329
334
proto_tcpv6.nb_listeners++;
337
/* This function performs the TCP request analysis on the current request. It
338
* returns 1 if the processing can continue on next analysers, or zero if it
339
* needs more data, encounters an error, or wants to immediately abort the
340
* request. It relies on buffers flags, and updates s->req->analysers. Its
341
* behaviour is rather simple:
342
* - the analyser should check for errors and timeouts, and react as expected.
343
* It does not have to close anything upon error, the caller will. Note that
344
* the caller also knows how to report errors and timeouts.
345
* - if the analyser does not have enough data, it must return 0 without calling
346
* other ones. It should also probably do a buffer_write_dis() to ensure
347
* that unprocessed data will not be forwarded. But that probably depends on
349
* - if an analyser has enough data, it just has to pass on to the next
350
* analyser without using buffer_write_dis() (enabled by default).
351
* - if an analyser thinks it has no added value anymore staying here, it must
352
* reset its bit from the analysers flags in order not to be called anymore.
354
* In the future, analysers should be able to indicate that they want to be
355
* called after XXX bytes have been received (or transfered), and the min of
356
* all's wishes will be used to ring back (unless a special condition occurs).
358
int tcp_inspect_request(struct session *s, struct buffer *req)
360
struct tcp_rule *rule;
363
DPRINTF(stderr,"[%u] %s: session=%p b=%p, exp(r,w)=%u,%u bf=%08x bl=%d analysers=%02x\n",
364
now_ms, __FUNCTION__,
372
/* We don't know whether we have enough data, so must proceed
374
* - iterate through all rules in their declaration order
375
* - if one rule returns MISS, it means the inspect delay is
376
* not over yet, then return immediately, otherwise consider
378
* - if one rule returns OK, then return OK
379
* - if one rule returns KO, then return KO
382
if (req->flags & BF_SHUTR || !s->fe->tcp_req.inspect_delay || tick_is_expired(req->analyse_exp, now_ms))
385
partial = ACL_PARTIAL;
387
list_for_each_entry(rule, &s->fe->tcp_req.inspect_rules, list) {
388
int ret = ACL_PAT_PASS;
391
ret = acl_exec_cond(rule->cond, s->fe, s, NULL, ACL_DIR_REQ | partial);
392
if (ret == ACL_PAT_MISS) {
393
buffer_write_dis(req);
394
/* just set the request timeout once at the beginning of the request */
395
if (!tick_isset(req->analyse_exp) && s->fe->tcp_req.inspect_delay)
396
req->analyse_exp = tick_add_ifset(now_ms, s->fe->tcp_req.inspect_delay);
401
if (rule->cond->pol == ACL_COND_UNLESS)
406
/* we have a matching rule. */
407
if (rule->action == TCP_ACT_REJECT) {
409
buffer_abort(s->rep);
412
if (!(s->flags & SN_ERR_MASK))
413
s->flags |= SN_ERR_PRXCOND;
414
if (!(s->flags & SN_FINST_MASK))
415
s->flags |= SN_FINST_R;
418
/* otherwise accept */
423
/* if we get there, it means we have no rule which matches, or
424
* we have an explicit accept, so we apply the default accept.
426
req->analysers &= ~AN_REQ_INSPECT;
427
req->analyse_exp = TICK_ETERNITY;
432
/* This function should be called to parse a line starting with the "tcp-request"
435
static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
436
struct proxy *defpx, char *err, int errlen)
438
const char *ptr = NULL;
443
snprintf(err, errlen, "missing argument for '%s' in %s '%s'",
444
args[0], proxy_type_str(proxy), curpx->id);
448
if (!strcmp(args[1], "inspect-delay")) {
449
if (curpx == defpx) {
450
snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
455
if (!(curpx->cap & PR_CAP_FE)) {
456
snprintf(err, errlen, "%s %s will be ignored because %s '%s' has no %s capability",
457
args[0], args[1], proxy_type_str(proxy), curpx->id,
462
if (!*args[2] || (ptr = parse_time_err(args[2], &val, TIME_UNIT_MS))) {
463
retlen = snprintf(err, errlen,
464
"'%s %s' expects a positive delay in milliseconds, in %s '%s'",
465
args[0], args[1], proxy_type_str(proxy), curpx->id);
466
if (ptr && retlen < errlen)
467
retlen += snprintf(err+retlen, errlen - retlen,
468
" (unexpected character '%c')", *ptr);
472
if (curpx->tcp_req.inspect_delay) {
473
snprintf(err, errlen, "ignoring %s %s (was already defined) in %s '%s'",
474
args[0], args[1], proxy_type_str(proxy), curpx->id);
477
curpx->tcp_req.inspect_delay = val;
481
if (!strcmp(args[1], "content")) {
484
int pol = ACL_COND_NONE;
485
struct acl_cond *cond;
486
struct tcp_rule *rule;
488
if (curpx == defpx) {
489
snprintf(err, errlen, "%s %s is not allowed in 'defaults' sections",
494
if (!strcmp(args[2], "accept"))
495
action = TCP_ACT_ACCEPT;
496
else if (!strcmp(args[2], "reject"))
497
action = TCP_ACT_REJECT;
499
retlen = snprintf(err, errlen,
500
"'%s %s' expects 'accept' or 'reject', in %s '%s' (was '%s')",
501
args[0], args[1], proxy_type_str(curpx), curpx->id, args[2]);
508
if (!strcmp(args[3], "if"))
510
else if (!strcmp(args[3], "unless"))
511
pol = ACL_COND_UNLESS;
513
/* Note: we consider "if TRUE" when there is no condition */
514
if (pol != ACL_COND_NONE &&
515
(cond = parse_acl_cond((const char **)args+4, &curpx->acl, pol)) == NULL) {
516
retlen = snprintf(err, errlen,
517
"error detected in %s '%s' while parsing '%s' condition",
518
proxy_type_str(curpx), curpx->id, args[3]);
522
// FIXME: how to set this ?
