/* Update polling on connection <c>'s file descriptor depending on its current * state as reported in the connection's CO_FL_CURR_* flags, reports of EAGAIN * in CO_FL_WAIT_*, and the sock layer expectations indicated by CO_FL_SOCK_*. * The connection flags are updated with the new flags at the end of the * operation. Polling is totally disabled if an error was reported. */ void conn_update_sock_polling(struct connection *c) { unsigned int f = c->flags; if (!conn_ctrl_ready(c)) return; /* update read status if needed */ if (unlikely((f & (CO_FL_CURR_RD_ENA|CO_FL_SOCK_RD_ENA)) == CO_FL_SOCK_RD_ENA)) { fd_want_recv(c->t.sock.fd); f |= CO_FL_CURR_RD_ENA; } else if (unlikely((f & (CO_FL_CURR_RD_ENA|CO_FL_SOCK_RD_ENA)) == CO_FL_CURR_RD_ENA)) { fd_stop_recv(c->t.sock.fd); f &= ~CO_FL_CURR_RD_ENA; } /* update write status if needed */ if (unlikely((f & (CO_FL_CURR_WR_ENA|CO_FL_SOCK_WR_ENA)) == CO_FL_SOCK_WR_ENA)) { fd_want_send(c->t.sock.fd); f |= CO_FL_CURR_WR_ENA; } else if (unlikely((f & (CO_FL_CURR_WR_ENA|CO_FL_SOCK_WR_ENA)) == CO_FL_CURR_WR_ENA)) { fd_stop_send(c->t.sock.fd); f &= ~CO_FL_CURR_WR_ENA; } c->flags = f; }
/* Drains possibly pending incoming data on the file descriptor attached to the * connection and update the connection's flags accordingly. This is used to * know whether we need to disable lingering on close. Returns non-zero if it * is safe to close without disabling lingering, otherwise zero. The SOCK_RD_SH * flag may also be updated if the incoming shutdown was reported by the drain() * function. */ int conn_sock_drain(struct connection *conn) { if (!conn_ctrl_ready(conn)) return 1; if (conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH)) return 1; if (fdtab[conn->t.sock.fd].ev & (FD_POLL_ERR|FD_POLL_HUP)) { fdtab[conn->t.sock.fd].linger_risk = 0; } else { if (!fd_recv_ready(conn->t.sock.fd)) return 0; /* disable draining if we were called and have no drain function */ if (!conn->ctrl->drain) { __conn_data_stop_recv(conn); return 0; } if (conn->ctrl->drain(conn->t.sock.fd) <= 0) return 0; } conn->flags |= CO_FL_SOCK_RD_SH; return 1; }
/* Send as many bytes as possible from the pipe to the connection's socket. */ int raw_sock_from_pipe(struct connection *conn, struct pipe *pipe) { int ret, done; if (!conn_ctrl_ready(conn)) return 0; if (!fd_send_ready(conn->t.sock.fd)) return 0; done = 0; while (pipe->data) { ret = splice(pipe->cons, NULL, conn->t.sock.fd, NULL, pipe->data, SPLICE_F_MOVE|SPLICE_F_NONBLOCK); if (ret <= 0) { if (ret == 0 || errno == EAGAIN) { fd_cant_send(conn->t.sock.fd); break; } else if (errno == EINTR) continue; /* here we have another error */ conn->flags |= CO_FL_ERROR; break; } done += ret; pipe->data -= ret; } if (unlikely(conn->flags & CO_FL_WAIT_L4_CONN) && done) conn->flags &= ~CO_FL_WAIT_L4_CONN; return done; }
/* Callback to be used by connection I/O handlers when some activity is detected * on an idle server connection. Its main purpose is to kill the connection once * a close was detected on it. It returns 0 if it did nothing serious, or -1 if * it killed the connection. */ static int si_idle_conn_wake_cb(struct connection *conn) { struct stream_interface *si = conn->owner; if (!conn_ctrl_ready(conn)) return 0; if (conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH)) { /* warning, we can't do anything on <conn> after this call ! */ si_release_endpoint(si); return -1; } return 0; }
/* * This function propagates a null read received on a socket-based connection. * It updates the stream interface. If the stream interface has SI_FL_NOHALF, * the close is also forwarded to the write side as an abort. This function is * still socket-specific as it handles a setsockopt() call to set the SO_LINGER * state on the socket. */ void stream_sock_read0(struct stream_interface *si) { struct connection *conn = __objt_conn(si->end); si->ib->flags &= ~CF_SHUTR_NOW; if (si->ib->flags & CF_SHUTR) return; si->ib->flags |= CF_SHUTR; si->ib->rex = TICK_ETERNITY; si->flags &= ~SI_FL_WAIT_ROOM; if (si->state != SI_ST_EST && si->state != SI_ST_CON) return; if (si->ob->flags & CF_SHUTW) goto do_close; if (si->flags & SI_FL_NOHALF) { /* we want to immediately forward this close to the write side */ /* force flag on ssl to keep session in cache */ if (conn->xprt->shutw) conn->xprt->shutw(conn, 0); goto do_close; } /* otherwise that's just a normal read shutdown */ if (conn_ctrl_ready(conn)) fdtab[conn->t.sock.fd].linger_risk = 0; __conn_data_stop_recv(conn); return; do_close: /* OK we completely close the socket here just as if we went through si_shut[rw]() */ conn_full_close(conn); si->ib->flags &= ~CF_SHUTR_NOW; si->ib->flags |= CF_SHUTR; si->ib->rex = TICK_ETERNITY; si->ob->flags &= ~CF_SHUTW_NOW; si->ob->flags |= CF_SHUTW; si->ob->wex = TICK_ETERNITY; si->flags &= ~(SI_FL_WAIT_DATA | SI_FL_WAIT_ROOM); si->state = SI_ST_DIS; si->exp = TICK_ETERNITY; return; }
/* Callback to be used by connection I/O handlers when some activity is detected * on an idle server connection. Its main purpose is to kill the connection once * a close was detected on it. It returns 0 if it did nothing serious, or -1 if * it killed the connection. */ static int si_idle_conn_wake_cb(struct connection *conn) { struct stream_interface *si = conn->owner; if (!conn_ctrl_ready(conn)) return 0; if (conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH)) { /* warning, we can't do anything on <conn> after this call ! */ conn_force_close(conn); conn_free(conn); si->end = NULL; return -1; } return 0; }
/* Send a message over an established connection. It makes use of send() and * returns the same return code and errno. If the socket layer is not ready yet * then -1 is returned and ENOTSOCK is set into errno. If the fd is not marked * as ready, or if EAGAIN or ENOTCONN is returned, then we return 0. It returns * EMSGSIZE if called with a zero length message. The purpose is to simplify * some rare attempts to directly write on the socket from above the connection * (typically send_proxy). In case of EAGAIN, the fd is marked as "cant_send". * It automatically retries on EINTR. Other errors cause the connection to be * marked as in error state. It takes similar arguments as send() except the * first one which is the connection instead of the file descriptor. Note, * MSG_DONTWAIT and MSG_NOSIGNAL are forced on the flags. */ int conn_sock_send(struct connection *conn, const void *buf, int len, int flags) { int ret; ret = -1; errno = ENOTSOCK; if (conn->flags & CO_FL_SOCK_WR_SH) goto fail; if (!conn_ctrl_ready(conn)) goto fail; errno = EMSGSIZE; if (!len) goto fail; if (!fd_send_ready(conn->t.sock.fd)) goto wait; do { ret = send(conn->t.sock.fd, buf, len, flags | MSG_DONTWAIT | MSG_NOSIGNAL); } while (ret < 0 && errno == EINTR); if (ret > 0) return ret; if (ret == 0 || errno == EAGAIN || errno == ENOTCONN) { wait: fd_cant_send(conn->t.sock.fd); return 0; } fail: conn->flags |= CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH | CO_FL_ERROR; return ret; }
/* This handshake handler waits a PROXY protocol header at the beginning of the * raw data stream. The header looks like this : * * "PROXY" <SP> PROTO <SP> SRC3 <SP> DST3 <SP> SRC4 <SP> <DST4> "\r\n" * * There must be exactly one space between each field. Fields are : * - PROTO : layer 4 protocol, which must be "TCP4" or "TCP6". * - SRC3 : layer 3 (eg: IP) source address in standard text form * - DST3 : layer 3 (eg: IP) destination address in standard text form * - SRC4 : layer 4 (eg: TCP port) source address in standard text form * - DST4 : layer 4 (eg: TCP port) destination address in standard text form * * This line MUST be at the beginning of the buffer and MUST NOT wrap. * * The header line is small and in all cases smaller than the smallest normal * TCP MSS. So it MUST always be delivered as one segment, which ensures we * can safely use MSG_PEEK and avoid buffering. * * Once the data is fetched, the values are set in the connection's address * fields, and data are removed from the socket's buffer. The function returns * zero if it needs to wait for more data or if it fails, or 1 if it completed * and removed itself. */ int