mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 15:47:01 +02:00
Code Issues Projects Releases Wiki Activity

MINOR: http-act/tcp-act: Add "set-mark" and "set-tos" for tcp content rules

Browse Source 
It is now possible to set the Netfilter MARK and the TOS field value in all
packets sent to the client from any tcp-request rulesets or the "tcp-response
content" one. To do so, the parsing of "set-mark" and "set-tos" actions are
moved in tcp_act.c and the actions evaluation is handled in dedicated functions.

This patch may be backported as far as 2.2 if necessary.
This commit is contained in:
Christopher Faulet 2021-06-25 15:11:35 +02:00
parent 1da374af2f
commit 469c06c30e
5 changed files with 138 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
doc/configuration.txt
View File

@ -11897,6 +11897,16 @@ tcp-request connection <action> [{if | unless} <condition>]
expected result is a boolean. If an error occurs, this action silently expected result is a boolean. If an error occurs, this action silently
fails and the actions evaluation continues. fails and the actions evaluation continues.
- set-mark <mark>:
Is used to set the Netfilter MARK in all packets sent to the client to
the value passed in <mark> on platforms which support it. This value is
an unsigned 32 bit value which can be matched by netfilter and by the
routing table. It can be expressed both in decimal or hexadecimal format
(prefixed by "0x"). This can be useful to force certain packets to take a
different route (for example a cheaper network path for bulk
downloads). This works on Linux kernels 2.6.32 and above and requires
admin privileges.
- set-src <expr> : - set-src <expr> :
Is used to set the source IP address to the value of specified Is used to set the source IP address to the value of specified
expression. Useful if you want to mask source IP for privacy. expression. Useful if you want to mask source IP for privacy.
@ -11963,6 +11973,17 @@ tcp-request connection <action> [{if | unless} <condition>]
long as the address family supports a port, otherwise it forces the long as the address family supports a port, otherwise it forces the
destination address to IPv4 "0.0.0.0" before rewriting the port. destination address to IPv4 "0.0.0.0" before rewriting the port.
- set-tos <tos>:
Is used to set the TOS or DSCP field value of packets sent to the client
to the value passed in <tos> on platforms which support this. This value
represents the whole 8 bits of the IP TOS field, and can be expressed
both in decimal or hexadecimal format (prefixed by "0x"). Note that only
the 6 higher bits are used in DSCP or TOS, and the two lower bits are
always 0. This can be used to adjust some routing behavior on border
routers based on some information from the request.
See RFC 2474, 2597, 3260 and 4594 for more information.
- "silent-drop" : - "silent-drop" :
This stops the evaluation of the rules and makes the client-facing This stops the evaluation of the rules and makes the client-facing
connection suddenly disappear using a system-dependent way that tries connection suddenly disappear using a system-dependent way that tries
@ -12057,9 +12078,11 @@ tcp-request content <action> [{if | unless} <condition>]
- set-dst <expr> - set-dst <expr>
- set-dst-port <expr> - set-dst-port <expr>
- set-log-level <level> - set-log-level <level>
- set-mark <mark>
- set-nice <nice> - set-nice <nice>
- set-src <expr> - set-src <expr>
- set-src-port <expr> - set-src-port <expr>
- set-tos <tos>
- set-var(<var-name>) <expr> - set-var(<var-name>) <expr>
- switch-mode http [ proto <name> ] - switch-mode http [ proto <name> ]
- unset-var(<var-name>) - unset-var(<var-name>)
@ -12113,12 +12136,18 @@ tcp-request content <action> [{if | unless} <condition>]
The "set-log-level" is used to set the log level of the current session. More The "set-log-level" is used to set the log level of the current session. More
information on how to use it at "http-request set-log-level". information on how to use it at "http-request set-log-level".
The "set-mark" is used to set the Netfilter MARK in all packets sent to the
client. More information on how to use it at "http-request set-mark".
The "set-nice" is used to set the "nice" factor of the current session. More The "set-nice" is used to set the "nice" factor of the current session. More
information on how to use it at "http-request set-nice". information on how to use it at "http-request set-nice".
The "set-src" and "set-src-port" are used to set respectively the source IP The "set-src" and "set-src-port" are used to set respectively the source IP
and port. More information on how to use it at "http-request set-src". and port. More information on how to use it at "http-request set-src".
The "set-tos" is used to set the TOS or DSCP field value of packets sent to
the client. More information on how to use it at "http-request set-tos".
The "set-var" is used to set the content of a variable. The variable is The "set-var" is used to set the content of a variable. The variable is
declared inline. For "tcp-request session" rules, only session-level declared inline. For "tcp-request session" rules, only session-level
variables can be used, without any layer7 contents. variables can be used, without any layer7 contents.
@ -12363,11 +12392,21 @@ tcp-response content <action> [{if | unless} <condition>]
session. More information on how to use it at "http-response session. More information on how to use it at "http-response
set-log-level". set-log-level".
- set-mark <mark>
The "set-mark" is used to set the Netfilter MARK in all packets sent to
the client. More information on how to use it at "http-response
set-mark".
- set-nice <nice> - set-nice <nice>
The "set-nice" is used to set the "nice" factor of the current The "set-nice" is used to set the "nice" factor of the current
session. More information on how to use it at "http-response session. More information on how to use it at "http-response
set-nice". set-nice".
- set-tos <tos>
The "set-tos" is used to set the TOS or DSCP field value of packets
sent to the client. More information on how to use it at "http-response
set-tos".
- set-var(<var-name>) <expr> - set-var(<var-name>) <expr>
Sets a variable. Sets a variable.
@ -12510,10 +12549,12 @@ tcp-request session <action> [{if | unless} <condition>]
- sc-inc-gpc0(<sc-id>) - sc-inc-gpc0(<sc-id>)
- sc-inc-gpc1(<sc-id>) - sc-inc-gpc1(<sc-id>)
- sc-set-gpt0(<sc-id>) { <int> | <expr> } - sc-set-gpt0(<sc-id>) { <int> | <expr> }
- set-mark <mark>
- set-dst <expr> - set-dst <expr>
- set-dst-port <expr> - set-dst-port <expr>
- set-src <expr> - set-src <expr>
- set-src-port <expr> - set-src-port <expr>
- set-tos <tos>
- set-var(<var-name>) <expr> - set-var(<var-name>) <expr>
- unset-var(<var-name>) - unset-var(<var-name>)
- silent-drop - silent-drop

