MINOR: rhttp: mark reverse HTTP as experimental

Mark the reverse HTTP feature as experimental. This will allow adjusting
the configuration mechanism, if needed, with future developments without
maintaining retro-compatibility.

Concretely, each config directive linked to it now requires specifying
global expose-experimental-directives first. This is the case for
the following directives:
- rhttp@ prefix used in bind and server lines
- nbconn bind keyword
- attach-srv tcp rule

Each documentation section referring to these keywords is updated to
highlight this new requirement.

Note that this commit has duplicated in several places the code from the
global function check_kw_experimental(). This is because the latter only
works with the cfg_keyword type. It is not adapted to the bind_kw or
action_kw types. This should be improved in a future patch.
Amaury Denoyelle 2023-11-30 14:28:47 +01:00
parent e8b101fe17
commit 86e5c607d1
7 changed files with 59 additions and 9 deletions


@ -5085,11 +5085,14 @@ bind /<path> [, ...] [param*]
- 'quic6@' -> address is resolved as IPv6 and protocol UDP
is used. The performance note for QUIC over IPv4 applies
as well.
- 'rhttp@' -> used for reverse HTTP. Address must be a
server with the format '<backend>/<server>'. The server
will be used to instantiate connections to a remote
address. The listener will try to maintain "nbconn"
connections.
- 'rhttp@' [ EXPERIMENTAL ] -> used for reverse HTTP.
Address must be a server with the format
'<backend>/<server>'. The server will be used to
instantiate connections to a remote address. The listener
will try to maintain "nbconn" connections. This is an
experimental features which requires
"expose-experimental-directives" on a line before this
bind.
You may want to reference some environment variables in the
address parameter, see section 2.3 about environment
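
Review bot: the added sentence in the 'rhttp@' bind entry reads "This is an experimental features which requires"; it should be "an experimental feature". The same sentence is copied into the server entry, so fix both together.
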
@ -9980,8 +9983,11 @@ server <name> <address>[:[port]] [param*]
one of them over the FD. The bind part will use the
received socket as the client FD. Should be used
carefully.
- 'rhttp@' -> custom address family for a passive server in
HTTP reverse context.
- 'rhttp@' [ EXPERIMENTAL ] -> custom address family for a
passive server in HTTP reverse context. This is an
experimental features which requires
"expose-experimental-directives" on a line before this
server.
You may want to reference some environment variables in the
address parameter, see section 2.3 about environment
variables. The "init-addr" setting can be used to modify the way
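
Review bot: "on a line before this server" in the 'rhttp@' server entry does not say where "expose-experimental-directives" belongs. The commit message and the test configurations in this commit place it in the global section, so the text should say that it is a global keyword which must be parsed before the server line. The "experimental features" typo from the bind entry is repeated here as well.
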
@ -12904,7 +12910,7 @@ allow
above.
attach-srv <srv> [name <expr>]
attach-srv <srv> [name <expr>] [ EXPERIMENTAL ]
Usable in: TCP RqCon| RqSes| RqCnt| RsCnt| HTTP Req| Res| Aft
- | X | - | - | - | - | -
@ -12922,6 +12928,10 @@ attach-srv <srv> [name <expr>]
This rule is only valid for frontend in HTTP mode. Also all listeners must
not require a protocol different from HTTP/2.
Reverse HTTP is currently still in active development. Configuration
mechanism may change in the future. For this reason it is internally marked
as experimental, meaning that "expose-experimental-directives" must appear on
a line before this directive.
auth [realm <realm>]
Usable in: TCP RqCon| RqSes| RqCnt| RsCnt| HTTP Req| Res| Aft
@ -14750,11 +14760,16 @@ namespace <name>
a namespace different from the default one. Please refer to your operating
system's documentation to find more details about network namespaces.
nbconn <nbconn>
nbconn <nbconn> [ EXPERIMENTAL ]
This setting is only valid for listener instances which uses reverse HTTP.
This will define the count of connections which will be mounted in parallel.
If not specified, a default value of 1 is used.
Reverse HTTP is currently still in active development. Configuration
mechanism may change in the future. For this reason it is internally marked
as expirmental, meaning that "expose-experimental-directives" must appear on
a line before this directive.
nice <nice>
Sets the 'niceness' of connections initiated from the socket. Value must be
in the range -1024..1024 inclusive, and defaults to zero. Positive values
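
Review bot: the paragraph added under nbconn spells the word "expirmental" ("as expirmental, meaning that"), while the otherwise identical paragraph under attach-srv has "experimental". Since the two paragraphs are verbatim copies apart from this typo, fix the spelling here and keep the two in sync.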


@ -9,6 +9,9 @@ server s1 {
} -start
haproxy h_edge -conf {
global
expose-experimental-directives
defaults
log global
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
@ -29,6 +32,9 @@ frontend priv
} -start
haproxy h_dev -conf {
global
expose-experimental-directives
defaults
log global
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"


@ -6,6 +6,9 @@ feature ignore_unknown_macro
barrier b1 cond 2
haproxy h_edge -conf {
global
expose-experimental-directives
defaults
log global
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"


@ -7,6 +7,9 @@ feature ignore_unknown_macro
barrier b1 cond 2
haproxy h_edge -conf {
global
expose-experimental-directives
defaults
log global
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
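
Review bot: these test configurations only gain "expose-experimental-directives" in their global sections, so nothing in the test changes exercises the new rejection path. A case that declares an rhttp@ address, an nbconn keyword or an attach-srv rule without the global directive, and expects the configuration to be refused, would cover the check this commit introduces.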


@ -2259,6 +2259,14 @@ static int bind_parse_nbconn(char **args, int cur_arg, struct proxy *px, struct
int val;
const struct listener *l;
/* TODO duplicated code from check_kw_experimental() */
if (!experimental_directives_allowed) {
memprintf(err, "'%s' is experimental, must be allowed via a global 'expose-experimental-directives'",
args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
l = LIST_NEXT(&conf->listeners, struct listener *, by_bind);
if (l->rx.addr.ss_family != AF_CUST_RHTTP_SRV) {
memprintf(err, "'%s' : only valid for reverse HTTP listeners.", args[cur_arg]);
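
Review bot: the check added at the top of bind_parse_nbconn() is one of three hand-copied versions of check_kw_experimental() in this patch, and the copies already differ in message text (here "'%s' is experimental", elsewhere "parsing [%s:%d] : '%s' action is experimental" and "Address '%s' is experimental") and in how they report failure. Until the TODO is resolved, a small helper that takes the keyword name and the err pointer, tests experimental_directives_allowed and calls mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED) would keep the gate and its wording consistent across the three call sites.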


@ -468,6 +468,14 @@ static enum act_parse_ret tcp_parse_attach_srv(const char **args, int *cur_arg,
char *srvname;
struct sample_expr *expr;
/* TODO duplicated code from check_kw_experimental() */
if (!experimental_directives_allowed) {
memprintf(err, "parsing [%s:%d] : '%s' action is experimental, must be allowed via a global 'expose-experimental-directives'",
px->conf.args.file, px->conf.args.line, args[2]);
return ACT_RET_PRS_ERR;
}
mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
rule->action = ACT_CUSTOM;
rule->action_ptr = tcp_action_attach_srv;
rule->release_ptr = release_attach_srv_action;
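
Review bot: the error message in tcp_parse_attach_srv() names the action through a hard-coded args[2] although the parser receives its position through cur_arg, so the reported keyword is only right when the action sits at index 2 of the rule line. Derive the index from *cur_arg or use the literal "attach-srv". The "parsing [%s:%d] :" prefix is also worth checking against what the caller already prints, since the other two copies of this check do not add one.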


@ -1104,6 +1104,13 @@ struct sockaddr_storage *str2sa_range(const char *str, int *port, int *low, int
ss.ss_family = AF_CUST_SOCKPAIR;
}
else if (strncmp(str2, "rhttp@", 3) == 0) {
/* TODO duplicated code from check_kw_experimental() */
if (!experimental_directives_allowed) {
memprintf(err, "Address '%s' is experimental, must be allowed via a global 'expose-experimental-directives'", str2);
goto out;
}
mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
str2 += 4;
ss.ss_family = AF_CUST_RHTTP_SRV;
}
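
Review bot: the experimental gate added in this branch inherits the loose prefix test on the line that opens it: strncmp(str2, "rhttp@", 3) compares only the first three characters, so any address beginning with "rht" enters the branch and is either rejected as experimental or taints the configuration, and str2 += 4 then skips four characters although the "rhttp@" literal is six long. Compare the full prefix and advance by the same length, for example sizeof("rhttp@") - 1 for both, so the gate and the taint apply only to real rhttp@ addresses.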