conn_recv_proxy(struct connection *conn, int flag) { char *line, *end; /* we might have been called just after an asynchronous shutr */ if (conn->flags & CO_FL_SOCK_RD_SH) goto fail; if (!conn_ctrl_ready(conn)) goto fail; if (!fd_recv_ready(conn->t.sock.fd)) return 0; do { trash.len = recv(conn->t.sock.fd, trash.str, trash.size, MSG_PEEK); if (trash.len < 0) { if (errno == EINTR) continue; if (errno == EAGAIN) { fd_cant_recv(conn->t.sock.fd); return 0; } goto recv_abort; } } while (0); if (!trash.len) { /* client shutdown */ conn->err_code = CO_ER_PRX_EMPTY; goto fail; } if (trash.len < 6) goto missing; line = trash.str; end = trash.str + trash.len; /* Decode a possible proxy request, fail early if it does not match */ if (strncmp(line, "PROXY ", 6) != 0) { conn->err_code = CO_ER_PRX_NOT_HDR; goto fail; } line += 6; if (trash.len < 18) /* shortest possible line */ goto missing; if (!memcmp(line, "TCP4 ", 5) != 0) { u32 src3, dst3, sport, dport; line += 5; src3 = inetaddr_host_lim_ret(line, end, &line); if (line == end) goto missing; if (*line++ != ' ') goto bad_header; dst3 = inetaddr_host_lim_ret(line, end, &line); if (line == end) goto missing; if (*line++ != ' ') goto bad_header; sport = read_uint((const char **)&line, end); if (line == end) goto missing; if (*line++ != ' ') goto bad_header; dport = read_uint((const char **)&line, end); if (line > end - 2) goto missing; if (*line++ != '\r') goto bad_header; if (*line++ != '\n') goto bad_header; /* update the session's addresses and mark them set */ ((struct sockaddr_in *)&conn->addr.from)->sin_family = AF_INET; ((struct sockaddr_in *)&conn->addr.from)->sin_addr.s_addr = htonl(src3); ((struct sockaddr_in *)&conn->addr.from)->sin_port = htons(sport); ((struct sockaddr_in *)&conn->addr.to)->sin_family = AF_INET; ((struct sockaddr_in *)&conn->addr.to)->sin_addr.s_addr = htonl(dst3); ((struct sockaddr_in *)&conn->addr.to)->sin_port = htons(dport); conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET; } else if (!memcmp(line, "TCP6 ", 5) != 0) { u32 sport, dport; char *src_s; char *dst_s, *sport_s, *dport_s; struct in6_addr src3, dst3; line += 5; src_s = line; dst_s = sport_s = dport_s = NULL; while (1) { if (line > end - 2) { goto missing; } else if (*line == '\r') { *line = 0; line++; if (*line++ != '\n') goto bad_header; break; } if (*line == ' ') { *line = 0; if (!dst_s) dst_s = line + 1; else if (!sport_s) sport_s = line + 1; else if (!dport_s) dport_s = line + 1; } line++; } if (!dst_s || !sport_s || !dport_s) goto bad_header; sport = read_uint((const char **)&sport_s,dport_s - 1); if (*sport_s != 0) goto bad_header; dport = read_uint((const char **)&dport_s,line - 2); if (*dport_s != 0) goto bad_header; if (inet_pton(AF_INET6, src_s, (void *)&src3) != 1) goto bad_header; if (inet_pton(AF_INET6, dst_s, (void *)&dst3) != 1) goto bad_header; /* update the session's addresses and mark them set */ ((struct sockaddr_in6 *)&conn->addr.from)->sin6_family = AF_INET6; memcpy(&((struct sockaddr_in6 *)&conn->addr.from)->sin6_addr, &src3, sizeof(struct in6_addr)); ((struct sockaddr_in6 *)&conn->addr.from)->sin6_port = htons(sport); ((struct sockaddr_in6 *)&conn->addr.to)->sin6_family = AF_INET6; memcpy(&((struct sockaddr_in6 *)&conn->addr.to)->sin6_addr, &dst3, sizeof(struct in6_addr)); ((struct sockaddr_in6 *)&conn->addr.to)->sin6_port = htons(dport); conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET; } else { /* The protocol does not match something known (TCP4/TCP6) */ conn->err_code = CO_ER_PRX_BAD_PROTO; goto fail; } /* remove the PROXY line from the request. For this we re-read the * exact line at once. If we don't get the exact same result, we * fail. */ trash.len = line - trash.str; do { int len2 = recv(conn->t.sock.fd, trash.str, trash.len, 0); if (len2 < 0 && errno == EINTR) continue; if (len2 != trash.len) goto recv_abort; } while (0); conn->flags &= ~flag; return 1; missing: /* Missing data. Since we're using MSG_PEEK, we can only poll again if * we have not read anything. Otherwise we need to fail because we won't * be able to poll anymore. */ conn->err_code = CO_ER_PRX_TRUNCATED; goto fail; bad_header: /* This is not a valid proxy protocol header */ conn->err_code = CO_ER_PRX_BAD_HDR; goto fail; recv_abort: conn->err_code = CO_ER_PRX_ABORT; conn->flags |= CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH; goto fail; fail: __conn_sock_stop_both(conn); conn->flags |= CO_FL_ERROR; return 0; }