523
// cond->line = linenum;
524
if (cond && cond->requires & (ACL_USE_RTR_ANY | ACL_USE_L7_ANY)) {
528
acl = cond_find_require(cond, ACL_USE_RTR_ANY|ACL_USE_L7_ANY);
529
name = acl ? acl->name : "(unknown)";
531
retlen = snprintf(err, errlen,
532
"acl '%s' involves some %s criteria which will be ignored.",
534
(acl->requires & ACL_USE_RTR_ANY) ? "response-only" : "layer 7");
537
rule = (struct tcp_rule *)calloc(1, sizeof(*rule));
539
rule->action = action;
540
LIST_INIT(&rule->list);
541
LIST_ADDQ(&curpx->tcp_req.inspect_rules, &rule->list);
545
snprintf(err, errlen, "unknown argument '%s' after '%s' in %s '%s'",
546
args[1], args[0], proxy_type_str(proxy), curpx->id);
550
/* return the number of bytes in the request buffer */
552
acl_fetch_req_len(struct proxy *px, struct session *l4, void *l7, int dir,
553
struct acl_expr *expr, struct acl_test *test)
558
test->i = l4->req->l;
559
test->flags = ACL_TEST_F_VOLATILE | ACL_TEST_F_MAY_CHANGE;
563
/* Return the version of the SSL protocol in the request. It supports both
564
* SSLv3 (TLSv1) header format for any message, and SSLv2 header format for
565
* the hello message. The SSLv3 format is described in RFC 2246 p49, and the
566
* SSLv2 format is described here, and completed p67 of RFC 2246 :
567
* http://wp.netscape.com/eng/security/SSL_2.html
569
* Note: this decoder only works with non-wrapping data.
572
acl_fetch_req_ssl_ver(struct proxy *px, struct session *l4, void *l7, int dir,
573
struct acl_expr *expr, struct acl_test *test)
575
int version, bleft, msg_len;
576
const unsigned char *data;
586
data = (const unsigned char *)l4->req->w;
587
if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
588
/* SSLv3 header format */
592
version = (data[1] << 16) + data[2]; /* version: major, minor */
593
msg_len = (data[3] << 8) + data[4]; /* record length */
595
/* format introduced with SSLv3 */
596
if (version < 0x00030000)
599
/* message length between 1 and 2^14 + 2048 */
600
if (msg_len < 1 || msg_len > ((1<<14) + 2048))
603
bleft -= 5; data += 5;
605
/* SSLv2 header format, only supported for hello (msg type 1) */
606
int rlen, plen, cilen, silen, chlen;
611
/* short header format : 15 bits for length */
612
rlen = ((data[0] & 0x7F) << 8) | data[1];
614
bleft -= 2; data += 2;
618
/* long header format : 14 bits for length + pad length */
619
rlen = ((data[0] & 0x3F) << 8) | data[1];
621
bleft -= 3; data += 2;
630
version = (data[0] << 16) + data[1]; /* version: major, minor */
631
cilen = (data[2] << 8) + data[3]; /* cipher len, multiple of 3 */
632
silen = (data[4] << 8) + data[5]; /* session_id_len: 0 or 16 */
633
chlen = (data[6] << 8) + data[7]; /* 16<=challenge length<=32 */
635
bleft -= 8; data += 8;
638
if (silen && silen != 16)
640
if (chlen < 16 || chlen > 32)
642
if (rlen != 9 + cilen + silen + chlen)
645
/* focus on the remaining data length */
646
msg_len = cilen + silen + chlen + plen;
648
/* We could recursively check that the buffer ends exactly on an SSL
649
* fragment boundary and that a possible next segment is still SSL,
650
* but that's a bit pointless. However, we could still check that
651
* all the part of the request which fits in a buffer is already
654
if (msg_len > l4->req->max_len + l4->req->data - l4->req->w)
655
msg_len = l4->req->max_len + l4->req->data - l4->req->w;
660
/* OK that's enough. We have at least the whole message, and we have
661
* the protocol version.
664
test->flags = ACL_TEST_F_VOLATILE;
668
test->flags = ACL_TEST_F_MAY_CHANGE;
674
static struct cfg_kw_list cfg_kws = {{ },{
675
{ CFG_LISTEN, "tcp-request", tcp_parse_tcp_req },
679
static struct acl_kw_list acl_kws = {{ },{
680
{ "req_len", acl_parse_int, acl_fetch_req_len, acl_match_int, ACL_USE_L4REQ_VOLATILE },
681
{ "req_ssl_ver", acl_parse_dotted_ver, acl_fetch_req_ssl_ver, acl_match_int, ACL_USE_L4REQ_VOLATILE },
682
{ NULL, NULL, NULL, NULL },
332
685
__attribute__((constructor))
333
686
static void __tcp_protocol_init(void)
335
688
protocol_register(&proto_tcpv4);
336
689
protocol_register(&proto_tcpv6);
690
cfg_register_keywords(&cfg_kws);
691
acl_register_keywords(&acl_kws);