RE: [PATCH 1/4] MEDIUM: server: Parse generic type-value pairs as proxy-v2-options
From fb8714c5aebd7fe957264d0f2234182f55f952fe Mon Sep 17 00:00:00 2001 From: Alexander Stephan Date: Fri, 15 Sep 2023 12:38:46 +0200 Subject: [PATCH 1/4] MEDIUM: server: Parse generic type-value pairs as proxy-v2-options This commit introduces a generic server-side parsing of type-value pair arguments and allocation of a TLV list. This allows to 1) forward any TLV type, 2) generally send out any TLV type, and 3) allows to specify concrete values via an '=' after the type and a log fmt expression. If there is no TLV found in the remote connection, an empty TLV is sent out. --- include/haproxy/server-t.h | 10 + src/server.c | 76 +++--- 2 files changed, 81 insertions(+), 5 deletions(-) diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h index 1175a470e..7b93bf48f 100644 --- a/include/haproxy/server-t.h +++ b/include/haproxy/server-t.h @@ -256,6 +256,15 @@ enum __attribute__((__packed__)) srv_ws_mode { SRV_WS_H2, }; +/* Server-side TLV list, contains the types of the TLVs that should be sent out. + * Additionally, it can contain data, if specified in the config. + */ +struct srv_pp_tlv_list { + struct list list; + struct list fmt; + unsigned char type; +}; + struct proxy; struct server { /* mostly config or admin stuff, doesn't change often */ @@ -421,6 +430,7 @@ struct server { struct list srv_rec_item; /* to attach server to a srv record item */ struct list ip_rec_item;/* to attach server to a A or record item */ struct ebpt_node host_dn; /* hostdn store for srvrq and state file matching*/ + struct list pp_tlvs;/* to send out PROXY protocol v2 TLVs */ struct task *srvrq_check; /* Task testing SRV record expiration date for this server */ struct { const char *file; /* file where the section appears */ diff --git a/src/server.c b/src/server.c index 3673340d1..08f86d030 100644 --- a/src/server.c +++ b/src/server.c @@ -1036,7 +1036,13 @@ static int srv_parse_proto(char **args, int *cur_arg, static int srv_parse_proxy_v2_options(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) { - char *p, *n; + char *p = NULL, *n = NULL, *m = NULL; + char *key = NULL, *val = NULL; + char *endp = NULL; + unsigned char idx = 0; + size_t key_length = 0, val_length = 0; + struct srv_pp_tlv_list *srv_tlv = NULL; + for (p = args[*cur_arg+1]; p; p = n) { n = strchr(p, ','); if (n) @@ -1061,13 +1067,61 @@ static int srv_parse_proxy_v2_options(char **args, int *cur_arg, newsrv->pp_opts |= SRV_PP_V2_CRC32C; } else if (strcmp(p, "unique-id") == 0) { newsrv->pp_opts |= SRV_PP_V2_UNIQUE_ID; - } else - goto fail; + } else { + /* reset val in case it was set before */ + val = NULL; + + /* try to split by '=' into generic pair key value pair (=) */ + m = strchr(p, '='); + if (m) { + key_length = m - p; + key = (char *) malloc(key_length + 1); + if (unlikely(!key)) + goto fail; + snprintf(key, key_length + 1, "%s", p); + + val_length = strlen(p) - key_length; + val = (char *) malloc(val_length + 1); + if (unlikely(!val)) + goto fail; + snprintf(val, val_length + 1, "%s", m + 1); + } + else { + key = (char *) malloc(strlen(p) + 1); + if (unlikely(!key)) + goto fail; + snprintf(key, strlen(p) + 1, "%s", p); + } + + errno = 0; + idx = strtoul(key, &endp, 0); + if (unlikely((endp && *endp) != '\0' || (key == endp) || (errno != 0))) + goto fail; + + /* processing is done in connection.c */ + srv_tlv = malloc(sizeof(struct srv_pp_tlv_list)); + if (unlikely(!srv_tlv)) + goto fail; + + srv_tlv->type = idx; + LIST_INIT(&srv_tlv->fmt); + if (val && unlikely(!parse_logformat_string(val, px, &srv_tlv->fmt, LOG_OPT_HTTP, PR_CAP_LISTEN, err))) + goto