delta/haproxy.git/include/haproxy/action-t.h, branch master github.com: haproxy/haproxy.git MINOR: stick-table: implement the sc-add-gpc() action 2023-01-07T08:11:22+00:00 Willy Tarreau w@1wt.eu 2023-01-02T17:15:20+00:00 5a72d03a58120fb5378e423dc8f97d32b28d7cdf This action increments the General Purpose Counter at the index <idx> of the array associated to the sticky counter designated by <sc-id> by the value of either integer <int> or the integer evaluation of expression <expr>. Integers and expressions are limited to unsigned 32-bit values. If an error occurs, this action silently fails and the actions evaluation continues. <idx> is an integer between 0 and 99 and <sc-id> is an integer between 0 and 2. It also silently fails if the there is no GPC stored at this index. The entry in the table is refreshed even if the value is zero. The 'gpc_rate' is automatically adjusted to reflect the average growth rate of the gpc value. The main use of this action is to count scores or total volumes (e.g. estimated danger per source IP reported by the server or a WAF, total uploaded bytes, etc). 
This action increments the General Purpose Counter at the index <idx> of
the array associated to the sticky counter designated by <sc-id> by the
value of either integer <int> or the integer evaluation of expression
<expr>. Integers and expressions are limited to unsigned 32-bit values.
If an error occurs, this action silently fails and the actions evaluation
continues. <idx> is an integer between 0 and 99 and <sc-id> is an integer
between 0 and 2. It also silently fails if the there is no GPC stored at
this index. The entry in the table is refreshed even if the value is zero.
The 'gpc_rate' is automatically adjusted to reflect the average growth
rate of the gpc value.

The main use of this action is to count scores or total volumes (e.g.
estimated danger per source IP reported by the server or a WAF, total
uploaded bytes, etc).
MINOR: vars: Parse optional conditions passed to the set-var actions 2021-12-16T16:31:57+00:00 Remi Tricot-Le Breton rlebreton@haproxy.com 2021-12-16T16:14:38+00:00 bb6bc95b1eb22b7239d4d75016fda8210bd5d492 This patch adds the parsing of the optional condition parameters that can be passed to the set-var and set-var-fmt actions (http as well as tcp). Those conditions will not be taken into account yet in the var_set function so conditions passed as parameters will not have any effect. Since actions do not benefit from the parameter preparsing that converters have, parsing conditions needed to be done by hand. 
This patch adds the parsing of the optional condition parameters that
can be passed to the set-var and set-var-fmt actions (http as well as
tcp). Those conditions will not be taken into account yet in the var_set
function so conditions passed as parameters will not have any effect.
Since actions do not benefit from the parameter preparsing that
converters have, parsing conditions needed to be done by hand.
MINOR: rules: add a file name and line number to act_rules 2021-10-12T05:38:30+00:00 Willy Tarreau w@1wt.eu 2021-10-11T07:13:07+00:00 c9e48685101f9d4db03a43a976154ffa2c2df666 These ones are passed on rule creation for the sole purpose of being reported in "show sess", which is not done yet. For now the entries are allocated upon rule creation and freed in free_act_rules(). 
These ones are passed on rule creation for the sole purpose of being
reported in "show sess", which is not done yet. For now the entries
are allocated upon rule creation and freed in free_act_rules().
BUILD: action: add the relevant structures for function arguments 2021-10-06T23:36:51+00:00 Willy Tarreau w@1wt.eu 2021-10-06T07:09:01+00:00 b70596df0a4e4f614d16e29e990974f51ba63e77 Some structures are inherited via intermediary includes (e.g. dns_counters comes from a long path). Let's define the missing ones and includes vars-t that is needed in the structure. 
Some structures are inherited via intermediary includes (e.g. dns_counters
comes from a long path). Let's define the missing ones and includes vars-t
that is needed in the structure.
MEDIUM: vars: replace the global name index with a hash 2021-09-08T13:06:11+00:00 Willy Tarreau w@1wt.eu 2021-08-31T06:51:02+00:00 3a4bedccc6023aa7ef155e6f9823aef4efeced71 The global table of known variables names can only grow and was designed for static names that are registered at boot. Nowadays it's possible to set dynamic variable names from Lua or from the CLI, which causes a real problem that was partially addressed in 2.2 with commit 4e172c93f ("MEDIUM: lua: Add `ifexist` parameter to `set_var`"). Please see github issue #624 for more context. This patch simplifies all this by removing the need for a central registry of known names, and storing 64-bit hashes instead. This is highly sufficient given the low number of variables in each context. The hash is calculated using XXH64() which is bijective over the 64-bit space thus is guaranteed collision-free for 1..8 chars. Above that the risk remains around 1/2^64 per extra 8 chars so in practice this is highly sufficient for our usage. A random seed is used at boot to seed the hash so that it's not attackable from Lua for example. There's one particular nit though. The "ifexist" hack mentioned above is now limited to variables of scope "proc" only, and will only match variables that were already created or declared, but will now verify the scope as well. This may affect some bogus Lua scripts and SPOE agents which used to accidentally work because a similarly named variable used to exist in a different scope. These ones may need to be fixed to comply with the doc. Now we can sum up the situation as this one: - ephemeral variables (scopes sess, txn, req, res) will always be usable, regardless of any prior declaration. This effectively addresses the most problematic change from the commit above that in order to work well could have required some script auditing ; - process-wide variables (scope proc) that are mentioned in the configuration, referenced in a "register-var-names" SPOE directive, or created via "set-var" in the global section or the CLI, are permanent and will always accept to be set, with or without the "ifexist" restriction (SPOE uses this internally as well). - process-wide variables (scope proc) that are only created via a set-var() tcp/http action, via Lua's set_var() calls, or via an SPOE with the "force-set-var" directive), will not be permanent but will always accept to be replaced once they are created, even if "ifexist" is present - process-wide variables (scope proc) that do not exist will only support being created via the set-var() tcp/http action, Lua's set_var() calls without "ifexist", or an SPOE declared with "force-set-var". This means that non-proc variables do not care about "ifexist" nor prior declaration, and that using "ifexist" should most often be reliable in Lua and that SPOE should most often work without any prior declaration. It may be doable to turn "ifexist" to 1 by default in Lua to further ease the transition. Note: regtests were adjusted. Cc: Tim Düsterhus <tim@bastelstu.be> 
The global table of known variables names can only grow and was designed
for static names that are registered at boot. Nowadays it's possible to
set dynamic variable names from Lua or from the CLI, which causes a real
problem that was partially addressed in 2.2 with commit 4e172c93f
("MEDIUM: lua: Add `ifexist` parameter to `set_var`"). Please see github
issue #624 for more context.