/* Returns : * -1 if splice() is not supported * >= 0 to report the amount of spliced bytes. * connection flags are updated (error, read0, wait_room, wait_data). * The caller must have previously allocated the pipe. */ int raw_sock_to_pipe(struct connection *conn, struct pipe *pipe, unsigned int count) { #ifndef ASSUME_SPLICE_WORKS static int splice_detects_close; #endif int ret; int retval = 0; if (!conn_ctrl_ready(conn)) return 0; if (!fd_recv_ready(conn->t.sock.fd)) return 0; errno = 0; /* Under Linux, if FD_POLL_HUP is set, we have reached the end. * Since older splice() implementations were buggy and returned * EAGAIN on end of read, let's bypass the call to splice() now. */ if (unlikely(!(fdtab[conn->t.sock.fd].ev & FD_POLL_IN))) { /* stop here if we reached the end of data */ if ((fdtab[conn->t.sock.fd].ev & (FD_POLL_ERR|FD_POLL_HUP)) == FD_POLL_HUP) goto out_read0; /* report error on POLL_ERR before connection establishment */ if ((fdtab[conn->t.sock.fd].ev & FD_POLL_ERR) && (conn->flags & CO_FL_WAIT_L4_CONN)) { conn->flags |= CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH; errno = 0; /* let the caller do a getsockopt() if it wants it */ return retval; } } while (count) { if (count > MAX_SPLICE_AT_ONCE) count = MAX_SPLICE_AT_ONCE; ret = splice(conn->t.sock.fd, NULL, pipe->prod, NULL, count, SPLICE_F_MOVE|SPLICE_F_NONBLOCK); if (ret <= 0) { if (ret == 0) { /* connection closed. This is only detected by * recent kernels (>= 2.6.27.13). If we notice * it works, we store the info for later use. */ #ifndef ASSUME_SPLICE_WORKS splice_detects_close = 1; #endif goto out_read0; } if (errno == EAGAIN) { /* there are two reasons for EAGAIN : * - nothing in the socket buffer (standard) * - pipe is full * - the connection is closed (kernel < 2.6.27.13) * The last case is annoying but know if we can detect it * and if we can't then we rely on the call to recv() to * get a valid verdict. The difference between the first * two situations is problematic. Since we don't know if * the pipe is full, we'll stop if the pipe is not empty. * Anyway, we will almost always fill/empty the pipe. */ if (pipe->data) { /* alway stop reading until the pipe is flushed */ conn->flags |= CO_FL_WAIT_ROOM; break; } /* We don't know if the connection was closed, * but if we know splice detects close, then we * know it for sure. * But if we're called upon POLLIN with an empty * pipe and get EAGAIN, it is suspect enough to * try to fall back to the normal recv scheme * which will be able to deal with the situation. */ #ifndef ASSUME_SPLICE_WORKS if (splice_detects_close) #endif fd_cant_recv(conn->t.sock.fd); /* we know for sure that it's EAGAIN */ break; } else if (errno == ENOSYS || errno == EINVAL || errno == EBADF) { /* splice not supported on this end, disable it. * We can safely return -1 since there is no * chance that any data has been piped yet. */ return -1; } else if (errno == EINTR) { /* try again */ continue; } /* here we have another error */ conn->flags |= CO_FL_ERROR; break; } /* ret <= 0 */ retval += ret; pipe->data += ret; count -= ret; if (pipe->data >= SPLICE_FULL_HINT || ret >= global.tune.recv_enough) { /* We've read enough of it for this time, let's stop before * being asked to poll. */ conn->flags |= CO_FL_WAIT_ROOM; fd_done_recv(conn->t.sock.fd); break; } } /* while */ if (unlikely(conn->flags & CO_FL_WAIT_L4_CONN) && retval) conn->flags &= ~CO_FL_WAIT_L4_CONN; return retval; out_read0: conn_sock_read0(conn); conn->flags &= ~CO_FL_WAIT_L4_CONN; return retval; }