fail; + + LIST_APPEND(&newsrv->pp_tlvs, &srv_tlv->list); + free(key); + free(val); + } } return 0; - fail: +fail: + free(key); + free(val); + free(srv_tlv); + errno = 0; + if (err) - memprintf(err, "'%s' : proxy v2 option not implemented", p); + memprintf(err, "'%s' : failed to set proxy v2 option", p); return ERR_ALERT | ERR_FATAL; } @@ -2428,6 +2482,7 @@ struct server *new_server(struct proxy *proxy) LIST_APPEND(&servers_list, &srv->global_list); LIST_INIT(&srv->srv_rec_item); LIST_INIT(&srv->ip_rec_item); + LIST_INIT(&srv->pp_tlvs); MT_LIST_INIT(&srv->prev_deleted); event_hdl_sub_list_init(&s
RE: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options
From 84608ed754c1a92e85e03036e8b0cd0949721ffb Mon Sep 17 00:00:00 2001 From: Alexander Stephan mailto:alexander.step...@sap.com>> Date: Fri, 15 Sep 2023 12:42:36 +0200 Subject: [PATCH 2/4] MEDIUM: connection: Send out generically allocated proxy-v2-options This commit removes the previous limitations on the existing, fixed PPv2 TLV types that can be sent out. This is done by leveraging the previously implemented parsing. We iterate over the server TLV list and either forward or send a new TLV, depending on whether a TLV exists in the remote connection. --- doc/configuration.txt | 20 .../proxy_protocol_send_generic.vtc | 35 + src/connection.c | 51 +-- 3 files changed, 103 insertions(+), 3 deletions(-) create mode 100644 reg-tests/connection/proxy_protocol_send_generic.vtc diff --git a/doc/configuration.txt b/doc/configuration.txt index 14f6b906d..aeff9e4db 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16671,6 +16671,26 @@ proxy-v2-options [,]* generated unique ID is also used for the first HTTP request within a Keep-Alive connection. + Besides, you can specify the type of TLV numerically instead. + + Example 1: + server example 127.0.0.1:2319 send-proxy-v2 proxy-v2-options crc32c,0xEE + + The following logic applies: By default, the remote frontend connection is + searched for the value 0xEE. If found, it is simply forwarded. Otherwise, + a TLV with the ID "0xEE" and empty payload is sent out. In addition, crc32c + is also set here. + + You can also specify a key-value pair = syntax. represents the + 8 bit TLV type field in the range of 0 to 255. It can be expressed in decimal + or hexadecimal format (prefixed by "0x"). + + Example 2: + server example_server 127.0.0.1:2319 send-proxy-v2 proxy-v2-options 0xEE=%[str("foo")] + + This will always send out the value "foo". Another common use case would be to + reference a variable. + send-proxy-v2-ssl The "send-proxy-v2-ssl" parameter enforces use of the PROXY protocol version 2 over any connection established to this server. The PROXY protocol informs diff --git a/reg-tests/connection/proxy_protocol_send_generic.vtc b/reg-tests/connection/proxy_protocol_send_generic.vtc new file mode 100644 index 0..e0bd15a1b --- /dev/null +++ b/reg-tests/connection/proxy_protocol_send_generic.vtc @@ -0,0 +1,35 @@ +varnishtest "Check that generic TLV IDs are sent properly" + +#REQUIRE_VERSION=2.2 + +feature ignore_unknown_macro + +haproxy h1 -conf { +defaults +mode http +log global + +listen sender +bind "fd@${feS}" +server example ${h1_feR_addr}:${h1_feR_port} send-proxy-v2 proxy-v2-options 0xE1=%[str("foo")],0xE2 + +listen receiver +bind "fd@${feR}" accept-proxy + +# Check that the TLV value is set in the backend. +http-request set-var(txn.custom_tlv_a) fc_pp_tlv(0xE1) +http-after-response set-header proxy_custom_tlv_a %[var(txn.custom_tlv_a)] + +# Check that TLVs without an value are sent out. +http-request set-var(txn.custom_tlv_b) fc_pp_tlv(0xE2) +http-after-response set-header proxy_custom_tlv_b %[var(txn.custom_tlv_b)] + +http-request return status 200 +} -start + +client c1 -connect ${h1_feS_sock} { +txreq -url "/" +rxresp +expect resp.http.proxy_custom_tlv_a == "foo" +expect resp.http.proxy_custom_tlv_b == "" +} -run diff --git a/src/connection.c b/src/connection.c index 5f7226aae..51584b1ed 100644 --- a/src/connection.c +++ b/src/connection.