8462 Commits

Author SHA1 Message Date
Willy Tarreau
515393649c MINOR: acl: add the cook_val() match to match a cookie against an integer 2012-05-08 21:28:16 +02:00
Willy Tarreau
d04b1bce69 MEDIUM: http: improve error capture reports
A number of important information were missing from the error captures, so
let's improve them. Now we also log source port, session flags, transaction
flags, message flags, pending output bytes, expected buffer wrapping position,
total bytes transferred, message chunk length, and message body length.

As such, the output format has slightly evolved and the source address moved
to the third line :

[08/May/2012:11:14:36.341] frontend echo (#1): invalid request
  backend echo (#1), server <NONE> (#-1), event #1
  src 127.0.0.1:40616, session #4, session flags 0x00000000
  HTTP msg state 26, msg flags 0x00000000, tx flags 0x00000000
  HTTP chunk len 0 bytes, HTTP body len 0 bytes
  buffer flags 0x00909002, out 0 bytes, total 28 bytes
  pending 28 bytes, wrapping at 8030, error at position 7:

  00000  GET / /?t=20000 HTTP/1.1\r\n
  00026  \r\n

[08/May/2012:11:13:13.426] backend echo (#1) : invalid response
  frontend echo (#1), server local (#1), event #0
  src 127.0.0.1:40615, session #1, session flags 0x0000044e
  HTTP msg state 32, msg flags 0x0000000e, tx flags 0x08200000
  HTTP chunk len 0 bytes, HTTP body len 20 bytes
  buffer flags 0x00008002, out 81 bytes, total 92 bytes
  pending 11 bytes, wrapping at 7949, error at position 9:

  00000  Foo: bar\r\r\n
2012-05-08 21:28:16 +02:00
Willy Tarreau
69d8c5d99e BUG/MINOR: http: ensure that msg->err_pos is always relative to buf->p
Since the beginning of buffer&msg changes, the error position (err_pos)
had not completely been converted and some offsets still appear wrong.
Now we ensure that everywhere msg->err_pos is relative to buf->p and
we always report buf->i bytes starting at buf->p in all error captures,
which ensures that err_pos is there.

This is not exactly a bug and is specific to latest changes so no backport
is needed.
2012-05-08 21:28:15 +02:00
Willy Tarreau
d6c2e8c916 BUG/MINOR: http: error snapshots are wrong if buffer wraps
Commit 81f2fb added support for wrapping buffer captures, but unfortunately
the code used to perform two memcpy() over the same destination, causing a
loss of the start of the buffer rendering some error snapshots unusable.

This bug is present in 1.4 too and must be backported.
2012-05-08 21:28:15 +02:00
Willy Tarreau
22bca61404 MEDIUM: proto_tcp: remove src6 and dst6 pattern fetch methods
These methods have been superseded by src and dst which support
multiple families. There is no point keeping them since they appeared
in a development version anyway.

For configurations using "src6", please use "src" instead. For "dst6",
use "dst" instead.
2012-05-08 21:28:15 +02:00
Willy Tarreau
bbebbbff83 REORG/MEDIUM: move the default accept function from sockstream to protocols.c
The previous sockstream_accept() function uses nothing from sockstream, and
is totally irrelevant to stream interfaces. Move this to the protocols.c
file which handles listeners and protocols, and call it listener_accept().

It now makes much more sense that the code dealing with listen() also handles
accept() and passes it to upper layers.
2012-05-08 21:28:15 +02:00
Willy Tarreau
26d8c59f0b REORG/MEDIUM: replace stream interface protocol functions by a proto pointer
The stream interface now makes use of the socket protocol pointer instead
of the direct functions.
2012-05-08 21:28:15 +02:00
Willy Tarreau
5c979a9c71 REORG/MEDIUM: stream_interface: initialize socket ops from descriptors 2012-05-08 21:28:14 +02:00
Willy Tarreau
1b79bdee26 REORG/MEDIUM: move protocol->{read,write} to sock_ops
The protocol must not set the read and write callbacks, they're specific
to the socket layer. Move them to sock_ops instead.
2012-05-08 21:28:14 +02:00
Willy Tarreau
060781fb4a REORG: stream_interface: create a struct sock_ops to hold socket operations
These operators are used regardless of the socket protocol family. Move
them to a "sock_ops" struct. ->read and ->write have been moved there too
as they have no reason to remain at the protocol level.
2012-05-08 21:28:14 +02:00
Willy Tarreau
ceb4ac9c34 MEDIUM: acl: support IPv6 address matching
Make use of the new IPv6 pattern type so that acl_match_ip() knows how to
compare pattern and sample.

