use ip from x-forwarded-for for searching a client

Author: avbelov23

tempesta_fw/client.c

@@ -78,7 +78,7 @@ addr_eq(TdbRec *rec, void *data)
 }
 
 /**
- * Find a client corresponding to the @sk by IP address.
+ * Find a client corresponding to @addr.
  * More advanced identification is possible based on User-Agent,
  * Cookie and other HTTP headers.
  * TODO (#488,#598,#1054?) actually clients can be relatively reliably
@@ -88,19 +88,17 @@ addr_eq(TdbRec *rec, void *data)
  * when the @sk is closed.
  */
 TfwClient *
-tfw_client_obtain(struct sock *sk, void (*init)(TfwClient *))
+tfw_client_obtain(TfwAddr addr, void (*init)(TfwClient *))
 {
 	TfwClientEntry *ent;
 	TfwClient *cli;
 	unsigned long key;
-	TfwAddr addr;
 	size_t len;
 	TdbRec *rec;
 	bool is_new;
 	int conn_users;
 	time_t curr_time = tfw_current_timestamp();
 
-	ss_getpeername(sk, &addr);
 	key = hash_calc((const char *)&addr.sin6_addr,
 			sizeof(addr.sin6_addr));
 

tempesta_fw/client.h

@@ -40,7 +40,7 @@ typedef struct {
 	TfwClassifierPrvt	class_prvt;
 } TfwClient;
 
-TfwClient *tfw_client_obtain(struct sock *sk, void (*init)(TfwClient *));
+TfwClient *tfw_client_obtain(TfwAddr addr, void (*init)(TfwClient *));
 void tfw_client_put(TfwClient *cli);
 int tfw_client_for_each(int (*fn)(void *));
 void tfw_cli_conn_release(TfwCliConn *cli_conn);

tempesta_fw/connection.c

@@ -41,7 +41,7 @@ tfw_connection_init(TfwConn *conn)
 void
 tfw_connection_link_peer(TfwConn *conn, TfwPeer *peer)
 {
-	BUG_ON(conn->peer || !list_empty(&conn->list));
+	BUG_ON(!list_empty(&conn->list));
 	conn->peer = peer;
 	tfw_peer_add_conn(peer, &conn->list);
 }

tempesta_fw/http.c

@@ -2828,6 +2828,9 @@ tfw_http_req_process(TfwConn *conn, const TfwFsmData *data)
 	TfwHttpMsg *hmsib;
 	TfwHttpParser *parser;
 	TfwFsmData data_up;
+	TfwAddr addr;
+	TfwStr s_xff, s_ip, *c, *end;
+	unsigned int nchunks;
 
 	BUG_ON(!conn->msg);
 	BUG_ON(off >= skb->len);
@@ -2931,6 +2934,30 @@ tfw_http_req_process(TfwConn *conn, const TfwFsmData *data)
 		skb = NULL;
 	}
 
+	/*
+	 * If a client work through a forward proxy, then a proxy can pass it's
+	 * IP address by the first value in X-Forwarded-For
+	 */
+	s_xff = req->h_tbl->tbl[TFW_HTTP_HDR_X_FORWARDED_FOR];
+	s_ip = tfw_str_next_str_val(&s_xff);
+	nchunks = 0;
+	TFW_STR_FOR_EACH_CHUNK(c, &s_ip, end) {
+		if (!(c->flags & TFW_STR_VALUE))
+			break;
+		nchunks++;
+	}
+	s_ip.nchunks = nchunks;
+
+	if (!TFW_STR_EMPTY(&s_ip) && tfw_addr_pton(&s_ip, &addr) == 0) {
+		TfwClient *cli = tfw_client_obtain(addr, NULL);
+		TfwClient *conn_cli = (TfwClient *)conn->peer;
+		if (cli && conn_cli != cli) {
+			tfw_connection_unlink_from_peer(conn);
+			tfw_client_put(conn_cli);
+			tfw_connection_link_peer(conn, (TfwPeer *)cli);
+		}
+	}
+
 	/*
 	 * Sticky cookie module must be used before request can reach cache.
 	 * Unauthorised clients mustn't be able to get any resource on

tempesta_fw/http_limits.c

@@ -335,8 +335,10 @@ frang_conn_new(struct sock *sk)
 	FrangAcc *ra;
 	TfwClient *cli;
 	FrangCfg *conf = tfw_vhost_global_frang_cfg();
+	TfwAddr addr;
 
