use ip from x-forwarded-for for searching a client

Author: avbelov23

tempesta_fw/client.c

@@ -41,16 +41,18 @@ static struct {
 /**
  * Client tdb entry.
  *
- * @cli			- client descriptor
- * @expires		- expiration time for the client descriptor after all
- *			  connections are closed
+ * @cli			- client descriptor;
+ * @xff_addr		- peer IPv6 address from X-Forwarded-For;
+ * @expires		- expiration time for the client descriptor after all;
+ *			  connections are closed;
  * @lock		- lock for atomic change @expires and @users;
  * @users		- reference counter.
  * 			  Expiration state will begind, when the counter reaches
- *			  zero
+ *			  zero;
  */
 typedef struct {
 	TfwClient	cli;
+	TfwAddr		xff_addr;
 	time_t		expires;
 	spinlock_t	lock;
 	atomic_t	users;
@@ -88,21 +90,34 @@ tfw_client_put(TfwClient *cli)
 	TFW_DEC_STAT_BH(clnt.online);
 }
 
+typedef struct {
+	TfwAddr addr;
+	TfwAddr xff_addr;
+} TfwClientEqCtx;
+
+static struct in6_addr any_addr = IN6ADDR_ANY_INIT;
+
 static bool
 tfw_client_addr_eq(TdbRec *rec, void (*init)(void *), void *data)
 {
 	TfwClientEntry *ent = (TfwClientEntry *)rec->data;
 	TfwClient *cli = &ent->cli;
-	TfwAddr *addr = (TfwAddr *)data;
+	TfwClientEqCtx *ctx = (TfwClientEqCtx *)data;
 	time_t curr_time = tfw_current_timestamp();
 	int users;
 
-	if (memcmp_fast(&cli->addr.sin6_addr, &addr->sin6_addr,
+	if (memcmp_fast(&cli->addr.sin6_addr, &ctx->addr.sin6_addr,
 			sizeof(cli->addr.sin6_addr)))
 	{
 		return false;
 	}
 
+	if (memcmp_fast(&ent->xff_addr.sin6_addr, &ctx->xff_addr.sin6_addr,
+			sizeof(ent->xff_addr.sin6_addr)))
+	{
+		return false;
+	}
+
 	spin_lock(&ent->lock);
 
 	if (curr_time > ent->expires) {
@@ -130,7 +145,7 @@ tfw_client_ent_init(TdbRec *rec, void (*init)(void *), void *data)
 {
 	TfwClientEntry *ent = (TfwClientEntry *)rec->data;
 	TfwClient *cli = &ent->cli;
-	TfwAddr *addr = (TfwAddr *)data;
+	TfwClientEqCtx *ctx = (TfwClientEqCtx *)data;
 
 	spin_lock_init(&ent->lock);
 
@@ -142,15 +157,16 @@ tfw_client_ent_init(TdbRec *rec, void (*init)(void *), void *data)
 	atomic_set(&ent->users, 1);
 	TFW_INC_STAT_BH(clnt.online);
 
-	tfw_peer_init((TfwPeer *)cli, addr);
+	tfw_peer_init((TfwPeer *)cli, &ctx->addr);
+	ent->xff_addr = ctx->xff_addr;
 
 	TFW_DBG("new client: cli=%p\n", cli);
 	TFW_DBG_ADDR("client address", &cli->addr, TFW_NO_PORT);
 	TFW_DBG2("client %p, users=%d\n", cli, 1);
 }
 
 /**
- * Find a client corresponding to the @sk by IP address.
+ * Find a client corresponding to @addr and @xff_addr (e.g. from X-Forwarded-For).
  * More advanced identification is possible based on User-Agent,
  * Cookie and other HTTP headers.
  *
@@ -159,23 +175,32 @@ tfw_client_ent_init(TdbRec *rec, void (*init)(void *), void *data)
  * TODO #515 employ eviction strategy for the table.
  */
 TfwClient *
-tfw_client_obtain(struct sock *sk, void (*init)(void *))
+tfw_client_obtain(TfwAddr addr, TfwAddr *xff_addr, void (*init)(void *))
 {
 	TfwClientEntry *ent;
 	TfwClient *cli;
 	unsigned long key;
-	TfwAddr addr;
+	TfwClientEqCtx ctx;
 	size_t len;
 	TdbRec *rec;
 	bool is_new;
 
-	ss_getpeername(sk, &addr);
+	ctx.addr = addr;
+
 	key = hash_calc((const char *)&addr.sin6_addr,
 			sizeof(addr.sin6_addr));
 
+	if (xff_addr) {
+		key ^= hash_calc((const char *)&xff_addr->sin6_addr,
+				 sizeof(xff_addr->sin6_addr));
+		ctx.xff_addr = *xff_addr;
+	} else {
+		ctx.xff_addr.sin6_addr = any_addr;
+	}
+
 	len = sizeof(TfwClientEntry);
 	rec = tdb_rec_get_alloc(client_db, key, &len, &tfw_client_addr_eq,
-				&tfw_client_ent_init, init, &addr, &is_new);
+				&tfw_client_ent_init, init, &ctx, &is_new);
 	BUG_ON(len < sizeof(TfwClientEntry));
 	if (!rec) {
 		TFW_WARN("cannot allocate TDB space for client\n");

tempesta_fw/client.h

@@ -36,7 +36,8 @@ typedef struct {
 	TfwClassifierPrvt	class_prvt;
 } TfwClient;
 
-TfwClient *tfw_client_obtain(struct sock *sk, void (*init)(void *));
+TfwClient *tfw_client_obtain(TfwAddr addr, TfwAddr *cli_addr,
+			     void (*init)(void *));
 void tfw_client_put(TfwClient *cli);
 int tfw_client_for_each(int (*fn)(void *));
 void tfw_client_set_expires_time(unsigned int expires_time);

tempesta_fw/connection.h

@@ -88,7 +88,7 @@ enum {
  * @refcnt	- number of users of the connection structure instance;
  * @timer	- The keep-alive/retry timer for the connection;
  * @msg		- message that is currently being processed;
- * @peer	- TfwClient or TfwServer handler;
+ * @peer	- TfwClient or TfwServer handler. Hop-by-hop peer;
  * @sk		- an appropriate sock handler;
  * @destructor	- called when a connection is destroyed;
  */

tempesta_fw/http.c

@@ -1810,6 +1810,9 @@ tfw_http_req_destruct(void *msg)
 	tfw_vhost_put(req->vhost);
 	if (req->sess)
 		tfw_http_sess_put(req->sess);
+
+	if (req->peer)
+		tfw_client_put(req->peer);
 }
 
 /**
@@ -2982,6 +2985,54 @@ tfw_http_chop_skb(TfwHttpMsg *hm, struct sk_buff *skb,
 	return ss_skb_chop_head_tail(hm->msg.skb_head, skb, off, trail);
 }
 
+static TfwStr
+tfw_http_get_ip_from_xff(TfwHttpReq *req)
+{
+	TfwStr s_xff, s_ip, *c, *end;
+	unsigned int nchunks;
+
+	/*
+	 * If a client works through a forward proxy, then a proxy can pass it's
+	 * IP address by the first value in X-Forwarded-For
+	 */
+	s_xff = req->h_tbl->tbl[TFW_HTTP_HDR_X_FORWARDED_FOR];
+	s_ip = tfw_str_next_str_val(&s_xff);
+	nchunks = 0;
+	TFW_STR_FOR_EACH_CHUNK(c, &s_ip, end) {
+		if (!(c->flags & TFW_STR_VALUE))
+			break;
+		nchunks++;
+	}
+	s_ip.nchunks = nchunks;
+
+	return s_ip;
+}
+
+static int
+tfw_http_req_client_link(TfwConn *conn, TfwHttpReq *req)
+{
+	TfwStr s_ip;
+	TfwAddr addr;
+	TfwClient *cli, *conn_cli;
+
+	s_ip = tfw_http_get_ip_from_xff(req);
+	if (!TFW_STR_EMPTY(&s_ip)) {
+		if (tfw_addr_pton(&s_ip, &addr) != 0)
+			return TFW_BLOCK;
+
+		conn_cli = (TfwClient *)conn->peer;
+		cli = tfw_client_obtain(conn_cli->addr, &addr, NULL);
+		if (cli) {
+			if (cli != conn_cli)
+				req->peer = cli;
+			else
+				tfw_client_put(cli);
+		}
+	}
+
+	return 0;
+}
+
 /**
  * @return zero on success and negative value otherwise.
  * TODO enter the function depending on current GFSM state.
@@ -3101,6 +3152,9 @@ tfw_http_req_process(TfwConn *conn, const TfwFsmData *data)
 		skb = NULL;
 	}
 