2
include/haproxy/action-t.h
View File

@ -81,8 +81,6 @@ enum act_name {
/* common http actions .*/ /* common http actions .*/
ACT_HTTP_REDIR, ACT_HTTP_REDIR,
ACT_HTTP_SET_TOS,
ACT_HTTP_SET_MARK,
/* http request actions. */ /* http request actions. */
ACT_HTTP_REQ_TARPIT, ACT_HTTP_REQ_TARPIT,

69
src/http_act.c
View File

@ -1315,71 +1315,6 @@ static enum act_parse_ret parse_http_auth(const char **args, int *orig_arg, stru
return ACT_RET_PRS_OK; return ACT_RET_PRS_OK;
} }
/* Parse a "set-tos" action. It takes the TOS value as argument. It returns
* ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_set_tos(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
#ifdef IP_TOS
char *endp;
int cur_arg;
rule->action = ACT_HTTP_SET_TOS;
cur_arg = *orig_arg;
if (!*args[cur_arg]) {
memprintf(err, "expects exactly 1 argument (integer/hex value)");
return ACT_RET_PRS_ERR;
}
rule->arg.http.i = strtol(args[cur_arg], &endp, 0);
if (endp && *endp != '\0') {
memprintf(err, "invalid character starting at '%s' (integer/hex value expected)", endp);
return ACT_RET_PRS_ERR;
}
LIST_INIT(&rule->arg.http.fmt);
*orig_arg = cur_arg + 1;
return ACT_RET_PRS_OK;
#else
memprintf(err, "not supported on this platform (IP_TOS undefined)");
return ACT_RET_PRS_ERR;
#endif
}
/* Parse a "set-mark" action. It takes the MARK value as argument. It returns
* ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret parse_http_set_mark(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
#ifdef SO_MARK
char *endp;
int cur_arg;
rule->action = ACT_HTTP_SET_MARK;
cur_arg = *orig_arg;
if (!*args[cur_arg]) {
memprintf(err, "expects exactly 1 argument (integer/hex value)");
return ACT_RET_PRS_ERR;
}
rule->arg.http.i = strtoul(args[cur_arg], &endp, 0);
if (endp && *endp != '\0') {
memprintf(err, "invalid character starting at '%s' (integer/hex value expected)", endp);
return ACT_RET_PRS_ERR;
}
LIST_INIT(&rule->arg.http.fmt);
*orig_arg = cur_arg + 1;
global.last_checks |= LSTCHK_NETADM;
return ACT_RET_PRS_OK;
#else
memprintf(err, "not supported on this platform (SO_MARK undefined)");
return ACT_RET_PRS_ERR;
#endif
}
/* This function executes a early-hint action. It adds an HTTP Early Hint HTTP /* This function executes a early-hint action. It adds an HTTP Early Hint HTTP
* 103 response header with <.arg.http.str> name and with a value built * 103 response header with <.arg.http.str> name and with a value built
* according to <.arg.http.fmt> log line format. If it is the first early-hint * according to <.arg.http.fmt> log line format. If it is the first early-hint
@ -2458,11 +2393,9 @@ static struct action_kw_list http_req_actions = {
{ "set-header", parse_http_set_header, 0 }, { "set-header", parse_http_set_header, 0 },
