2007-10-29 00:09:36 +00:00
|
|
|
/*
|
2010-03-29 17:36:59 +00:00
|
|
|
* include/proto/proto_tcp.h
|
|
|
|
* This file contains TCP socket protocol definitions.
|
|
|
|
*
|
MEDIUM: samples: move payload-based fetches and ACLs to their own file
The file acl.c is a real mess, it both contains functions to parse and
process ACLs, and some sample extraction functions which act on buffers.
Some other payload analysers were arbitrarily dispatched to proto_tcp.c.
So now we're moving all payload-based fetches and ACLs to payload.c
which is capable of extracting data from buffers and rely on everything
that is protocol-independant. That way we can safely inflate this file
and only use the other ones when some fetches are really specific (eg:
HTTP, SSL, ...).
As a result of this cleanup, the following new sample fetches became
available even if they're not really useful :
always_false, always_true, rep_ssl_hello_type, rdp_cookie_cnt,
req_len, req_ssl_hello_type, req_ssl_sni, req_ssl_ver, wait_end
The function 'acl_fetch_nothing' was wrong and never used anywhere so it
was removed.
The "rdp_cookie" sample fetch used to have a mandatory argument while it
was optional in ACLs, which are supposed to iterate over RDP cookies. So
we're making it optional as a fetch too, and it will return the first one.
2013-01-07 20:59:07 +00:00
|
|
|
* Copyright (C) 2000-2013 Willy Tarreau - w@1wt.eu
|
2010-03-29 17:36:59 +00:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation, version 2.1
|
|
|
|
* exclusively.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
*/
|
2007-10-29 00:09:36 +00:00
|
|
|
|
|
|
|
#ifndef _PROTO_PROTO_TCP_H
|
|
|
|
#define _PROTO_PROTO_TCP_H
|
|
|
|
|
|
|
|
#include <common/config.h>
|
[MAJOR] implement tcp request content inspection
Some people need to inspect contents of TCP requests before
deciding to forward a connection or not. A future extension
of this demand might consist in selecting a server farm
depending on the protocol detected in the request.
For this reason, a new state CL_STINSPECT has been added on
the client side. It is immediately entered upon accept() if
the statement "tcp-request inspect-delay <xxx>" is found in
the frontend configuration. Haproxy will then wait up to
this amount of time trying to find a matching ACL, and will
either accept or reject the connection depending on the
"tcp-request content <action> {if|unless}" rules, where
<action> is either "accept" or "reject".
Note that it only waits that long if no definitive verdict
can be found earlier. That generally implies calling a fetch()
function which does not have enough information to decode
some contents, or a match() function which only finds the
beginning of what it's looking for.
It is only at the ACL level that partial data may be processed
as such, because we need to distinguish between MISS and FAIL
*before* applying the term negation.
Thus it is enough to add "| ACL_PARTIAL" to the last argument
when calling acl_exec_cond() to indicate that we expect
ACL_PAT_MISS to be returned if some data is missing (for
fetch() or match()). This is the only case we may return
this value. For this reason, the ACL check in process_cli()
has become a lot simpler.
A new ACL "req_len" of type "int" has been added. Right now
it is already possible to drop requests which talk too early
(eg: for SMTP) or which don't talk at all (eg: HTTP/SSL).
Also, the acl fetch() functions have been extended in order
to permit reporting of missing data in case of fetch failure,
using the ACL_TEST_F_MAY_CHANGE flag.
The default behaviour is unchanged, and if no rule matches,
the request is accepted.
As a side effect, all layer 7 fetching functions have been
cleaned up so that they now check for the validity of the
layer 7 pointer before dereferencing it.