+	if ((r = tfw_http_req_client_link(conn, req)))
+		return r;
+
 	/*
 	 * Sticky cookie module must be used before request can reach cache.
 	 * Unauthorised clients mustn't be able to get any resource on

tempesta_fw/http.h

@@ -30,6 +30,7 @@
 #include "server.h"
 #include "str.h"
 #include "vhost.h"
+#include "client.h"
 
 /**
  * HTTP Generic FSM states.
@@ -367,6 +368,9 @@ typedef struct {
  * @vhost	- virtual host for the request;
  * @location	- URI location;
  * @sess	- HTTP session descriptor, required for scheduling;
+ * @peer	- end-to-end peer. The peer is not set if
+ *		  hop-by-hop peer (TfwConnection->peer) and end-to-end peer are
+ *		  the same;
  * @userinfo	- userinfo in URI, not mandatory.
  * @host	- host in URI, may differ from Host header;
  * @uri_path	- path + query + fragment from URI (RFC3986.3);
@@ -393,6 +397,7 @@ struct tfw_http_req_t {
 	TfwVhost		*vhost;
 	TfwLocation		*location;
 	TfwHttpSess		*sess;
+	TfwClient		*peer;
 	TfwHttpCond		cond;
 	TfwStr			userinfo;
 	TfwStr			host;

tempesta_fw/http_limits.c

@@ -336,8 +336,10 @@ frang_conn_new(struct sock *sk)
 	FrangAcc *ra;
 	TfwClient *cli;
 	FrangCfg *conf = tfw_vhost_global_frang_cfg();
+	TfwAddr addr;
 
-	cli = tfw_client_obtain(sk, __frang_init_acc);
+	ss_getpeername(sk, &addr);
+	cli = tfw_client_obtain(addr, NULL, __frang_init_acc);
 	if (unlikely(!cli)) {
 		TFW_ERR("can't obtain a client for frang accounting\n");
 		return TFW_BLOCK;
@@ -986,6 +988,10 @@ frang_http_req_handler(void *obj, TfwFsmData *data)
 	TfwConn *conn = (TfwConn *)obj;
 	FrangAcc *ra = conn->sk->sk_security;
 	bool ip_block = tfw_vhost_global_frang_cfg()->ip_block;
+	TfwHttpReq *req = (TfwHttpReq *)data->req;
+
+	if (req->peer)
+		ra = FRANG_CLI2ACC(req->peer);
 
 	if (test_bit(TFW_HTTP_B_WHITELIST, ((TfwHttpReq *)data->req)->flags))
 		return TFW_PASS;
@@ -1013,6 +1019,8 @@ frang_resp_process(TfwHttpResp *resp)
 		return TFW_PASS;
 
 	ra = (FrangAcc *)req->conn->sk->sk_security;
+	if (req->peer)
+		ra = FRANG_CLI2ACC(req->peer);
 
 	/* Ensure message body size doesn't overcome acceptable limits. */
 	if ((resp->content_length > body_len) || (resp->body.len > body_len)) {
@@ -1044,6 +1052,8 @@ frang_resp_fwd_process(TfwHttpResp *resp)
 		return TFW_PASS;
 
 	ra = (FrangAcc *)req->conn->sk->sk_security;
+	if (req->peer)
+		ra = FRANG_CLI2ACC(req->peer);
 	stat = ra->resp_code_stat;
 	frang_dbg("client %s check response %d, acc=%p\n",
 		  &FRANG_ACC2CLI(ra)->addr, resp->status, ra);