{ "set-map", parse_http_set_map, KWF_MATCH_PREFIX }, { "set-map", parse_http_set_map, KWF_MATCH_PREFIX },
{ "set-method", parse_set_req_line, 0 }, { "set-method", parse_set_req_line, 0 },
{ "set-mark", parse_http_set_mark, 0 },
{ "set-path", parse_set_req_line, 0 }, { "set-path", parse_set_req_line, 0 },
{ "set-pathq", parse_set_req_line, 0 }, { "set-pathq", parse_set_req_line, 0 },
{ "set-query", parse_set_req_line, 0 }, { "set-query", parse_set_req_line, 0 },
{ "set-tos", parse_http_set_tos, 0 },
{ "set-uri", parse_set_req_line, 0 }, { "set-uri", parse_set_req_line, 0 },
{ "strict-mode", parse_http_strict_mode, 0 }, { "strict-mode", parse_http_strict_mode, 0 },
{ "tarpit", parse_http_deny, 0 }, { "tarpit", parse_http_deny, 0 },
@ -2491,9 +2424,7 @@ static struct action_kw_list http_res_actions = {
{ "return", parse_http_return, 0 }, { "return", parse_http_return, 0 },
{ "set-header", parse_http_set_header, 0 }, { "set-header", parse_http_set_header, 0 },
{ "set-map", parse_http_set_map, KWF_MATCH_PREFIX }, { "set-map", parse_http_set_map, KWF_MATCH_PREFIX },
{ "set-mark", parse_http_set_mark, 0 },
{ "set-status", parse_http_set_status, 0 }, { "set-status", parse_http_set_status, 0 },
{ "set-tos", parse_http_set_tos, 0 },
{ "strict-mode", parse_http_strict_mode, 0 }, { "strict-mode", parse_http_strict_mode, 0 },
{ "track-sc", parse_http_track_sc, KWF_MATCH_PREFIX }, { "track-sc", parse_http_track_sc, KWF_MATCH_PREFIX },
{ "wait-for-body", parse_http_wait_for_body, 0 }, { "wait-for-body", parse_http_wait_for_body, 0 },

16
src/http_ana.c
View File

@ -2831,14 +2831,6 @@ static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct lis
rule_ret = HTTP_RULE_RES_ERROR; rule_ret = HTTP_RULE_RES_ERROR;
goto end; goto end;
case ACT_HTTP_SET_TOS:
conn_set_tos(objt_conn(sess->origin), rule->arg.http.i);
break;
case ACT_HTTP_SET_MARK:
conn_set_mark(objt_conn(sess->origin), rule->arg.http.i);
break;
/* other flags exists, but normally, they never be matched. */ /* other flags exists, but normally, they never be matched. */
default: default:
break; break;
@ -2958,14 +2950,6 @@ static enum rule_result http_res_get_intercept_rule(struct proxy *px, struct lis
rule_ret = HTTP_RULE_RES_DENY; rule_ret = HTTP_RULE_RES_DENY;
goto end; goto end;
case ACT_HTTP_SET_TOS:
conn_set_tos(objt_conn(sess->origin), rule->arg.http.i);
break;
case ACT_HTTP_SET_MARK:
conn_set_mark(objt_conn(sess->origin), rule->arg.http.i);
break;
case ACT_HTTP_REDIR: case ACT_HTTP_REDIR:
rule_ret = HTTP_RULE_RES_ABRT; rule_ret = HTTP_RULE_RES_ABRT;
if (!http_apply_redirect_rule(rule->arg.redir, s, txn)) if (!http_apply_redirect_rule(rule->arg.redir, s, txn))

