Commit Graph

13419 Commits

Author SHA1 Message Date
Christopher Faulet
c20ad0d8db BUG/MINOR: tools: make parse_time_err() more strict on the timer validity
First, an error is now reported if the first character is not a digit. Thus,
"timeout client s" triggers an error now. Then 'u' is also rejected
now. 'us' is valid and should be used set the timer in microseconds. However
'u' alone is not a valid unit. It was just ignored before (default to
milliseconds). Now, it is an error. Finally, a warning is reported if the
end of the text is not reached after the timer parsing. This warning will
probably be switched to an error in a futur version.

This patch must be backported to all stable versions.
2020-12-11 12:01:04 +01:00
Christopher Faulet
cad5f5e1ed MINOR: tcpcheck: Only wait for more payload data on HTTP expect rules
For HTTP expect rules, if the buffer is not empty, it is guarantee that all
responses headers are received, with the start-line. Thus, except for
payload matching, there is no reason to wait for more data from the moment
the htx message is not empty.

This patch may be backported as far as 2.2.
2020-12-11 11:48:15 +01:00
Christopher Faulet
c878f56f7c BUG/MINOR: tcpcheck: Don't rearm the check timeout on each read
The check timeout is used to limit a health-check execution. By default
inter timeout is used. But when defined the check timeout is used. In this
case, the inter timeout (or connect timeout) is used for the connection
establishment only. And the check timeout for the health-check
execution. Thus, it must be set after a successfull connect. It means it is
rearm at the end of each connect rule.

This patch with the previous one (BUG/MINOR: http-check: Use right condition
to consider HTX message as full) should solve the issue #991. It must be
backported as far as 2.2. On the 2.3 and 2.2, there are 2 places were the
connection establishement is handled. The check timeout must be set on both.
2020-12-11 11:48:15 +01:00
Christopher Faulet
3f527197cd BUG/MINOR: http-check: Use right condition to consider HTX message as full
When an HTTP expect rule is evaluated, we must know if more data is expected
or not to wait if the matching fails. If the whole response is received or
if the HTX message is full, we must not wait. In this context,
htx_free_data_space() must be used instead of htx_free_space(). The fisrt
one count down the block size. Otherwise at the edge, when only the block
size remains free (8 bytes), we may think there is some place for more data
while the mux is unable to add more block.

This bug explains the loop described on the GH issue #991. It should be
backported as far as 2.2.
2020-12-11 11:48:15 +01:00
Willy Tarreau
343d0356a5 CLEANUP: connection: remove the unused conn_{stop,cond_update}_polling()
These functions are not used anymore and were quite confusing given that
their names reflected their original role and not the current ones. Let's
kill them before they inspire anyone.
2020-12-11 11:21:53 +01:00
Willy Tarreau
8b250ba738 CLEANUP: connection: open-code conn_cond_update_polling() and update the comment
This last call to conn_cond_update_polling() is now totally misleading as
the function only stops polling in case of unrecoverable connection error.
Let's open-code the test to make it more prominent and explain what we're
trying to do there. It's even almost certain this code is never executed
anymore, as the only remaining case should be a mux's wake function setting
CO_FL_ERROR without disabling the polling, but they need to be audited first
to make sure this is the case.
2020-12-11 11:19:24 +01:00
Willy Tarreau
f7e4a6fc07 MINOR: checks: don't call conn_cond_update_polling() anymore
This was a leftover of the pre-mux v1.8-dev3 era. It makes no sense anymore
to try to disable polling on a connection we don't own, it's the mux's job
and it's properly done upon shutdowns and closes.
2020-12-11 11:11:06 +01:00
Willy Tarreau
30bd4efb1b MINOR: checks: use cs_drain_and_close() instead of draining the connection
As explained in previous commit, the situation is absurd as we try to
cleanly drain pending data before impolitely shutting down, and it could
be counter productive on real muxes. Let's use cs_drain_and_close() instead.
2020-12-11 11:09:29 +01:00
Willy Tarreau
7d7b11cf93 MINOR: mux-pt: take care of CS_SHR_DRAIN in shutr()
When the shutr() requests CS_SHR_DRAIN and there's no particular shutr
implemented on the underlying transport layer, we must drain pending data.
This is what happens when cs_drain_and_close() is called. It is important
for TCP checks to drain large responses and close cleanly.
2020-12-11 11:07:19 +01:00
Willy Tarreau
6aee5b9a4c MINOR: connection: implement cs_drain_and_close()
We had cs_close() which forces a CS_SHR_RESET mode on the read side,
and due to this there are a few call places in the checks which
perform a manual call to conn_sock_drain() before calling cs_close().
This is absurd by principle, and it can be counter-productive in the
case of a mux where this could even cause the opposite of the desired
effect by deleting pending frames on the socket before closing.

Let's add cs_drain_and_close() which uses the CS_SHR_DRAIN mode to
prepare this.
2020-12-11 11:04:51 +01:00
Willy Tarreau
a5ea751922 MINOR: stream-int: don't touch polling anymore on shutdown
Not only it's become totally useless with muxes, in addition it's
dangerous to play with the mux's FD while shutting a stream down for
writes. It's already done *if necessary* by the cs_shutw() code at the
mux layer. Fortunately it doesn't seem to have any impact, most likely
the polling updates used to immediately revert this operation.
2020-12-11 10:29:11 +01:00
Willy Tarreau
5a1d439225 CLEANUP: connection: use fd_stop_both() instead of conn_stop_polling()
conn_stop_polling() in fact only calls fd_stop_both() after checking
that the ctrl layer is ready. It's the case in conn_fd_check() so
let's get rid of this next-to-last user of this function.
2020-12-11 09:56:53 +01:00
Remi Tricot-Le Breton
e3e1e5f34b MINOR: cache: Dump secondary entries in "show cache"
The duplicated entries (in case of vary) were not taken into account by
the "show cache" command. They are now dumped too.
A new "vary" column is added to the output. It contains the complete
seocndary key (in hex format).
2020-12-10 15:59:49 +01:00
David Carlier
1470b9d045 DOC: email change of the DeviceAtlas maintainer 2020-12-10 11:00:18 +01:00
Gilchrist Dadaglo
bdd034947c BUG/MEDIUM: spoa/python: Fixing references to None
As per https://docs.python.org/3/c-api/none.html, None has to be treated
exactly like other objects for reference counting.
So, when we use it, we need to INCREF and when we are done, DECREF

This patch must be backported as far as 2.0.
2020-12-09 08:39:31 +01:00
Gilchrist Dadaglo
042f697a0f BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments
As per https://docs.python.org/3/c-api/object.html#c.PyObject_Call,
positional arguments should be an empty tuple when not used.
Previously the code had a dictionary instead of tuple. This commit is to
fix it and use tuple to avoid unexpected consequences

This patch must be backported as far as 2.0.
2020-12-09 08:39:31 +01:00
Gilchrist Dadaglo
d1c0cf80bc BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails
This change is to ensure objects from the ipaddress module are cleaned
up when spoa module initialization fails.
In general the interpreter would just crash, but in a code where import
is conditional (try/except), then we would keep those objects around

This patch must be backported as far as 2.0.
2020-12-09 08:39:31 +01:00
Gilchrist Dadaglo
132d8f61e9 BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations
As per https://docs.python.org/3/c-api/module.html#c.PyModule_AddObject,
references are stolen by the function only for success. We must do
cleanup manually if there is a failure

This patch must be backported as far as 2.0.
2020-12-09 08:39:31 +01:00
Gilchrist Dadaglo
c7485ac101 DOC: spoa/python: Fixing typos in comments
Fixing a missing letter in a comment

This patch must be backported as far as 2.0.
2020-12-09 08:39:31 +01:00
Gilchrist Dadaglo
85b25829bc DOC: spoa/python: Rephrasing memory related error messages
The old message "No more space left available" was redundant with "left
available". This commit is to rephrase that sentence and make it more
explicit we are talking about memory

This patch must be backported as far as 2.0.
2020-12-09 08:39:31 +01:00
Gilchrist Dadaglo
6884742c65 DOC: spoa/python: Fixing typo in IP related error messages
This commit fixes typos in the ps_python_set_var_ip* byte manipulation error
messages

This patch must be backported as far as 2.0.
2020-12-09 08:39:31 +01:00
Gilchrist Dadaglo
d5c428e761 BUG/MAJOR: spoa/python: Fixing return None
As per https://docs.python.org/3/c-api/none.html, None requires to be
incremented before being returned to prevent deallocating none