IPv6 may be entered in their usual form, with or without a netmask appended.
Only bit counts are accepted for IPv6 netmasks. In order to avoid any risk of
trouble with randomly resolved IP addresses, host names are never allowed in
IPv6 patterns.

HAProxy is also able to match IPv4 addresses with IPv6 addresses in the
following situations :
  - tested address is IPv4, pattern address is IPv4, the match applies
    in IPv4 using the supplied mask if any.
  - tested address is IPv6, pattern address is IPv6, the match applies
    in IPv6 using the supplied mask if any.
  - tested address is IPv6, pattern address is IPv4, the match applies in IPv4
    using the pattern's mask if the IPv6 address matches with 2002:IPV4::,
    ::IPV4 or ::ffff:IPV4, otherwise it fails.
  - tested address is IPv4, pattern address is IPv6, the IPv4 address is first
    converted to IPv6 by prefixing ::ffff: in front of it, then the match is
    applied in IPv6 using the supplied IPv6 mask.
2012-05-08 21:28:14 +02:00
Willy Tarreau
6d20e28556 MINOR: standard: add an IPv6 parsing function (str62net)
str62net returns an address and a netmask in number of bits.
2012-05-08 20:57:21 +02:00
Willy Tarreau
c92ddbc37d MINOR: acl: add types to ACL patterns
We cannot currently match IPv6 addresses in ACL simply because we don't
support types on the patterns. Let's introduce this notion. For now, we
rely on the SMP_TYPES though it doesn't seem like it will last forever
given that some types are not present there (eg: regex, meth). Still it
should be enough to support mixed matchings for most types.

We use the special impossible value SMP_TYPES for types that don't exist
in the SMP_T_* space.
2012-05-08 20:57:21 +02:00
Willy Tarreau
cd3b094618 REORG: rename "pattern" files
They're now called "sample" everywhere to match their description.
2012-05-08 20:57:21 +02:00
Willy Tarreau
1278578487 REORG: use the name "sample" instead of "pattern" to designate extracted data
This is mainly a massive renaming in the code to get it in line with the
calling convention. Next patch will rename a few files to complete this
operation.
2012-05-08 20:57:20 +02:00
Willy Tarreau
7dcb6480db MEDIUM: acl: extend the pattern parsers to report meaningful errors
By passing the error pointer to all ACL parsers, we can make them report
useful errors and not simply fail.
2012-05-08 20:57:20 +02:00
Willy Tarreau
08ad0b38c4 MINOR: acl: report errors encountered when loading patterns from files
This happens in acl_read_patterns_from_file(). Errors are still incomplete,
parsing functions must be improved to report parsing errors.
2012-05-08 20:57:20 +02:00
Willy Tarreau
4e6336fdfd MINOR: arg: improve error reporting on invalid arguments
It's important to report the faulty argument position and to distinguish
between empty arguments and wrong ones.

