mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-12 22:44:32 +00:00
3a103c5a6b
With this split, the pattern indexation can apply to any source. The map feature needs this functionality because the map cannot be loaded with the same file format as the ones supported by acl_read_patterns_from_file(). The code was only moved to its own function, no functional changes were made.
250 lines
9.6 KiB
C
250 lines
9.6 KiB
C
/*
|
|
* include/proto/acl.h
|
|
* This file provides interface definitions for ACL manipulation.
|
|
*
|
|
* Copyright (C) 2000-2013 Willy Tarreau - w@1wt.eu
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation, version 2.1
|
|
* exclusively.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
#ifndef _PROTO_ACL_H
|
|
#define _PROTO_ACL_H
|
|
|
|
#include <common/config.h>
|
|
#include <types/acl.h>
|
|
#include <proto/sample.h>
|
|
|
|
/*
|
|
* FIXME: we need destructor functions too !
|
|
*/
|
|
|
|
/* Negate an acl result. This turns (ACL_PAT_FAIL, ACL_PAT_MISS, ACL_PAT_PASS)
|
|
* into (ACL_PAT_PASS, ACL_PAT_MISS, ACL_PAT_FAIL).
|
|
*/
|
|
static inline int acl_neg(int res)
|
|
{
|
|
return (3 >> res);
|
|
}
|
|
|
|
/* Convert an acl result to a boolean. Only ACL_PAT_PASS returns 1. */
|
|
static inline int acl_pass(int res)
|
|
{
|
|
return (res >> 1);
|
|
}
|
|
|
|
/* Return a pointer to the ACL <name> within the list starting at <head>, or
|
|
* NULL if not found.
|
|
*/
|
|
struct acl *find_acl_by_name(const char *name, struct list *head);
|
|
|
|
/* Return a pointer to the ACL keyword <kw> within the list starting at <head>,
|
|
* or NULL if not found. Note that if <kw> contains an opening parenthesis,
|
|
* only the left part of it is checked.
|
|
*/
|
|
struct acl_keyword *find_acl_kw(const char *kw);
|
|
|
|
/* Parse an ACL expression starting at <args>[0], and return it.
|
|
* Right now, the only accepted syntax is :
|
|
* <subject> [<value>...]
|
|
*/
|
|
struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list *al);
|
|
|
|
/* Purge everything in the acl <acl>, then return <acl>. */
|
|
struct acl *prune_acl(struct acl *acl);
|
|
|
|
/* Parse an ACL with the name starting at <args>[0], and with a list of already
|
|
* known ACLs in <acl>. If the ACL was not in the list, it will be added.
|
|
* A pointer to that ACL is returned.
|
|
*
|
|
* args syntax: <aclname> <acl_expr>
|
|
*/
|
|
struct acl *parse_acl(const char **args, struct list *known_acl, char **err, struct arg_list *al);
|
|
|
|
/* Purge everything in the acl_cond <cond>, then return <cond>. */
|
|
struct acl_cond *prune_acl_cond(struct acl_cond *cond);
|
|
|
|
/* Parse an ACL condition starting at <args>[0], relying on a list of already
|
|
* known ACLs passed in <known_acl>. The new condition is returned (or NULL in
|
|
* case of low memory). Supports multiple conditions separated by "or".
|
|
*/
|
|
struct acl_cond *parse_acl_cond(const char **args, struct list *known_acl, int pol, char **err, struct arg_list *al);
|
|
|
|
/* Builds an ACL condition starting at the if/unless keyword. The complete
|
|
* condition is returned. NULL is returned in case of error or if the first
|
|
* word is neither "if" nor "unless". It automatically sets the file name and
|
|
* the line number in the condition for better error reporting, and sets the
|
|
* HTTP initialization requirements in the proxy. If <err> is not NULL, it will
|
|
* be set to an error message upon errors, that the caller will have to free.
|
|
*/
|
|
struct acl_cond *build_acl_cond(const char *file, int line, struct proxy *px, const char **args, char **err);
|
|
|
|
/* Execute condition <cond> and return either ACL_PAT_FAIL, ACL_PAT_MISS or
|
|
* ACL_PAT_PASS depending on the test results. This function only computes the
|
|
* condition, it does not apply the polarity required by IF/UNLESS, it's up to
|
|
* the caller to do this.
|
|
*/
|
|
int acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, void *l7, unsigned int opt);
|
|
|
|
/* Returns a pointer to the first ACL conflicting with usage at place <where>
|
|
* which is one of the SMP_VAL_* bits indicating a check place, or NULL if
|
|
* no conflict is found. Only full conflicts are detected (ACL is not usable).
|
|
* Use the next function to check for useless keywords.
|
|
*/
|
|
const struct acl *acl_cond_conflicts(const struct acl_cond *cond, unsigned int where);
|
|
|
|
/* Returns a pointer to the first ACL and its first keyword to conflict with
|
|
* usage at place <where> which is one of the SMP_VAL_* bits indicating a check
|
|
* place. Returns true if a conflict is found, with <acl> and <kw> set (if non
|
|
* null), or false if not conflict is found. The first useless keyword is
|
|
* returned.
|
|
*/
|
|
int acl_cond_kw_conflicts(const struct acl_cond *cond, unsigned int where, struct acl const **acl, char const **kw);
|
|
|
|
/* parse the <text> with <expr> compliant parser. <pattern> is a context for
|
|
* the current parsed acl. It must initialized at NULL:
|
|
*
|
|
* struct acl_pattern *pattern = NULL
|
|
* acl_register_pattern(..., &pattern, ...);
|
|
*
|
|
* patflag are a combination of 'ACL_PAT_F_*' flags pattern compatible. see
|
|
* <types/acl.h>.