2008-07-14 21:54:42 +00:00
|
|
|
#include <types/proto_tcp.h>
|
2007-10-29 00:09:36 +00:00
|
|
|
#include <types/task.h>
|
2010-06-14 19:04:55 +00:00
|
|
|
#include <proto/stick_table.h>
|
2007-10-29 00:09:36 +00:00
|
|
|
|
2011-03-10 21:26:24 +00:00
|
|
|
int tcp_bind_socket(int fd, int flags, struct sockaddr_storage *local, struct sockaddr_storage *remote);
|
2007-10-29 00:09:36 +00:00
|
|
|
void tcpv4_add_listener(struct listener *listener);
|
|
|
|
void tcpv6_add_listener(struct listener *listener);
|
2012-11-24 09:24:27 +00:00
|
|
|
int tcp_connect_server(struct connection *conn, int data, int delack);
|
2012-07-23 16:53:03 +00:00
|
|
|
int tcp_connect_probe(struct connection *conn);
|
2012-05-11 14:16:40 +00:00
|
|
|
int tcp_get_src(int fd, struct sockaddr *sa, socklen_t salen, int dir);
|
|
|
|
int tcp_get_dst(int fd, struct sockaddr *sa, socklen_t salen, int dir);
|
MEDIUM: protocol: implement a "drain" function in protocol layers
Since commit cfd97c6f was merged into 1.5-dev14 (BUG/MEDIUM: checks:
prevent TIME_WAITs from appearing also on timeouts), some valid health
checks sometimes used to show some TCP resets. For example, this HTTP
health check sent to a local server :
19:55:15.742818 IP 127.0.0.1.16568 > 127.0.0.1.8000: S 3355859679:3355859679(0) win 32792 <mss 16396,nop,nop,sackOK,nop,wscale 7>
19:55:15.742841 IP 127.0.0.1.8000 > 127.0.0.1.16568: S 1060952566:1060952566(0) ack 3355859680 win 32792 <mss 16396,nop,nop,sackOK,nop,wscale 7>
19:55:15.742863 IP 127.0.0.1.16568 > 127.0.0.1.8000: . ack 1 win 257
19:55:15.745402 IP 127.0.0.1.16568 > 127.0.0.1.8000: P 1:23(22) ack 1 win 257
19:55:15.745488 IP 127.0.0.1.8000 > 127.0.0.1.16568: FP 1:146(145) ack 23 win 257
19:55:15.747109 IP 127.0.0.1.16568 > 127.0.0.1.8000: R 23:23(0) ack 147 win 257
After some discussion with Chris Huang-Leaver, it appeared clear that
what we want is to only send the RST when we have no other choice, which
means when the server has not closed. So we still keep SYN/SYN-ACK/RST
for pure TCP checks, but don't want to see an RST emitted as above when
the server has already sent the FIN.
The solution against this consists in implementing a "drain" function at
the protocol layer, which, when defined, causes as much as possible of
the input socket buffer to be flushed to make recv() return zero so that
we know that the server's FIN was received and ACKed. On Linux, we can make
use of MSG_TRUNC on TCP sockets, which has the benefit of draining everything
at once without even copying data. On other platforms, we read up to one
buffer of data before the close. If recv() manages to get the final zero,
we don't disable lingering. Same for hard errors. Otherwise we do.
In practice, on HTTP health checks we generally find that the close was
pending and is returned upon first recv() call. The network trace becomes
cleaner :
19:55:23.650621 IP 127.0.0.1.16561 > 127.0.0.1.8000: S 3982804816:3982804816(0) win 32792 <mss 16396,nop,nop,sackOK,nop,wscale 7>
19:55:23.650644 IP 127.0.0.1.8000 > 127.0.0.1.16561: S 4082139313:4082139313(0) ack 3982804817 win 32792 <mss 16396,nop,nop,sackOK,nop,wscale 7>
19:55:23.650666 IP 127.0.0.1.16561 > 127.0.0.1.8000: . ack 1 win 257
19:55:23.651615 IP 127.0.0.1.16561 > 127.0.0.1.8000: P 1:23(22) ack 1 win 257
19:55:23.651696 IP 127.0.0.1.8000 > 127.0.0.1.16561: FP 1:146(145) ack 23 win 257
19:55:23.652628 IP 127.0.0.1.16561 > 127.0.0.1.8000: F 23:23(0) ack 147 win 257
19:55:23.652655 IP 127.0.0.1.8000 > 127.0.0.1.16561: . ack 24 win 257
This change should be backported to 1.4 which is where Chris encountered
this issue. The code is different, so probably the tcp_drain() function
will have to be put in the checks only.