Integers were not properly tested either, now their parsing has been improved
to report use of incorrect characters.
2012-05-08 20:57:20 +02:00
Willy Tarreau
b7451bb660 MEDIUM: acl: report parsing errors to the caller
All parsing errors were known but impossible to return. Now by making use
of memprintf(), we're able to build meaningful error messages that the
caller can display.
2012-05-08 20:57:20 +02:00
Willy Tarreau
28376d62cb MEDIUM: http: merge ACL and pattern cookie fetches into a single one
It's easy to merge pattern and ACL fetches of cookies. It allows us
to remove two distinct fetch functions. The new function internally
uses an occurrence number to serve both purposes, but it didn't appear
worth exposing it outside so there is no keyword argument to set it.
However one of the benefits is that the "cookie" fetch for stick tables
now automatically adapts to requests and responses, so there is no more
need for set-cookie().
2012-05-08 20:57:19 +02:00
Willy Tarreau
185b5c4a7b MEDIUM: http: merge acl and pattern header fetch functions
HTTP header fetch is now done using smp_fetch_hdr() for both ACLs and
patterns. This one also supports an occurrence number, making it possible
to specify explicit occurrences for ACLs and patterns.
2012-05-08 20:57:19 +02:00
Willy Tarreau
0d5fe144a1 MINOR: proto_tcp: validate arguments of payload and payload_lv ACLs
Now it's possible to control arguments, so let's do it.
2012-05-08 20:57:19 +02:00
Willy Tarreau
ae52f06da3 MINOR: acl: add a val_args field to keywords
This will make it possible to delegate argument validating to functions
shared with smp_fetch_*.
2012-05-08 20:57:19 +02:00
Willy Tarreau
7a777edbdf MINOR: acl: set SMP_OPT_ITERATE on fetch functions
This way, fetch functions will be able to tell if they're called for a single
request or as part of a loop. This is important for instance when we use
hdr(foo), because in an ACL this means that all hdr(foo) occurrences must
be checked while in a pattern it means only one of them (eg: last one).
2012-05-08 20:57:18 +02:00
Willy Tarreau
d6281ae046 MEDIUM: pattern: use smp_fetch_rdp_cookie instead of the pattern specific version
pattern_fetch_rdp_cookie() is useless now since it only used to add controls
on top of smp_fetch_rdp_cookie() which have now been integrated into the
pattern subsystem. Let's remove it.
2012-05-08 20:57:18 +02:00
Willy Tarreau
40aebd9239 MINOR: pattern: centralize handling of unstable data in pattern_process()
Pattern fetch functions currently check for unstable data and return 0
when SMP_F_MAY_CHANGE is set. Instead of doing this everywhere and having
to support specific fetch functions, better do that in pattern_process()
which is the one interested in having stable data.
2012-05-08 20:57:18 +02:00
Willy Tarreau
7fc1c6eefb MINOR: stick_table: centralize the handling of empty keys
Right now, it's up to each pattern fetch method to return NULL when an
empty string is returned, which is neither correct nor desirable as it
is only stick tables which need to ignore empty patterns. Let's perform
this check in stktable_fetch_key() instead.
2012-05-08 20:57:18 +02:00
Willy Tarreau
82ea800b0f CLEANUP: pattern: ensure that payload and payload_lv always stay in the buffer
A test was already performed which worked by pure luck due to integer types,
otherwise it would have been possible to start checking for an offset out of
the buffer's bounds if the buffer size was large enough to allow an integer
wrap. Let's perform explicit checks and use unsigned ints for offsets instead
of risking being hit later.
2012-05-08 20:57:18 +02:00
Willy Tarreau
0ce3aa0c66 MEDIUM: acl: implement payload and payload_lv
These ones were easy to adapt to ACL usage and may really be useful,
so let's make them available right now. It's likely that some extension
such as regex, string-to-IP and raw IP matching will be implemented in
the near future.
2012-05-08 20:57:17 +02:00
Willy Tarreau
4a12981c68 MEDIUM: acl/pattern: factor out the src/dst address fetches
Since pattern_process() is able to automatically cast returned types
into expected types, we can safely use the sample functions to fetch
addresses whatever their family. The lowest castable type must be
declared with the keyword so that config checks pass.

Right now this means that src/dst use the same fetch function for ACLs
and patterns. src6/dst6 have been kept so that configs which explicitly
rely on v6 are properly checked.
2012-05-08 20:57:17 +02:00
Willy Tarreau
12e5011a76 MEDIUM: pattern: ensure that sample types always cast into other types.
We want to ensure that a dynamically returned type will always have a
cast before calling the cast function. This is done in pattern_process()
and in stktable_fetch_key().
2012-05-08 20:57:17 +02:00
Willy Tarreau
25c1ebc0c9 MEDIUM: acl/pattern: start merging common sample fetch functions
src_port, dst_port and url_param have converged between ACLs and patterns.
This means that src_port is now available in patterns and that urlp_* has
been added to ACLs. Some code has moved to accommodate for static function
definitions, but there were little changes.
2012-05-08 20:57:17 +02:00
Willy Tarreau
32a6f2e572 MEDIUM: acl/pattern: use the same direction scheme
Patterns were using a bitmask to indicate if request or response was desired
in fetch functions and keywords. ACLs were using a bitmask in fetch keywords
and a single bit in fetch functions. ACLs were also using an ACL_PARTIAL bit
in fetch functions indicating that a non-final fetch was performed, which was
an abuse of the existing direction flag.

