From 533561896709e630d742d7c10467de3223478ec2 Mon Sep 17 00:00:00 2001
From: Aurelien DARRAGON
Date: Thu, 16 Nov 2023 10:48:34 +0100
Subject: [PATCH] MINOR: log/backend: prevent tcp-{request,response} use with LOG mode

We start implementing some postparsing compatibility checks for log backends. Here we report a warning if user tries to use tcp-{request,response} rules with log backend, and we properly ignore such rules when inherited from defaults section.
---
 src/log.c | 31 +++++++++++++++++++++++++++++++
 src/tcp_rules.c | 10 ++++++----
 2 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/src/log.c b/src/log.c
index 88d3999263..bd95c0b8e5 100644
--- a/src/log.c
+++ b/src/log.c
@@ -41,6 +41,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -874,6 +875,32 @@ static void log_backend_srv_down(struct server *srv)
 HA_RWLOCK_WRUNLOCK(LBPRM_LOCK, &p->lbprm.lock);
 }
+/* check that current configuration is compatible with "mode log" */
+static int _postcheck_log_backend_compat(struct proxy *be)
+{
+ int err_code = ERR_NONE;
+
+ if (!LIST_ISEMPTY(&be->tcp_req.inspect_rules) ||
+ !LIST_ISEMPTY(&be->tcp_req.l4_rules) ||
+ !LIST_ISEMPTY(&be->tcp_req.l5_rules)) {
+ ha_warning("Cannot use tcp-request rules with 'mode log' in %s '%s'. They will be ignored.\n",
+ proxy_type_str(be), be->id);
+
+ err_code |= ERR_WARN;
+ free_act_rules(&be->tcp_req.inspect_rules);
+ free_act_rules(&be->tcp_req.l4_rules);
+ free_act_rules(&be->tcp_req.l5_rules);
+ }
+ if (!LIST_ISEMPTY(&be->tcp_rep.inspect_rules)) {
+ ha_warning("Cannot use tcp-response rules with 'mode log' in %s '%s'. They will be ignored.\n",
+ proxy_type_str(be), be->id);
+
+ err_code |= ERR_WARN;
+ free_act_rules(&be->tcp_rep.inspect_rules);
+ }
+ return err_code;
+}
+
 static int postcheck_log_backend(struct proxy *be)
 {
 char *msg = NULL;
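Review bot: The comment on `_postcheck_log_backend_compat()` calls it a check, but the body also frees the proxy's `tcp_req.inspect_rules`, `tcp_req.l4_rules`, `tcp_req.l5_rules` and `tcp_rep.inspect_rules` lists and reports the outcome as `ERR_WARN`. I would state that side effect and the return values, e.g. `/* Check that <be> is compatible with "mode log": tcp-request/tcp-response rules declared on the proxy are reported with a warning and freed. Returns ERR_NONE or ERR_WARN. */`. The same comment should say that rules inherited from a defaults section are not covered by this warning. Judging by the src/tcp_rules.c hunks of this patch, those are skipped at run time without any message, so the operator gets no notice for them.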
@@ -885,6 +912,10 @@ static int postcheck_log_backend(struct proxy *be)
 (be->flags & (PR_FL_DISABLED|PR_FL_STOPPED)))
 return ERR_NONE; /* nothing to do */
+ err_code |= _postcheck_log_backend_compat(be);
+ if (err_code & ERR_CODE)
+ return err_code;
+
 /* First time encoutering this log backend, perform some init */
 be->lbprm.set_server_status_up = log_backend_srv_up;
diff --git a/src/tcp_rules.c b/src/tcp_rules.c
index c7bdddccaa..9ce6c90374 100644
--- a/src/tcp_rules.c
+++ b/src/tcp_rules.c
@@ -103,7 +103,9 @@ int tcp_inspect_request(struct stream *s, struct channel *req, int an_bit)
 DBG_TRACE_ENTER(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
- def_rules = ((s->be->defpx && (an_bit == AN_REQ_INSPECT_FE || s->be->defpx != sess->fe->defpx)) ? &s->be->defpx->tcp_req.inspect_rules : NULL);
+ def_rules = ((s->be->defpx &&
+ (sess->fe->mode == PR_MODE_TCP || sess->fe->mode == PR_MODE_HTTP) &&
+ (an_bit == AN_REQ_INSPECT_FE || s->be->defpx != sess->fe->defpx)) ? &s->be->defpx->tcp_req.inspect_rules : NULL);
 rules = &s->be->tcp_req.inspect_rules;
 /* We don't know whether we have enough data, so must proceed
@@ -286,7 +288,7 @@ int tcp_inspect_response(struct stream *s, struct channel *rep, int an_bit)
 DBG_TRACE_ENTER(STRM_EV_STRM_ANA|STRM_EV_TCP_ANA, s);
- def_rules = (s->be->defpx ? &s->be->defpx->tcp_rep.inspect_rules : NULL);
+ def_rules = (s->be->defpx && (s->be->mode == PR_MODE_TCP || s->be->mode == PR_MODE_HTTP) ? &s->be->defpx->tcp_rep.inspect_rules : NULL);
 rules = &s->be->tcp_rep.inspect_rules;
 /* We don't know whether we have enough data, so must proceed
@@ -484,7 +486,7 @@ int tcp_exec_l4_rules(struct session *sess)
 if (!conn)
 return result;
- if (sess->fe->defpx)
+ if (sess->fe->defpx && (sess->fe->mode == PR_MODE_TCP || sess->fe->mode == PR_MODE_HTTP))
 px = sess->fe->defpx;
 restart:
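Review bot: The new mode test in `tcp_inspect_request()` reads `sess->fe->mode`, while the rules it gates come from `s->be->defpx`; `tcp_inspect_response()` in the same patch tests `s->be->mode` instead. On the `AN_REQ_INSPECT_BE` pass the frontend's mode says nothing about the backend whose defaults are being selected. If the intent is to skip defaults rules for a backend that is neither TCP nor HTTP, the added line probably wants to be `(s->be->mode == PR_MODE_TCP || s->be->mode == PR_MODE_HTTP) &&`. That assumes `s->be` still designates the frontend during the `AN_REQ_INSPECT_FE` pass, which is not visible here and should be confirmed. The function body starts and ends outside the hunk.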
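Review bot: The condition in `tcp_inspect_response()` mixes `&&` and `?:` without grouping, and the same `mode == PR_MODE_TCP || mode == PR_MODE_HTTP` test is now written out four times, in `tcp_inspect_request()`, `tcp_inspect_response()`, `tcp_exec_l4_rules()` and `tcp_exec_l5_rules()`. One shared predicate would keep those sites from drifting apart when another proxy mode is added, for instance `static inline int px_uses_tcp_rules(const struct proxy *px) { return px->mode == PR_MODE_TCP || px->mode == PR_MODE_HTTP; }` (the name is only a suggestion). This line would then read `def_rules = ((s->be->defpx && px_uses_tcp_rules(s->be)) ? &s->be->defpx->tcp_rep.inspect_rules : NULL);`. The function body starts and ends outside the hunk.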
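Review bot: The added condition in `tcp_exec_l4_rules()` is an allow-list on the frontend mode, so defaults-section rules stop applying to every frontend that is neither `PR_MODE_TCP` nor `PR_MODE_HTTP`, not only in the log case named in the commit message; the `tcp_exec_l5_rules()` hunk does the same. These rule sets often carry access-control decisions, and nothing at this point tells the operator that they were skipped. A short comment above the test would record the intent, e.g. `/* defaults rules only apply to TCP and HTTP frontends; other modes ignore them silently */`. If other frontend modes can have a defaults proxy attached (not visible in this hunk), a configuration-time warning like the one added in src/log.c would make the loss of those rules visible. The function body starts and ends outside the hunk.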
@@ -579,7 +581,7 @@ int tcp_exec_l5_rules(struct session *sess)
 int result = 1;
 enum acl_test_res ret;
- if (sess->fe->defpx)
+ if (sess->fe->defpx && (sess->fe->mode == PR_MODE_TCP || sess->fe->mode == PR_MODE_HTTP))
 px = sess->fe->defpx;
 restart: