authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:18:05 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:18:05 +0000
commitb46aad6df449445a9fc4aa7b32bd40005438e3f7 (patch)
tree751aa858ca01f35de800164516b298887382919d /src/tcp_act.c
parentInitial commit. (diff)
Adding upstream version 2.9.5.upstream/2.9.5
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/tcp_act.c')
-rw-r--r--src/tcp_act.c749
1 files changed, 749 insertions, 0 deletions
diff --git a/src/tcp_act.c b/src/tcp_act.c
new file mode 100644
index 0000000..8b44047
--- /dev/null
+++ b/src/tcp_act.c
@@ -0,0 +1,749 @@
+/*
+ * AF_INET/AF_INET6 SOCK_STREAM protocol layer (tcp)
+ *
+ * Copyright 2000-2013 Willy Tarreau <w@1wt.eu>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
+#include <netinet/tcp.h>
+#include <netinet/in.h>
+
+#include <haproxy/action-t.h>
+#include <haproxy/api.h>
+#include <haproxy/arg.h>
+#include <haproxy/channel.h>
+#include <haproxy/connection.h>
+#include <haproxy/global.h>
+#include <haproxy/http_rules.h>
+#include <haproxy/proto_tcp.h>
+#include <haproxy/proxy.h>
+#include <haproxy/sample.h>
+#include <haproxy/sc_strm.h>
+#include <haproxy/server.h>
+#include <haproxy/session.h>
+#include <haproxy/tcp_rules.h>
+#include <haproxy/tools.h>
+
+static enum act_return tcp_action_attach_srv(struct act_rule *rule, struct proxy *px,
+ struct session *sess, struct stream *s, int flags)
+{
+ struct server *srv = rule->arg.attach_srv.srv;
+ struct sample *name_smp;
+ struct connection *conn = objt_conn(sess->origin);
+ if (!conn)
+ return ACT_RET_ABRT;
+
+ conn_set_reverse(conn, &srv->obj_type);
+
+ if (rule->arg.attach_srv.name) {
+ name_smp = sample_fetch_as_type(sess->fe, sess, s,
+ SMP_OPT_DIR_REQ | SMP_OPT_FINAL,
+ rule->arg.attach_srv.name, SMP_T_STR);
+ /* TODO strdup du buffer du sample */
+ if (name_smp) {
+ struct buffer *buf = &name_smp->data.u.str;
+ char *area = malloc(b_data(buf));
+
+ if (!area)
+ return ACT_RET_ERR;
+
+ conn->reverse.name = b_make(area, b_data(buf), 0, 0);
+ b_ncat(&conn->reverse.name, buf, b_data(buf));
+ }
+ }
+
+ return ACT_RET_CONT;
+}
+
+/*
+ * Execute the "set-src" action. May be called from {tcp,http}request.
+ * It only changes the address and tries to preserve the original port. If the
+ * previous family was neither AF_INET nor AF_INET6, the port is set to zero.
+ */
+static enum act_return tcp_action_req_set_src(struct act_rule *rule, struct proxy *px,
+ struct session *sess, struct stream *s, int flags)
+{
+ struct connection *cli_conn;
+ struct sockaddr_storage *src;
+ struct sample *smp;
+
+ switch (rule->from) {
+ case ACT_F_TCP_REQ_CON:
+ cli_conn = objt_conn(sess->origin);
+ if (!cli_conn || !conn_get_src(cli_conn))
+ goto end;
+ src = cli_conn->src;
+ break;
+
+ case ACT_F_TCP_REQ_SES:
+ if (!sess_get_src(sess))
+ goto end;
+ src = sess->src;
+ break;
+
+ case ACT_F_TCP_REQ_CNT:
+ case ACT_F_HTTP_REQ:
+ if (!sc_get_src(s->scf))
+ goto end;
+ src = s->scf->src;
+ break;
+
+ default:
+ goto end;
+ }
+
+ smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.expr, SMP_T_ADDR);
+ if (smp) {
+ int port = get_net_port(src);
+
+ if (smp->data.type == SMP_T_IPV4) {
+ ((struct sockaddr_in *)src)->sin_family = AF_INET;
+ ((struct sockaddr_in *)src)->sin_addr.s_addr = smp->data.u.ipv4.s_addr;
+ ((struct sockaddr_in *)src)->sin_port = port;
+ } else if (smp->data.type == SMP_T_IPV6) {
+ ((struct sockaddr_in6 *)src)->sin6_family = AF_INET6;
+ memcpy(&((struct sockaddr_in6 *)src)->sin6_addr, &smp->data.u.ipv6, sizeof(struct in6_addr));
+ ((struct sockaddr_in6 *)src)->sin6_port = port;
+ }
+ }
+
+ end:
+ return ACT_RET_CONT;
+}
+
+/*
+ * Execute the "set-dst" action. May be called from {tcp,http}request.
+ * It only changes the address and tries to preserve the original port. If the
+ * previous family was neither AF_INET nor AF_INET6, the port is set to zero.
+ */
+static enum act_return tcp_action_req_set_dst(struct act_rule *rule, struct proxy *px,
+ struct session *sess, struct stream *s, int flags)
+{
+ struct connection *cli_conn;
+ struct sockaddr_storage *dst;
+ struct sample *smp;
+
+ switch (rule->from) {
+ case ACT_F_TCP_REQ_CON:
+ cli_conn = objt_conn(sess->origin);
+ if (!cli_conn || !conn_get_dst(cli_conn))
+ goto end;
+ dst = cli_conn->dst;
+ break;
+
+ case ACT_F_TCP_REQ_SES:
+ if (!sess_get_dst(sess))
+ goto end;
+ dst = sess->dst;
+ break;
+
+ case ACT_F_TCP_REQ_CNT:
+ case ACT_F_HTTP_REQ:
+ if (!sc_get_dst(s->scf))
+ goto end;
+ dst = s->scf->dst;
+ break;
+
+ default:
+ goto end;
+ }
+
+ smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.expr, SMP_T_ADDR);
+ if (smp) {
+ int port = get_net_port(dst);
+
+ if (smp->data.type == SMP_T_IPV4) {
+ ((struct sockaddr_in *)dst)->sin_family = AF_INET;
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr = smp->data.u.ipv4.s_addr;
+ ((struct sockaddr_in *)dst)->sin_port = port;
+ } else if (smp->data.type == SMP_T_IPV6) {
+ ((struct sockaddr_in6 *)dst)->sin6_family = AF_INET6;
+ memcpy(&((struct sockaddr_in6 *)dst)->sin6_addr, &smp->data.u.ipv6, sizeof(struct in6_addr));
+ ((struct sockaddr_in6 *)dst)->sin6_port = port;
+ }
+ }
+
+ end:
+ return ACT_RET_CONT;
+}
+
+/*
+ * Execute the "set-src-port" action. May be called from {tcp,http}request.
+ * We must test the sin_family before setting the port. If the address family
+ * is neither AF_INET nor AF_INET6, the address is forced to AF_INET "0.0.0.0"
+ * and the port is assigned.
+ */
+static enum act_return tcp_action_req_set_src_port(struct act_rule *rule, struct proxy *px,
+ struct session *sess, struct stream *s, int flags)
+{
+ struct connection *cli_conn;
+ struct sockaddr_storage *src;
+ struct sample *smp;
+
+ switch (rule->from) {
+ case ACT_F_TCP_REQ_CON:
+ cli_conn = objt_conn(sess->origin);
+ if (!cli_conn || !conn_get_src(cli_conn))
+ goto end;
+ src = cli_conn->src;
+ break;
+
+ case ACT_F_TCP_REQ_SES:
+ if (!sess_get_src(sess))
+ goto end;
+ src = sess->src;
+ break;
+
+ case ACT_F_TCP_REQ_CNT:
+ case ACT_F_HTTP_REQ:
+ if (!sc_get_src(s->scf))
+ goto end;
+ src = s->scf->src;
+ break;
+
+ default:
+ goto end;
+ }
+
+ smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.expr, SMP_T_SINT);
+ if (smp) {
+ if (src->ss_family == AF_INET6) {
+ ((struct sockaddr_in6 *)src)->sin6_port = htons(smp->data.u.sint);
+ } else {
+ if (src->ss_family != AF_INET) {
+ src->ss_family = AF_INET;
+ ((struct sockaddr_in *)src)->sin_addr.s_addr = 0;
+ }
+ ((struct sockaddr_in *)src)->sin_port = htons(smp->data.u.sint);
+ }
+ }
+
+ end:
+ return ACT_RET_CONT;
+}
+
+/*
+ * Execute the "set-dst-port" action. May be called from {tcp,http}request.
+ * We must test the sin_family before setting the port. If the address family
+ * is neither AF_INET nor AF_INET6, the address is forced to AF_INET "0.0.0.0"
+ * and the port is assigned.
+ */
+static enum act_return tcp_action_req_set_dst_port(struct act_rule *rule, struct proxy *px,
+ struct session *sess, struct stream *s, int flags)
+{
+ struct connection *cli_conn;
+ struct sockaddr_storage *dst;
+ struct sample *smp;
+
+ switch (rule->from) {
+ case ACT_F_TCP_REQ_CON:
+ cli_conn = objt_conn(sess->origin);
+ if (!cli_conn || !conn_get_dst(cli_conn))
+ goto end;
+ dst = cli_conn->dst;
+ break;
+
+ case ACT_F_TCP_REQ_SES:
+ if (!sess_get_dst(sess))
+ goto end;
+ dst = sess->dst;
+ break;
+
+ case ACT_F_TCP_REQ_CNT:
+ case ACT_F_HTTP_REQ:
+ if (!sc_get_dst(s->scf))
+ goto end;
+ dst = s->scf->dst;
+ break;
+
+ default:
+ goto end;
+ }
+
+ smp = sample_fetch_as_type(px, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->arg.expr, SMP_T_SINT);
+ if (smp) {
+ if (dst->ss_family == AF_INET6) {
+ ((struct sockaddr_in6 *)dst)->sin6_port = htons(smp->data.u.sint);
+ } else {
+ if (dst->ss_family != AF_INET) {
+ dst->ss_family = AF_INET;
+ ((struct sockaddr_in *)dst)->sin_addr.s_addr = 0;
+ }
+ ((struct sockaddr_in *)dst)->sin_port = htons(smp->data.u.sint);
+ }
+ }
+
+ end:
+ return ACT_RET_CONT;
+}
+
+/* Executes the "silent-drop" action. May be called from {tcp,http}{request,response}.
+ * If rule->arg.act.p[0] is 0, TCP_REPAIR is tried first, with a fallback to
+ * sending a RST with TTL 1 towards the client. If it is [1-255], we will skip
+ * TCP_REPAIR and prepare the socket to send a RST with the requested TTL when
+ * the connection is killed by channel_abort().
+ */
+static enum act_return tcp_exec_action_silent_drop(struct act_rule *rule, struct proxy *px,
+ struct session *sess, struct stream *strm, int flags)
+{
+ struct connection *conn = objt_conn(sess->origin);
+ unsigned int ttl __maybe_unused = (uintptr_t)rule->arg.act.p[0];
+ char tcp_repair_enabled __maybe_unused;
+
+ if (ttl == 0) {
+ tcp_repair_enabled = 1;
+ ttl = 1;
+ } else {
+ tcp_repair_enabled = 0;
+ }
+
+ if (!conn)
+ goto out;
+
+ if (!conn_ctrl_ready(conn))
+ goto out;
+
+#ifdef TCP_QUICKACK
+ /* drain is needed only to send the quick ACK */
+ conn_ctrl_drain(conn);
+
+ /* re-enable quickack if it was disabled to ack all data and avoid
+ * retransmits from the client that might trigger a real reset.
+ */
+ setsockopt(conn->handle.fd, IPPROTO_TCP, TCP_QUICKACK, &one, sizeof(one));
+#endif
+ /* lingering must absolutely be disabled so that we don't send a
+ * shutdown(), this is critical to the TCP_REPAIR trick. When no stream
+ * is present, returning with ERR will cause lingering to be disabled.
+ */
+ if (strm)
+ strm->scf->flags |= SC_FL_NOLINGER;
+
+ if (conn->flags & CO_FL_FDLESS)
+ goto out;
+
+ /* We're on the client-facing side, we must force to disable lingering to
+ * ensure we will use an RST exclusively and kill any pending data.
+ */
+ HA_ATOMIC_OR(&fdtab[conn->handle.fd].state, FD_LINGER_RISK);
+
+#ifdef TCP_REPAIR
+ /* try to put socket in repair mode if sending a RST was not requested by
+ * config. this often fails due to missing permissions (CAP_NET_ADMIN capability)
+ */
+ if (tcp_repair_enabled && (setsockopt(conn->handle.fd, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one)) == 0)) {
+ /* socket will be quiet now */
+ goto out;
+ }
+#endif
+
+ /* Either TCP_REPAIR is not defined, it failed (eg: permissions), or was
+ * not executed because a RST with a specific TTL was requested to be sent.
+ * Set the TTL of the client connection before the connection is killed
+ * by channel_abort and a RST packet will be emitted by the TCP/IP stack.
+ */
+#ifdef IP_TTL
+ if (conn->src && conn->src->ss_family == AF_INET)
+ setsockopt(conn->handle.fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
+#endif
+#ifdef IPV6_UNICAST_HOPS
+ if (conn->src && conn->src->ss_family == AF_INET6)
+ setsockopt(conn->handle.fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl));
+#endif
+ out:
+ /* kill the stream if any */
+ if (strm) {
+ stream_abort(strm);
+ strm->req.analysers &= AN_REQ_FLT_END;
+ strm->res.analysers &= AN_RES_FLT_END;
+ if (strm->flags & SF_BE_ASSIGNED)
+ _HA_ATOMIC_INC(&strm->be->be_counters.denied_req);
+ if (!(strm->flags & SF_ERR_MASK))
+ strm->flags |= SF_ERR_PRXCOND;
+ if (!(strm->flags & SF_FINST_MASK))
+ strm->flags |= SF_FINST_R;
+ }
+
+ _HA_ATOMIC_INC(&sess->fe->fe_counters.denied_req);
+ if (sess->listener && sess->listener->counters)
+ _HA_ATOMIC_INC(&sess->listener->counters->denied_req);
+
+ return ACT_RET_ABRT;
+}
+
+
+#if defined(SO_MARK) || defined(SO_USER_COOKIE) || defined(SO_RTABLE)
+static enum act_return tcp_action_set_mark(struct act_rule *rule, struct proxy *px,
+ struct session *sess, struct stream *s, int flags)
+{
+ conn_set_mark(objt_conn(sess->origin), (uintptr_t)rule->arg.act.p[0]);
+ return ACT_RET_CONT;
+}
+#endif
+
+#ifdef IP_TOS
+static enum act_return tcp_action_set_tos(struct act_rule *rule, struct proxy *px,
+ struct session *sess, struct stream *s, int flags)
+{
+ conn_set_tos(objt_conn(sess->origin), (uintptr_t)rule->arg.act.p[0]);
+ return ACT_RET_CONT;
+}
+#endif
+
+/*
+ * Release the sample expr when releasing attach-srv action
+ */
+static void release_attach_srv_action(struct act_rule *rule)
+{
+ ha_free(&rule->arg.attach_srv.srvname);
+ release_sample_expr(rule->arg.attach_srv.name);
+}
+
+/*
+ * Release the sample expr when releasing a set src/dst action
+ */
+static void release_set_src_dst_action(struct act_rule *rule)
+{
+ release_sample_expr(rule->arg.expr);
+}
+
+static int tcp_check_attach_srv(struct act_rule *rule, struct proxy *px, char **err)
+{
+ struct proxy *be = NULL;
+ struct server *srv = NULL;
+ char *name = rule->arg.attach_srv.srvname;
+ struct ist be_name, sv_name;
+
+ if (px->mode != PR_MODE_HTTP) {
+ memprintf(err, "attach-srv rule requires HTTP proxy mode");
+ return 0;
+ }
+
+ sv_name = ist(name);
+ be_name = istsplit(&sv_name, '/');
+ if (!istlen(sv_name)) {
+ memprintf(err, "attach-srv rule: invalid server name '%s'", name);
+ return 0;
+ }
+
+ if (!(be = proxy_be_by_name(ist0(be_name)))) {
+ memprintf(err, "attach-srv rule: no such backend '%s/%s'", ist0(be_name), ist0(sv_name));
+ return 0;
+ }
+ if (!(srv = server_find_by_name(be, ist0(sv_name)))) {
+ memprintf(err, "attach-srv rule: no such server '%s/%s'", ist0(be_name), ist0(sv_name));
+ return 0;
+ }
+
+ if ((rule->arg.attach_srv.name && (!srv->use_ssl || !srv->sni_expr)) ||
+ (!rule->arg.attach_srv.name && srv->use_ssl && srv->sni_expr)) {
+ memprintf(err, "attach-srv rule: connection will never be used; either specify name argument in conjunction with defined SSL SNI on targeted server or none of these");
+ return 0;
+ }
+
+ rule->arg.attach_srv.srv = srv;
+
+ return 1;
+}
+
+static enum act_parse_ret tcp_parse_attach_srv(const char **args, int *cur_arg, struct proxy *px,
+ struct act_rule *rule, char **err)
+{
+ char *srvname;
+ struct sample_expr *expr;
+
+ /* TODO duplicated code from check_kw_experimental() */
+ if (!experimental_directives_allowed) {
+ memprintf(err, "parsing [%s:%d] : '%s' action is experimental, must be allowed via a global 'expose-experimental-directives'",
+ px->conf.args.file, px->conf.args.line, args[2]);
+ return ACT_RET_PRS_ERR;
+ }
+ mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
+
+ rule->action = ACT_CUSTOM;
+ rule->action_ptr = tcp_action_attach_srv;
+ rule->release_ptr = release_attach_srv_action;
+ rule->check_ptr = tcp_check_attach_srv;
+ rule->arg.attach_srv.srvname = NULL;
+ rule->arg.attach_srv.name = NULL;
+
+ srvname = my_strndup(args[*cur_arg], strlen(args[*cur_arg]));
+ if (!srvname)
+ goto err;
+ rule->arg.attach_srv.srvname = srvname;
+
+ ++(*cur_arg);
+
+ if (strcmp(args[*cur_arg], "name") == 0) {
+ if (!*args[*cur_arg + 1]) {
+ memprintf(err, "missing name value");
+ return ACT_RET_PRS_ERR;
+ }
+ ++(*cur_arg);
+
+ expr = sample_parse_expr((char **)args, cur_arg, px->conf.args.file, px->conf.args.line,
+ err, &px->conf.args, NULL);
+ if (!expr)
+ return ACT_RET_PRS_ERR;
+
+ rule->arg.attach_srv.name = expr;
+ rule->release_ptr = release_attach_srv_action;
+ }
+
+ return ACT_RET_PRS_OK;
+
+ err:
+ ha_free(&rule->arg.attach_srv.srvname);
+ release_sample_expr(rule->arg.attach_srv.name);
+ return ACT_RET_PRS_ERR;
+}
+
+/* parse "set-{src,dst}[-port]" action */
+static enum act_parse_ret tcp_parse_set_src_dst(const char **args, int *orig_arg, struct proxy *px,
+ struct act_rule *rule, char **err)
+{
+ int cur_arg;
+ struct sample_expr *expr;
+ unsigned int where;
+
+ cur_arg = *orig_arg;
+ expr = sample_parse_expr((char **)args, &cur_arg, px->conf.args.file, px->conf.args.line, err, &px->conf.args, NULL);
+ if (!expr)
+ return ACT_RET_PRS_ERR;
+
+ where = 0;
+ if (px->cap & PR_CAP_FE)
+ where |= SMP_VAL_FE_HRQ_HDR;
+ if (px->cap & PR_CAP_BE)
+ where |= SMP_VAL_BE_HRQ_HDR;
+
+ if (!(expr->fetch->val & where)) {
+ memprintf(err,
+ "fetch method '%s' extracts information from '%s', none of which is available here",
+ args[cur_arg-1], sample_src_names(expr->fetch->use));
+ free(expr);
+ return ACT_RET_PRS_ERR;
+ }
+ rule->arg.expr = expr;
+ rule->action = ACT_CUSTOM;
+
+ if (strcmp(args[*orig_arg - 1], "set-src") == 0) {
+ rule->action_ptr = tcp_action_req_set_src;
+ } else if (strcmp(args[*orig_arg - 1], "set-src-port") == 0) {
+ rule->action_ptr = tcp_action_req_set_src_port;
+ } else if (strcmp(args[*orig_arg - 1], "set-dst") == 0) {
+ rule->action_ptr = tcp_action_req_set_dst;
+ } else if (strcmp(args[*orig_arg - 1], "set-dst-port") == 0) {
+ rule->action_ptr = tcp_action_req_set_dst_port;
+ } else {
+ return ACT_RET_PRS_ERR;
+ }
+
+ rule->release_ptr = release_set_src_dst_action;
+ (*orig_arg)++;
+
+ return ACT_RET_PRS_OK;
+}
+
+
+/* Parse a "set-mark" action. It takes the MARK value as argument. It returns
+ * ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
+ */
+static enum act_parse_ret tcp_parse_set_mark(const char **args, int *cur_arg, struct proxy *px,
+ struct act_rule *rule, char **err)
+{
+#if defined(SO_MARK) || defined(SO_USER_COOKIE) || defined(SO_RTABLE)
+ char *endp;
+ unsigned int mark;
+
+ if (!*args[*cur_arg]) {
+ memprintf(err, "expects exactly 1 argument (integer/hex value)");
+ return ACT_RET_PRS_ERR;
+ }
+ mark = strtoul(args[*cur_arg], &endp, 0);
+ if (endp && *endp != '\0') {
+ memprintf(err, "invalid character starting at '%s' (integer/hex value expected)", endp);
+ return ACT_RET_PRS_ERR;
+ }
+
+ (*cur_arg)++;
+
+ /* Register processing function. */
+ rule->action_ptr = tcp_action_set_mark;
+ rule->action = ACT_CUSTOM;
+ rule->arg.act.p[0] = (void *)(uintptr_t)mark;
+ global.last_checks |= LSTCHK_NETADM;
+ return ACT_RET_PRS_OK;
+#else
+ memprintf(err, "not supported on this platform (SO_MARK|SO_USER_COOKIE|SO_RTABLE undefined)");
+ return ACT_RET_PRS_ERR;
+#endif
+}
+
+
+/* Parse a "set-tos" action. It takes the TOS value as argument. It returns
+ * ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR on error.
+ */
+static enum act_parse_ret tcp_parse_set_tos(const char **args, int *cur_arg, struct proxy *px,
+ struct act_rule *rule, char **err)
+{
+#ifdef IP_TOS
+ char *endp;
+ int tos;
+
+ if (!*args[*cur_arg]) {
+ memprintf(err, "expects exactly 1 argument (integer/hex value)");
+ return ACT_RET_PRS_ERR;
+ }
+ tos = strtol(args[*cur_arg], &endp, 0);
+ if (endp && *endp != '\0') {
+ memprintf(err, "invalid character starting at '%s' (integer/hex value expected)", endp);
+ return ACT_RET_PRS_ERR;
+ }
+
+ (*cur_arg)++;
+
+ /* Register processing function. */
+ rule->action_ptr = tcp_action_set_tos;
+ rule->action = ACT_CUSTOM;
+ rule->arg.act.p[0] = (void *)(uintptr_t)tos;
+ return ACT_RET_PRS_OK;
+#else
+ memprintf(err, "not supported on this platform (IP_TOS undefined)");
+ return ACT_RET_PRS_ERR;
+#endif
+}
+
+/* Parse a "silent-drop" action. It may take 2 optional arguments to define a
+ * "rst-ttl" parameter. It returns ACT_RET_PRS_OK on success, ACT_RET_PRS_ERR
+ * on error.
+ */
+static enum act_parse_ret tcp_parse_silent_drop(const char **args, int *cur_arg, struct proxy *px,
+ struct act_rule *rule, char **err)
+{
+ unsigned int rst_ttl = 0;
+ char *endp;
+
+ rule->action = ACT_CUSTOM;
+ rule->action_ptr = tcp_exec_action_silent_drop;
+
+ if (strcmp(args[*cur_arg], "rst-ttl") == 0) {
+ if (!*args[*cur_arg + 1]) {
+ memprintf(err, "missing rst-ttl value\n");
+ return ACT_RET_PRS_ERR;
+ }
+
+ rst_ttl = (unsigned int)strtoul(args[*cur_arg + 1], &endp, 0);
+
+ if (endp && *endp != '\0') {
+ memprintf(err, "invalid character starting at '%s' (value 1-255 expected)\n",
+ endp);
+ return ACT_RET_PRS_ERR;
+ }
+ if ((rst_ttl == 0) || (rst_ttl > 255) ) {
+ memprintf(err, "valid rst-ttl values are [1-255]\n");
+ return ACT_RET_PRS_ERR;
+ }
+
+ *cur_arg += 2;
+ }
+
+ rule->arg.act.p[0] = (void *)(uintptr_t)rst_ttl;
+ return ACT_RET_PRS_OK;
+}
+
+
+static struct action_kw_list tcp_req_conn_actions = {ILH, {
+ { "set-dst" , tcp_parse_set_src_dst },
+ { "set-dst-port", tcp_parse_set_src_dst },
+ { "set-mark", tcp_parse_set_mark },
+ { "set-src", tcp_parse_set_src_dst },
+ { "set-src-port", tcp_parse_set_src_dst },
+ { "set-tos", tcp_parse_set_tos },
+ { "silent-drop", tcp_parse_silent_drop },
+ { /* END */ }
+}};
+
+INITCALL1(STG_REGISTER, tcp_req_conn_keywords_register, &tcp_req_conn_actions);
+
+static struct action_kw_list tcp_req_sess_actions = {ILH, {
+ { "attach-srv" , tcp_parse_attach_srv },
+ { "set-dst" , tcp_parse_set_src_dst },
+ { "set-dst-port", tcp_parse_set_src_dst },
+ { "set-mark", tcp_parse_set_mark },
+ { "set-src", tcp_parse_set_src_dst },
+ { "set-src-port", tcp_parse_set_src_dst },
+ { "set-tos", tcp_parse_set_tos },
+ { "silent-drop", tcp_parse_silent_drop },
+ { /* END */ }
+}};
+
+INITCALL1(STG_REGISTER, tcp_req_sess_keywords_register, &tcp_req_sess_actions);
+
+static struct action_kw_list tcp_req_cont_actions = {ILH, {
+ { "set-src", tcp_parse_set_src_dst },
+ { "set-src-port", tcp_parse_set_src_dst },
+ { "set-dst" , tcp_parse_set_src_dst },
+ { "set-dst-port", tcp_parse_set_src_dst },
+ { "set-mark", tcp_parse_set_mark },
+ { "set-tos", tcp_parse_set_tos },
+ { "silent-drop", tcp_parse_silent_drop },
+ { /* END */ }
+}};
+
+INITCALL1(STG_REGISTER, tcp_req_cont_keywords_register, &tcp_req_cont_actions);
+
+static struct action_kw_list tcp_res_cont_actions = {ILH, {
+ { "set-mark", tcp_parse_set_mark },
+ { "set-tos", tcp_parse_set_tos },
+ { "silent-drop", tcp_parse_silent_drop },
+ { /* END */ }
+}};
+
+INITCALL1(STG_REGISTER, tcp_res_cont_keywords_register, &tcp_res_cont_actions);
+
+static struct action_kw_list http_req_actions = {ILH, {
+ { "set-dst", tcp_parse_set_src_dst },
+ { "set-dst-port", tcp_parse_set_src_dst },
+ { "set-mark", tcp_parse_set_mark },
+ { "set-src", tcp_parse_set_src_dst },
+ { "set-src-port", tcp_parse_set_src_dst },
+ { "set-tos", tcp_parse_set_tos },
+ { "silent-drop", tcp_parse_silent_drop },
+ { /* END */ }
+}};
+
+INITCALL1(STG_REGISTER, http_req_keywords_register, &http_req_actions);
+
+static struct action_kw_list http_res_actions = {ILH, {
+ { "set-mark", tcp_parse_set_mark },
+ { "set-tos", tcp_parse_set_tos },
+ { "silent-drop", tcp_parse_silent_drop },
+ { /* END */ }
+}};
+
+INITCALL1(STG_REGISTER, http_res_keywords_register, &http_res_actions);
+
+
+/*
+ * Local variables:
+ * c-indent-level: 8
+ * c-basic-offset: 8
+ * End:
+ */
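Review bot: In tcp_action_req_set_src_port() and tcp_action_req_set_dst_port() the fetched integer goes straight into `htons(smp->data.u.sint)`, so a value outside 0-65535 is silently reduced to its low 16 bits instead of being rejected. The expression is evaluated per request (`SMP_OPT_DIR_REQ`) and can presumably be built from client-supplied data, in which case the wrapped port is what later logging or ACL checks on the address would see; how callers constrain the expression is not visible here. I would add a range guard inside the `if (smp)` block, ahead of the family test, in both functions, e.g. `if (smp->data.u.sint < 0 || smp->data.u.sint > 65535) goto end;`, and state in the function comments that out-of-range values leave the port unchanged. tcp_parse_silent_drop() already validates its rst-ttl range at parse time, so this would also make the file more consistent.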