This patch must be backported as far as 2.0.
2020-12-09 08:39:31 +01:00
Willy Tarreau
29885f0308 MINOR: udp: export udp_suspend_receiver() and udp_resume_receiver()
QUIC will rely on UDP at the receiver level, and will need these functions
to suspend/resume the receivers. In the future, protocol chaining may
simplify this.
2020-12-08 18:10:18 +01:00
Willy Tarreau
c14e7ae744 MINOR: connection: use the control layer's init/close
In conn_ctrl_init() and conn_ctrl_close() we now use the control layer's
functions instead of manipulating the FD directly. This is safe since the
control layer is always present when done. Note that now we also adjust
the flag before calling the function to make things cleaner in case such
a layer would need to call the same functions again for any reason.
2020-12-08 15:53:45 +01:00
Willy Tarreau
de471c4655 MINOR: protocol: add a set of ctrl_init/ctrl_close methods for setup/teardown
Currnetly conn_ctrl_init() does an fd_insert() and conn_ctrl_close() does an
fd_delete(). These are the two only short-term obstacles against using a
non-fd handle to set up a connection. Let's have pur these into the protocol
layer, along with the other connection-level stuff so that the generic
connection code uses them instead. This will allow to define new ones for
other protocols (e.g. QUIC).

Since we only support regular sockets at the moment, the code was placed
into sock.c and shared with proto_tcp, proto_uxst and proto_sockpair.
2020-12-08 15:50:56 +01:00
Willy Tarreau
b366c9a59a CLEANUP: protocol: group protocol struct members by usage
For the sake of an improved readability, let's group the protocol
field members according to where they're supposed to be defined:
  - connection layer (note: for now even UDP needs one)
  - binding layer
  - address family
  - socket layer
Nothing else was changed.
2020-12-08 14:58:24 +01:00
Willy Tarreau
b9b2fd7cf4 MINOR: protocol: export protocol definitions
The various protocols were made static since there was no point in
exporting them in the past. Nowadays with QUIC relying on UDP we'll
significantly benefit from UDP being exported and more generally from
being able to declare some functions as being the same as other
protocols'.

In an ideal world it should not be these protocols which should be
exported, but the intermediary levels:
  - socket layer (sock.c only right now), already exported as functions
    but nothing structured at the moment ;
  - family layer (sock_inet, sock_unix, sockpair etc): already structured
    and exported
  - binding layer (the part that relies on the receiver): currently fused
    within the protocol
  - connectiong layer (the part that manipulates connections): currently
    fused within the protocol
  - protocol (connection's control): shouldn't need to be exposed
    ultimately once the elements above are in an easily sharable way.
2020-12-08 14:54:08 +01:00
Willy Tarreau
f9ad06cb26 MINOR: protocol: remove the redundant ->sock_domain field
This field used to be needed before commit 2b5e0d8b6 ("MEDIUM: proto_udp:
replace last AF_CUST_UDP* with AF_INET*") as it was used as a protocol
entry selector. Since this commit it's always equal to the socket family's
value so it's entirely redundant. Let's remove it now to simplify the
protocol definition a little bit.
2020-12-08 12:13:54 +01:00
Christopher Faulet
c43fca0139 BUG/MINOR: stream: Don't use input buffer after the ownership xfer
At the end of stream_new(), once the input buffer is transfer to the request
channel, it must not be used anymore. The previous patch (16df178b6 "BUG/MEDIUM:
stream: Xfer the input buffer to a fully created stream") was pushed to quickly.

No backport needed.
2020-12-04 17:22:50 +01:00
Christopher Faulet
16df178b6e BUG/MEDIUM: stream: Xfer the input buffer to a fully created stream
The input buffer passed as argument to create a new stream must not be
transferred when the request channel is initialized because the channel
flags are not set at this stage. In addition, the API is a bit confusing
regarding the buffer owner when an error occurred. The caller remains the
owner, but reading the code it is not obvious.

So, first of all, to avoid any ambiguities, comments are added on the
calling chain to make it clear. The buffer owner is the caller if any error
occurred. And the ownership is transferred to the stream on success.

Then, to make things simple, the ownership is transferred at the end of
stream_new(), in case of success. And the input buffer is updated to point
on BUF_NULL. Thus, in all cases, if the caller try to release it calling
b_free() on it, it is not a problem. Of course, it remains the caller
responsibility to release it on error.

The patch fixes a bug introduced by the commit 26256f86e ("MINOR: stream:
Pass an optional input buffer when a stream is created"). No backport is
needed.
2020-12-04 17:15:03 +01:00
William Lallemand
b7fdfdfd92 MEDIUM: ssl: fatal error with bundle + openssl < 1.1.1
Since HAProxy 2.3, OpenSSL 1.1.1 is a requirement for using a
multi-certificate bundle in the configuration. This patch emits a fatal
error when HAProxy tries to load a bundle with an older version of
HAProxy.

This problem was encountered by an user in issue #990.