|
|
*
|
|
* The function returns 1 if the processing is ok, return -1 if the parser
|
|
* fails, with <err> message filled. It returns -2 in "out of memory"
|
|
* error case.
|
|
*/
|
|
int acl_register_pattern(struct acl_expr *expr, char *text, struct acl_pattern **pattern, int patflags, char **err);
|
|
|
|
/*
|
|
* Find targets for userlist and groups in acl. Function returns the number
|
|
* of errors or OK if everything is fine.
|
|
*/
|
|
int acl_find_targets(struct proxy *p);
|
|
|
|
/* Return a pointer to the ACL <name> within the list starting at <head>, or
|
|
* NULL if not found.
|
|
*/
|
|
struct acl *find_acl_by_name(const char *name, struct list *head);
|
|
|
|
/*
|
|
* Registers the ACL keyword list <kwl> as a list of valid keywords for next
|
|
* parsing sessions.
|
|
*/
|
|
void acl_register_keywords(struct acl_kw_list *kwl);
|
|
|
|
/*
|
|
* Unregisters the ACL keyword list <kwl> from the list of valid keywords.
|
|
*/
|
|
void acl_unregister_keywords(struct acl_kw_list *kwl);
|
|
|
|
/* initializes ACLs by resolving the sample fetch names they rely upon.
|
|
* Returns 0 on success, otherwise an error.
|
|
*/
|
|
int init_acl();
|
|
|
|
|
|
/*
|
|
*
|
|
* The following functions are general purpose ACL matching functions.
|
|
*
|
|
*/
|
|
|
|
|
|
/* ignore the current line */
|
|
int acl_parse_nothing(const char **text, struct acl_pattern *pattern, int *opaque, char **err);
|
|
|
|
/* NB: For two strings to be identical, it is required that their lengths match */
|
|
int acl_match_str(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* NB: For two binary buffers to be identical, it is required that their lengths match */
|
|
int acl_match_bin(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Checks that the length of the pattern in <test> is included between min and max */
|
|
int acl_match_len(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Checks that the integer in <test> is included between min and max */
|
|
int acl_match_int(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Parse an integer. It is put both in min and max. */
|
|
int acl_parse_int(const char **text, struct acl_pattern *pattern, int *opaque, char **err);
|
|
|
|
/* Parse an version. It is put both in min and max. */
|
|
int acl_parse_dotted_ver(const char **text, struct acl_pattern *pattern, int *opaque, char **err);
|
|
|
|
/* Parse a range of integers delimited by either ':' or '-'. If only one
|
|
* integer is read, it is set as both min and max.
|
|
*/
|
|
int acl_parse_range(const char **text, struct acl_pattern *pattern, int *opaque, char **err);
|
|
|
|
/* Parse a string. It is allocated and duplicated. */
|
|
int acl_parse_str(const char **text, struct acl_pattern *pattern, int *opaque, char **err);
|
|
|
|
/* Parse a hexa binary definition. It is allocated and duplicated. */
|
|
int acl_parse_bin(const char **text, struct acl_pattern *pattern, int *opaque, char **err);
|
|
|
|
/* Parse and concatenate strings into one. It is allocated and duplicated. */
|
|
int acl_parse_strcat(const char **text, struct acl_pattern *pattern, int *opaque, char **err);
|
|
|
|
/* Parse a regex. It is allocated. */
|
|
int acl_parse_reg(const char **text, struct acl_pattern *pattern, int *opaque, char **err);
|
|
|
|
/* Parse an IP address and an optional mask in the form addr[/mask].
|
|
* The addr may either be an IPv4 address or a hostname. The mask
|
|
* may either be a dotted mask or a number of bits. Returns 1 if OK,
|
|
* otherwise 0.
|
|
*/
|
|
int acl_parse_ip(const char **text, struct acl_pattern *pattern, int *opaque, char **err);
|
|
|
|
/* always return false */
|
|
int acl_match_nothing(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Checks that the pattern matches the end of the tested string. */
|
|
int acl_match_end(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Checks that the pattern matches the beginning of the tested string. */
|
|
int acl_match_beg(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Checks that the pattern is included inside the tested string. */
|
|
int acl_match_sub(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Checks that the pattern is included inside the tested string, but enclosed
|
|
* between slashes or at the beginning or end of the string. Slashes at the
|
|
* beginning or end of the pattern are ignored.
|
|
*/
|
|
int acl_match_dir(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Checks that the pattern is included inside the tested string, but enclosed
|
|
* between dots or at the beginning or end of the string. Dots at the beginning
|
|
* or end of the pattern are ignored.
|
|
*/
|
|
int acl_match_dom(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Check that the IPv4 address in <test> matches the IP/mask in pattern */
|
|
int acl_match_ip(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
/* Executes a regex. It temporarily changes the data to add a trailing zero,
|
|
* and restores the previous character when leaving.
|
|
*/
|
|
int acl_match_reg(struct sample *smp, struct acl_pattern *pattern);
|
|
|
|
#endif /* _PROTO_ACL_H */
|
|
|
|
/*
|
|
* Local variables:
|
|
* c-indent-level: 8
|
|
* c-basic-offset: 8
|
|
* End:
|
|
*/
|