Re: 'set-dst' and 'set-dst-port' tcp/http actions

2016-06-01 Thread Willy Tarreau
On Wed, Jun 01, 2016 at 12:01:45AM +0200, William Lallemand wrote:
> Hello,
> 
> Here is a set of patches implementing http/tcp set-{dst,src}[-port].
> 
> The feature can be useful to connect to an IP/port which is defined in a map.

Merged, thank you William.

I'm seeing that set-src/set-dst force the port to zero by default and
that it is what we used to have already in 1.6. I think it would have
been better to preserve the original value, in order to let src and
src-port be performed in any order, but I guess we decided on forcing
to zero in 1.6 just because there was no action to set the port :-/

Maybe that's something we can change in 1.7 if nobody objects, as it
would make it more obvious what a configuration does (though the doc
is pretty clear about it).

Willy



Re: 'set-dst' and 'set-dst-port' tcp/http actions

2016-06-01 Thread William Lallemand
On Tue, May 31, 2016 at 05:28:13PM -0700, Derek Brown wrote:
> I'll give them a try.  Are they to be applied to the latest 1.7-dev branch?
> 

That's right.

-- 
William Lallemand



Re: 'set-dst' and 'set-dst-port' tcp/http actions

2016-05-31 Thread Derek Brown
I'll give them a try.  Are they to be applied to the latest 1.7-dev branch?

On Tue, May 31, 2016 at 3:01 PM, William Lallemand wrote:

> Hello,
>
> Here is a set of patches implementing http/tcp set-{dst,src}[-port].
>
> The feature can be useful to connect to an IP/port which is defined in a
> map.
>
> Regards,
>
> --
> William Lallemand
>


'set-dst' and 'set-dst-port' tcp/http actions

2016-05-31 Thread William Lallemand
ruct session *sess, struct stream *strm, int flags)
 {
@@ -2061,7 +2087,7 @@ static int tcp_parse_tcp_req(char **args, int section_type, struct proxy *curpx,
 	return -1;
 }
 
-/* parse "set-src" action */
+/* parse "set-src" and "set-src-port" actions */
 enum act_parse_ret tcp_parse_set_src(const char **args, int *orig_arg, struct proxy *px, struct act_rule *rule, char **err)
 {
 	int cur_arg;
@@ -2091,6 +2117,8 @@ enum act_parse_ret tcp_parse_set_src(const char **args, int *orig_arg, struct pr
 
 	if (!strcmp(args[*orig_arg-1], "set-src")) {
 		rule->action_ptr = tcp_action_req_set_src;
+	} else if (!strcmp(args[*orig_arg-1], "set-src-port")) {
+		rule->action_ptr = tcp_action_req_set_src_port;
 	} else {
 		return ACT_RET_PRS_ERR;
 	}
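Review bot: In the keyword dispatch of tcp_parse_set_src, the final else returns ACT_RET_PRS_ERR without writing anything to err in the lines shown, so a keyword that reaches this parser without a matching strcmp branch would fail config parsing with no explanation. The keyword tables and this strcmp chain on args[*orig_arg-1] now have to be kept in sync by hand for "set-src" and "set-src-port"; consider filling *err with the unexpected keyword name in that branch (e.g. via memprintf), or registering one small parser per action so the table entry alone selects action_ptr.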
@@ -2493,6 +2521,7 @@ static struct srv_kw_list srv_kws = { "TCP", { }, {
 static struct action_kw_list tcp_req_conn_actions = {ILH, {
 	{ "silent-drop",  tcp_parse_silent_drop },
 	{ "set-src",  tcp_parse_set_src },
+	{ "set-src-port", tcp_parse_set_src },
 	{ /* END */ }
 }};
 
@@ -2509,6 +2538,7 @@ static struct action_kw_list tcp_res_cont_actions = {ILH, {
 static struct action_kw_list http_req_actions = {ILH, {
 	{ "silent-drop",  tcp_parse_silent_drop },
 	{ "set-src",  tcp_parse_set_src },
+	{ "set-src-port", tcp_parse_set_src },
 	{ /* END */ }
 }};
 
-- 
2.7.3

>From 3daea1db5a18aeda04f7c8205a32a44d5a0d83a3 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallem...@irq6.net>
Date: Wed, 25 May 2016 02:34:07 +0200
Subject: [PATCH 4/4] MEDIUM: tcp/http: new set-dst/set-dst-port actions

Like 'set-src' and 'set-src-port' but for destination address and port.
It's available in 'tcp-request connection' and 'http-request' actions.
---
 doc/configuration.txt | 56 +++
 src/proto_tcp.c   | 73 ++-
 2 files changed, 123 insertions(+), 6 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index d3ff223..678be44 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3860,6 +3860,34 @@ http-request { allow | deny | tarpit | auth [realm ] | redirect  |
   Be careful to use "set-src-port" after "set-src", because "set-src" sets
   the source port to 0.
 
+- set-dst  :
+  Is used to set the destination IP address to the value of specified
+  expression. Useful when a proxy in front of HAProxy rewrites destination
+  IP, but provides the correct IP in a HTTP header; or you want to mask
+  the IP for privacy. If you want to connect to the new address/port, use
+  '0.0.0.0:0' as a server address in the backend.
+
+ Is a standard HAProxy expression formed by a sample-fetch
+   followed by some converters.
+
+  Example:
+
+ http-request set-dst hdr(x-dst)
+ http-request set-dst dst,ipmask(24)
+
+- set-dst-port  :
+  Is used to set the destination port address to the value of specified
+  expression. If you want to connect to the new address/port, use
+  '0.0.0.0:0' as a server address in the backend.
+
+ Is a standard HAProxy expression formed by a sample-fetch
+   followed by some converters.
+
+  Example:
+
+ http-request set-dst-port hdr(x-port)
+ http-request set-dst-port int(4000)
+
 - "silent-drop" : this stops the evaluation of the rules and makes the
   client-facing connection suddenly disappear using a system-dependant way
   that tries to prevent the client from being notified. The effect it then
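Review bot: The http-request set-dst entry pairs the example "http-request set-dst hdr(x-dst)" with the advice to use '0.0.0.0:0' as the server address, but never says that the header must come from a trusted hop. With both in place, the value of a request header decides where HAProxy connects, so the text should tell the reader to apply the rule only when the request arrives from the trusted front proxy (an "if" condition on the source address) or to constrain the result to an allowed set, for instance through a map as the cover letter mentions. Separately, "destination port address" in the set-dst-port entry would read better as "destination port".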
@@ -8718,6 +8746,34 @@ tcp-request connection  [{if | unless} ]
   Be careful to use "set-src-port" after "set-src", because "set-src" sets
   the source port to 0.
 
+- set-dst  :
+  Is used to set the destination IP address to the value of specified
+  expression. Useful if you want to mask IP for privacy in log.
+  If you want to provide an IP from a HTTP header use "http-request
+  set-dst". If you want to connect to the new address/port, use
+  '0.0.0.0:0' as a server address in the backend.
+
+ Is a standard HAProxy expression formed by a sample-fetch
+   followed by some converters.
+
+  Example:
+
+ tcp-request connection set-dst dst,ipmask(24)
+ tcp-request connection set-dst ipv4(10.0.0.1)
+
+- set-dst-port  :
+  Is used to set the destination port address to the value of specified
+  expression. If you want to connect to the new address/port, use
+  '0.0.0.0:0' as a server address in the backend.
+
+
+ Is a standard HAProxy expression formed by a sample-fetch
+   followed by some converters.
+
+  Example:
+
+ tcp-request connection set-dst-port int(400
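Review bot: Neither destination entry added for tcp-request connection carries the ordering warning that the context lines give for the source side ('Be careful to use "set-src-port" after "set-src", because "set-src" sets the source port to 0'). The review reply in this thread states that set-dst forces the port to zero as well, so the equivalent sentence is needed for "set-dst-port" after "set-dst", here and in the http-request section. The set-dst-port entry in this hunk also has two blank "+" lines before the expression description where the other entries have one.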