tempesta_fw/http_parser.c

@@ -3223,27 +3223,27 @@ __req_parse_x_forwarded_for(TfwHttpMsg *hm, unsigned char *data, size_t len)
 	__FSM_STATE(Req_I_XFF) {
 		/* Eat OWS before the node ID. */
 		if (unlikely(IS_WS(c)))
-			__FSM_I_MOVE(Req_I_XFF);
+			__FSM_I_MOVE_fixup(Req_I_XFF, 1, 0);
 		/*
 		 * Eat IP address or host name.
 		 *
 		 * TODO: parse/validate IP addresses and textual IDs.
 		 * Currently we just validate separate characters, but the
 		 * whole value may be invalid (e.g. "---[_..[[").
 		 */
-		__FSM_I_MATCH_MOVE(xff, Req_I_XFF_Node_Id);
+		__FSM_I_MATCH_MOVE_fixup(xff, Req_I_XFF_Node_Id, TFW_STR_VALUE);
 		if (unlikely(!__fsm_sz))
 			return CSTR_NEQ;
-		__FSM_I_MOVE_n(Req_I_XFF_Sep, __fsm_sz);
+		__FSM_I_MOVE_fixup(Req_I_XFF_Sep, __fsm_sz, TFW_STR_VALUE);
 	}
 
 	/*
 	 * At this state we know that we saw at least one character as
 	 * a host address and now we can pass zero length token.
 	 */
 	__FSM_STATE(Req_I_XFF_Node_Id) {
-		__FSM_I_MATCH_MOVE(xff, Req_I_XFF_Node_Id);
-		__FSM_I_MOVE_n(Req_I_XFF_Sep, __fsm_sz);
+		__FSM_I_MATCH_MOVE_fixup(xff, Req_I_XFF_Node_Id, TFW_STR_VALUE);
+		__FSM_I_MOVE_fixup(Req_I_XFF_Sep, __fsm_sz, TFW_STR_VALUE);
 	}
 
 	__FSM_STATE(Req_I_XFF_Sep) {
@@ -3256,14 +3256,14 @@ __req_parse_x_forwarded_for(TfwHttpMsg *hm, unsigned char *data, size_t len)
 
 		/* OWS before comma or before EOL (is unusual). */
 		if (unlikely(IS_WS(c)))
-			__FSM_I_MOVE(Req_I_XFF_Sep);
+			__FSM_I_MOVE_fixup(Req_I_XFF_Sep, 1, 0);
 
 		/*
 		 * Multiple subsequent commas look suspicious, so we don't
 		 * stay in this state after the first comma is met.
 		 */
 		if (likely(c == ','))
-			__FSM_I_MOVE(Req_I_XFF);
+			__FSM_I_MOVE_fixup(Req_I_XFF, 1, 0);
 
 		return CSTR_NEQ;
 	}
@@ -4075,9 +4075,9 @@ tfw_http_parse_req(void *req_data, unsigned char *data, size_t len,
 				  TFW_HTTP_HDR_TRANSFER_ENCODING);
 
 	/* 'X-Forwarded-For:*OWS' is read, process field-value. */
-	TFW_HTTP_PARSE_SPECHDR_VAL(Req_HdrX_Forwarded_ForV, Req_I_XFF,
-				   msg, __req_parse_x_forwarded_for,
-				   TFW_HTTP_HDR_X_FORWARDED_FOR);
+	__TFW_HTTP_PARSE_SPECHDR_VAL(Req_HdrX_Forwarded_ForV, Req_I_XFF,
+				     msg, __req_parse_x_forwarded_for,
+				     TFW_HTTP_HDR_X_FORWARDED_FOR, 0);
 
 	/* 'User-Agent:*OWS' is read, process field-value. */
 	TFW_HTTP_PARSE_SPECHDR_VAL(Req_HdrUser_AgentV, Req_I_UserAgent,

tempesta_fw/sock_clnt.c

@@ -145,6 +145,7 @@ tfw_sock_clnt_new(struct sock *sk)
 	TfwClient *cli;
 	TfwConn *conn;
 	SsProto *listen_sock_proto;
+	TfwAddr addr;
 
 	TFW_DBG3("new client socket: sk=%p, state=%u\n", sk, sk->sk_state);
 	TFW_INC_STAT_BH(clnt.conn_attempts);
@@ -158,7 +159,8 @@ tfw_sock_clnt_new(struct sock *sk)
 	listen_sock_proto = sk->sk_user_data;
 	tfw_connection_unlink_from_sk(sk);
 
-	cli = tfw_client_obtain(sk, NULL);
+	ss_getpeername(sk, &addr);
+	cli = tfw_client_obtain(addr, NULL, NULL);
 	if (!cli) {
 		TFW_ERR("can't obtain a client for the new socket\n");
 		return -ENOENT;