summaryrefslogtreecommitdiffstats
path: root/src/http_ext.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/http_ext.c1881
1 files changed, 1881 insertions, 0 deletions
diff --git a/src/http_ext.c b/src/http_ext.c
new file mode 100644
index 0000000..a367519
--- /dev/null
+++ b/src/http_ext.c
@@ -0,0 +1,1881 @@
+/*
+ * HTTP extensions logic and helpers
+ *
+ * Copyright 2022 HAProxy Technologies
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2.1 of the License, or (at your option) any later version.
+ *
+ */
+
+#include <haproxy/sample.h>
+#include <haproxy/http_htx.h>
+#include <haproxy/http_ext.h>
+#include <haproxy/chunk.h>
+#include <haproxy/stream.h>
+#include <haproxy/proxy.h>
+#include <haproxy/sc_strm.h>
+#include <haproxy/obj_type.h>
+#include <haproxy/cfgparse.h>
+#include <haproxy/arg.h>
+#include <haproxy/initcall.h>
+#include <haproxy/tools.h>
+
+/*
+ * =========== ANALYZE ===========
+ * below are http process/ana helpers
+ */
+
+/* checks if <input> contains rfc7239 compliant port
+ * Returns 1 for success and 0 for failure
+ * if <port> is not NULL, it will be set to the extracted value contained
+ * in <input>
+ * <input> will be consumed accordingly (parsed/extracted characters are
+ * removed from <input>)
+ */
+static inline int http_7239_extract_port(struct ist *input, uint16_t *port)
+{
+ char *start = istptr(*input);
+ uint32_t port_cast = 0;
+ int it = 0;
+
+ /* strtol does not support non-null terminated str,
+ * we extract port ourselves
+ */
+ while (it < istlen(*input) &&
+ isdigit((unsigned char)start[it])) {
+ port_cast = (port_cast * 10) + (start[it] - '0');
+ if (port_cast > 65535)
+ return 0; /* invalid port */
+ it += 1;
+ }
+ if (!port_cast)
+ return 0; /* invalid port */
+ /* ok */
+ if (port)
+ *port = (uint16_t)port_cast;
+ *input = istadv(*input, it);
+ return 1;
+}
+
+/* check if char is a valid obfuscated identifier char
+ * (according to 7239 RFC)
+ * Returns non zero value for valid char
+ */
+static inline int http_7239_valid_obfsc(char c)
+{
+ return (isalnum((unsigned char)c) ||
+ (c == '.' || c == '-' || c == '_'));
+}
+
+/* checks if <input> contains rfc7239 compliant obfuscated identifier
+ * Returns 1 for success and 0 for failure
+ * if <obfs> is not NULL, it will be set to the extracted value contained
+ * in <input>
+ * <input> will be consumed accordingly (parsed/extracted characters are
+ * removed from <input>)
+ */
+static inline int http_7239_extract_obfs(struct ist *input, struct ist *obfs)
+{
+ int it = 0;
+
+ if (obfs)
+ obfs->ptr = input->ptr;
+
+ while (it < istlen(*input) && istptr(*input)[it] != ';') {
+ if (!http_7239_valid_obfsc(istptr(*input)[it]))
+ break; /* end of obfs token */
+ it += 1;
+ }
+ if (obfs)
+ obfs->len = it;
+ *input = istadv(*input, it);
+ return !!it;
+}
+
+/* checks if <input> contains rfc7239 compliant IPV4 address
+ * Returns 1 for success and 0 for failure
+ * if <ip> is not NULL, it will be set to the extracted value contained
+ * in <input>
+ * <input> will be consumed accordingly (parsed/extracted characters are
+ * removed from <input>)
+ */
+static inline int http_7239_extract_ipv4(struct ist *input, struct in_addr *ip)
+{
+ char ip4[INET_ADDRSTRLEN];
+ unsigned char buf[sizeof(struct in_addr)];
+ int it = 0;
+
+ /* extract ipv4 addr */
+ while (it < istlen(*input) && it < (sizeof(ip4) - 1)) {
+ if (!isdigit((unsigned char)istptr(*input)[it]) &&
+ istptr(*input)[it] != '.')
+ break; /* no more ip4 char */
+ ip4[it] = istptr(*input)[it];
+ it += 1;
+ }
+ ip4[it] = 0;
+ if (inet_pton(AF_INET, ip4, buf) != 1)
+ return 0; /* invalid ip4 addr */
+ /* ok */
+ if (ip)
+ memcpy(ip, buf, sizeof(buf));
+ *input = istadv(*input, it);
+ return 1;
+}
+
+/* checks if <input> contains rfc7239 compliant IPV6 address
+ * assuming input.len >= 1 and first char is '['
+ * Returns 1 for success and 0 for failure
+ * if <ip> is not NULL, it will be set to the extracted value contained
+ * in <input>
+ * <input> will be consumed accordingly (parsed/extracted characters are
+ * removed from <input>)
+ */
+static inline int http_7239_extract_ipv6(struct ist *input, struct in6_addr *ip)
+{
+ char ip6[INET6_ADDRSTRLEN];
+ unsigned char buf[sizeof(struct in6_addr)];
+ int it = 0;
+
+ *input = istnext(*input); /* skip '[' leading char */
+ /* extract ipv6 addr */
+ while (it < istlen(*input) &&
+ it < (sizeof(ip6) - 1)) {
+ if (!isalnum((unsigned char)istptr(*input)[it]) &&
+ istptr(*input)[it] != ':')
+ break; /* no more ip6 char */
+ ip6[it] = istptr(*input)[it];
+ it += 1;
+ }
+ ip6[it] = 0;
+ if ((istlen(*input)-it) < 1 || istptr(*input)[it] != ']')
+ return 0; /* missing ending "]" char */
+ it += 1;
+ if (inet_pton(AF_INET6, ip6, buf) != 1)
+ return 0; /* invalid ip6 addr */
+ /* ok */
+ if (ip)
+ memcpy(ip, buf, sizeof(buf));
+ *input = istadv(*input, it);
+ return 1;
+}
+
+/* checks if <input> contains rfc7239 compliant host
+ * <quoted> is used to determine if the current input is being extracted
+ * from a quoted (non zero) or unquoted (zero) token, as the parsing rules
+ * differ whether the input is quoted or not according to the rfc.
+ * Returns 1 for success and 0 for failure
+ * if <host> is not NULL, it will be set to the extracted value contained
+ * in <input>
+ * <input> will be consumed accordingly (parsed/extracted characters are
+ * removed from <input>)
+ */
+static inline int http_7239_extract_host(struct ist *input, struct ist *host, int quoted)
+{
+ if (istlen(*input) < 1)
+ return 0; /* invalid input */
+
+ if (host)
+ host->ptr = input->ptr;
+
+ if (quoted && *istptr(*input) == '[') {
+ /* raw ipv6 address */
+ if (!http_7239_extract_ipv6(input, NULL))
+ return 0; /* invalid addr */
+ }
+ else {
+ /* ipv4 or dns */
+ while (istlen(*input)) {
+ if (!isalnum((unsigned char)*istptr(*input)) &&
+ *istptr(*input) != '.')
+ break; /* end of hostname token */
+ *input = istnext(*input);
+ }
+ }
+ if (istlen(*input) < 1 || *istptr(*input) != ':') {
+ goto out; /* no optional port provided */
+ }
+ if (!quoted)
+ return 0; /* not supported */
+ *input = istnext(*input); /* skip ':' */
+ /* validate port */
+ if (!http_7239_extract_port(input, NULL))
+ return 0; /* invalid port */
+ out:
+ if (host)
+ host->len = (input->ptr - host->ptr);
+ return 1;
+}
+
+/* checks if <input> contains rfc7239 compliant nodename
+ * <quoted> is used to determine if the current input is being extracted
+ * from a quoted (non zero) or unquoted (zero) token, as the parsing rules
+ * differ whether the input is quoted or not according to the rfc.
+ * Returns 1 for success and 0 for failure
+ * if <nodename> is not NULL, it will be set to the extracted value contained
+ * in <input>
+ * <input> will be consumed accordingly (parsed/extracted characters are
+ * removed from <input>)
+ */
+static inline int http_7239_extract_nodename(struct ist *input, struct forwarded_header_nodename *nodename, int quoted)
+{
+ if (istlen(*input) < 1)
+ return 0; /* invalid input */
+ if (*istptr(*input) == '_') {
+ struct ist *obfs = NULL;
+
+ /* obfuscated nodename */
+ *input = istnext(*input); /* skip '_' */
+ if (nodename) {
+ nodename->type = FORWARDED_HEADER_OBFS;
+ obfs = &nodename->obfs;
+ }
+ if (!http_7239_extract_obfs(input, obfs))
+ return 0; /* invalid obfs */
+ } else if (*istptr(*input) == 'u') {
+ /* "unknown" nodename? */
+ if (istlen(*input) < 7 ||
+ strncmp("unknown", istptr(*input), 7))
+ return 0; /* syntax error */
+ *input = istadv(*input, 7); /* skip "unknown" */
+ if (nodename)
+ nodename->type = FORWARDED_HEADER_UNK;
+ } else if (quoted && *istptr(*input) == '[') {
+ struct in6_addr *ip6 = NULL;
+
+ /* ipv6 address */
+ if (nodename) {
+ struct sockaddr_in6 *addr = (void *)&nodename->ip;
+
+ ip6 = &addr->sin6_addr;
+ addr->sin6_family = AF_INET6;
+ nodename->type = FORWARDED_HEADER_IP;
+ }
+ if (!http_7239_extract_ipv6(input, ip6))
+ return 0; /* invalid ip6 */
+ } else if (*istptr(*input)) {
+ struct in_addr *ip = NULL;
+
+ /* ipv4 address */
+ if (nodename) {
+ struct sockaddr_in *addr = (void *)&nodename->ip;
+
+ ip = &addr->sin_addr;
+ addr->sin_family = AF_INET;
+ nodename->type = FORWARDED_HEADER_IP;
+ }
+ if (!http_7239_extract_ipv4(input, ip))
+ return 0; /* invalid ip */
+ } else
+ return 0; /* unexpected char */
+
+ /* ok */
+ return 1;
+}
+
+/* checks if <input> contains rfc7239 compliant nodeport
+ * <quoted> is used to determine if the current input is being extracted
+ * from a quoted (non zero) or unquoted (zero) token, as the parsing rules
+ * differ whether the input is quoted or not according to the rfc.
+ * Returns 1 for success and 0 for failure
+ * if <nodeport> is not NULL, it will be set to the extracted value contained
+ * in <input>
+ * <input> will be consumed accordingly (parsed/extracted characters are
+ * removed from <input>)
+ */
+static inline int http_7239_extract_nodeport(struct ist *input, struct forwarded_header_nodeport *nodeport)
+{
+ if (*istptr(*input) == '_') {
+ struct ist *obfs = NULL;
+
+ /* obfuscated nodeport */
+ *input = istnext(*input); /* skip '_' */
+ if (nodeport) {
+ nodeport->type = FORWARDED_HEADER_OBFS;
+ obfs = &nodeport->obfs;
+ }
+ if (!http_7239_extract_obfs(input, obfs))
+ return 0; /* invalid obfs */
+ } else {
+ uint16_t *port = NULL;
+
+ /* normal port */
+ if (nodeport) {
+ nodeport->type = FORWARDED_HEADER_PORT;
+ port = &nodeport->port;
+ }
+ if (!http_7239_extract_port(input, port))
+ return 0; /* invalid port */
+ }
+ /* ok */
+ return 1;
+}
+
+/* checks if <input> contains rfc7239 compliant node (nodename:nodeport token)
+ * <quoted> is used to determine if the current input is being extracted
+ * from a quoted (non zero) or unquoted (zero) token, as the parsing rules
+ * differ whether the input is quoted or not according to the rfc.
+ * Returns 1 for success and 0 for failure
+ * if <node> is not NULL, it will be set to the extracted value contained
+ * in <input>
+ * <input> will be consumed accordingly (parsed/extracted characters are
+ * removed from <input>)
+ */
+static inline int http_7239_extract_node(struct ist *input, struct forwarded_header_node *node, int quoted)
+{
+ struct forwarded_header_nodename *nodename = NULL;
+ struct forwarded_header_nodeport *nodeport = NULL;
+
+ if (node) {
+ nodename = &node->nodename;
+ nodeport = &node->nodeport;
+ node->raw.ptr = input->ptr;
+ }
+ if (!http_7239_extract_nodename(input, nodename, quoted))
+ return 0; /* invalid nodename */
+ if (istlen(*input) < 1 || *istptr(*input) != ':') {
+ if (node)
+ node->nodeport.type = FORWARDED_HEADER_UNK;
+ goto out; /* no optional port provided */
+ }
+ if (!quoted)
+ return 0; /* not supported */
+ *input = istnext(*input);
+ if (!http_7239_extract_nodeport(input, nodeport))
+ return 0; /* invalid nodeport */
+ out:
+ /* ok */
+ if (node)
+ node->raw.len = input->ptr - node->raw.ptr;
+ return 1;
+}
+
+static inline int _forwarded_header_save_ctx(struct forwarded_header_ctx *ctx, int current_step, int required_steps)
+{
+ return (ctx && (current_step & required_steps));
+}
+
+static inline void _forwarded_header_quote_expected(struct ist *hdr, uint8_t *quoted)
+{
+ if (istlen(*hdr) > 0 && *istptr(*hdr) == '"') {
+ *quoted = 1;
+ /* node is quoted, we must find corresponding
+ * ending quote at the end of the token
+ */
+ *hdr = istnext(*hdr); /* skip quote */
+ }
+}
+
+/* checks if current header <hdr> is RFC 7239 compliant and can be "trusted".
+ * function will stop parsing as soon as every <required_steps> have
+ * been validated or error is encountered.
+ * Provide FORWARDED_HEADER_ALL for a full header validating spectrum.
+ * You may provide limited scope to perform quick searches on specific attributes
+ * If <ctx> is provided (not NULL), parsed attributes will be stored according to
+ * their types, allowing you to extract some useful information from the header.
+ * Returns 0 on failure and <validated_steps> bitfield on success.
+ */
+int http_validate_7239_header(struct ist hdr, int required_steps, struct forwarded_header_ctx *ctx)
+{
+ int validated_steps = 0;
+ int current_step = 0;
+ uint8_t first = 1;
+ uint8_t quoted = 0;
+
+ while (istlen(hdr) && (required_steps & ~validated_steps)) {
+ if (!first) {
+ if (*istptr(hdr) == ';')
+ hdr = istnext(hdr); /* skip ';' */
+ else
+ goto not_ok; /* unexpected char */
+ }
+ else
+ first = 0;
+
+ if (!(validated_steps & FORWARDED_HEADER_FOR) && istlen(hdr) > 4 &&
+ strncmp("for=", istptr(hdr), 4) == 0) {
+ struct forwarded_header_node *node = NULL;
+
+ /* for parameter */
+ current_step = FORWARDED_HEADER_FOR;
+ hdr = istadv(hdr, 4); /* skip "for=" */
+ _forwarded_header_quote_expected(&hdr, &quoted);
+ if (_forwarded_header_save_ctx(ctx, current_step, required_steps))
+ node = &ctx->nfor;
+ /* validate node */
+ if (!http_7239_extract_node(&hdr, node, quoted))
+ goto not_ok; /* invalid node */
+ }
+ else if (!(validated_steps & FORWARDED_HEADER_BY) && istlen(hdr) > 3 &&
+ strncmp("by=", istptr(hdr), 3) == 0) {
+ struct forwarded_header_node *node = NULL;
+
+ /* by parameter */
+ current_step = FORWARDED_HEADER_BY;
+ hdr = istadv(hdr, 3); /* skip "by=" */
+ _forwarded_header_quote_expected(&hdr, &quoted);
+ if (_forwarded_header_save_ctx(ctx, current_step, required_steps))
+ node = &ctx->nby;
+ /* validate node */
+ if (!http_7239_extract_node(&hdr, node, quoted))
+ goto not_ok; /* invalid node */
+ }
+ else if (!(validated_steps & FORWARDED_HEADER_HOST) && istlen(hdr) > 5 &&
+ strncmp("host=", istptr(hdr), 5) == 0) {
+ struct ist *host = NULL;
+
+ /* host parameter */
+ current_step = FORWARDED_HEADER_HOST;
+ hdr = istadv(hdr, 5); /* skip "host=" */
+ _forwarded_header_quote_expected(&hdr, &quoted);
+ if (_forwarded_header_save_ctx(ctx, current_step, required_steps))
+ host = &ctx->host;
+ /* validate host */
+ if (!http_7239_extract_host(&hdr, host, quoted))
+ goto not_ok; /* invalid host */
+ }
+ else if (!(validated_steps & FORWARDED_HEADER_PROTO) && istlen(hdr) > 6 &&
+ strncmp("proto=", istptr(hdr), 6) == 0) {
+ /* proto parameter */
+ current_step = FORWARDED_HEADER_PROTO;
+ hdr = istadv(hdr, 6); /* skip "proto=" */
+ /* validate proto (only common used http|https are supported for now) */
+ if (istlen(hdr) < 4 || strncmp("http", istptr(hdr), 4))
+ goto not_ok;
+ hdr = istadv(hdr, 4); /* skip "http" */
+ if (istlen(hdr) && *istptr(hdr) == 's') {
+ hdr = istnext(hdr);
+ if (_forwarded_header_save_ctx(ctx, current_step, required_steps))
+ ctx->proto = FORWARDED_HEADER_HTTPS;
+ } else if (_forwarded_header_save_ctx(ctx, current_step, required_steps))
+ ctx->proto = FORWARDED_HEADER_HTTP;
+ /* rfc allows for potential proto quoting, but we don't support
+ * it: it is not common usage
+ */
+ }
+ else {
+ /* not supported
+ * rfc allows for upcoming extensions
+ * but obviously, we can't trust them
+ * as they are not yet standardized
+ */
+
+ goto not_ok;
+ }
+ /* quote check */
+ if (quoted) {
+ if (istlen(hdr) < 1 || *istptr(hdr) != '"') {
+ /* matching ending quote not found */
+ goto not_ok;
+ }
+ hdr = istnext(hdr); /* skip ending quote */
+ quoted = 0; /* reset */
+ }
+ validated_steps |= current_step;
+ }
+
+ return validated_steps;
+
+ not_ok:
+ return 0;
+}
+
+static inline void _7239_print_ip6(struct buffer *out, struct in6_addr *ip6_addr, int quoted)
+{
+ char pn[INET6_ADDRSTRLEN];
+
+ inet_ntop(AF_INET6,
+ ip6_addr,
+ pn, sizeof(pn));
+ if (!quoted)
+ chunk_appendf(out, "\""); /* explicit quoting required for ipv6 */
+ chunk_appendf(out, "[%s]", pn);
+}
+
+static inline void http_build_7239_header_nodename(struct buffer *out,
+ struct stream *s, struct proxy *curproxy,
+ const struct sockaddr_storage *addr,
+ struct http_ext_7239_forby *forby)
+{
+ struct in6_addr *ip6_addr;
+ int quoted = !!forby->np_mode;
+
+ if (forby->nn_mode == HTTP_7239_FORBY_ORIG) {
+ if (addr && addr->ss_family == AF_INET) {
+ unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)addr)->sin_addr;
+
+ chunk_appendf(out, "%d.%d.%d.%d", pn[0], pn[1], pn[2], pn[3]);
+ }
+ else if (addr && addr->ss_family == AF_INET6) {
+ ip6_addr = &((struct sockaddr_in6 *)addr)->sin6_addr;
+ _7239_print_ip6(out, ip6_addr, quoted);
+ }
+ /* else: not supported */
+ }
+ else if (forby->nn_mode == HTTP_7239_FORBY_SMP && forby->nn_expr) {
+ struct sample *smp;
+
+ smp = sample_process(curproxy, s->sess, s,
+ SMP_OPT_DIR_REQ | SMP_OPT_FINAL, forby->nn_expr, NULL);
+
+ if (smp) {
+ if (smp->data.type == SMP_T_IPV6) {
+ /* smp is valid IP6, print with RFC compliant output */
+ ip6_addr = &smp->data.u.ipv6;
+ _7239_print_ip6(out, ip6_addr, quoted);
+ }
+ else if (sample_casts[smp->data.type][SMP_T_STR] &&
+ sample_casts[smp->data.type][SMP_T_STR](smp)) {
+ struct ist validate_n = ist2(smp->data.u.str.area, smp->data.u.str.data);
+ struct ist validate_o = ist2(smp->data.u.str.area, smp->data.u.str.data);
+ struct forwarded_header_nodename nodename;
+
+ /* validate nodename */
+ if (http_7239_extract_nodename(&validate_n, &nodename, 1) &&
+ !istlen(validate_n)) {
+ if (nodename.type == FORWARDED_HEADER_IP &&
+ nodename.ip.ss_family == AF_INET6) {
+ /* special care needed for valid ip6 nodename (quoting) */
+ ip6_addr = &((struct sockaddr_in6 *)&nodename.ip)->sin6_addr;
+ _7239_print_ip6(out, ip6_addr, quoted);
+ } else {
+ /* no special care needed, input is already rfc compliant,
+ * just print as regular non quoted string
+ */
+ chunk_cat(out, &smp->data.u.str);
+ }
+ }
+ else if (http_7239_extract_obfs(&validate_o, NULL) &&
+ !istlen(validate_o)) {
+ /* raw user input that should be printed as 7239 obfs */
+ chunk_appendf(out, "_%.*s", (int)smp->data.u.str.data, smp->data.u.str.area);
+ }
+ /* else: not compliant */
+ }
+ /* else: cannot be casted to str */
+ }
+ /* else: smp error */
+ }
+}
+
+static inline void http_build_7239_header_nodeport(struct buffer *out,
+ struct stream *s, struct proxy *curproxy,
+ const struct sockaddr_storage *addr,
+ struct http_ext_7239_forby *forby)
+{
+ if (forby->np_mode == HTTP_7239_FORBY_ORIG) {
+ if (addr && addr->ss_family == AF_INET)
+ chunk_appendf(out, "%d", ntohs(((struct sockaddr_in *)addr)->sin_port));
+ else if (addr && addr->ss_family == AF_INET6)
+ chunk_appendf(out, "%d", ntohs(((struct sockaddr_in6 *)addr)->sin6_port));
+ /* else: not supported */
+ }
+ else if (forby->np_mode == HTTP_7239_FORBY_SMP && forby->np_expr) {
+ struct sample *smp;
+
+ smp = sample_fetch_as_type(curproxy, s->sess, s,
+ SMP_OPT_DIR_REQ | SMP_OPT_FINAL, forby->np_expr, SMP_T_STR);
+ if (smp) {
+ struct ist validate_n = ist2(smp->data.u.str.area, smp->data.u.str.data);
+ struct ist validate_o = ist2(smp->data.u.str.area, smp->data.u.str.data);
+
+ /* validate nodeport */
+ if (http_7239_extract_nodeport(&validate_n, NULL) &&
+ !istlen(validate_n)) {
+ /* no special care needed, input is already rfc compliant,
+ * just print as regular non quoted string
+ */
+ chunk_cat(out, &smp->data.u.str);
+ }
+ else if (http_7239_extract_obfs(&validate_o, NULL) &&
+ !istlen(validate_o)) {
+ /* raw user input that should be printed as 7239 obfs */
+ chunk_appendf(out, "_%.*s", (int)smp->data.u.str.data, smp->data.u.str.area);
+ }
+ /* else: not compliant */
+ }
+ /* else: smp error */
+ }
+}
+
+static inline void http_build_7239_header_node(struct buffer *out,
+ struct stream *s, struct proxy *curproxy,
+ const struct sockaddr_storage *addr,
+ struct http_ext_7239_forby *forby)
+{
+ size_t offset_start;
+ size_t offset_save;
+
+ offset_start = out->data;
+ if (forby->np_mode)
+ chunk_appendf(out, "\"");
+ offset_save = out->data;
+ http_build_7239_header_nodename(out, s, curproxy, addr, forby);
+ if (offset_save == out->data) {
+ /* could not build nodename, either because some
+ * data is not available or user is providing bad input
+ */
+ chunk_appendf(out, "unknown");
+ }
+ if (forby->np_mode) {
+ chunk_appendf(out, ":");
+ offset_save = out->data;
+ http_build_7239_header_nodeport(out, s, curproxy, addr, forby);
+ if (offset_save == out->data) {
+ /* could not build nodeport, either because some data is
+ * not available or user is providing bad input
+ */
+ out->data = offset_save - 1;
+ }
+ }
+ if (out->data != offset_start && out->area[offset_start] == '"')
+ chunk_appendf(out, "\""); /* add matching end quote */
+}
+
+static inline void http_build_7239_header_host(struct buffer *out,
+ struct stream *s, struct proxy *curproxy,
+ struct htx *htx, struct http_ext_7239_host *host)
+{
+ struct http_hdr_ctx ctx = { .blk = NULL };
+ char *str = NULL;
+ int str_len = 0;
+
+ if (host->mode == HTTP_7239_HOST_ORIG &&
+ http_find_header(htx, ist("host"), &ctx, 0)) {
+ str = ctx.value.ptr;
+ str_len = ctx.value.len;
+ print_host:
+ {
+ struct ist validate = ist2(str, str_len);
+ /* host check, to ensure rfc compliant output
+ * (assuming host is quoted/escaped)
+ */
+ if (http_7239_extract_host(&validate, NULL, 1) && !istlen(validate))
+ chunk_memcat(out, str, str_len);
+ /* else: not compliant or partially compliant */
+ }
+
+ }
+ else if (host->mode == HTTP_7239_HOST_SMP && host->expr) {
+ struct sample *smp;
+
+ smp = sample_fetch_as_type(curproxy, s->sess, s,
+ SMP_OPT_DIR_REQ | SMP_OPT_FINAL, host->expr, SMP_T_STR);
+ if (smp) {
+ str = smp->data.u.str.area;
+ str_len = smp->data.u.str.data;
+ goto print_host;
+ }
+ /* else: smp error */
+ }
+}
+
+/* Tries build 7239 header according to <curproxy> parameters and <s> context
+ * It both depends on <curproxy>->http_ext->fwd for config and <s> for request
+ * context data.
+ * The function will write output to <out> buffer
+ * Returns 1 for success and 0 for error (ie: not enough space in buffer)
+ */
+static int http_build_7239_header(struct buffer *out,
+ struct stream *s, struct proxy *curproxy, struct htx *htx)
+{
+ struct connection *cli_conn = objt_conn(strm_sess(s)->origin);
+
+ if (curproxy->http_ext->fwd->p_proto) {
+ chunk_appendf(out, "%sproto=%s", ((out->data) ? ";" : ""),
+ ((conn_is_ssl(cli_conn)) ? "https" : "http"));
+ }
+ if (curproxy->http_ext->fwd->p_host.mode) {
+ /* always add quotes for host parameter to make output compliance checks simpler */
+ chunk_appendf(out, "%shost=\"", ((out->data) ? ";" : ""));
+ /* ignore return value for now, but could be useful some day */
+ http_build_7239_header_host(out, s, curproxy, htx, &curproxy->http_ext->fwd->p_host);
+ chunk_appendf(out, "\"");
+ }
+
+ if (curproxy->http_ext->fwd->p_by.nn_mode) {
+ const struct sockaddr_storage *dst = sc_dst(s->scf);
+
+ chunk_appendf(out, "%sby=", ((out->data) ? ";" : ""));
+ http_build_7239_header_node(out, s, curproxy, dst, &curproxy->http_ext->fwd->p_by);
+ }
+
+ if (curproxy->http_ext->fwd->p_for.nn_mode) {
+ const struct sockaddr_storage *src = sc_src(s->scf);
+
+ chunk_appendf(out, "%sfor=", ((out->data) ? ";" : ""));
+ http_build_7239_header_node(out, s, curproxy, src, &curproxy->http_ext->fwd->p_for);
+ }
+ if (unlikely(out->data == out->size)) {
+ /* not enough space in buffer, error */
+ return 0;
+ }
+ return 1;
+}
+
+/* This function will try to inject RFC 7239 forwarded header if
+ * configured on the backend (ignored for frontends).
