL_USE_TCP_VOLATILE),
129
ACL_USE_L4REQ_PERMANENT = 1 << 9, /* unchanged layer4 request data */
130
ACL_USE_L4REQ_CACHEABLE = 1 << 10, /* cacheable layer4 request data (eg: length) */
131
ACL_USE_L4REQ_VOLATILE = 1 << 11, /* volatile layer4 request data (eg: contents) */
132
ACL_USE_L4REQ_ANY = (ACL_USE_L4REQ_PERMANENT | ACL_USE_L4REQ_CACHEABLE | ACL_USE_L4REQ_VOLATILE),
134
ACL_USE_L4RTR_PERMANENT = 1 << 12, /* unchanged layer4 response data */
135
ACL_USE_L4RTR_CACHEABLE = 1 << 13, /* cacheable layer4 response data (eg: length) */
136
ACL_USE_L4RTR_VOLATILE = 1 << 14, /* volatile layer4 response data (eg: contents) */
137
ACL_USE_L4RTR_ANY = (ACL_USE_L4RTR_PERMANENT | ACL_USE_L4RTR_CACHEABLE | ACL_USE_L4RTR_VOLATILE),
139
ACL_USE_L7REQ_PERMANENT = 1 << 15, /* unchanged layer7 request data (eg: method) */
140
ACL_USE_L7REQ_CACHEABLE = 1 << 16, /* cacheable layer7 request data (eg: content-length) */
141
ACL_USE_L7REQ_VOLATILE = 1 << 17, /* volatile layer7 request data (eg: cookie) */
142
ACL_USE_L7REQ_ANY = (ACL_USE_L7REQ_PERMANENT | ACL_USE_L7REQ_CACHEABLE | ACL_USE_L7REQ_VOLATILE),
144
ACL_USE_L7RTR_PERMANENT = 1 << 18, /* unchanged layer7 response data (eg: status) */
145
ACL_USE_L7RTR_CACHEABLE = 1 << 19, /* cacheable layer7 response data (eg: content-length) */
146
ACL_USE_L7RTR_VOLATILE = 1 << 20, /* volatile layer7 response data (eg: cookie) */
147
ACL_USE_L7RTR_ANY = (ACL_USE_L7RTR_PERMANENT | ACL_USE_L7RTR_CACHEABLE | ACL_USE_L7RTR_VOLATILE),
149
/* those ones are used for ambiguous "hdr_xxx" verbs */
150
ACL_USE_HDR_CACHEABLE = 1 << 21, /* cacheable request or response header (eg: content-length) */
151
ACL_USE_HDR_VOLATILE = 1 << 22, /* volatile request or response header (eg: cookie) */
152
ACL_USE_HDR_ANY = (ACL_USE_HDR_CACHEABLE | ACL_USE_HDR_VOLATILE),
154
/* information which remains during response */
155
ACL_USE_REQ_PERMANENT = (ACL_USE_TCP4_PERMANENT | ACL_USE_TCP6_PERMANENT | ACL_USE_TCP_PERMANENT |
156
ACL_USE_L4REQ_PERMANENT | ACL_USE_L7REQ_PERMANENT),
157
ACL_USE_REQ_CACHEABLE = (ACL_USE_TCP4_CACHEABLE | ACL_USE_TCP6_CACHEABLE | ACL_USE_TCP_CACHEABLE |
158
ACL_USE_L4REQ_CACHEABLE | ACL_USE_L7REQ_CACHEABLE | ACL_USE_HDR_CACHEABLE),
160
/* information which does not remain during response */
161
ACL_USE_REQ_VOLATILE = (ACL_USE_TCP4_VOLATILE | ACL_USE_TCP6_VOLATILE | ACL_USE_TCP_VOLATILE |
162
ACL_USE_L4REQ_VOLATILE | ACL_USE_L7REQ_VOLATILE),
164
/* any type of layer 4 contents information */
165
ACL_USE_L4_ANY = (ACL_USE_L4REQ_ANY | ACL_USE_L4RTR_ANY),
167
/* any type of layer 7 information */
168
ACL_USE_L7_ANY = (ACL_USE_L7REQ_ANY | ACL_USE_L7RTR_ANY | ACL_USE_HDR_ANY),
170
/* any type of response information */
171
ACL_USE_RTR_ANY = (ACL_USE_L4RTR_ANY | ACL_USE_L7RTR_ANY),
173
/* some flags indicating if a keyword supports exact pattern matching,
174
* so that patterns may be arranged in lookup trees. Let's put those
175
* flags at the end to leave some space for the other ones above.