This must be backported in 2.3.
2020-12-04 15:45:02 +01:00
Willy Tarreau
d1f250f87b MINOR: listener: now use a generic add_listener() function
With the removal of the family-specific port setting, all protocol had
exactly the same implementation of ->add(). A generic one was created
with the name "default_add_listener" so that all other ones can now be
removed. The API was slightly adjusted so that the protocol and the
listener are passed instead of the listener and the port.

Note that all protocols continue to provide this ->add() method instead
of routinely calling default_add_listener() from create_listeners(). This
makes sure that any non-standard protocol will still be able to intercept
the listener addition if needed.

This could be backported to 2.3 along with the few previous patches on
listners as a pure code cleanup.
2020-12-04 15:08:00 +01:00
Willy Tarreau
07400c56bb MINOR: listener: automatically set the port when creating listeners
In create_listeners() we iterate over a port range and call the
protocol's ->add() function to add a new listener on the specified
port. Only tcp4/tcp6/udp4/udp6 support a port, the other ones ignore
it. Now that we can rely on the address family to properly set the
port, better do it this way directly from create_listeners() and
remove the family-specific case from the protocol layer.
2020-12-04 15:08:00 +01:00
Willy Tarreau
73bed9ff13 MINOR: protocol: add a ->set_port() helper to address families
At various places we need to set a port on an IPv4 or IPv6 address, and
it requires casts that are easy to get wrong. Let's add a new set_port()
helper to the address family to assist in this. It will be directly
accessible from the protocol and will make the operation seamless.
Right now this is only implemented for sock_inet as other families do
not need a port.
2020-12-04 15:08:00 +01:00
Christopher Faulet
c31bc724d4 MINOR: h1-htx/http-ana: Set BODYLESS flag on message in TUNNEL state
When a H1 message is parsed, if the parser state is switched to TUNNEL mode
just after the header parsing, the BODYLESS flag is set on the HTX
start-line. By transitivity, the corresponding flag is set on the message in
HTTP analysers.  Thus it is possible to rely on it to not wait for the
request body.
2020-12-04 14:41:49 +01:00
Christopher Faulet
2a40854244 MINOR: http-ana: Properly set message flags from the start-line flags
CNT_LEN and TE_CHNK flags must be set on the message only when the
corresponding flag is set on the HTX start-line. Before, when the transfer
length was known XFER_LEN set), the HTTP_MSGF_TE_CHNK was the default. But
it is not appropriate. Now, it is only set if the message is chunked. Thus,
it is now possible to have a known transfer length without CNT_LEN or
TE_CHNK.

In addition, the BODYLESS flags may be set, independently on XFER_LEN one.
2020-12-04 14:41:49 +01:00
Christopher Faulet
6ade861305 REGTESTS: Fix proxy_protocol_tlv_validation
Remaining data after the PROXYv2 header now trigger a parsing error in the
H1 multiplexer Thus the required version for this test is now set to 2.4.
2020-12-04 14:41:49 +01:00
Christopher Faulet
6ad06066cd CLEANUP: connection: Remove CS_FL_READ_PARTIAL flag
Since the recent refactoring of the H1 multiplexer, this flag is no more
used. Thus it is removed.
2020-12-04 14:41:49 +01:00
Christopher Faulet
da831fa068 CLEANUP: http-ana: Remove TX_WAIT_NEXT_RQ unsued flag
This flags is now unused. It was used in REQ_WAIT_HTTP analyser, when a
stream was waiting for a request, to set the keep-alive timeout or to avoid
to send HTTP errors to client.
2020-12-04 14:41:49 +01:00
Christopher Faulet
8bebd2fe52 MEDIUM: http-ana: Don't process partial or empty request anymore
It is now impossible to start the HTTP request processing in the stream
analysers with a partial or empty request message. The mux-h2 was already
waiting of the request headers before creating the stream. Now the mux-h1
does the same. All errors (aborts, timeout or invalid requests) waiting for
the request headers are now handled by the multiplexers. So there is no
reason to still handle them in the REQ_WAIT_HTTP (http_wait_for_request)
analyser.

To ensure there is no ambiguity, a BUG_ON() was added to exit if a partial
request is received in this analyser.
2020-12-04 14:41:49 +01:00
Christopher Faulet
2afd874704 CLEANUP: htx: Remove HTX_FL_UPGRADE unsued flag
Now the H1 to H2 upgrade is handled before the stream
creation. HTX_FL_UPGRADE flag is now unused.
2020-12-04 14:41:49 +01:00
Christopher Faulet
4a8779f808 MINOR: http-ana: Remove useless update of t_idle duration of the stream
Becaues the stream is now created after the request headers parsing, the
idle duration from the session is always up-to-date.
2020-12-04 14:41:49 +01:00
Christopher Faulet
3ced1d1db4 CLEANUP: mux-h1: Rename H1C_F_CS_* flags and reorder H1C flags
H1C_F_CS_* flags are renamed into H1C_F_ST_*. They reflect the connection
state. So "ST" is well suited. "CS" is confusing because it is also the
abbreviation for conn-stream.