+ * Will do nothing if the option is not enabled on the proxy.
+ * Returns 1 for success and 0 for failure
+ */
+int http_handle_7239_header(struct stream *s, struct channel *req)
+{
+ struct proxy *curproxy = s->be; /* ignore frontend */
+
+ if (curproxy->http_ext && curproxy->http_ext->fwd) {
+ struct htx *htx = htxbuf(&req->buf);
+ int validate = 1;
+ struct http_hdr_ctx find = { .blk = NULL };
+ struct http_hdr_ctx last = { .blk = NULL};
+ struct ist hdr = ist("forwarded");
+
+ /* ok, let's build forwarded header */
+ chunk_reset(&trash);
+ if (unlikely(!http_build_7239_header(&trash, s, curproxy, htx)))
+ return 0; /* error when building header (bad user conf or memory error) */
+
+ /* validate existing forwarded header (including multiple values),
+ * hard stop if error is encountered
+ */
+ while (http_find_header(htx, hdr, &find, 0)) {
+ /* validate current header chunk */
+ if (!http_validate_7239_header(find.value, FORWARDED_HEADER_ALL, NULL)) {
+ /* at least one error, existing forwarded header not OK, add our own
+ * forwarded header, so that it can be trusted
+ */
+ validate = 0;
+ break;
+ }
+ last = find;
+ }
+ /* no errors, append our data at the end of existing header */
+ if (last.blk && validate) {
+ if (unlikely(!http_append_header_value(htx, &last, ist2(trash.area, trash.data))))
+ return 0; /* htx error */
+ }
+ else {
+ if (unlikely(!http_add_header(htx, hdr, ist2(trash.area, trash.data))))
+ return 0; /* htx error */
+ }
+ }
+ return 1;
+}
+
+/*
+ * add X-Forwarded-For if either the frontend or the backend
+ * asks for it.
+ * Returns 1 for success and 0 for failure
+ */
+int http_handle_xff_header(struct stream *s, struct channel *req)
+{
+ struct session *sess = s->sess;
+ struct http_ext_xff *f_xff = NULL;
+ struct http_ext_xff *b_xff = NULL;
+
+ if (sess->fe->http_ext && sess->fe->http_ext->xff) {
+ /* frontend */
+ f_xff = sess->fe->http_ext->xff;
+ }
+ if (s->be->http_ext && s->be->http_ext->xff) {
+ /* backend */
+ b_xff = s->be->http_ext->xff;
+ }
+
+ if (f_xff || b_xff) {
+ struct htx *htx = htxbuf(&req->buf);
+ const struct sockaddr_storage *src = sc_src(s->scf);
+ struct http_hdr_ctx ctx = { .blk = NULL };
+ struct ist hdr = ((b_xff) ? b_xff->hdr_name : f_xff->hdr_name);
+
+ if ((!f_xff || f_xff->mode == HTTP_XFF_IFNONE) &&
+ (!b_xff || b_xff->mode == HTTP_XFF_IFNONE) &&
+ http_find_header(htx, hdr, &ctx, 0)) {
+ /* The header is set to be added only if none is present
+ * and we found it, so don't do anything.
+ */
+ }
+ else if (src && src->ss_family == AF_INET) {
+ /* Add an X-Forwarded-For header unless the source IP is
+ * in the 'except' network range.
+ */
+ if ((!f_xff || ipcmp2net(src, &f_xff->except_net)) &&
+ (!b_xff || ipcmp2net(src, &b_xff->except_net))) {
+ unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)src)->sin_addr;
+
+ /* Note: we rely on the backend to get the header name to be used for
+ * x-forwarded-for, because the header is really meant for the backends.
+ * However, if the backend did not specify any option, we have to rely
+ * on the frontend's header name.
+ */
+ chunk_printf(&trash, "%d.%d.%d.%d", pn[0], pn[1], pn[2], pn[3]);
+ if (unlikely(!http_add_header(htx, hdr, ist2(trash.area, trash.data))))
+ return 0;
+ }
+ }
+ else if (src && src->ss_family == AF_INET6) {
+ /* Add an X-Forwarded-For header unless the source IP is
+ * in the 'except' network range.
+ */
+ if ((!f_xff || ipcmp2net(src, &f_xff->except_net)) &&
+ (!b_xff || ipcmp2net(src, &b_xff->except_net))) {
+ char pn[INET6_ADDRSTRLEN];
+
+ inet_ntop(AF_INET6,
+ (const void *)&((struct sockaddr_in6 *)(src))->sin6_addr,
+ pn, sizeof(pn));
+
+ /* Note: we rely on the backend to get the header name to be used for
+ * x-forwarded-for, because the header is really meant for the backends.
+ * However, if the backend did not specify any option, we have to rely
+ * on the frontend's header name.
+ */
+ chunk_printf(&trash, "%s", pn);
+ if (unlikely(!http_add_header(htx, hdr, ist2(trash.area, trash.data))))
+ return 0;
+ }
+ }
+ }
+ return 1;
+}
+
+/*
+ * add X-Original-To if either the frontend or the backend
+ * asks for it.
+ * Returns 1 for success and 0 for failure
+ */
+int http_handle_xot_header(struct stream *s, struct channel *req)
+{
+ struct session *sess = s->sess;
+ struct http_ext_xot *f_xot = NULL;
+ struct http_ext_xot *b_xot = NULL;
+
+ if (sess->fe->http_ext && sess->fe->http_ext->xot) {
+ /* frontend */
+ f_xot = sess->fe->http_ext->xot;
+ }
+ if (s->be->http_ext && s->be->http_ext->xot) {
+ /* backend */
+ BUG_ON(!s->be->http_ext);
+ b_xot = s->be->http_ext->xot;
+ }
+
+ if (f_xot || b_xot) {
+ struct htx *htx = htxbuf(&req->buf);
+ const struct sockaddr_storage *dst = sc_dst(s->scf);
+ struct ist hdr = ((b_xot) ? b_xot->hdr_name : f_xot->hdr_name);
+
+ if (dst && dst->ss_family == AF_INET) {
+ /* Add an X-Original-To header unless the destination IP is
+ * in the 'except' network range.
+ */
+ if ((!f_xot || ipcmp2net(dst, &f_xot->except_net)) &&
+ (!b_xot || ipcmp2net(dst, &b_xot->except_net))) {
+ unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)dst)->sin_addr;
+
+ /* Note: we rely on the backend to get the header name to be used for
+ * x-original-to, because the header is really meant for the backends.
+ * However, if the backend did not specify any option, we have to rely
+ * on the frontend's header name.
+ */
+ chunk_printf(&trash, "%d.%d.%d.%d", pn[0], pn[1], pn[2], pn[3]);
+ if (unlikely(!http_add_header(htx, hdr, ist2(trash.area, trash.data))))
+ return 0;
+ }
+ }
+ else if (dst && dst->ss_family == AF_INET6) {
+ /* Add an X-Original-To header unless the source IP is
+ * in the 'except' network range.
+ */
+ if ((!f_xot || ipcmp2net(dst, &f_xot->except_net)) &&
+ (!b_xot || ipcmp2net(dst, &b_xot->except_net))) {
+ char pn[INET6_ADDRSTRLEN];
+
+ inet_ntop(AF_INET6,
+ (const void *)&((struct sockaddr_in6 *)dst)->sin6_addr,
+ pn, sizeof(pn));
+
+ /* Note: we rely on the backend to get the header name to be used for
+ * x-forwarded-for, because the header is really meant for the backends.
+ * However, if the backend did not specify any option, we have to rely
+ * on the frontend's header name.
