mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-08-07 15:47:01 +02:00
[CLEANUP] acl: use 'L6' instead of 'L4' in ACL flags relying on contents
Just like we do on health checks, we should consider that ACLs that make use of buffer data are layer 6 and not layer 4, because we'll soon have to distinguish between pure layer 4 ACLs (without any buffer) and these ones.
This commit is contained in:
Willy Tarreau
parent
a4cda67323
commit
06457871a4
@ -126,15 +126,15 @@ enum {
|
||||
ACL_USE_TCP_VOLATILE = 1 << 8, /* volatile TCPv4/v6 data (eg: RTT) */
|
||||
ACL_USE_TCP_ANY = (ACL_USE_TCP_PERMANENT | ACL_USE_TCP_CACHEABLE | ACL_USE_TCP_VOLATILE),
|
||||
|
||||
ACL_USE_L4REQ_PERMANENT = 1 << 9, /* unchanged layer4 request data */
|
||||
ACL_USE_L4REQ_CACHEABLE = 1 << 10, /* cacheable layer4 request data (eg: length) */
|
||||
ACL_USE_L4REQ_VOLATILE = 1 << 11, /* volatile layer4 request data (eg: contents) */
|
||||
ACL_USE_L4REQ_ANY = (ACL_USE_L4REQ_PERMANENT | ACL_USE_L4REQ_CACHEABLE | ACL_USE_L4REQ_VOLATILE),
|
||||
ACL_USE_L6REQ_PERMANENT = 1 << 9, /* unchanged layer6 request data */
|
||||
ACL_USE_L6REQ_CACHEABLE = 1 << 10, /* cacheable layer6 request data (eg: length) */
|
||||
ACL_USE_L6REQ_VOLATILE = 1 << 11, /* volatile layer6 request data (eg: contents) */
|
||||
ACL_USE_L6REQ_ANY = (ACL_USE_L6REQ_PERMANENT | ACL_USE_L6REQ_CACHEABLE | ACL_USE_L6REQ_VOLATILE),
|
||||
|
||||
ACL_USE_L4RTR_PERMANENT = 1 << 12, /* unchanged layer4 response data */
|
||||
ACL_USE_L4RTR_CACHEABLE = 1 << 13, /* cacheable layer4 response data (eg: length) */
|
||||
ACL_USE_L4RTR_VOLATILE = 1 << 14, /* volatile layer4 response data (eg: contents) */
|
||||
ACL_USE_L4RTR_ANY = (ACL_USE_L4RTR_PERMANENT | ACL_USE_L4RTR_CACHEABLE | ACL_USE_L4RTR_VOLATILE),
|
||||
ACL_USE_L6RTR_PERMANENT = 1 << 12, /* unchanged layer6 response data */
|
||||
ACL_USE_L6RTR_CACHEABLE = 1 << 13, /* cacheable layer6 response data (eg: length) */
|
||||
ACL_USE_L6RTR_VOLATILE = 1 << 14, /* volatile layer6 response data (eg: contents) */
|
||||
ACL_USE_L6RTR_ANY = (ACL_USE_L6RTR_PERMANENT | ACL_USE_L6RTR_CACHEABLE | ACL_USE_L6RTR_VOLATILE),
|
||||
|
||||
ACL_USE_L7REQ_PERMANENT = 1 << 15, /* unchanged layer7 request data (eg: method) */
|
||||
ACL_USE_L7REQ_CACHEABLE = 1 << 16, /* cacheable layer7 request data (eg: content-length) */
|
||||
@ -153,22 +153,22 @@ enum {
|
||||
|
||||
/* information which remains during response */
|
||||
ACL_USE_REQ_PERMANENT = (ACL_USE_TCP4_PERMANENT | ACL_USE_TCP6_PERMANENT | ACL_USE_TCP_PERMANENT |
|
||||
ACL_USE_L4REQ_PERMANENT | ACL_USE_L7REQ_PERMANENT),
|
||||
ACL_USE_L6REQ_PERMANENT | ACL_USE_L7REQ_PERMANENT),
|
||||
ACL_USE_REQ_CACHEABLE = (ACL_USE_TCP4_CACHEABLE | ACL_USE_TCP6_CACHEABLE | ACL_USE_TCP_CACHEABLE |
|
||||
ACL_USE_L4REQ_CACHEABLE | ACL_USE_L7REQ_CACHEABLE | ACL_USE_HDR_CACHEABLE),
|
||||
ACL_USE_L6REQ_CACHEABLE | ACL_USE_L7REQ_CACHEABLE | ACL_USE_HDR_CACHEABLE),
|
||||
|
||||
/* information which does not remain during response */
|
||||
ACL_USE_REQ_VOLATILE = (ACL_USE_TCP4_VOLATILE | ACL_USE_TCP6_VOLATILE | ACL_USE_TCP_VOLATILE |
|
||||
ACL_USE_L4REQ_VOLATILE | ACL_USE_L7REQ_VOLATILE),
|
||||
ACL_USE_L6REQ_VOLATILE | ACL_USE_L7REQ_VOLATILE),
|
||||
|
||||
/* any type of layer 4 contents information */
|
||||
ACL_USE_L4_ANY = (ACL_USE_L4REQ_ANY | ACL_USE_L4RTR_ANY),
|
||||
/* any type of layer 6 contents information (random data available in a buffer) */
|
||||
ACL_USE_L6_ANY = (ACL_USE_L6REQ_ANY | ACL_USE_L6RTR_ANY),
|
||||
|
||||
/* any type of layer 7 information */
|
||||
ACL_USE_L7_ANY = (ACL_USE_L7REQ_ANY | ACL_USE_L7RTR_ANY | ACL_USE_HDR_ANY),
|
||||
|
||||
/* any type of response information */
|
||||
ACL_USE_RTR_ANY = (ACL_USE_L4RTR_ANY | ACL_USE_L7RTR_ANY),
|
||||
ACL_USE_RTR_ANY = (ACL_USE_L6RTR_ANY | ACL_USE_L7RTR_ANY),
|
||||
|
||||
/* some flags indicating if a keyword supports exact pattern matching,
|
||||
* so that patterns may be arranged in lookup trees. Let's put those
|
||||
|
||||
30
src/acl.c
30
src/acl.c
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* ACL management functions.