177
ACL_MAY_LOOKUP = 1 << 31, /* exact pattern lookup */
180
/* filtering hooks */
182
/* hooks on the request path */
183
ACL_HOOK_REQ_FE_TCP = 0,
184
ACL_HOOK_REQ_FE_TCP_CONTENT,
185
ACL_HOOK_REQ_FE_HTTP_IN,
186
ACL_HOOK_REQ_FE_SWITCH,
187
ACL_HOOK_REQ_BE_TCP_CONTENT,
188
ACL_HOOK_REQ_BE_HTTP_IN,
189
ACL_HOOK_REQ_BE_SWITCH,
190
ACL_HOOK_REQ_FE_HTTP_OUT,
191
ACL_HOOK_REQ_BE_HTTP_OUT,
192
/* hooks on the response path */
193
ACL_HOOK_RTR_BE_TCP_CONTENT,
194
ACL_HOOK_RTR_BE_HTTP_IN,
195
ACL_HOOK_RTR_FE_TCP_CONTENT,
196
ACL_HOOK_RTR_FE_HTTP_IN,
197
ACL_HOOK_RTR_BE_HTTP_OUT,
198
ACL_HOOK_RTR_FE_HTTP_OUT,
201
/* How to store a time range and the valid days in 29 bits */
203
int dow:7; /* 1 bit per day of week: 0-6 */
204
int h1:5, m1:6; /* 0..24:0..60. Use 0:0 for all day. */
205
int h2:5, m2:6; /* 0..24:0..60. Use 24:0 for all day. */
208
/* The acl will be linked to from the proxy where it is declared */
210
struct list list; /* chaining */
212
int i; /* integer value */
214
signed long long min, max;
217
} range; /* integer range */
221
} ipv4; /* IPv4 address */
222
struct acl_time time; /* valid hours and days */
223
unsigned int group_mask;
224
struct eb_root *tree; /* tree storing all values if any */
225
} val; /* direct value */
227
void *ptr; /* any data */
228
char *str; /* any string */
229
regex_t *reg; /* a compiled regex */
230
} ptr; /* indirect values, allocated */
231
void(*freeptrbuf)(void *ptr); /* a destructor able to free objects from the ptr */
232
int len; /* data length when required */
233
int flags; /* expr or pattern flags. */
236
/* The structure exchanged between an acl_fetch_* function responsible for
237
* retrieving a value, and an acl_match_* function responsible for testing it.
240
int i; /* integer value */
241
char *ptr; /* pointer to beginning of value */
242
int len; /* length of value at ptr, otherwise ignored */
243
int flags; /* ACL_TEST_F_* set to 0 on first call */
244
union { /* fetch_* functions context for any purpose */
245
void *p; /* any pointer */
246
int i; /* any integer */
247
long long ll; /* any long long or smaller */
248
double d; /* any float or double */
249
void *a[8]; /* any array of up to 8 pointers */
255
* ACL keyword: Associates keywords with parsers, methods to retrieve the value and testers.
258
75
/* some dummy declarations to silent the compiler */
80
* ACL keyword: Associates keywords with parsers, methods to retrieve the value and testers.
264
84
* The 'parse' function is called to parse words in the configuration. It must
265
85
* return the number of valid words read. 0 = error. The 'opaque' argument may