+ */
+ chunk_printf(&trash, "%s", pn);
+ if (unlikely(!http_add_header(htx, hdr, ist2(trash.area, trash.data))))
+ return 0;
+ }
+ }
+ }
+ return 1;
+}
+
+/*
+ * =========== CONFIG ===========
+ * below are helpers to parse http ext options from the config
+ */
+static int proxy_http_parse_oom(const char *file, int linenum)
+{
+ int err_code = 0;
+
+ ha_alert("parsing [%s:%d]: out of memory.\n", file, linenum);
+ err_code |= ERR_ALERT | ERR_ABORT;
+ return err_code;
+}
+
+static inline int _proxy_http_parse_7239_expr(char **args, int *cur_arg,
+ const char *file, int linenum,
+ char **expr_s)
+{
+ int err_code = 0;
+
+ if (!*args[*cur_arg + 1]) {
+ ha_alert("parsing [%s:%d]: '%s' expects <expr> as argument.\n",
+ file, linenum, args[*cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ *cur_arg += 1;
+ ha_free(expr_s);
+ *expr_s = strdup(args[*cur_arg]);
+ if (!*expr_s)
+ return proxy_http_parse_oom(file, linenum);
+ *cur_arg += 1;
+ out:
+ return err_code;
+}
+
+/* forwarded/7239 RFC: tries to parse "option forwarded" config keyword
+ * Returns a composition of ERR_ABORT, ERR_ALERT, ERR_FATAL, ERR_WARN
+ */
+int proxy_http_parse_7239(char **args, int cur_arg,
+ struct proxy *curproxy, const struct proxy *defpx,
+ const char *file, int linenum)
+{
+ struct http_ext_7239 *fwd;
+ int err_code = 0;
+
+ if (warnifnotcap(curproxy, PR_CAP_BE, file, linenum, "option forwarded", NULL)) {
+ /* option is ignored for frontends */
+ err_code |= ERR_WARN;
+ goto out;
+ }
+
+ if (!http_ext_7239_prepare(curproxy))
+ return proxy_http_parse_oom(file, linenum);
+
+ fwd = curproxy->http_ext->fwd;
+
+ fwd->p_proto = 0;
+ fwd->p_host.mode = 0;
+ fwd->p_for.nn_mode = 0;
+ fwd->p_for.np_mode = 0;
+ fwd->p_by.nn_mode = 0;
+ fwd->p_by.np_mode = 0;
+ ha_free(&fwd->c_file);
+ fwd->c_file = strdup(file);
+ fwd->c_line = linenum;
+
+ /* start at 2, since 0+1 = "option" "forwarded" */
+ cur_arg = 2;
+ if (!*(args[cur_arg])) {
+ /* no optional argument provided, use default settings */
+ fwd->p_for.nn_mode = HTTP_7239_FORBY_ORIG; /* enable for and mimic xff */
+ fwd->p_proto = 1; /* enable proto */
+ goto out;
+ }
+ /* loop to go through optional arguments */
+ while (*(args[cur_arg])) {
+ if (strcmp(args[cur_arg], "proto") == 0) {
+ fwd->p_proto = 1;
+ cur_arg += 1;
+ } else if (strcmp(args[cur_arg], "host") == 0) {
+ fwd->p_host.mode = HTTP_7239_HOST_ORIG;
+ cur_arg += 1;
+ } else if (strcmp(args[cur_arg], "host-expr") == 0) {
+ fwd->p_host.mode = HTTP_7239_HOST_SMP;
+ err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum,
+ &fwd->p_host.expr_s);
+ if (err_code & ERR_CODE)
+ goto out;
+ } else if (strcmp(args[cur_arg], "by") == 0) {
+ fwd->p_by.nn_mode = HTTP_7239_FORBY_ORIG;
+ cur_arg += 1;
+ } else if (strcmp(args[cur_arg], "by-expr") == 0) {
+ fwd->p_by.nn_mode = HTTP_7239_FORBY_SMP;
+ err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum,
+ &fwd->p_by.nn_expr_s);
+ if (err_code & ERR_CODE)
+ goto out;
+ } else if (strcmp(args[cur_arg], "for") == 0) {
+ fwd->p_for.nn_mode = HTTP_7239_FORBY_ORIG;
+ cur_arg += 1;
+ } else if (strcmp(args[cur_arg], "for-expr") == 0) {
+ fwd->p_for.nn_mode = HTTP_7239_FORBY_SMP;
+ err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum,
+ &fwd->p_for.nn_expr_s);
+ if (err_code & ERR_CODE)
+ goto out;
+ } else if (strcmp(args[cur_arg], "by_port") == 0) {
+ fwd->p_by.np_mode = HTTP_7239_FORBY_ORIG;
+ cur_arg += 1;
+ } else if (strcmp(args[cur_arg], "by_port-expr") == 0) {
+ fwd->p_by.np_mode = HTTP_7239_FORBY_SMP;
+ err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum,
+ &fwd->p_by.np_expr_s);
+ if (err_code & ERR_CODE)
+ goto out;
+ } else if (strcmp(args[cur_arg], "for_port") == 0) {
+ fwd->p_for.np_mode = HTTP_7239_FORBY_ORIG;
+ cur_arg += 1;
+ } else if (strcmp(args[cur_arg], "for_port-expr") == 0) {
+ fwd->p_for.np_mode = HTTP_7239_FORBY_SMP;
+ err_code |= _proxy_http_parse_7239_expr(args, &cur_arg, file, linenum,
+ &fwd->p_for.np_expr_s);
+ if (err_code & ERR_CODE)
+ goto out;
+ } else {
+ /* unknown suboption - catchall */
+ ha_alert("parsing [%s:%d] : '%s %s' only supports optional values: 'proto', 'host', "
+ "'host-expr', 'by', 'by-expr', 'by_port', 'by_port-expr', "
+ "'for', 'for-expr', 'for_port' and 'for_port-expr'.\n",
+ file, linenum, args[0], args[1]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ } /* end while loop */
+
+ /* consistency check */
+ if (fwd->p_by.np_mode &&
+ !fwd->p_by.nn_mode) {
+ fwd->p_by.np_mode = 0;
+ ha_free(&fwd->p_by.np_expr_s);
+ ha_warning("parsing [%s:%d] : '%s %s' : '%s' will be ignored because both 'by' "
+ "and 'by-expr' are unset\n",
+ file, linenum, args[0], args[1],
+ ((fwd->p_by.np_mode == HTTP_7239_FORBY_ORIG) ? "by_port" : "by_port-expr"));
+ err_code |= ERR_WARN;
+ }
+ if (fwd->p_for.np_mode &&
+ !fwd->p_for.nn_mode) {
+ fwd->p_for.np_mode = 0;
+ ha_free(&fwd->p_for.np_expr_s);
+ ha_warning("parsing [%s:%d] : '%s %s' : '%s' will be ignored because both 'for' "
+ "and 'for-expr' are unset\n",
+ file, linenum, args[0], args[1],
+ ((fwd->p_for.np_mode == HTTP_7239_FORBY_ORIG) ? "for_port" : "for_port-expr"));
+ err_code |= ERR_WARN;
+ }
+
+ out:
+ return err_code;
+}
+
+/* rfc7239 forwarded option needs a postparsing step
+ * to convert parsing hints into runtime usable sample expressions
+ * Returns a composition of ERR_NONE, ERR_FATAL, ERR_ALERT, ERR_WARN
+ */
+int proxy_http_compile_7239(struct proxy *curproxy)
+{
+ struct http_ext_7239 *fwd;
+ int err = ERR_NONE;
+ int loop;
+
+ if (!(curproxy->cap & PR_CAP_BE)) {
+ /* no backend cap: not supported (ie: frontend) */
+ goto out;
+ }
+
+ /* should not happen (test should be performed after BE cap test) */
+ BUG_ON(!curproxy->http_ext || !curproxy->http_ext->fwd);
+
+ curproxy->conf.args.ctx = ARGC_OPT; /* option */
+ curproxy->conf.args.file = curproxy->http_ext->fwd->c_file;
+ curproxy->conf.args.line = curproxy->http_ext->fwd->c_line;
+ fwd = curproxy->http_ext->fwd;
+
+ /* it is important that we keep iterating on error to make sure
+ * all fwd config fields are in the same state (post-parsing state)
+ */
+ for (loop = 0; loop < 5; loop++) {
+ char **expr_str = NULL;
+ struct sample_expr **expr = NULL;
+ struct sample_expr *cur_expr;
+ char *err_str = NULL;
+ int smp = 0;
+ int idx = 0;
+
+ switch (loop) {
+ case 0:
+ /* host */
+ expr_str = &fwd->p_host.expr_s;
+ expr = &fwd->p_host.expr;
+ smp = (fwd->p_host.mode == HTTP_7239_HOST_SMP);
+ break;
+ case 1:
+ /* by->node */
+ expr_str = &fwd->p_by.nn_expr_s;
+ expr = &fwd->p_by.nn_expr;
+ smp = (fwd->p_by.nn_mode == HTTP_7239_FORBY_SMP);
+ break;
+ case 2:
+ /* by->nodeport */
+ expr_str = &fwd->p_by.np_expr_s;
+ expr = &fwd->p_by.np_expr;
+ smp = (fwd->p_by.np_mode == HTTP_7239_FORBY_SMP);
+ break;
+ case 3:
+ /* for->node */
+ expr_str = &fwd->p_for.nn_expr_s;
+ expr = &fwd->p_for.nn_expr;
+ smp = (fwd->p_for.nn_mode == HTTP_7239_FORBY_SMP);
+ break;
+ case 4:
+ /* for->nodeport */
+ expr_str = &fwd->p_for.np_expr_s;
+ expr = &fwd->p_for.np_expr;
+ smp = (fwd->p_for.np_mode == HTTP_7239_FORBY_SMP);
+ break;
+ }
+ if (!smp)
+ continue; /* no expr */
+
+ /* expr and expr_str cannot be NULL past this point */
+ BUG_ON(!expr || !expr_str);
+
+ if (!*expr_str) {
+ /* should not happen unless system memory exhaustion */
+ ha_alert("%s '%s' [%s:%d]: failed to parse 'option forwarded' expression : %s.\n",
+ proxy_type_str(curproxy), curproxy->id,
+ fwd->c_file, fwd->c_line,
+ "memory error");
+ err |= ERR_ALERT | ERR_FATAL;
+ continue;
+ }
+
+ cur_expr =
+ sample_parse_expr((char*[]){*expr_str, NULL}, &idx,
+ fwd->c_file,
+ fwd->c_line,
+ &err_str, &curproxy->conf.args, NULL);
+
+ if (!cur_expr) {
+ ha_alert("%s '%s' [%s:%d]: failed to parse 'option forwarded' expression '%s' in : %s.\n",
+ proxy_type_str(curproxy), curproxy->id,
+ fwd->c_file, fwd->c_line,
+ *expr_str, err_str);
+ ha_free(&err_str);
+ err |= ERR_ALERT | ERR_FATAL;
+ }
+ else if (!(cur_expr->fetch->val & SMP_VAL_BE_HRQ_HDR)) {
+ /* fetch not available in this context: sample expr is resolved
+ * within backend right after headers are processed.