The change now consists in using :
  - a capabilities field for fetch keywords => SMP_CAP_REQ/RES to indicate
    if a keyword supports requests, responses, both, etc...
  - an option field for fetch functions to indicate what the caller expects
    (request/response, final/non-final)

The ACL_PARTIAL bit was reversed to get SMP_OPT_FINAL as it's more explicit
to know we're working on a final buffer than on a non-final one.

ACL_DIR_* were removed, as well as PATTERN_FETCH_*. L4 fetches were improved
to support being called on responses too since they're still available.

The <dir> field of all fetch functions was changed to <opt> which is now
unsigned.

The patch is large but mostly made of cosmetic changes to accomodate this, as
almost no logic change happened.
2012-05-08 20:57:17 +02:00
Willy Tarreau
9fb4bc7f43 MINOR: tcp: replace acl_fetch_rdp_cookie with smp_fetch_rdp_cookie
The former was only a wrapper to the second, let's remove it now that
the calling convention is exactly the same. This is the first function
to be unified between ACLs and samples.
2012-05-08 20:57:16 +02:00
Willy Tarreau
24e32d8c6b MEDIUM: acl: replace acl_expr with args in acl fetch_* functions
Having the args everywhere will make it easier to share fetch functions
between patterns and ACLs. The only place where we could have needed
the expr was in the http_prefetch function which can do well without.
2012-05-08 20:57:16 +02:00
Willy Tarreau
32389b7d04 MEDIUM: acl/pattern: switch rdp_cookie functions stack up-down
Previously, both pattern, backend and persist_rdp_cookie would build fake
ACL expressions to fetch an RDP cookie by calling acl_fetch_rdp_cookie().

Now we switch roles. The RDP cookie fetch function is provided as a sample
fetch function that all others rely on, including ACL. The code is exactly
the same, only the args handling moved from expr->args to args. The code
was moved to proto_tcp.c, but probably that a dedicated file would be more
suited to content handling.
2012-05-08 20:57:16 +02:00
Willy Tarreau
b8c8f1f611 MEDIUM: pattern: retrieve the sample type in the sample, not in the keyword description
We need the pattern fetchers and converters to correctly set the output type
so that they can be used by ACL fetchers. By using the sample type instead of
the keyword type, we also open the possibility to create some multi-type
pattern fetch methods later (eg: "src" being v4/v6). Right now the type in
the keyword is used to validate the configuration.
2012-05-08 20:57:16 +02:00
Willy Tarreau
342acb4775 MEDIUM: pattern: integrate pattern_data into sample and use sample everywhere
Now there is no more reference to union pattern_data. All pattern fetch and
conversion functions now make use of the common sample type. Note: none of
them adjust the type right now so it's important to do it next otherwise
we would risk sharing such functions with ACLs and seeing them fail.
2012-05-08 20:57:15 +02:00
Willy Tarreau
b4a88f0672 MINOR: pattern: replace struct pattern with struct sample
This change is pretty minor. Struct pattern is only used for
pattern_process() now so changing it to use the common type is
quite obvious. It's worth noting that the last argument of
pattern_process() is never used so the function is self-sufficient.