2013-06-10 17:56:38 +00:00
|
|
|
int tcp_drain(int fd);
|
2012-07-02 13:11:27 +00:00
|
|
|
int tcp_inspect_request(struct session *s, struct channel *req, int an_bit);
|
|
|
|
int tcp_inspect_response(struct session *s, struct channel *rep, int an_bit);
|
2010-05-31 08:30:33 +00:00
|
|
|
int tcp_exec_req_rules(struct session *s);
|
2007-10-29 00:09:36 +00:00
|
|
|
|
2012-08-30 20:59:48 +00:00
|
|
|
/* Converts the INET/INET6 source address to a stick_table key usable for table
|
2014-04-14 12:35:40 +00:00
|
|
|
* lookups. <type> can be STKTABLE_TYPE_IP or STKTABLE_TYPE_IPV6. The function
|
|
|
|
* try to convert the incoming IP to the type expected by the sticktable.
|
|
|
|
* Returns either NULL if the source cannot be converted (eg: not IPv4) or a
|
|
|
|
* pointer to the converted result in static_table_key in the appropriate format
|
|
|
|
* (IP).
|
2010-06-14 19:04:55 +00:00
|
|
|
*/
|
2014-04-14 12:35:40 +00:00
|
|
|
static inline struct stktable_key *addr_to_stktable_key(struct sockaddr_storage *addr, long type)
|
2010-06-14 19:04:55 +00:00
|
|
|
{
|
2012-08-30 20:59:48 +00:00
|
|
|
switch (addr->ss_family) {
|
2011-03-24 10:09:31 +00:00
|
|
|
case AF_INET:
|
2014-04-14 12:35:40 +00:00
|
|
|
/* Convert IPv4 to IPv4 key. */
|
|
|
|
if (type == STKTABLE_TYPE_IP) {
|
|
|
|
static_table_key->key = (void *)&((struct sockaddr_in *)addr)->sin_addr;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
/* Convert IPv4 to IPv6 key. */
|
|
|
|
if (type == STKTABLE_TYPE_IPV6) {
|
|
|
|
v4tov6(&static_table_key->data.ipv6, &((struct sockaddr_in *)addr)->sin_addr);
|
|
|
|
static_table_key->key = &static_table_key->data.ipv6;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
|
2011-03-24 10:09:31 +00:00
|
|
|
case AF_INET6:
|
2014-04-14 12:35:40 +00:00
|
|
|
/* Convert IPv6 to IPv4 key. This conversion can be failed. */
|
|
|
|
if (type == STKTABLE_TYPE_IP) {
|
|
|
|
if (!v6tov4(&static_table_key->data.ip, &((struct sockaddr_in6 *)addr)->sin6_addr))
|
|
|
|
return NULL;
|
|
|
|
static_table_key->key = &static_table_key->data.ip;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
/* Convert IPv6 to IPv6 key. */
|
|
|
|
if (type == STKTABLE_TYPE_IPV6) {
|
|
|
|
static_table_key->key = (void *)&((struct sockaddr_in6 *)addr)->sin6_addr;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return NULL;
|
2012-08-30 20:52:28 +00:00
|
|
|
default:
|
|
|
|
return NULL;
|
2011-03-24 10:09:31 +00:00
|
|
|
}
|
2012-10-29 20:56:59 +00:00
|
|
|
return static_table_key;
|
2010-06-14 19:04:55 +00:00
|
|
|
}
|
|
|
|
|
2013-05-28 15:40:25 +00:00
|
|
|
/* for a tcp-request action TCP_ACT_TRK_*, return a tracking index starting at
|
2013-12-02 22:29:05 +00:00
|
|
|
* zero for SC0. Unknown actions also return zero.
|
2013-05-28 15:40:25 +00:00
|
|
|
*/
|
|
|
|
static inline int tcp_trk_idx(int trk_action)
|
|
|
|
{
|
2013-06-17 13:04:07 +00:00
|
|
|
return trk_action - TCP_ACT_TRK_SC0;
|
2013-05-28 15:40:25 +00:00
|
|
|
}
|
2010-06-14 19:04:55 +00:00
|
|
|
|
2007-10-29 00:09:36 +00:00
|
|
|
#endif /* _PROTO_PROTO_TCP_H */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Local variables:
|
|
|
|
* c-indent-level: 8
|
|
|
|
* c-basic-offset: 8
|
|
|
|
* End:
|
|
|
|
*/
|