+ * (in http_process_request())
+ * -> we simply warn the user about the misuse
+ */
+ ha_warning("%s '%s' [%s:%d]: in 'option forwarded' sample expression '%s' : "
+ "some args extract information from '%s', "
+ "none of which is available here.\n",
+ proxy_type_str(curproxy), curproxy->id,
+ fwd->c_file, fwd->c_line,
+ *expr_str, sample_ckp_names(cur_expr->fetch->use));
+ err |= ERR_WARN;
+ }
+ /* post parsing individual expr cleanup */
+ ha_free(expr_str);
+
+ /* expr assignment */
+ *expr = cur_expr;
+ }
+ curproxy->conf.args.file = NULL;
+ curproxy->conf.args.line = 0;
+
+ /* post parsing general cleanup */
+ ha_free(&fwd->c_file);
+ fwd->c_line = 0;
+
+ fwd->c_mode = 1; /* parsing completed */
+
+ out:
+ return err;
+}
+
+/* x-forwarded-for: tries to parse "option forwardfor" config keyword
+ * Returns a composition of ERR_NONE, ERR_FATAL, ERR_ALERT
+ */
+int proxy_http_parse_xff(char **args, int cur_arg,
+ struct proxy *curproxy, const struct proxy *defpx,
+ const char *file, int linenum)
+{
+ struct http_ext_xff *xff;
+ int err_code = 0;
+
+ if (!http_ext_xff_prepare(curproxy))
+ return proxy_http_parse_oom(file, linenum);
+
+ xff = curproxy->http_ext->xff;
+
+ /* insert x-forwarded-for field, but not for the IP address listed as an except.
+ * set default options (ie: bitfield, header name, etc)
+ */
+
+ xff->mode = HTTP_XFF_ALWAYS;
+
+ istfree(&xff->hdr_name);
+ xff->hdr_name = istdup(ist(DEF_XFORWARDFOR_HDR));
+ if (!isttest(xff->hdr_name))
+ return proxy_http_parse_oom(file, linenum);
+ xff->except_net.family = AF_UNSPEC;
+
+ /* loop to go through arguments - start at 2, since 0+1 = "option" "forwardfor" */
+ cur_arg = 2;
+ while (*(args[cur_arg])) {
+ if (strcmp(args[cur_arg], "except") == 0) {
+ unsigned char mask;
+ int i;
+
+ /* suboption except - needs additional argument for it */
+ if (*(args[cur_arg+1]) &&
+ str2net(args[cur_arg+1], 1, &xff->except_net.addr.v4.ip, &xff->except_net.addr.v4.mask)) {
+ xff->except_net.family = AF_INET;
+ xff->except_net.addr.v4.ip.s_addr &= xff->except_net.addr.v4.mask.s_addr;
+ }
+ else if (*(args[cur_arg+1]) &&
+ str62net(args[cur_arg+1], &xff->except_net.addr.v6.ip, &mask)) {
+ xff->except_net.family = AF_INET6;
+ len2mask6(mask, &xff->except_net.addr.v6.mask);
+ for (i = 0; i < 16; i++)
+ xff->except_net.addr.v6.ip.s6_addr[i] &= xff->except_net.addr.v6.mask.s6_addr[i];
+ }
+ else {
+ ha_alert("parsing [%s:%d] : '%s %s %s' expects <address>[/mask] as argument.\n",
+ file, linenum, args[0], args[1], args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ /* flush useless bits */
+ cur_arg += 2;
+ } else if (strcmp(args[cur_arg], "header") == 0) {
+ /* suboption header - needs additional argument for it */
+ if (*(args[cur_arg+1]) == 0) {
+ ha_alert("parsing [%s:%d] : '%s %s %s' expects <header_name> as argument.\n",
+ file, linenum, args[0], args[1], args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ istfree(&xff->hdr_name);
+ xff->hdr_name = istdup(ist(args[cur_arg+1]));
+ if (!isttest(xff->hdr_name))
+ return proxy_http_parse_oom(file, linenum);
+ cur_arg += 2;
+ } else if (strcmp(args[cur_arg], "if-none") == 0) {
+ xff->mode = HTTP_XFF_IFNONE;
+ cur_arg += 1;
+ } else {
+ /* unknown suboption - catchall */
+ ha_alert("parsing [%s:%d] : '%s %s' only supports optional values: 'except', 'header' and 'if-none'.\n",
+ file, linenum, args[0], args[1]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ } /* end while loop */
+ out:
+ return err_code;
+}
+
+/* x-original-to: tries to parse "option originalto" config keyword
+ * Returns a composition of ERR_NONE, ERR_FATAL, ERR_ALERT
+ */
+int proxy_http_parse_xot(char **args, int cur_arg,
+ struct proxy *curproxy, const struct proxy *defpx,
+ const char *file, int linenum)
+{
+ struct http_ext_xot *xot;
+ int err_code = 0;
+
+ if (!http_ext_xot_prepare(curproxy))
+ return proxy_http_parse_oom(file, linenum);
+
+ xot = curproxy->http_ext->xot;
+
+ /* insert x-original-to field, but not for the IP address listed as an except.
+ * set default options (ie: bitfield, header name, etc)
+ */
+
+ istfree(&xot->hdr_name);
+ xot->hdr_name = istdup(ist(DEF_XORIGINALTO_HDR));
+ if (!isttest(xot->hdr_name))
+ return proxy_http_parse_oom(file, linenum);
+ xot->except_net.family = AF_UNSPEC;
+
+ /* loop to go through arguments - start at 2, since 0+1 = "option" "originalto" */
+ cur_arg = 2;
+ while (*(args[cur_arg])) {
+ if (strcmp(args[cur_arg], "except") == 0) {
+ unsigned char mask;
+ int i;
+
+ /* suboption except - needs additional argument for it */
+ if (*(args[cur_arg+1]) &&
+ str2net(args[cur_arg+1], 1, &xot->except_net.addr.v4.ip, &xot->except_net.addr.v4.mask)) {
+ xot->except_net.family = AF_INET;
+ xot->except_net.addr.v4.ip.s_addr &= xot->except_net.addr.v4.mask.s_addr;
+ }
+ else if (*(args[cur_arg+1]) &&
+ str62net(args[cur_arg+1], &xot->except_net.addr.v6.ip, &mask)) {
+ xot->except_net.family = AF_INET6;
+ len2mask6(mask, &xot->except_net.addr.v6.mask);
+ for (i = 0; i < 16; i++)
+ xot->except_net.addr.v6.ip.s6_addr[i] &= xot->except_net.addr.v6.mask.s6_addr[i];
+ }
+ else {
+ ha_alert("parsing [%s:%d] : '%s %s %s' expects <address>[/mask] as argument.\n",
+ file, linenum, args[0], args[1], args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ cur_arg += 2;
+ } else if (strcmp(args[cur_arg], "header") == 0) {
+ /* suboption header - needs additional argument for it */
+ if (*(args[cur_arg+1]) == 0) {
+ ha_alert("parsing [%s:%d] : '%s %s %s' expects <header_name> as argument.\n",
+ file, linenum, args[0], args[1], args[cur_arg]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ istfree(&xot->hdr_name);
+ xot->hdr_name = istdup(ist(args[cur_arg+1]));
+ if (!isttest(xot->hdr_name))
+ return proxy_http_parse_oom(file, linenum);
+ cur_arg += 2;
+ } else {
+ /* unknown suboption - catchall */
+ ha_alert("parsing [%s:%d] : '%s %s' only supports optional values: 'except' and 'header'.\n",
+ file, linenum, args[0], args[1]);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ goto out;
+ }
+ } /* end while loop */
+
+ out:
+ return err_code;
+}
+
+/*
+ * =========== MGMT ===========
+ * below are helpers to manage http ext options
+ */
+
+/* Ensure http_ext->fwd is properly allocated and
+ * initialized for <curproxy>.
+ * The function will leverage http_ext_prepare() to make
+ * sure http_ext is properly allocated and initialized as well.
+ * Returns 1 for success and 0 for failure (memory error)
+ */
+int http_ext_7239_prepare(struct proxy *curproxy)
+{
+ struct http_ext_7239 *fwd;
+
+ if (!http_ext_prepare(curproxy))
+ return 0;
+ if (curproxy->http_ext->fwd)
+ return 1; /* nothing to do */
+
+ fwd = malloc(sizeof(*fwd));
+ if (!fwd)
+ return 0;
+ /* initialize fwd mandatory fields */
+ fwd->c_mode = 0; /* pre-compile (parse) time */
+ fwd->c_file = NULL;
+ fwd->p_host.expr_s = NULL;
+ fwd->p_by.nn_expr_s = NULL;
+ fwd->p_by.np_expr_s = NULL;
+ fwd->p_for.nn_expr_s = NULL;
+ fwd->p_for.np_expr_s = NULL;
+ /* assign */
+ curproxy->http_ext->fwd = fwd;
+ return 1;
+}
+
+/* Ensure http_ext->xff is properly allocated and
+ * initialized for <curproxy>.