/* Receive up to <count> bytes from connection <conn>'s socket and store them * into buffer <buf>. Only one call to recv() is performed, unless the * buffer wraps, in which case a second call may be performed. The connection's * flags are updated with whatever special event is detected (error, read0, * empty). The caller is responsible for taking care of those events and * avoiding the call if inappropriate. The function does not call the * connection's polling update function, so the caller is responsible for this. * errno is cleared before starting so that the caller knows that if it spots an * error without errno, it's pending and can be retrieved via getsockopt(SO_ERROR). */ static int raw_sock_to_buf(struct connection *conn, struct buffer *buf, int count) { int ret, done = 0; int try; if (!conn_ctrl_ready(conn)) return 0; if (!fd_recv_ready(conn->t.sock.fd)) return 0; errno = 0; if (unlikely(!(fdtab[conn->t.sock.fd].ev & FD_POLL_IN))) { /* stop here if we reached the end of data */ if ((fdtab[conn->t.sock.fd].ev & (FD_POLL_ERR|FD_POLL_HUP)) == FD_POLL_HUP) goto read0; /* report error on POLL_ERR before connection establishment */ if ((fdtab[conn->t.sock.fd].ev & FD_POLL_ERR) && (conn->flags & CO_FL_WAIT_L4_CONN)) { conn->flags |= CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH; return done; } } /* let's realign the buffer to optimize I/O */ if (buffer_empty(buf)) buf->p = buf->data; /* read the largest possible block. For this, we perform only one call * to recv() unless the buffer wraps and we exactly fill the first hunk, * in which case we accept to do it once again. A new attempt is made on * EINTR too. */ while (count > 0) { /* first check if we have some room after p+i */ try = buf->data + buf->size - (buf->p + buf->i); /* otherwise continue between data and p-o */ if (try <= 0) { try = buf->p - (buf->data + buf->o); if (try <= 0) break; } if (try > count) try = count; ret = recv(conn->t.sock.fd, bi_end(buf), try, 0); if (ret > 0) { buf->i += ret; done += ret; if (ret < try) { /* unfortunately, on level-triggered events, POLL_HUP * is generally delivered AFTER the system buffer is * empty, so this one might never match. */ if (fdtab[conn->t.sock.fd].ev & FD_POLL_HUP) goto read0; fd_done_recv(conn->t.sock.fd); break; } count -= ret; } else if (ret == 0) { goto read0; } else if (errno == EAGAIN) { fd_cant_recv(conn->t.sock.fd); break; } else if (errno != EINTR) { conn->flags |= CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH; break; } }
/* This handshake handler waits a PROXY protocol header at the beginning of the * raw data stream. The header looks like this : * * "PROXY" <SP> PROTO <SP> SRC3 <SP> DST3 <SP> SRC4 <SP> <DST4> "\r\n" * * There must be exactly one space between each field. Fields are : * - PROTO : layer 4 protocol, which must be "TCP4" or "TCP6". * - SRC3 : layer 3 (eg: IP) source address in standard text form * - DST3 : layer 3 (eg: IP) destination address in standard text form * - SRC4 : layer 4 (eg: TCP port) source address in standard text form * - DST4 : layer 4 (eg: TCP port) destination address in standard text form * * This line MUST be at the beginning of the buffer and MUST NOT wrap. * * The header line is small and in all cases smaller than the smallest normal * TCP MSS. So it MUST always be delivered as one segment, which ensures we * can safely use MSG_PEEK and avoid buffering. * * Once the data is fetched, the values are set in the connection's address * fields, and data are removed from the socket's buffer. The function returns * zero if it needs to wait for more data or if it fails, or 1 if it completed * and removed itself. */ int conn_recv_proxy(struct connection *conn, int flag) { char *line, *end; struct proxy_hdr_v2 *hdr_v2; const char v2sig[] = PP2_SIGNATURE; /* we might have been called just after an asynchronous shutr */ if (conn->flags & CO_FL_SOCK_RD_SH) goto fail; if (!conn_ctrl_ready(conn)) goto fail; if (!fd_recv_ready(conn->t.sock.fd)) return 0; do { trash.len = recv(conn->t.sock.fd, trash.str, trash.size, MSG_PEEK); if (trash.len < 0) { if (errno == EINTR) continue; if (errno == EAGAIN) { fd_cant_recv(conn->t.sock.fd); return 0; } goto recv_abort; } } while (0); if (!trash.len) { /* client shutdown */ conn->err_code = CO_ER_PRX_EMPTY; goto fail; } if (trash.len < 6) goto missing; line = trash.str; end = trash.str + trash.len; /* Decode a possible proxy request, fail early if it does not match */ if (strncmp(line, "PROXY ", 6) != 0) goto not_v1; line += 6; if (trash.len < 9) /* shortest possible line */ goto missing; if (!memcmp(line, "TCP4 ", 5) != 0) { u32 src3, dst3, sport, dport; line += 5; src3 = inetaddr_host_lim_ret(line, end, &line); if (line == end) goto missing; if (*line++ != ' ') goto bad_header; dst3 = inetaddr_host_lim_ret(line, end, &line); if (line == end) goto missing; if (*line++ != ' ') goto bad_header; sport = read_uint((const char **)&line, end); if (line == end) goto missing; if (*line++ != ' ') goto bad_header; dport = read_uint((const char **)&line, end); if (line > end - 2) goto missing; if (*line++ != '\r') goto bad_header; if (*line++ != '\n') goto bad_header; /* update the session's addresses and mark them set */ ((struct sockaddr_in *)&conn->addr.from)->sin_family = AF_INET; ((struct sockaddr_in *)&conn->addr.from)->sin_addr.s_addr = htonl(src3); ((struct sockaddr_in *)&conn->addr.from)->sin_port = htons(sport); ((struct sockaddr_in *)&conn->addr.to)->sin_family = AF_INET; ((struct sockaddr_in *)&conn->addr.to)->sin_addr.s_addr = htonl(dst3); ((struct sockaddr_in *)&conn->addr.to)->sin_port = htons(dport); conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET; } else if (!memcmp(line, "TCP6 ", 5) != 0) { u32 sport, dport; char *src_s; char *dst_s, *sport_s, *dport_s; struct in6_addr src3, dst3; line += 5; src_s = line; dst_s = sport_s = dport_s = NULL; while (1) { if (line > end - 2) { goto missing; } else if (*line == '\r') { *line = 0; line++; if (*line++ != '\n') goto bad_header; break; } if (*line == ' ') { *line = 0; if (!dst_s) dst_s = line + 1; else if (!sport_s) sport_s = line + 1; else if (!dport_s) dport_s = line + 1; } line++; } if (!dst_s || !sport_s || !dport_s) goto bad_header; sport = read_uint((const char **)&sport_s,dport_s - 1); if (*sport_s != 0) goto bad_header; dport = read_uint((const char **)&dport_s,line - 2); if (*dport_s != 0) goto bad_header; if (inet_pton(AF_INET6, src_s, (void *)&src3) != 1) goto bad_header; if (inet_pton(AF_INET6, dst_s, (void *)&dst3) != 1) goto bad_header; /* update the session's addresses and mark them set */ ((struct sockaddr_in6 *)&conn->addr.from)->sin6_family = AF_INET6; memcpy(&((struct sockaddr_in6 *)&conn->addr.from)->sin6_addr, &src3, sizeof(struct in6_addr)); ((struct sockaddr_in6 *)&conn->addr.from)->sin6_port = htons(sport); ((struct sockaddr_in6 *)&conn->addr.to)->sin6_family = AF_INET6; memcpy(&((struct sockaddr_in6 *)&conn->addr.to)->sin6_addr, &dst3, sizeof(struct in6_addr)); ((struct sockaddr_in6 *)&conn->addr.to)->sin6_port = htons(dport); conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET; } else if (memcmp(line, "UNKNOWN\r\n", 9) == 0) { /* This can be a UNIX socket forwarded by an haproxy upstream */ line += 9; } else { /* The protocol does not match something known (TCP4/TCP6/UNKNOWN) */ conn->err_code = CO_ER_PRX_BAD_PROTO; goto fail; } trash.len = line - trash.str; goto eat_header; not_v1: /* try PPv2 */ if (trash.len < PP2_HEADER_LEN) goto missing; hdr_v2 = (struct proxy_hdr_v2 *)trash.str; if (memcmp(hdr_v2->sig, v2sig, PP2_SIGNATURE_LEN) != 0 || (hdr_v2->ver_cmd & PP2_VERSION_MASK) != PP2_VERSION) { conn->err_code = CO_ER_PRX_NOT_HDR; goto fail; } if (trash.len < PP2_HEADER_LEN + ntohs(hdr_v2->len)) goto missing; switch (hdr_v2->ver_cmd & PP2_CMD_MASK) { case 0x01: /* PROXY command */ switch (hdr_v2->fam) { case 0x11: /* TCPv4 */ if (ntohs(hdr_v2->len) < PP2_ADDR_LEN_INET) goto bad_header; ((struct sockaddr_in *)&conn->addr.from)->sin_family = AF_INET; ((struct sockaddr_in *)&conn->addr.from)->sin_addr.s_addr = hdr_v2->addr.ip4.src_addr; ((struct sockaddr_in *)&conn->addr.from)->sin_port = hdr_v2->addr.ip4.src_port; ((struct sockaddr_in *)&conn->addr.to)->sin_family = AF_INET; ((struct sockaddr_in *)&conn->addr.to)->sin_addr.s_addr = hdr_v2->addr.ip4.dst_addr; ((struct sockaddr_in *)&conn->addr.to)->sin_port = hdr_v2->addr.ip4.dst_port; conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET; break; case 0x21: /* TCPv6 */ if (ntohs(hdr_v2->len) < PP2_ADDR_LEN_INET6) goto bad_header; ((struct sockaddr_in6 *)&conn->addr.from)->sin6_family = AF_INET6; memcpy(&((struct sockaddr_in6 *)&conn->addr.from)->sin6_addr, hdr_v2->addr.ip6.src_addr, 16); ((struct sockaddr_in6 *)&conn->addr.from)->sin6_port = hdr_v2->addr.ip6.src_port; ((struct sockaddr_in6 *)&conn->addr.to)->sin6_family = AF_INET6; memcpy(&((struct sockaddr_in6 *)&conn->addr.to)->sin6_addr, hdr_v2->addr.ip6.dst_addr, 16); ((struct sockaddr_in6 *)&conn->addr.to)->sin6_port = hdr_v2->addr.ip6.dst_port; conn->flags |= CO_FL_ADDR_FROM_SET | CO_FL_ADDR_TO_SET; break; } /* unsupported protocol, keep local connection address */ break; case 0x00: /* LOCAL command */ /* keep local connection address for LOCAL */ break; default: goto bad_header; /* not a supported command */ } trash.len = PP2_HEADER_LEN + ntohs(hdr_v2->len); goto eat_header; eat_header: /* remove the PROXY line from the request. For this we re-read the * exact line at once. If we don't get the exact same result, we * fail. */ do { int len2 = recv(conn->t.sock.fd, trash.str, trash.len, 0); if (len2 < 0 && errno == EINTR) continue; if (len2 != trash.len) goto recv_abort; } while (0); conn->flags &= ~flag; return 1; missing: /* Missing data. Since we're using MSG_PEEK, we can only poll again if * we have not read anything. Otherwise we need to fail because we won't * be able to poll anymore. */ conn->err_code = CO_ER_PRX_TRUNCATED; goto fail; bad_header: /* This is not a valid proxy protocol header */ conn->err_code = CO_ER_PRX_BAD_HDR; goto fail; recv_abort: conn->err_code = CO_ER_PRX_ABORT; conn->flags |= CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH; goto fail; fail: __conn_sock_stop_both(conn); conn->flags |= CO_FL_ERROR; return 0; }
/* * This function performs a shutdown-write on a stream interface attached to * a connection in a connected or init state (it does nothing for other * states). It either shuts the write side or marks itself as closed. The * buffer flags are updated to reflect the new state. It does also close * everything if the SI was marked as being in error state. If there is a * data-layer shutdown, it is called. If a control layer is defined, then it is * supposed to be a socket layer and file descriptors are then shutdown or * closed accordingly. The function automatically disables polling if needed. * Note: at the moment, we continue to check conn->ctrl eventhough we *know* it * is valid. This will help selecting the proper shutdown() and setsockopt() * calls if/when we implement remote sockets later. */ static void stream_int_shutw_conn(struct stream_interface *si) { struct connection *conn = __objt_conn(si->end); si->ob->flags &= ~CF_SHUTW_NOW; if (si->ob->flags & CF_SHUTW) return; si->ob->flags |= CF_SHUTW; si->ob->wex = TICK_ETERNITY; si->flags &= ~SI_FL_WAIT_DATA; switch (si->state) { case SI_ST_EST: /* we have to shut before closing, otherwise some short messages * may never leave the system, especially when there are remaining * unread data in the socket input buffer, or when nolinger is set. * However, if SI_FL_NOLINGER is explicitly set, we know there is * no risk so we close both sides immediately. */ if (si->flags & SI_FL_ERR) { /* quick close, the socket is alredy shut anyway */ } else if (si->flags & SI_FL_NOLINGER) { /* unclean data-layer shutdown */ if (conn->xprt && conn->xprt->shutw) conn->xprt->shutw(conn, 0); } else { /* clean data-layer shutdown */ if (conn->xprt && conn->xprt->shutw) conn->xprt->shutw(conn, 1); /* If the stream interface is configured to disable half-open * connections, we'll skip the shutdown(), but only if the * read size is already closed. Otherwise we can't support * closed write with pending read (eg: abortonclose while * waiting for the server). */ if (!(si->flags & SI_FL_NOHALF) || !