diff --git a/doc/configuration.txt b/doc/configuration.txt index e37f84cf6..19f180884 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -969,6 +969,7 @@ The following keywords are supported in the "global" section : - deviceatlas-log-level - deviceatlas-separator - deviceatlas-properties-cookie + - expose-experimental-directives - external-check - gid - group @@ -1274,6 +1275,10 @@ deviceatlas-properties-cookie Client-side component was used during the request. This directive is optional and set to DAPROPS by default if not set. +expose-experimental-directives + This statement must appear before using directives tagged as experimental or + the config file will be rejected. + external-check Allows the use of an external agent to perform health checks. This is disabled by default as a security precaution, and even when enabled, checks diff --git a/include/haproxy/cfgparse.h b/include/haproxy/cfgparse.h index b32c90dca..83c031db8 100644 --- a/include/haproxy/cfgparse.h +++ b/include/haproxy/cfgparse.h @@ -43,7 +43,7 @@ enum kw_mod { }; enum cfg_keyword_flags { - KWF_UNIMPLEMENTED, // TO REMOVE once an enum value is implemented + KWF_EXPERIMENTAL = 0x1, }; struct cfg_keyword { diff --git a/include/haproxy/global.h b/include/haproxy/global.h index 20a0950ea..fb7b62b6c 100644 --- a/include/haproxy/global.h +++ b/include/haproxy/global.h @@ -98,11 +98,17 @@ static inline unsigned long thread_mask(unsigned long mask) /* handle 'tainted' status */ enum tainted_flags { - TAINTED_UNIMPLEMENTED, // TO REMOVE once an enum value is implemented + TAINTED_CONFIG_EXP_KW_DECLARED = 0x1, }; void mark_tainted(const enum tainted_flags flag); unsigned int get_tainted(); +extern unsigned int experimental_directives_allowed; + +struct cfg_keyword; +int check_kw_experimental(struct cfg_keyword *kw, const char *file, int linenum, + char **errmsg); + /* simplified way to declare static build options in a file */ #define REGISTER_BUILD_OPTS(str) \ INITCALL2(STG_REGISTER, hap_register_build_opts, (str), 0) diff --git a/src/cfgparse-global.c b/src/cfgparse-global.c index 384ad3c96..98012d164 100644 --- a/src/cfgparse-global.c +++ b/src/cfgparse-global.c @@ -70,6 +70,9 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm) alertif_too_many_args(0, file, linenum, args, &err_code); goto out; } + else if (strcmp(args[0], "expose-experimental-directives") == 0) { + experimental_directives_allowed = 1; + } else if (strcmp(args[0], "daemon") == 0) { if (alertif_too_many_args(0, file, linenum, args, &err_code)) goto out; @@ -1306,6 +1309,12 @@ int cfg_parse_global(const char *file, int linenum, char **args, int kwm) if (kwl->kw[index].section != CFG_GLOBAL) continue; if (strcmp(kwl->kw[index].kw, args[0]) == 0) { + if (check_kw_experimental(&kwl->kw[index], file, linenum, &errmsg)) { + ha_alert(errmsg); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } + rc = kwl->kw[index].parse(args, CFG_GLOBAL, NULL, NULL, file, linenum, &errmsg); if (rc < 0) { ha_alert("parsing [%s:%d] : %s\n", file, linenum, errmsg); diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c index 8a81b442d..78f1a5875 100644 --- a/src/cfgparse-listen.c +++ b/src/cfgparse-listen.c @@ -3040,6 +3040,12 @@ stats_error_parsing: if (kwl->kw[index].section != CFG_LISTEN) continue; if (strcmp(kwl->kw[index].kw, args[0]) == 0) { + if (check_kw_experimental(&kwl->kw[index], file, linenum, &errmsg)) { + ha_alert(errmsg); + err_code |= ERR_ALERT | ERR_FATAL; + goto out; + } + /* prepare error message just in case */ rc = kwl->kw[index].parse(args, CFG_LISTEN, curproxy, curr_defproxy, file, linenum, &errmsg); if (rc < 0) { diff --git a/src/haproxy.c b/src/haproxy.c index 4c7ff556e..0ca87802e 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -262,6 +262,23 @@ unsigned int warned = 0; /* set if experimental features have been used for the current process */ static unsigned int tainted = 0; +unsigned int experimental_directives_allowed = 0; + +int check_kw_experimental(struct cfg_keyword *kw, const char *file, int linenum, + char **errmsg) +{ + if (kw->flags & KWF_EXPERIMENTAL) { + if (!experimental_directives_allowed) { + memprintf(errmsg, "parsing [%s:%d] : '%s' directive is experimental, must be allowed via a global 'expose-experimental-directives'\n", + file, linenum, kw->kw); + return 1; + } + mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED); + } + + return 0; +} + /* master CLI configuration (-S flag) */ struct list mworker_cli_conf = LIST_HEAD_INIT(mworker_cli_conf);