97
src/tcp_act.c
View File

@ -236,6 +236,22 @@ static enum act_return tcp_exec_action_silent_drop(struct act_rule *rule, struct
return ACT_RET_ABRT; return ACT_RET_ABRT;
} }
static enum act_return tcp_action_set_mark(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
conn_set_mark(objt_conn(sess->origin), (uintptr_t)rule->arg.act.p[0]);
return ACT_RET_CONT;
}
static enum act_return tcp_action_set_tos(struct act_rule *rule, struct proxy *px,
struct session *sess, struct stream *s, int flags)
{
conn_set_tos(objt_conn(sess->origin), (uintptr_t)rule->arg.act.p[0]);
return ACT_RET_CONT;
}
/* parse "set-{src,dst}[-port]" action */ /* parse "set-{src,dst}[-port]" action */
static enum act_parse_ret tcp_parse_set_src_dst(const char **args, int *orig_arg, struct proxy *px, static enum act_parse_ret tcp_parse_set_src_dst(const char **args, int *orig_arg, struct proxy *px,
struct act_rule *rule, char **err) struct act_rule *rule, char **err)
@ -283,6 +299,75 @@ static enum act_parse_ret tcp_parse_set_src_dst(const char **args, int *orig_arg
} }
/* Parse a "set-mark" action. It takes the MARK value as argument. It returns
* ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret tcp_parse_set_mark(const char **args, int *cur_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
#ifdef SO_MARK
char *endp;
unsigned int mark;
if (!*args[*cur_arg]) {
memprintf(err, "expects exactly 1 argument (integer/hex value)");
return ACT_RET_PRS_ERR;
}
mark = strtoul(args[*cur_arg], &endp, 0);
if (endp && *endp != '\0') {
memprintf(err, "invalid character starting at '%s' (integer/hex value expected)", endp);
return ACT_RET_PRS_ERR;
}
(*cur_arg)++;
/* Register processing function. */
rule->action_ptr = tcp_action_set_mark;
rule->action = ACT_CUSTOM;
rule->arg.act.p[0] = (void *)(uintptr_t)mark;
global.last_checks |= LSTCHK_NETADM;
return ACT_RET_PRS_OK;
#else
memprintf(err, "not supported on this platform (SO_MARK undefined)");
return ACT_RET_PRS_ERR;
#endif
}
/* Parse a "set-tos" action. It takes the TOS value as argument. It returns
* ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
*/
static enum act_parse_ret tcp_parse_set_tos(const char **args, int *cur_arg, struct proxy *px,
struct act_rule *rule, char **err)
{
#ifdef IP_TOS
char *endp;
int tos;
if (!*args[*cur_arg]) {
memprintf(err, "expects exactly 1 argument (integer/hex value)");
return ACT_RET_PRS_ERR;
}
tos = strtol(args[*cur_arg], &endp, 0);
if (endp && *endp != '\0') {
memprintf(err, "invalid character starting at '%s' (integer/hex value expected)", endp);
return ACT_RET_PRS_ERR;
}
(*cur_arg)++;
/* Register processing function. */
rule->action_ptr = tcp_action_set_tos;
rule->action = ACT_CUSTOM;
rule->arg.act.p[0] = (void *)(uintptr_t)tos;
return ACT_RET_PRS_OK;
#else
memprintf(err, "not supported on this platform (IP_TOS undefined)");
return ACT_RET_PRS_ERR;
#endif
}
/* Parse a "silent-drop" action. It takes no argument. It returns ACT_RET_PRS_OK on /* Parse a "silent-drop" action. It takes no argument. It returns ACT_RET_PRS_OK on
* success, ACT_RET_PRS_ERR on error. * success, ACT_RET_PRS_ERR on error.
*/ */
@ -296,10 +381,12 @@ static enum act_parse_ret tcp_parse_silent_drop(const char **args, int *orig_arg
static struct action_kw_list tcp_req_conn_actions = {ILH, { static struct action_kw_list tcp_req_conn_actions = {ILH, {
{ "set-mark", tcp_parse_set_mark },
{ "set-src", tcp_parse_set_src_dst }, { "set-src", tcp_parse_set_src_dst },
{ "set-src-port", tcp_parse_set_src_dst }, { "set-src-port", tcp_parse_set_src_dst },
{ "set-dst" , tcp_parse_set_src_dst }, { "set-dst" , tcp_parse_set_src_dst },
{ "set-dst-port", tcp_parse_set_src_dst }, { "set-dst-port", tcp_parse_set_src_dst },
{ "set-tos", tcp_parse_set_tos },