(si->ib->flags & (CF_SHUTR|CF_DONT_READ))) { /* We shutdown transport layer */ if (conn_ctrl_ready(conn)) shutdown(conn->t.sock.fd, SHUT_WR); if (!(si->ib->flags & (CF_SHUTR|CF_DONT_READ))) { /* OK just a shutw, but we want the caller * to disable polling on this FD if exists. */ if (conn->ctrl) conn_data_stop_send(conn); return; } } } /* fall through */ case SI_ST_CON: /* we may have to close a pending connection, and mark the * response buffer as shutr */ conn_full_close(conn); /* fall through */ case SI_ST_CER: case SI_ST_QUE: case SI_ST_TAR: si->state = SI_ST_DIS; /* fall through */ default: si->flags &= ~(SI_FL_WAIT_ROOM | SI_FL_NOLINGER); si->ib->flags &= ~CF_SHUTR_NOW; si->ib->flags |= CF_SHUTR; si->ib->rex = TICK_ETERNITY; si->exp = TICK_ETERNITY; } }
/* This callback is used to send a valid PROXY protocol line to a socket being * established. It returns 0 if it fails in a fatal way or needs to poll to go * further, otherwise it returns non-zero and removes itself from the connection's * flags (the bit is provided in <flag> by the caller). It is designed to be * called by the connection handler and relies on it to commit polling changes. * Note that it can emit a PROXY line by relying on the other end's address * when the connection is attached to a stream interface, or by resolving the * local address otherwise (also called a LOCAL line). */ int conn_si_send_proxy(struct connection *conn, unsigned int flag) { /* we might have been called just after an asynchronous shutw */ if (conn->flags & CO_FL_SOCK_WR_SH) goto out_error; if (!conn_ctrl_ready(conn)) goto out_error; if (!fd_send_ready(conn->t.sock.fd)) goto out_wait; /* If we have a PROXY line to send, we'll use this to validate the * connection, in which case the connection is validated only once * we've sent the whole proxy line. Otherwise we use connect(). */ while (conn->send_proxy_ofs) { int ret; /* The target server expects a PROXY line to be sent first. * If the send_proxy_ofs is negative, it corresponds to the * offset to start sending from then end of the proxy string * (which is recomputed every time since it's constant). If * it is positive, it means we have to send from the start. * We can only send a "normal" PROXY line when the connection * is attached to a stream interface. Otherwise we can only * send a LOCAL line (eg: for use with health checks). */ if (conn->data == &si_conn_cb) { struct stream_interface *si = conn->owner; struct connection *remote = objt_conn(si->ob->prod->end); ret = make_proxy_line(trash.str, trash.size, objt_server(conn->target), remote); } else { /* The target server expects a LOCAL line to be sent first. Retrieving * local or remote addresses may fail until the connection is established. */ conn_get_from_addr(conn); if (!(conn->flags & CO_FL_ADDR_FROM_SET)) goto out_wait; conn_get_to_addr(conn); if (!(conn->flags & CO_FL_ADDR_TO_SET)) goto out_wait; ret = make_proxy_line(trash.str, trash.size, objt_server(conn->target), conn); } if (!ret) goto out_error; if (conn->send_proxy_ofs > 0) conn->send_proxy_ofs = -ret; /* first call */ /* we have to send trash from (ret+sp for -sp bytes). If the * data layer has a pending write, we'll also set MSG_MORE. */ ret = send(conn->t.sock.fd, trash.str + ret + conn->send_proxy_ofs, -conn->send_proxy_ofs, (conn->flags & CO_FL_DATA_WR_ENA) ? MSG_MORE : 0); if (ret == 0) goto out_wait; if (ret < 0) { if (errno == EAGAIN || errno == ENOTCONN) goto out_wait; if (errno == EINTR) continue; conn->flags |= CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH; goto out_error; } conn->send_proxy_ofs += ret; /* becomes zero once complete */ if (conn->send_proxy_ofs != 0) goto out_wait; /* OK we've sent the whole line, we're connected */ break; } /* The connection is ready now, simply return and let the connection * handler notify upper layers if needed. */ if (conn->flags & CO_FL_WAIT_L4_CONN) conn->flags &= ~CO_FL_WAIT_L4_CONN; conn->flags &= ~flag; return 1; out_error: /* Write error on the file descriptor */ conn->flags |= CO_FL_ERROR; return 0; out_wait: __conn_sock_stop_recv(conn); fd_cant_send(conn->t.sock.fd); return 0; }