Note that pattern_process() does not initialize the pattern at all
before calling fetch->process(), and that minimal initialization
will be required when we later change the argument for the sample.
2012-05-08 20:57:15 +02:00
Willy Tarreau
21e5b0e3cb MEDIUM: get rid of SMP_F_READ_ONLY and SMP_F_MUST_FREE
These ones were either unused or improperly used. Some integers were marked
read-only, which does not make much sense. Buffers are not read-only, they're
"constant" in that they must be kept intact after any possible change.
2012-05-08 20:57:15 +02:00
Willy Tarreau
197e10aaae MEDIUM: acl: get rid of the SET_RES flags
We now simply rely on a boolean result from a fetch to declare a match.
Booleans are not compared against patterns, they fix the result.
2012-05-08 20:57:15 +02:00
Willy Tarreau
f853c46bc3 MEDIUM: pattern/acl: get rid of temp_pattern in ACLs
This one is not needed anymore as we can return the data and its type in the
sample provided by the caller. ACLs now always return the proper type. BOOL
is already returned when the result is expected to be processed as a boolean.

temp_pattern has been unexported now.
2012-05-08 20:57:14 +02:00
Willy Tarreau
3740635b88 MAJOR: acl: make use of the new sample struct and get rid of acl_test
This change is invasive in lines of code but not much in terms of
functionalities as it's mainly a replacement of struct acl_test
with struct sample.
2012-05-08 20:57:14 +02:00
Willy Tarreau
422aa0792d MEDIUM: pattern: add new sample types to replace pattern types
The new sample types are necessary for the acl-pattern convergence.
These types are boolean and signed int. Some types were renamed for
less ambiguity (ip->ipv4, integer->uint).
2012-05-08 20:57:14 +02:00
Willy Tarreau
8f7406e9b4 MEDIUM: acl: remove the ACL_TEST_F_NULL_MATCH flag
This flag was used to force a boolean match even if there was no pattern
to match. It was used only by http_auth() and designed only for this one.
It's easier and cleaner to make the fetch function perform the test and
report the boolean result as a few other functions already do. It simplifies
the acl_exec_cond() logic and will help merging ACLs and patterns.
2012-05-08 20:57:13 +02:00
Willy Tarreau
b27c0d35dd MEDIUM: pattern: report the precise argument parsing error when known.
The argument parser knows what exact error it has faced, and the pattern
parser is able to report errors, so let's make use of it. From now on, it
becomes possible to detect such things :

$ ./haproxy -db -f echo5.cfg
[ALERT] 110/160344 (4791) : parsing [echo5.cfg:38] : 'stick': invalid arg 2 in fetch method 'payload' : Missing arguments (got 1/2), type 'unsigned integer' expected.
[ALERT] 110/160344 (4791) : parsing [echo5.cfg:39] : 'stick': invalid args in fetch method 'payload' : payload length must be > 0.
[ALERT] 110/160344 (4791) : parsing [echo5.cfg:40] : 'stick': invalid arg 3 in fetch method 'payload_lv' : Failed to parse 'x' as type 'signed integer'.
[ALERT] 110/160344 (4791) : parsing [echo5.cfg:41] : 'stick': invalid arg 4 in fetch method 'payload_lv' : End of arguments expected at ',13'.
[ALERT] 110/160344 (4791) : Error(s) found in configuration file : echo5.cfg
[ALERT] 110/160344 (4791) : Fatal errors found in configuration.
2012-05-08 20:57:13 +02:00
Willy Tarreau
21d68a6895 MEDIUM: pattern: add an argument validation callback to pattern descriptors
This is used to validate that arguments are coherent. For instance,
payload_lv expects that the last arg (if any) is not more negative
than the sum of the first two. The error is reported if any.
2012-05-08 20:57:13 +02:00
Willy Tarreau
9fcb984b17 MEDIUM: pattern: use the standard arg parser
We don't need the pattern-specific args parsers anymore, make use of the
common parser instead. We still need to improve this by adding a validation
function to report abnormal argument values or combinations. We don't report
precise parsing errors yet but this was not previously done either.
2012-05-08 20:57:13 +02:00
Willy Tarreau
f995410355 MEDIUM: pattern: get rid of arg_i in all functions making use of arguments
arg_i was almost unused, and since we migrated to use struct arg everywhere,
the rare cases where arg_i was needed could be replaced by switching to
arg->type = ARGT_STOP.
2012-05-08 20:57:12 +02:00
Willy Tarreau
ecfb8e8ff9 MEDIUM: pattern: replace type pattern_arg with type arg
arg is more complete than pattern_arg since it also covers ACL args,
so let's use this one instead.
2012-05-08 20:57:12 +02:00