[MEDIUM] frontend: check for LI_O_TCP_RULES in the listener

The new LI_O_TCP_RULES listener option indicates that some TCP rules must be checked upon accept on this listener. It is now checked by the frontend and the L4 rules are evaluated only in this case. The flag is only set when at least one tcp-req rule is present in the frontend. The L4 rules check function has now been moved to proto_tcp.c where it ought to be.
2025-11-28 22:31:06 +01:00 · 2010-05-31 10:30:33 +02:00 · 2010-05-31 10:30:33 +02:00 · a5c0ab200b
commit a5c0ab200b
parent 2281b7fd12
5 changed files with 52 additions and 35 deletions
--- a/include/proto/proto_tcp.h
+++ b/include/proto/proto_tcp.h
@ -35,6 +35,7 @@ int tcpv4_connect_server(struct stream_interface *si,
 			 struct sockaddr *srv_addr, struct sockaddr *from_addr);
 int tcp_inspect_request(struct session *s, struct buffer *req, int an_bit);
 int tcp_persist_rdp_cookie(struct session *s, struct buffer *req, int an_bit);
+int tcp_exec_req_rules(struct session *s);

 #endif /* _PROTO_PROTO_TCP_H */

--- a/include/types/protocols.h
+++ b/include/types/protocols.h
@ -72,6 +72,7 @@
 #define LI_O_FOREIGN	0x0002	/* permit listening on foreing addresses */
 #define LI_O_NOQUICKACK	0x0004	/* disable quick ack of immediate data (linux) */
 #define LI_O_DEF_ACCEPT	0x0008	/* wait up to 1 second for data before accepting */
+#define LI_O_TCP_RULES  0x0010  /* run TCP rules checks on the incoming connection */

 /* The listener will be directly referenced by the fdtab[] which holds its
 * socket. The listener provides the protocol-specific accept() function to
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@ -5356,6 +5356,9 @@ out_uri_auth_compat:
 			listener->handler = process_session;
 			listener->analysers |= curproxy->fe_req_ana;

+			if (!LIST_ISEMPTY(&curproxy->tcp_req.l4_rules))
+				listener->options |= LI_O_TCP_RULES;
+
 			/* smart accept mode is automatic in HTTP mode */
 			if ((curproxy->options2 & PR_O2_SMARTACC) ||
 			    (curproxy->mode == PR_MODE_HTTP &&
--- a/src/frontend.c
+++ b/src/frontend.c
@ -63,7 +63,6 @@ int frontend_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
 	struct session *s;
 	struct http_txn *txn;
 	struct task *t;
-	struct tcp_rule *rule;

 	if (unlikely((s = pool_alloc2(pool2_session)) == NULL)) {
 		Alert("out of memory in event_accept().\n");
@ -134,42 +133,15 @@ int frontend_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
 	proxy_inc_fe_ctr(l, p);	/* note: cum_beconn will be increased once assigned */

 	/* now evaluate the tcp-request rules */
-	list_for_each_entry(rule, &p->tcp_req.l4_rules, list) {
-		int ret = ACL_PAT_PASS;
-
-		if (rule->cond) {
-			ret = acl_exec_cond(rule->cond, p, s, &s->txn, ACL_DIR_REQ);
-			ret = acl_pass(ret);
-			if (rule->cond->pol == ACL_COND_UNLESS)
-				ret = !ret;
-		}
-
-		if (ret) {
-			/* we have a matching rule. */
-			if (rule->action == TCP_ACT_REJECT) {
-				p->counters.denied_req++;
-				if (l->counters)
-					l->counters->denied_req++;
-
-				if (!(s->flags & SN_ERR_MASK))
-					s->flags |= SN_ERR_PRXCOND;
-				if (!(s->flags & SN_FINST_MASK))
-					s->flags |= SN_FINST_R;
-
+	if ((l->options & LI_O_TCP_RULES) && !tcp_exec_req_rules(s)) {
 		task_free(t);
 		LIST_DEL(&s->list);
 		pool_free2(pool2_session, s);
-
 		/* let's do a no-linger now to close with a single RST. */
 		setsockopt(cfd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
 		return 0;
 	}

-			/* otherwise it's an accept */
-			break;
-		}
-	}
-
 	/* pre-initialize the other side's stream interface */

 	s->si[1].state = s->si[1].prev_state = SI_ST_INI;
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@ -708,6 +708,46 @@ int tcp_inspect_request(struct session *s, struct buffer *req, int an_bit)
 	return 1;
 }

+/* This function performs the TCP layer4 analysis on the current request. It
+ * returns 0 if a reject rule matches, otherwise 1 if either an accept rule
+ * matches or if no more rule matches. It can only use rules which don't need
+ * any data.
+ */
+int tcp_exec_req_rules(struct session *s)
+{
+	struct tcp_rule *rule;
+	int ret;
+
+	list_for_each_entry(rule, &s->fe->tcp_req.l4_rules, list) {
+		ret = ACL_PAT_PASS;
+
+		if (rule->cond) {
+			ret = acl_exec_cond(rule->cond, s->fe, s, NULL, ACL_DIR_REQ);
+			ret = acl_pass(ret);
+			if (rule->cond->pol == ACL_COND_UNLESS)
+				ret = !ret;
+		}
+
+		if (ret) {
+			/* we have a matching rule. */
+			if (rule->action == TCP_ACT_REJECT) {
+				s->fe->counters.denied_req++;
+				if (s->listener->counters)
+					s->listener->counters->denied_req++;
+
+				if (!(s->flags & SN_ERR_MASK))
+					s->flags |= SN_ERR_PRXCOND;
+				if (!(s->flags & SN_FINST_MASK))
+					s->flags |= SN_FINST_R;
+				return 0;
+			}
+			/* otherwise it's an accept */
+			break;
+		}
+	}
+	return 1;
+}
+
 /* This function should be called to parse a line starting with the "tcp-request"
 * keyword.
 */