This patch simplifies all this by removing the need for a central
registry of known names, and storing 64-bit hashes instead. This is
highly sufficient given the low number of variables in each context.
The hash is calculated using XXH64() which is bijective over the 64-bit
space thus is guaranteed collision-free for 1..8 chars. Above that the
risk remains around 1/2^64 per extra 8 chars so in practice this is
highly sufficient for our usage. A random seed is used at boot to seed
the hash so that it's not attackable from Lua for example.

There's one particular nit though. The "ifexist" hack mentioned above
is now limited to variables of scope "proc" only, and will only match
variables that were already created or declared, but will now verify
the scope as well. This may affect some bogus Lua scripts and SPOE
agents which used to accidentally work because a similarly named
variable used to exist in a different scope. These ones may need to be
fixed to comply with the doc.

Now we can sum up the situation as this one:
  - ephemeral variables (scopes sess, txn, req, res) will always be
    usable, regardless of any prior declaration. This effectively
    addresses the most problematic change from the commit above that
    in order to work well could have required some script auditing ;

  - process-wide variables (scope proc) that are mentioned in the
    configuration, referenced in a "register-var-names" SPOE directive,
    or created via "set-var" in the global section or the CLI, are
    permanent and will always accept to be set, with or without the
    "ifexist" restriction (SPOE uses this internally as well).

  - process-wide variables (scope proc) that are only created via a
    set-var() tcp/http action, via Lua's set_var() calls, or via an
    SPOE with the "force-set-var" directive), will not be permanent
    but will always accept to be replaced once they are created, even
    if "ifexist" is present

  - process-wide variables (scope proc) that do not exist will only
    support being created via the set-var() tcp/http action, Lua's
    set_var() calls without "ifexist", or an SPOE declared with
    "force-set-var".

This means that non-proc variables do not care about "ifexist" nor
prior declaration, and that using "ifexist" should most often be
reliable in Lua and that SPOE should most often work without any
prior declaration. It may be doable to turn "ifexist" to 1 by default
in Lua to further ease the transition. Note: regtests were adjusted.

Cc: Tim Düsterhus <tim@bastelstu.be>
MEDIUM: vars: add a new "set-var-fmt" action 2021-09-02T19:22:22+00:00 Willy Tarreau w@1wt.eu 2021-09-02T19:00:38+00:00 9a621ae76dfbe94b44e1026752bf3cc77a903966 The set-var() action is convenient because it preserves the input type but it's a pain to deal with when trying to concatenate values. The most recurring example is when it's needed to build a variable composed of the source address and the source port. Usually it ends up like this: tcp-request session set-var(sess.port) src_port tcp-request session set-var(sess.addr) src,concat(":",sess.port) This is even worse when trying to aggregate multiple fields from stick-table data for example. Due to this a lot of users instead abuse headers from HTTP rules: http-request set-header(x-addr) %[src]:%[src_port] But this requires some careful cleanups to make sure they won't leak, and it's significantly more expensive to deal with. And generally speaking it's not clean. Plus it must be performed for each and every request, which is expensive for this common case of ip+port that doesn't change for the whole session. This patch addresses this limitation by implementing a new "set-var-fmt" action which performs the same work as "set-var" but takes a format string in argument instead of an expression. This way it becomes pretty simple to just write: tcp-request session set-var-fmt(sess.addr) %[src]:%[src_port] It is usable in all rulesets that already support the "set-var" action. It is not yet implemented for the global "set-var" directive (which already takes a string) and the CLI's "set var" command, which would definitely benefit from it but currently uses its own parser and engine, thus it must be reworked. The doc and regtests were updated. 
The set-var() action is convenient because it preserves the input type
but it's a pain to deal with when trying to concatenate values. The
most recurring example is when it's needed to build a variable composed
of the source address and the source port. Usually it ends up like this:

    tcp-request session set-var(sess.port) src_port
    tcp-request session set-var(sess.addr) src,concat(":",sess.port)