|
||||
*
|
||||
* Copyright 2000-2008 Willy Tarreau <w@1wt.eu>
|
||||
* Copyright 2000-2010 Willy Tarreau <w@1wt.eu>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
@ -33,21 +33,21 @@
|
||||
*/
|
||||
const unsigned int filt_cap[] = {
|
||||
[ACL_HOOK_REQ_FE_TCP] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY,
|
||||
[ACL_HOOK_REQ_FE_TCP_CONTENT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L4REQ_ANY,
|
||||
[ACL_HOOK_REQ_FE_HTTP_IN] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L4REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_FE_SWITCH] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L4REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_BE_TCP_CONTENT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L4REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_BE_HTTP_IN] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L4REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_BE_SWITCH] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L4REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_FE_HTTP_OUT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L4REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_BE_HTTP_OUT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L4REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_FE_TCP_CONTENT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY,
|
||||
[ACL_HOOK_REQ_FE_HTTP_IN] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_FE_SWITCH] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_BE_TCP_CONTENT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_BE_HTTP_IN] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_BE_SWITCH] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_FE_HTTP_OUT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
[ACL_HOOK_REQ_BE_HTTP_OUT] = ACL_USE_TCP4_ANY|ACL_USE_TCP6_ANY|ACL_USE_TCP_ANY|ACL_USE_L6REQ_ANY|ACL_USE_L7REQ_ANY|ACL_USE_HDR_ANY,
|
||||
|
||||
[ACL_HOOK_RTR_BE_TCP_CONTENT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L4RTR_ANY,
|
||||
[ACL_HOOK_RTR_BE_HTTP_IN] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L4RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
[ACL_HOOK_RTR_FE_TCP_CONTENT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L4RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
[ACL_HOOK_RTR_FE_HTTP_IN] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L4RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
[ACL_HOOK_RTR_BE_HTTP_OUT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L4RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
[ACL_HOOK_RTR_FE_HTTP_OUT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L4RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
[ACL_HOOK_RTR_BE_TCP_CONTENT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY,
|
||||
[ACL_HOOK_RTR_BE_HTTP_IN] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
[ACL_HOOK_RTR_FE_TCP_CONTENT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
[ACL_HOOK_RTR_FE_HTTP_IN] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
[ACL_HOOK_RTR_BE_HTTP_OUT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
[ACL_HOOK_RTR_FE_HTTP_OUT] = ACL_USE_REQ_PERMANENT|ACL_USE_REQ_CACHEABLE|ACL_USE_L6RTR_ANY|ACL_USE_L7RTR_ANY,
|
||||
};
|
||||
|
||||
/* List head of all known ACL keywords */
|
||||
|
||||
@ -1136,10 +1136,10 @@ static struct cfg_kw_list cfg_kws = {{ },{
|
||||
}};
|
||||
|
||||
static struct acl_kw_list acl_kws = {{ },{
|
||||
{ "req_len", acl_parse_int, acl_fetch_req_len, acl_match_int, ACL_USE_L4REQ_VOLATILE },
|
||||
{ "req_ssl_ver", acl_parse_dotted_ver, acl_fetch_req_ssl_ver, acl_match_int, ACL_USE_L4REQ_VOLATILE },
|
||||
{ "req_rdp_cookie", acl_parse_str, acl_fetch_rdp_cookie, acl_match_str, ACL_USE_L4REQ_VOLATILE|ACL_MAY_LOOKUP },
|
||||
{ "req_rdp_cookie_cnt", acl_parse_int, acl_fetch_rdp_cookie_cnt, acl_match_int, ACL_USE_L4REQ_VOLATILE },
|
||||
{ "req_len", acl_parse_int, acl_fetch_req_len, acl_match_int, ACL_USE_L6REQ_VOLATILE },
|
||||
{ "req_ssl_ver", acl_parse_dotted_ver, acl_fetch_req_ssl_ver, acl_match_int, ACL_USE_L6REQ_VOLATILE },
|
||||
{ "req_rdp_cookie", acl_parse_str, acl_fetch_rdp_cookie, acl_match_str, ACL_USE_L6REQ_VOLATILE|ACL_MAY_LOOKUP },
|
||||
{ "req_rdp_cookie_cnt", acl_parse_int, acl_fetch_rdp_cookie_cnt, acl_match_int, ACL_USE_L6REQ_VOLATILE },
|
||||
{ NULL, NULL, NULL, NULL },
|
||||
}};
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user