85c47b0630
- [PATCH 01/13] DOC: clearly state that the "show sess" output format - [PATCH 02/13] MINOR: stats: fix minor typo fix in - [PATCH 03/13] MEDIUM: Improve signal handling in systemd wrapper. - [PATCH 04/13] MINOR: Also accept SIGHUP/SIGTERM in systemd-wrapper - [PATCH 05/13] DOC: indicate in the doc that track-sc* can wait if - [PATCH 06/13] MEDIUM: http: enable header manipulation for 101 - [PATCH 07/13] BUG/MEDIUM: config: propagate frontend to backend - [PATCH 08/13] MEDIUM: config: properly propagate process binding - [PATCH 09/13] MEDIUM: config: make the frontends automatically bind - [PATCH 10/13] MEDIUM: config: compute the exact bind-process before - [PATCH 11/13] MEDIUM: config: only warn if stats are attached to - [PATCH 12/13] MEDIUM: config: report it when tcp-request rules are - [PATCH 13/13] MINOR: config: detect the case where a tcp-request Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
110 lines
4.4 KiB
Diff
110 lines
4.4 KiB
Diff
From 8b3c808c37dd5672f87e7b61085295e1316a6694 Mon Sep 17 00:00:00 2001
|
|
From: Willy Tarreau <w@1wt.eu>
|
|
Date: Tue, 16 Sep 2014 15:39:51 +0200
|
|
Subject: [PATCH 12/13] MEDIUM: config: report it when tcp-request rules are
|
|
misplaced
|
|
|
|
A config where a tcp-request rule appears after an http-request rule
|
|
might seem valid but it is not. So let's report a warning about this
|
|
since this case is hard to detect by the naked eye.
|
|
(cherry picked from commit 3986b9c14037f446f5f5bec6207a39e1bd753fae)
|
|
---
|
|
include/common/cfgparse.h | 2 ++
|
|
src/cfgparse.c | 38 ++++++++++++++++++++++++++++++++++++++
|
|
src/proto_tcp.c | 4 ++++
|
|
3 files changed, 44 insertions(+)
|
|
|
|
diff --git a/include/common/cfgparse.h b/include/common/cfgparse.h
|
|
index 80310ae..86a0035 100644
|
|
--- a/include/common/cfgparse.h
|
|
+++ b/include/common/cfgparse.h
|
|
@@ -73,6 +73,8 @@ int check_config_validity();
|
|
int str2listener(char *str, struct proxy *curproxy, struct bind_conf *bind_conf, const char *file, int line, char **err);
|
|
int cfg_register_section(char *section_name,
|
|
int (*section_parser)(const char *, int, char **, int));
|
|
+int warnif_misplaced_tcp_conn(struct proxy *proxy, const char *file, int line, const char *arg);
|
|
+int warnif_misplaced_tcp_cont(struct proxy *proxy, const char *file, int line, const char *arg);
|
|
|
|
/*
|
|
* Sends a warning if proxy <proxy> does not have at least one of the
|
|
diff --git a/src/cfgparse.c b/src/cfgparse.c
|
|
index 5668393..9ff44e9 100644
|
|
--- a/src/cfgparse.c
|
|
+++ b/src/cfgparse.c
|
|
@@ -317,6 +317,19 @@ int str2listener(char *str, struct proxy *curproxy, struct bind_conf *bind_conf,
|
|
return 0;
|
|
}
|
|
|
|
+/* Report a warning if a rule is placed after a 'tcp-request content' rule.
|
|
+ * Return 1 if the warning has been emitted, otherwise 0.
|
|
+ */
|
|
+int warnif_rule_after_tcp_cont(struct proxy *proxy, const char *file, int line, const char *arg)
|
|
+{
|
|
+ if (!LIST_ISEMPTY(&proxy->tcp_req.inspect_rules)) {
|
|
+ Warning("parsing [%s:%d] : a '%s' rule placed after a 'tcp-request content' rule will still be processed before.\n",
|
|
+ file, line, arg);
|
|
+ return 1;
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
/* Report a warning if a rule is placed after a 'block' rule.
|
|
* Return 1 if the warning has been emitted, otherwise 0.
|
|
*/
|
|
@@ -408,6 +421,31 @@ int warnif_rule_after_use_server(struct proxy *proxy, const char *file, int line
|
|
return 0;
|
|
}
|
|
|
|
+/* report a warning if a "tcp request connection" rule is dangerously placed */
|
|
+int warnif_misplaced_tcp_conn(struct proxy *proxy, const char *file, int line, const char *arg)
|
|
+{
|
|
+ return warnif_rule_after_tcp_cont(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_block(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_http_req(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_reqxxx(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_reqadd(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_redirect(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_use_backend(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_use_server(proxy, file, line, arg);
|
|
+}
|
|
+
|
|
+/* report a warning if a "tcp request content" rule is dangerously placed */
|
|
+int warnif_misplaced_tcp_cont(struct proxy *proxy, const char *file, int line, const char *arg)
|
|
+{
|
|
+ return warnif_rule_after_block(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_http_req(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_reqxxx(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_reqadd(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_redirect(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_use_backend(proxy, file, line, arg) ||
|
|
+ warnif_rule_after_use_server(proxy, file, line, arg);
|
|
+}
|
|
+
|
|
/* report a warning if a block rule is dangerously placed */
|
|
int warnif_misplaced_block(struct proxy *proxy, const char *file, int line, const char *arg)
|
|
{
|
|
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
|
|
index 72dc92b..940c3f1 100644
|
|
--- a/src/proto_tcp.c
|
|
+++ b/src/proto_tcp.c
|
|
@@ -1711,6 +1711,8 @@ static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
|
|
warn++;
|
|
}
|
|
|
|
+ /* the following function directly emits the warning */
|
|
+ warnif_misplaced_tcp_cont(curpx, file, line, args[0]);
|
|
LIST_ADDQ(&curpx->tcp_req.inspect_rules, &rule->list);
|
|
}
|
|
else if (strcmp(args[1], "connection") == 0) {
|
|
@@ -1754,6 +1756,8 @@ static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
|
|
warn++;
|
|
}
|
|
|
|
+ /* the following function directly emits the warning */
|
|
+ warnif_misplaced_tcp_conn(curpx, file, line, args[0]);
|
|
LIST_ADDQ(&curpx->tcp_req.l4_rules, &rule->list);
|
|
}
|
|
else {
|
|
--
|
|
1.8.5.5
|
|
|