+ * The function will leverage http_ext_prepare() to make
+ * sure http_ext is properly allocated and initialized as well.
+ * Returns 1 for success and 0 for failure (memory error)
+ */
+int http_ext_xff_prepare(struct proxy *curproxy)
+{
+ struct http_ext_xff *xff;
+
+ if (!http_ext_prepare(curproxy))
+ return 0;
+ if (curproxy->http_ext->xff)
+ return 1; /* nothing to do */
+
+ xff = malloc(sizeof(*xff));
+ if (!xff)
+ return 0;
+ /* initialize xff mandatory fields */
+ xff->hdr_name = IST_NULL;
+ /* assign */
+ curproxy->http_ext->xff = xff;
+ return 1;
+}
+
+/* Ensure http_ext->xot is properly allocated and
+ * initialized for <curproxy>.
+ * The function will leverage http_ext_prepare() to make
+ * sure http_ext is properly allocated and initialized as well.
+ * Returns 1 for success and 0 for failure (memory error)
+ */
+int http_ext_xot_prepare(struct proxy *curproxy)
+{
+ struct http_ext_xot *xot;
+
+ if (!http_ext_prepare(curproxy))
+ return 0;
+ if (curproxy->http_ext->xot)
+ return 1; /* nothing to do */
+
+ xot = malloc(sizeof(*xot));
+ if (!xot)
+ return 0;
+ /* initialize xot mandatory fields */
+ xot->hdr_name = IST_NULL;
+ /* assign */
+ curproxy->http_ext->xot = xot;
+ return 1;
+}
+
+/* deep clean http_ext->fwd parameter for <curproxy>
+ * http_ext->fwd will be freed
+ * clean behavior will differ depending on http_ext->fwd
+ * state. If fwd is in 'parsed' state, parsing hints will be
+ * cleaned. Else, it means fwd is in 'compiled' state, in this
+ * case we're cleaning compiled results.
+ * This is because parse and compile memory areas are shared in
+ * a single union to optimize struct http_ext_7239 size.
+ */
+void http_ext_7239_clean(struct proxy *curproxy)
+{
+ struct http_ext_7239 *clean;
+
+ if (!curproxy->http_ext)
+ return;
+ clean = curproxy->http_ext->fwd;
+ if (!clean)
+ return; /* nothing to do */
+ if (!clean->c_mode) {
+ /* parsed */
+ ha_free(&clean->c_file);
+ ha_free(&clean->p_host.expr_s);
+ ha_free(&clean->p_by.nn_expr_s);
+ ha_free(&clean->p_by.np_expr_s);
+ ha_free(&clean->p_for.nn_expr_s);
+ ha_free(&clean->p_for.np_expr_s);
+ }
+ else {
+ /* compiled */
+ release_sample_expr(clean->p_host.expr);
+ clean->p_host.expr = NULL;
+ release_sample_expr(clean->p_by.nn_expr);
+ clean->p_by.nn_expr = NULL;
+ release_sample_expr(clean->p_by.np_expr);
+ clean->p_by.np_expr = NULL;
+ release_sample_expr(clean->p_for.nn_expr);
+ clean->p_for.nn_expr = NULL;
+ release_sample_expr(clean->p_for.np_expr);
+ clean->p_for.np_expr = NULL;
+ }
+ /* free fwd */
+ ha_free(&curproxy->http_ext->fwd);
+}
+
+/* deep clean http_ext->xff parameter for <curproxy>
+ * http_ext->xff will be freed
+ */
+void http_ext_xff_clean(struct proxy *curproxy)
+{
+ struct http_ext_xff *clean;
+
+ if (!curproxy->http_ext)
+ return;
+ clean = curproxy->http_ext->xff;
+ if (!clean)
+ return; /* nothing to do */
+ istfree(&clean->hdr_name);
+ /* free xff */
+ ha_free(&curproxy->http_ext->xff);
+}
+
+/* deep clean http_ext->xot parameter for <curproxy>
+ * http_ext->xot will be freed
+ */
+void http_ext_xot_clean(struct proxy *curproxy)
+{
+ struct http_ext_xot *clean;
+
+ if (!curproxy->http_ext)
+ return;
+ clean = curproxy->http_ext->xot;
+ if (!clean)
+ return; /* nothing to do */
+ istfree(&clean->hdr_name);
+ /* free xot */
+ ha_free(&curproxy->http_ext->xot);
+}
+
+/* duplicate http_ext->fwd parameters from <def> to <cpy>
+ * performs the required memory allocation and initialization
+ */
+void http_ext_7239_dup(const struct proxy *def, struct proxy *cpy)
+{
+ struct http_ext_7239 *dest = NULL;
+ struct http_ext_7239 *orig = NULL;
+
+ /* feature requires backend cap */
+ if (!(cpy->cap & PR_CAP_BE))
+ return;
+
+ if (def->http_ext == NULL || def->http_ext->fwd == NULL)
+ return;
+
+ orig = def->http_ext->fwd;
+
+ if (orig->c_mode)
+ return; /* copy not supported once compiled */
+
+ if (!http_ext_7239_prepare(cpy))
+ return;
+
+ dest = cpy->http_ext->fwd;
+
+ if (orig->c_file)
+ dest->c_file = strdup(orig->c_file);
+ dest->c_line = orig->c_line;
+ /* proto */
+ dest->p_proto = orig->p_proto;
+ /* host */
+ dest->p_host.mode = orig->p_host.mode;
+ if (orig->p_host.expr_s)
+ dest->p_host.expr_s = strdup(orig->p_host.expr_s);
+ /* by - nodename */
+ dest->p_by.nn_mode = orig->p_by.nn_mode;
+ if (orig->p_by.nn_expr_s)
+ dest->p_by.nn_expr_s = strdup(orig->p_by.nn_expr_s);
+ /* by - nodeport */
+ dest->p_by.np_mode = orig->p_by.np_mode;
+ if (orig->p_by.np_expr_s)
+ dest->p_by.np_expr_s = strdup(orig->p_by.np_expr_s);
+ /* for - nodename */
+ dest->p_for.nn_mode = orig->p_for.nn_mode;
+ if (orig->p_for.nn_expr_s)
+ dest->p_for.nn_expr_s = strdup(orig->p_for.nn_expr_s);
+ /* for - nodeport */
+ dest->p_for.np_mode = orig->p_for.np_mode;
+ if (orig->p_for.np_expr_s)
+ dest->p_for.np_expr_s = strdup(orig->p_for.np_expr_s);
+}
+
+/* duplicate http_ext->xff parameters from <def> to <cpy>
+ * performs the required memory allocation and initialization
+ */
+void http_ext_xff_dup(const struct proxy *def, struct proxy *cpy)
+{
+ struct http_ext_xff *dest = NULL;
+ struct http_ext_xff *orig = NULL;
+
+ if (def->http_ext == NULL || def->http_ext->xff == NULL ||
+ !http_ext_xff_prepare(cpy))
+ return;
+
+ orig = def->http_ext->xff;
+ dest = cpy->http_ext->xff;
+
+ if (isttest(orig->hdr_name))
+ dest->hdr_name = istdup(orig->hdr_name);
+ dest->mode = orig->mode;
+ dest->except_net = orig->except_net;
+}
+
+/* duplicate http_ext->xot parameters from <def> to <cpy>
+ * performs the required memory allocation and initialization
+ */
+void http_ext_xot_dup(const struct proxy *def, struct proxy *cpy)
+{
+ struct http_ext_xot *dest = NULL;
+ struct http_ext_xot *orig = NULL;
+
+ if (def->http_ext == NULL || def->http_ext->xot == NULL ||
+ !http_ext_xot_prepare(cpy))
+ return;
+
+ orig = def->http_ext->xot;
+ dest = cpy->http_ext->xot;
+
+ if (isttest(orig->hdr_name))
+ dest->hdr_name = istdup(orig->hdr_name);
+ dest->except_net = orig->except_net;
+}
+
+/* Allocate new http_ext and initialize it
+ * if needed
+ * Returns 1 for success and 0 for failure
+ */
+int http_ext_prepare(struct proxy *curproxy)
+{
+ if (curproxy->http_ext)
+ return 1; /* nothing to do */
+
+ curproxy->http_ext = malloc(sizeof(*curproxy->http_ext));
+ if (!curproxy->http_ext)
+ return 0; /* failure */
+ /* first init, set supported ext to NULL */
+ curproxy->http_ext->fwd = NULL;
+ curproxy->http_ext->xff = NULL;
+ curproxy->http_ext->xot = NULL;
+ return 1;
+}
+
+/* duplicate existing http_ext from <defproxy> to <curproxy>
+ */
+void http_ext_dup(const struct proxy *defproxy, struct proxy *curproxy)
+{
+ /* copy defproxy.http_ext members */
+ http_ext_7239_dup(defproxy, curproxy);
+ http_ext_xff_dup(defproxy, curproxy);
+ http_ext_xot_dup(defproxy, curproxy);
+}
+
+/* deep clean http_ext for <curproxy> (if previously allocated)
+ */
+void http_ext_clean(struct proxy *curproxy)
+{
+ if (!curproxy->http_ext)
+ return; /* nothing to do */
+ /* first, free supported ext */
+ http_ext_7239_clean(curproxy);
+ http_ext_xff_clean(curproxy);
+ http_ext_xot_clean(curproxy);
+
+ /* then, free http_ext */
+ ha_free(&curproxy->http_ext);
+}
+
+/* soft clean (only clean http_ext if no more options are used) */
+void http_ext_softclean(struct proxy *curproxy)
+{
+ if (!curproxy->http_ext)
+ return; /* nothing to do */
+ if (!curproxy->http_ext->fwd &&
+ !curproxy->http_ext->xff &&
+ !curproxy->http_ext->xot) {
+ /* no more use for http_ext, all options are disabled */
+ http_ext_clean(curproxy);
+ }
+}
+
+/* Perform some consistency checks on px.http_ext after parsing
+ * is completed.