This is even worse when trying to aggregate multiple fields from stick-table
data for example. Due to this a lot of users instead abuse headers from HTTP
rules:

    http-request set-header(x-addr) %[src]:%[src_port]

But this requires some careful cleanups to make sure they won't leak, and
it's significantly more expensive to deal with. And generally speaking it's
not clean. Plus it must be performed for each and every request, which is
expensive for this common case of ip+port that doesn't change for the whole
session.

This patch addresses this limitation by implementing a new "set-var-fmt"
action which performs the same work as "set-var" but takes a format string
in argument instead of an expression. This way it becomes pretty simple to
just write:

    tcp-request session set-var-fmt(sess.addr) %[src]:%[src_port]

It is usable in all rulesets that already support the "set-var" action.
It is not yet implemented for the global "set-var" directive (which already
takes a string) and the CLI's "set var" command, which would definitely
benefit from it but currently uses its own parser and engine, thus it
must be reworked.

The doc and regtests were updated.
MEDIUM: stick-table: add the new arrays of gpc and gpc_rate 2021-07-06T05:24:42+00:00 Emeric Brun ebrun@haproxy.com 2021-06-30T17:04:16+00:00 4d7ada8f9e6253bbe0ae0ef06fc70c3de51066e0 This patch adds the definition of two new array data_types: 'gpc': This is an array of 32bits General Purpose Counters. 'gpc_rate': This is an array on increment rates of General Purpose Counters. Like for all arrays, they are limited to 100 elements. This patch also adds actions and fetches to handle elements of those arrays. Note: As documented, those new actions and fetches won't apply to the legacy 'gpc0', 'gpc1', 'gpc0_rate' nor 'gpc1_rate'. 
This patch adds the definition of two new array data_types:
'gpc': This is an array of 32bits General Purpose Counters.
'gpc_rate': This is an array on increment rates of General Purpose Counters.

Like for all arrays, they are limited to 100 elements.

This patch also adds actions and fetches to handle
elements of those arrays.

Note: As documented, those new actions and fetches won't
apply to the legacy 'gpc0', 'gpc1', 'gpc0_rate' nor 'gpc1_rate'.
MEDIUM: stick-table: add the new array of gpt data_type 2021-07-06T05:24:42+00:00 Emeric Brun ebrun@haproxy.com 2021-06-30T16:57:49+00:00 877b0b5a7b90f87d8801570e0560d33cab089af3 This patch adds the definition of a new array data_type 'gpt'. This is an array of 32bits General Purpose Tags. Like for all arrays, it is limited to 100 elements. This patch also adds actions and fetches to handle elements of this array. Note: As documented, those new actions and fetches won't apply to the legacy 'gpt0' data type. 
This patch adds the definition of a new array data_type
'gpt'. This is an array of 32bits General Purpose Tags.

Like for all arrays, it is limited to 100 elements.

This patch also adds actions and fetches to handle
elements of this array.

Note: As documented, those new actions and fetches won't
apply to the legacy 'gpt0' data type.
MINOR: http-act/tcp-act: Add "set-mark" and "set-tos" for tcp content rules 2021-06-25T14:11:58+00:00 Christopher Faulet cfaulet@haproxy.com 2021-06-25T13:11:35+00:00 469c06c30e3177ac5a0c62e4aa0db463ff49cfdd It is now possible to set the Netfilter MARK and the TOS field value in all packets sent to the client from any tcp-request rulesets or the "tcp-response content" one. To do so, the parsing of "set-mark" and "set-tos" actions are moved in tcp_act.c and the actions evaluation is handled in dedicated functions. This patch may be backported as far as 2.2 if necessary. 
It is now possible to set the Netfilter MARK and the TOS field value in all
packets sent to the client from any tcp-request rulesets or the "tcp-response
content" one. To do so, the parsing of "set-mark" and "set-tos" actions are
moved in tcp_act.c and the actions evaluation is handled in dedicated functions.

This patch may be backported as far as 2.2 if necessary.
MINOR: http-act/tcp-act: Add "set-nice" for tcp content rules 2021-06-25T14:11:53+00:00 Christopher Faulet cfaulet@haproxy.com 2021-06-25T12:46:02+00:00 1da374af2f98c0a5e41e6d99553d74426a45ffe0 It is now possible to set the "nice" factor of the current stream from a "tcp-request content" or "tcp-response content" ruleset. To do so, the action parsing is moved in stream.c and the action evaluation is handled in a dedicated function. This patch may be backported as far as 2.2 if necessary. 
It is now possible to set the "nice" factor of the current stream from a
"tcp-request content" or "tcp-response content" ruleset. To do so, the
action parsing is moved in stream.c and the action evaluation is handled in
a dedicated function.

This patch may be backported as far as 2.2 if necessary.