{ "silent-drop", tcp_parse_silent_drop }, { "silent-drop", tcp_parse_silent_drop },
{ /* END */ } { /* END */ }
}}; }};
@ -307,10 +394,12 @@ static struct action_kw_list tcp_req_conn_actions = {ILH, {
INITCALL1(STG_REGISTER, tcp_req_conn_keywords_register, &tcp_req_conn_actions); INITCALL1(STG_REGISTER, tcp_req_conn_keywords_register, &tcp_req_conn_actions);
static struct action_kw_list tcp_req_sess_actions = {ILH, { static struct action_kw_list tcp_req_sess_actions = {ILH, {
{ "set-mark", tcp_parse_set_mark },
{ "set-src", tcp_parse_set_src_dst }, { "set-src", tcp_parse_set_src_dst },
{ "set-src-port", tcp_parse_set_src_dst }, { "set-src-port", tcp_parse_set_src_dst },
{ "set-dst" , tcp_parse_set_src_dst }, { "set-dst" , tcp_parse_set_src_dst },
{ "set-dst-port", tcp_parse_set_src_dst }, { "set-dst-port", tcp_parse_set_src_dst },
{ "set-tos", tcp_parse_set_tos },
{ "silent-drop", tcp_parse_silent_drop }, { "silent-drop", tcp_parse_silent_drop },
{ /* END */ } { /* END */ }
}}; }};
@ -318,10 +407,12 @@ static struct action_kw_list tcp_req_sess_actions = {ILH, {
INITCALL1(STG_REGISTER, tcp_req_sess_keywords_register, &tcp_req_sess_actions); INITCALL1(STG_REGISTER, tcp_req_sess_keywords_register, &tcp_req_sess_actions);
static struct action_kw_list tcp_req_cont_actions = {ILH, { static struct action_kw_list tcp_req_cont_actions = {ILH, {
{ "set-mark", tcp_parse_set_mark },
{ "set-src", tcp_parse_set_src_dst }, { "set-src", tcp_parse_set_src_dst },
{ "set-src-port", tcp_parse_set_src_dst }, { "set-src-port", tcp_parse_set_src_dst },
{ "set-dst" , tcp_parse_set_src_dst }, { "set-dst" , tcp_parse_set_src_dst },
{ "set-dst-port", tcp_parse_set_src_dst }, { "set-dst-port", tcp_parse_set_src_dst },
{ "set-tos", tcp_parse_set_tos },
{ "silent-drop", tcp_parse_silent_drop }, { "silent-drop", tcp_parse_silent_drop },
{ /* END */ } { /* END */ }
}}; }};
@ -329,6 +420,8 @@ static struct action_kw_list tcp_req_cont_actions = {ILH, {
INITCALL1(STG_REGISTER, tcp_req_cont_keywords_register, &tcp_req_cont_actions); INITCALL1(STG_REGISTER, tcp_req_cont_keywords_register, &tcp_req_cont_actions);
static struct action_kw_list tcp_res_cont_actions = {ILH, { static struct action_kw_list tcp_res_cont_actions = {ILH, {
{ "set-mark", tcp_parse_set_mark },
{ "set-tos", tcp_parse_set_tos },
{ "silent-drop", tcp_parse_silent_drop }, { "silent-drop", tcp_parse_silent_drop },
{ /* END */ } { /* END */ }
}}; }};
@ -336,17 +429,21 @@ static struct action_kw_list tcp_res_cont_actions = {ILH, {
INITCALL1(STG_REGISTER, tcp_res_cont_keywords_register, &tcp_res_cont_actions); INITCALL1(STG_REGISTER, tcp_res_cont_keywords_register, &tcp_res_cont_actions);
static struct action_kw_list http_req_actions = {ILH, { static struct action_kw_list http_req_actions = {ILH, {
{ "set-mark", tcp_parse_set_mark },
{ "silent-drop", tcp_parse_silent_drop }, { "silent-drop", tcp_parse_silent_drop },
{ "set-src", tcp_parse_set_src_dst }, { "set-src", tcp_parse_set_src_dst },
{ "set-src-port", tcp_parse_set_src_dst }, { "set-src-port", tcp_parse_set_src_dst },
{ "set-dst", tcp_parse_set_src_dst }, { "set-dst", tcp_parse_set_src_dst },
{ "set-dst-port", tcp_parse_set_src_dst }, { "set-dst-port", tcp_parse_set_src_dst },
{ "set-tos", tcp_parse_set_tos },
{ /* END */ } { /* END */ }
}}; }};
INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions); INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions);
static struct action_kw_list http_res_actions = {ILH, { static struct action_kw_list http_res_actions = {ILH, {
{ "set-mark", tcp_parse_set_mark },
{ "set-tos", tcp_parse_set_tos },
{ "silent-drop", tcp_parse_silent_drop }, { "silent-drop", tcp_parse_silent_drop },
{ /* END */ } { /* END */ }
}}; }};