+ * We make sure to perform a softclean in case some options were
+ * to be disabled in this check. This way we can release some memory.
+ * Returns a composition of ERR_NONE, ERR_ALERT, ERR_FATAL, ERR_WARN
+ */
+static int check_http_ext_postconf(struct proxy *px) {
+ int err = ERR_NONE;
+
+ if (px->http_ext) {
+ /* consistency check for http_ext */
+ if (px->mode != PR_MODE_HTTP && !(px->options & PR_O_HTTP_UPG)) {
+ /* http is disabled on px, yet it is required by http_ext */
+ if (px->http_ext->fwd) {
+ ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
+ "forwarded", proxy_type_str(px), px->id);
+ err |= ERR_WARN;
+ http_ext_7239_clean(px);
+ }
+ if (px->http_ext->xff) {
+ ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
+ "forwardfor", proxy_type_str(px), px->id);
+ err |= ERR_WARN;
+ http_ext_xff_clean(px);
+ }
+ if (px->http_ext->xot) {
+ ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
+ "originalto", proxy_type_str(px), px->id);
+ err |= ERR_WARN;
+ http_ext_xot_clean(px);
+ }
+ } else if (px->http_ext->fwd) {
+ /* option "forwarded" may need to compile its expressions */
+ err |= proxy_http_compile_7239(px);
+ }
+ /* http_ext post init early cleanup */
+ http_ext_softclean(px);
+
+ }
+ return err;
+}
+
+REGISTER_POST_PROXY_CHECK(check_http_ext_postconf);
+/*
+ * =========== CONV ===========
+ * related converters
+ */
+
+/* input: string representing 7239 forwarded header single value
+ * does not take arguments
+ * output: 1 if header is RFC compliant, 0 otherwise
+ */
+static int sample_conv_7239_valid(const struct arg *args, struct sample *smp, void *private)
+{
+ struct ist input = ist2(smp->data.u.str.area, smp->data.u.str.data);
+
+ smp->data.type = SMP_T_BOOL;
+ smp->data.u.sint = !!http_validate_7239_header(input, FORWARDED_HEADER_ALL, NULL);
+ return 1;
+}
+
+/* input: string representing 7239 forwarded header single value
+ * argument: parameter name to look for in the header
+ * output: header parameter raw value, as a string
+ */
+static int sample_conv_7239_field(const struct arg *args, struct sample *smp, void *private)
+{
+ struct ist input = ist2(smp->data.u.str.area, smp->data.u.str.data);
+ struct buffer *output;
+ struct forwarded_header_ctx ctx;
+ int validate;
+ int field = 0;
+
+ if (strcmp(args->data.str.area, "proto") == 0)
+ field = FORWARDED_HEADER_PROTO;
+ else if (strcmp(args->data.str.area, "host") == 0)
+ field = FORWARDED_HEADER_HOST;
+ else if (strcmp(args->data.str.area, "for") == 0)
+ field = FORWARDED_HEADER_FOR;
+ else if (strcmp(args->data.str.area, "by") == 0)
+ field = FORWARDED_HEADER_BY;
+
+ validate = http_validate_7239_header(input, FORWARDED_HEADER_ALL, &ctx);
+ if (!(validate & field))
+ return 0; /* invalid header or header does not contain field */
+ output = get_trash_chunk();
+ switch (field) {
+ case FORWARDED_HEADER_PROTO:
+ if (ctx.proto == FORWARDED_HEADER_HTTP)
+ chunk_appendf(output, "http");
+ else if (ctx.proto == FORWARDED_HEADER_HTTPS)
+ chunk_appendf(output, "https");
+ break;
+ case FORWARDED_HEADER_HOST:
+ chunk_istcat(output, ctx.host);
+ break;
+ case FORWARDED_HEADER_FOR:
+ chunk_istcat(output, ctx.nfor.raw);
+ break;
+ case FORWARDED_HEADER_BY:
+ chunk_istcat(output, ctx.nby.raw);
+ break;
+ default:
+ break;
+ }
+ smp->flags &= ~SMP_F_CONST;
+ smp->data.type = SMP_T_STR;
+ smp->data.u.str = *output;
+ return 1;
+}
+
+/* input: substring representing 7239 forwarded header node
+ * output: forwarded header nodename translated to either
+ * ipv4 address, ipv6 address or str
+ * ('_' prefix if obfuscated, or "unknown" if unknown)
+ */
+static int sample_conv_7239_n2nn(const struct arg *args, struct sample *smp, void *private)
+{
+ struct ist input = ist2(smp->data.u.str.area, smp->data.u.str.data);
+ struct forwarded_header_node ctx;
+ struct buffer *output;
+
+ if (http_7239_extract_node(&input, &ctx, 1) == 0)
+ return 0; /* could not extract node */
+ switch (ctx.nodename.type) {
+ case FORWARDED_HEADER_UNK:
+ output = get_trash_chunk();
+ chunk_appendf(output, "unknown");
+ smp->flags &= ~SMP_F_CONST;
+ smp->data.type = SMP_T_STR;
+ smp->data.u.str = *output;
+ break;
+ case FORWARDED_HEADER_OBFS:
+ output = get_trash_chunk();
+ chunk_appendf(output, "_"); /* append obfs prefix */
+ chunk_istcat(output, ctx.nodename.obfs);
+ smp->flags &= ~SMP_F_CONST;
+ smp->data.type = SMP_T_STR;
+ smp->data.u.str = *output;
+ break;
+ case FORWARDED_HEADER_IP:
+ if (ctx.nodename.ip.ss_family == AF_INET) {
+ smp->data.type = SMP_T_IPV4;
+ smp->data.u.ipv4 = ((struct sockaddr_in *)&ctx.nodename.ip)->sin_addr;
+ }
+ else if (ctx.nodename.ip.ss_family == AF_INET6) {
+ smp->data.type = SMP_T_IPV6;
+ smp->data.u.ipv6 = ((struct sockaddr_in6 *)&ctx.nodename.ip)->sin6_addr;
+ }
+ else
+ return 0; /* unsupported */
+ break;
+ default:
+ return 0; /* unsupported */
+ }
+ return 1;
+}
+
+/* input: substring representing 7239 forwarded header node
+ * output: forwarded header nodeport translated to either
+ * integer or str for obfuscated ('_' prefix)
+ */
+static int sample_conv_7239_n2np(const struct arg *args, struct sample *smp, void *private)
+{
+ struct ist input = ist2(smp->data.u.str.area, smp->data.u.str.data);
+ struct forwarded_header_node ctx;
+ struct buffer *output;
+
+ if (http_7239_extract_node(&input, &ctx, 1) == 0)
+ return 0; /* could not extract node */
+
+ switch (ctx.nodeport.type) {
+ case FORWARDED_HEADER_UNK:
+ return 0; /* not provided */
+ case FORWARDED_HEADER_OBFS:
+ output = get_trash_chunk();
+ chunk_appendf(output, "_"); /* append obfs prefix */
+ chunk_istcat(output, ctx.nodeport.obfs);
+ smp->flags &= ~SMP_F_CONST;
+ smp->data.type = SMP_T_STR;
+ smp->data.u.str = *output;
+ break;
+ case FORWARDED_HEADER_PORT:
+ smp->data.type = SMP_T_SINT;
+ smp->data.u.sint = ctx.nodeport.port;
+ break;
+ default:
+ return 0; /* unsupported */
+ }
+
+ return 1;
+}
+
+/* Note: must not be declared <const> as its list will be overwritten */
+static struct sample_conv_kw_list sample_conv_kws = {ILH, {
+ { "rfc7239_is_valid", sample_conv_7239_valid, 0, NULL, SMP_T_STR, SMP_T_BOOL},
+ { "rfc7239_field", sample_conv_7239_field, ARG1(1,STR), NULL, SMP_T_STR, SMP_T_STR},
+ { "rfc7239_n2nn", sample_conv_7239_n2nn, 0, NULL, SMP_T_STR, SMP_T_ANY},
+ { "rfc7239_n2np", sample_conv_7239_n2np, 0, NULL, SMP_T_STR, SMP_T_ANY},
+ { NULL, NULL, 0, 0, 0 },
+}};
+
+INITCALL1(STG_REGISTER, sample_register_convs, &sample_conv_kws);