-	cli = tfw_client_obtain(sk, __frang_init_acc);
+	ss_getpeername(sk, &addr);
+	cli = tfw_client_obtain(addr, __frang_init_acc);
 	if (unlikely(!cli)) {
 		TFW_ERR("can't obtain a client for frang accounting\n");
 		return TFW_BLOCK;

tempesta_fw/http_parser.c

@@ -3223,27 +3223,27 @@ __req_parse_x_forwarded_for(TfwHttpMsg *hm, unsigned char *data, size_t len)
 	__FSM_STATE(Req_I_XFF) {
 		/* Eat OWS before the node ID. */
 		if (unlikely(IS_WS(c)))
-			__FSM_I_MOVE(Req_I_XFF);
+			__FSM_I_MOVE_fixup(Req_I_XFF, 1, 0);
 		/*
 		 * Eat IP address or host name.
 		 *
 		 * TODO: parse/validate IP addresses and textual IDs.
 		 * Currently we just validate separate characters, but the
 		 * whole value may be invalid (e.g. "---[_..[[").
 		 */
-		__FSM_I_MATCH_MOVE(xff, Req_I_XFF_Node_Id);
+		__FSM_I_MATCH_MOVE_fixup(xff, Req_I_XFF_Node_Id, TFW_STR_VALUE);
 		if (unlikely(!__fsm_sz))
 			return CSTR_NEQ;
-		__FSM_I_MOVE_n(Req_I_XFF_Sep, __fsm_sz);
+		__FSM_I_MOVE_fixup(Req_I_XFF_Sep, __fsm_sz, TFW_STR_VALUE);
 	}
 
 	/*
 	 * At this state we know that we saw at least one character as
 	 * a host address and now we can pass zero length token.
 	 */
 	__FSM_STATE(Req_I_XFF_Node_Id) {
-		__FSM_I_MATCH_MOVE(xff, Req_I_XFF_Node_Id);
-		__FSM_I_MOVE_n(Req_I_XFF_Sep, __fsm_sz);
+		__FSM_I_MATCH_MOVE_fixup(xff, Req_I_XFF_Node_Id, TFW_STR_VALUE);
+		__FSM_I_MOVE_fixup(Req_I_XFF_Sep, __fsm_sz, TFW_STR_VALUE);
 	}
 
 	__FSM_STATE(Req_I_XFF_Sep) {
@@ -3256,14 +3256,14 @@ __req_parse_x_forwarded_for(TfwHttpMsg *hm, unsigned char *data, size_t len)
 
 		/* OWS before comma or before EOL (is unusual). */
 		if (unlikely(IS_WS(c)))
-			__FSM_I_MOVE(Req_I_XFF_Sep);
+			__FSM_I_MOVE_fixup(Req_I_XFF_Sep, 1, 0);
 
 		/*
 		 * Multiple subsequent commas look suspicious, so we don't
 		 * stay in this state after the first comma is met.
 		 */
 		if (likely(c == ','))
-			__FSM_I_MOVE(Req_I_XFF);
+			__FSM_I_MOVE_fixup(Req_I_XFF, 1, 0);
 
 		return CSTR_NEQ;
 	}
@@ -4075,9 +4075,9 @@ tfw_http_parse_req(void *req_data, unsigned char *data, size_t len,
 				  TFW_HTTP_HDR_TRANSFER_ENCODING);
 
 	/* 'X-Forwarded-For:*OWS' is read, process field-value. */
-	TFW_HTTP_PARSE_SPECHDR_VAL(Req_HdrX_Forwarded_ForV, Req_I_XFF,
-				   msg, __req_parse_x_forwarded_for,
-				   TFW_HTTP_HDR_X_FORWARDED_FOR);
+	__TFW_HTTP_PARSE_SPECHDR_VAL(Req_HdrX_Forwarded_ForV, Req_I_XFF,
+				     msg, __req_parse_x_forwarded_for,
+				     TFW_HTTP_HDR_X_FORWARDED_FOR, 0);
 
 	/* 'User-Agent:*OWS' is read, process field-value. */
 	TFW_HTTP_PARSE_SPECHDR_VAL(Req_HdrUser_AgentV, Req_I_UserAgent,

tempesta_fw/sock_clnt.c

@@ -145,6 +145,7 @@ tfw_sock_clnt_new(struct sock *sk)
 	TfwClient *cli;
 	TfwConn *conn;
 	SsProto *listen_sock_proto;
+	TfwAddr addr;
 
 	TFW_DBG3("new client socket: sk=%p, state=%u\n", sk, sk->sk_state);
 	TFW_INC_STAT_BH(clnt.conn_attempts);
@@ -158,7 +159,8 @@ tfw_sock_clnt_new(struct sock *sk)
 	listen_sock_proto = sk->sk_user_data;
 	tfw_connection_unlink_from_sk(sk);
 
-	cli = tfw_client_obtain(sk, NULL);
+	ss_getpeername(sk, &addr);
+	cli = tfw_client_obtain(addr, NULL);
 	if (!cli) {
 		TFW_ERR("can't obtain a client for the new socket\n");
 		return -ENOENT;