In addition, H1C flags are reordered.
2020-12-04 14:41:49 +01:00
Christopher Faulet
d5ac6de74a DOC: config: Add notes about errors emitted by H1 mux
Now, some errors are handled by the H1 multiplexer. During the headers
parsing request, there is no stream attached to the H1 mux. Thus, if an
error is reported at this stage, it is handled by the mux itself. If
possible the corresponding frontend errorfile is used, but it should be a
static message. Custom error messages are not supported. Otherwise, default
error messages are used.

In addition, the http analysis has not started yet, so http-after-response
ruleset is not evaluated and cannot alter these early responses.
2020-12-04 14:41:49 +01:00
Christopher Faulet
c4bfa59f1d MAJOR: mux-h1: Create the client stream as later as possible
This is the reason for all previous patches. The conn-stream and the
associated stream are created as later as possible. It only concerns the
frontend connections. But it means the request headers, and possibly the
first data block, are received and parsed before the conn-stream
creation. To do so, an embryonic H1 stream, with no conn-stream, is
created. The result of this "early parsing" is stored in its rx buffer, used
to fill the request channel when the stream is created. During this step,
some HTTP errors may be returned by the mux. It must also handle
http-request/keep-alive timeouts. A significative change is about H1 to H2
upgrade. It happens very early now, and no H1 stream are created (and thus
of course no conn-stream).

The most important part of this patch is located to the h1_process()
function. Because it must trigger the parsing when there is no H1
stream. h1_recv() function has also been simplified.
2020-12-04 14:41:49 +01:00
Christopher Faulet
c18fc234d9 MINOR: mux-h1: Add functions to send HTTP errors from the mux
For now, this part is unsued. But this patch adds functions to handle errors
on idle and embryonic H1 connections and send corresponding HTTP error
messages to the client (400, 408 or 500). Thanks to previous patches, these
functions take care to update the right stats counters, but also the
counters tracked by the session.

A field to store the HTTP error code has been added in the H1C structure. It
is used for error retransmits, if any, and to get it in http logs. It is
used to return the mux exit status code when the MUX_EXIT_STATUS ctl
parameter is requested.
2020-12-04 14:41:49 +01:00
Christopher Faulet
ce5e6bcb04 MINOR: logs: Get the multiplexer exist status when no stream is provided
When a log message is emitted from the session level, by a multiplexer,
there is no stream. Thus for HTTP session, there no status code and the
termination flags are not correctly set.

Thanks to previous patch, the HTTP status code is deduced from the mux exist
status, using the MUX_EXIT_STATE ctl param. This is only done for HTTP
frontends. If it is defined ( != 0), it is used to deduce the termination
flags.
2020-12-04 14:41:49 +01:00
Christopher Faulet
4c8ad84232 MINOR: mux: Add a ctl parameter to get the exit status of the multiplexers
The ctl param MUX_EXIT_STATUS can be request to get the exit status of a
multiplexer. For instance, it may be an HTTP status code or an H2 error. For
now, 0 is always returned. When the mux h1 will be able to return HTTP
errors itself, this ctl param will be used to get the HTTP status code from
the logs.

the mux_exit_status enum has been created to map internal mux exist status
to generic one. Thus there is 5 possible status for now: success, invalid
error, timeout error, internal error and unknown.
2020-12-04 14:41:49 +01:00
Christopher Faulet
7d0c19e82d MINOR: session: Add functions to increase http values of tracked counters
cumulative numbers of http request and http errors of counters tracked at
the session level and their rates can now be updated at the session level
thanks to two new functions. These functions are not used for now, but it
will be called to keep tracked counters up-to-date if an error occurs before
the stream creation.
2020-12-04 14:41:49 +01:00
Christopher Faulet
84600631cd MINOR: stick-tables: Add functions to update some values of a tracked counter
The cumulative numbers of http requests, http errors, bytes received and
sent and their respective rates for a tracked counters are now updated using
specific stream independent functions. These functions are used by the
stream but the aim is to allow the session to do so too. For now, there is
no reason to perform these updates from the session, except from the mux-h2
maybe. But, the mux-h1, on the frontend side, will be able to return some
errors to the client, before the stream creation. In this case, it will be
mandatory to update counters tracked at the session level.
2020-12-04 14:41:49 +01:00