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include #include @@ -548,7 +549,7 @@ struct connection *conn_new(void *target) /* Releases a connection previously allocated by conn_new() */ void conn_free(struct connection *conn) { - struct conn_tlv_list *tlv, *tlv_back = NULL; + struct conn_tlv_list *tlv = NULL, *tlv_back = NULL; if (conn_is_back(conn)) conn_backend_deinit(conn); @@ -1920,10 +1921,12 @@ static int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct int ret = 0; struct proxy_hdr_v2 *hdr = (struct proxy_hdr_v2 *)buf; struct sockaddr_storage null_addr = { .ss_family = 0 }; + struct srv_pp_tlv_list *srv_tlv = NULL; const struct sockaddr_storage *src = &null_addr; const struct sockaddr_storage *dst = &null_addr; - const char *value; - int value_len; + const char *value = ""; + int value_len = 0; + int found = 0; if (buf_len < PP2_HEADER_LEN) return 0; @@ -1993,6 +1996,48 @@ static int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct } } + if (strm) { + struct buffer *replace = NULL; + + list_for_each_entry(srv_tlv, &srv->pp_tlvs, list) { + replace = NULL; + + if (!LIST_ISEMPTY(&srv_tlv->fmt)) { + replace
RE: [PATCH 3/4] LOW: connection: Add TLV update function
From cc8fe58a8d2f8d47b03d03fd1048fe1b9babca70 Mon Sep 17 00:00:00 2001 From: Alexander Stephan mailto:alexander.step...@sap.com>> Date: Fri, 15 Sep 2023 12:18:10 +0200 Subject: [PATCH 3/4] LOW: connection: Add TLV update function Until now, it was not possible to deliberatily change received TLVs that are stored within a connection. An HAProxy backend server reads TLVs out the (remote) connection. This function allows us to update TLVs in-place before they are forwarded, given that the new and the old value map to the same pool. Besides, if a TLV does not already exist, it is created and added to the list. As TLV values often have similiar length this is more efficient than allocating a new TLV for each value. --- include/haproxy/connection.h | 73 1 file changed, 73 insertions(+) diff --git a/include/haproxy/connection.h b/include/haproxy/connection.h index fb14eed12..b775996ba 100644 --- a/include/haproxy/connection.h +++ b/include/haproxy/connection.h @@ -451,6 +451,79 @@ static inline void conn_set_tos(const struct connection *conn, int tos) #endif } +/* Adds or updates a TLV item on an existing connection. + * The connection is tested and if it is null, nothing is done. + */ +static inline int conn_set_tlv(struct connection *conn, int type, void *value, int len) +{ + struct conn_tlv_list *tlv = NULL, *tlv_back = NULL; + int reuse = 0, found = 0; + + if (!conn || !conn_ctrl_ready(conn) || len > HA_PP2_MAX_ALLOC) + return -1; + /* search whether we already have a TLV of the requested type */ + list_for_each_entry(tlv, &conn->tlv_list, list) { + if (tlv->type != type) + continue; + /* Set reuse flag according to whether both, new and old TLV, +* are in the same interval. +*/ + if (len >= 0) { + if (tlv->len <= HA_PP2_TLV_VALUE_128 && len <= HA_PP2_TLV_VALUE_128) + reuse = 1; + else if (tlv->len > HA_PP2_TLV_VALUE_128 && len > HA_PP2_TLV_VALUE_128) { + if ((tlv->len <= HA_PP2_TLV_VALUE_256 && len <= HA_PP2_TLV_VALUE_256) || + (tlv->len > HA_PP2_TLV_VALUE_256 && len > HA_PP2_TLV_VALUE_256)) + reuse = 1; + } + } + found = 1; + break; + } + if (found && reuse) { + /* We have found the TLV and it fits in the already allocated +* memory, in-place editing is enough. freeing logic stays +* identical since the length still maps to the old pool. +*/ + memcpy(tlv->value, value, len); + tlv->len = len; + return 0; + } + + if (found) { + /* first, we need to free the previous TLV item */ + list_for_each_entry_safe(tlv, tlv_back, &conn->tlv_list, list) { + if (tlv->type != type) + continue; + + LIST_DELETE(&tlv->list); + if (tlv->len > HA_PP2_TLV_VALUE_256) + free(tlv); + else if (tlv->len < HA_PP2_TLV_VALUE_128) + pool_free(pool_head_pp_tlv_128, tlv); + else + pool_free(pool_head_pp_tlv_256, tlv); + } + } + + if (len > HA_PP2_TLV_VALUE_256) + tlv = malloc(len + sizeof(struct conn_tlv_list)); + else if (len <= HA_PP2_TLV_VALUE_128) + tlv = pool_alloc(pool_head_pp_tlv_128); + else + tlv = pool_alloc(pool_head_pp_tlv_256); + + if (unlikely(!tlv)) + return -1; + + tlv->len = len; + tlv->type = type; + memcpy(tlv->value, value, len); + + LIST_APPEND(&conn->tlv_list, &tlv->list); + return 0; +} + /* Sets the netfilter mark on the connection's socket. The connection is tested * and if it is null, nothing is done. */ -- 2.35.3
RE: [PATCH 4/4] MEDIUM: tcp-act: Add new set-tlv TCP action for PPv2 TLVs
From da4dc50153fe6cc7e562b63439dd8be4846e0dcf Mon Sep 17 00:00:00 2001 From: Alexander Stephan mailto:alexander.step...@sap.com>> Date: Fri, 15 Sep 2023 12:25:03 +0200 Subject: [PATCH 4/4] MEDIUM: tcp-act: Add new set-tlv TCP action for PPv2 TLVs This commit adds an action called set-tlv() that allows to directly update the TLV data structure within a connection for all type of connection events. It can be used to modify TLVs before they are forwarded (if specified in proxy-v2-options) while keeping the previously allocated memory, if the new and the old value map to the same pool. This function can also be used to enhance readability if setting many TLVs at once, as an alternative to specifying type and value directly in the server. --- doc/configuration.txt | 25 +++- .../proxy_protocol_send_generic.vtc | 31 + src/tcp_act.c | 120 -- 3 files changed, 161 insertions(+), 15 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index aeff9e4db..a0317f005 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -7011,6 +7011,7 @@ http-request [options...] [ { if | unless } ] - set-src - set-src-port - set-timeout { server | tunnel } { | } +- set-tlv() - set-tos - set-uri - set-var([,...]) @@ -7943,6 +7944,22 @@ http-request set-timeout { server | tunnel } { | } http-request set-timeout tunnel 5s http-request set-timeout server req.hdr(host),map_int(host.lst) +http-request set-tlv() [ { if | unless } ] + + This is used to alter a PROXY protocol v2 TLV that has been sent by the client. + It can be used to efficiently alter already allocated TLVs in-place. If no TLV with + the specified TLV ID has been received yet, a new TLV with and the current + value of is added. + + The parameter represents the 8 bit TLV type field in the range 0 to 255. + It can be expressed in decimal, hexadecimal format (prefixed by "0x") or octal + (prefixed by "0"). + + Typically, it is used together with generic proxy-v2-options. + + Example: +http-request set-tlv(0xE1) str("foo") + http-request set-tos [ { if | unless } ] This is used to set the TOS or DSCP field value of packets sent to the client @@ -13502,6 +13519,7 @@ tcp-request content [{if | unless} ] - set-priority-offset - set-src - set-src-port +- set-tlv() - set-tos - set-var([,...]) - set-var-fmt([,...]) @@ -13741,6 +13759,11 @@ tcp-request content set-src-port [ { if | unless } ] specified expression. Please refer to "http-request set-src" and "http-request set-src-port" for a complete description. +tcp-request content set-tlv() [ { if | unless } ] + + This is used to alter a PROXY protocol v2 TLV that has been sent by the client. + Please refer to "http-request set-tlv" for a complete description. + tcp-request content set-tos [ { if | unless } ] This is used to set the TOS or DSCP field value of packets sent to the client @@ -16686,7 +16709,7 @@ proxy-v2-options [,]* or hexadecimal format (prefixed by "0x"). Example 2: - server example_server 127.0.0.1:2319 send-proxy-v2 proxy-v2-options 0xEE=%[str("foo")] + server example 127.0.0.1:2319 send-proxy-v2 proxy-v2-options 0xEE=%[str("foo")] This will always send out the value "foo". Another common use case would be to reference a variable. diff --git a/reg-tests/connection/proxy_protocol_send_generic.vtc b/reg-tests/connection/proxy_protocol_send_generic.vtc index e0bd15a1b..1c48964be 100644 --- a/reg-tests/connection/proxy_protocol_send_generic.vtc +++ b/reg-tests/connection/proxy_protocol_send_generic.vtc @@ -24,6 +24,33 @@ haproxy h1 -conf { http-request set-var(txn.custom_tlv_b) fc_pp_tlv(0xE2) http-after-response set-header proxy_custom_tlv_b %[var(txn.custom_tlv_b)] +http-request set-tlv(0xE3) str("bar") +http-request set-var(txn.custom_tlv_c) fc_pp_tlv(0xE3) +http-after-response set-header proxy_custom_tlv_c %[var(txn.custom_tlv_c)] + +# Check that we can alter the TLV in the connection on http-request level. +http-request set-tlv(0xE3) str("bar") +http-request set-var(txn.custom_tlv_c) fc_pp_tlv(0xE3) +http-after-response set-header proxy_custom_tlv_c %[var(txn.custom_tlv_c)] + +# Check that we can alter the TLV in the connection on tcp-content level. +tcp-request content set-tlv(0xE4) str("bar") +http-request set-var(txn.custom_tlv_d) fc_pp_tlv(0xE4) +http-after-response set-header proxy_custom_tlv_d %[var(txn.custom_tlv_d)] + +# Check that we can overwrite an existing TLV. +tcp-request content set-tlv(0xE5) str("bar") +http-request set-var(txn.custom_tlv_e) fc_pp_tlv(0xE5) +http-after-response set-header proxy_custom_tlv_e %[var(txn.custom_tlv_e)] + +# Check that we can m
RE: [PATCH 0/4] Support server-side sending and forwarding of arbitrary PPv2 TLVs
Hi Willy, Ah, what a pity. Anyway, I sent them again with you in CC. Does it look alright now? Best, Alexander -Original Message- From: Willy Tarreau Sent: Wednesday, October 4, 2023 3:21 PM To: Stephan, Alexander Cc: haproxy@formilux.org Subject: Re: [PATCH 0/4] Support server-side sending and forwarding of arbitrary PPv2 TLVs Hi Alexander, On Wed, Oct 04, 2023 at 12:56:07PM +, Stephan, Alexander wrote: > Can you find them if you search for the text that is shown in the archive? Not at all, not even in the spam logs :-( Please note that we've had a short outage from an haproxy core filling the whole FS ~10 days ago, I don't know if that could have matched, but in any case at least you should have received a delivery error. > If not, I can of course send them again. Yes please do and CC me so that I know when they're sent and can compare if I continue not to see them on the ML. Thank you! Willy
Re: [PATCH 0/4] Support server-side sending and forwarding of arbitrary PPv2 TLVs
Hi Alexander, On Thu, Oct 05, 2023 at 11:13:16AM +, Stephan, Alexander wrote: > Hi Willy, > > Ah, what a pity. Anyway, I sent them again with you in CC. Does it look > alright now? Yep, received both ways this time, thank you! Willy