use ip from x-forwarded-for for searching a client

Author: avbelov23

tempesta_fw/client.c

@@ -83,7 +83,7 @@ tfw_client_addr_eq(TdbRec *rec, void *data)
 }
 
 /**
- * Find a client corresponding to the @sk by IP address.
+ * Find a client corresponding to @addr and @cli_addr (e.g. from X-Forwarded-For).
  * More advanced identification is possible based on User-Agent,
  * Cookie and other HTTP headers.
  *
@@ -92,22 +92,24 @@ tfw_client_addr_eq(TdbRec *rec, void *data)
  * TODO #515 employ eviction strategy for the table
  */
 TfwClient *
-tfw_client_obtain(struct sock *sk, void (*init)(TfwClient *))
+tfw_client_obtain(TfwAddr addr, TfwAddr *cli_addr, void (*init)(TfwClient *))
 {
 	TfwClientEntry *ent;
 	TfwClient *cli;
 	unsigned long key;
-	TfwAddr addr;
 	size_t len;
 	TdbRec *rec;
 	bool is_new;
 	int conn_users;
 	time_t curr_time = tfw_current_timestamp();
 
-	ss_getpeername(sk, &addr);
 	key = hash_calc((const char *)&addr.sin6_addr,
 			sizeof(addr.sin6_addr));
 
+	if (cli_addr)
+		key ^= hash_calc((const char *)&cli_addr->sin6_addr,
+				 sizeof(cli_addr->sin6_addr));
+
 	len = sizeof(*ent);
 	rec = tdb_rec_get_alloc(client_db, key, &len, &tfw_client_addr_eq,
 				&is_new, &addr.sin6_addr);

tempesta_fw/client.h

@@ -40,7 +40,7 @@ typedef struct {
 	TfwClassifierPrvt	class_prvt;
 } TfwClient;
 
-TfwClient *tfw_client_obtain(struct sock *sk, void (*init)(TfwClient *));
+TfwClient *tfw_client_obtain(TfwAddr addr, TfwAddr *cli_addr, void (*init)(TfwClient *));
 void tfw_client_put(TfwClient *cli);
 int tfw_client_for_each(int (*fn)(void *));
 void tfw_cli_conn_release(TfwCliConn *cli_conn);

tempesta_fw/connection.c

@@ -41,7 +41,7 @@ tfw_connection_init(TfwConn *conn)
 void
 tfw_connection_link_peer(TfwConn *conn, TfwPeer *peer)
 {
-	BUG_ON(conn->peer || !list_empty(&conn->list));
+	BUG_ON(!list_empty(&conn->list));
 	conn->peer = peer;
 	tfw_peer_add_conn(peer, &conn->list);
 }

tempesta_fw/http.c

@@ -1639,6 +1639,9 @@ tfw_http_req_destruct(void *msg)
 	tfw_vhost_put(req->vhost);
 	if (req->sess)
 		tfw_http_sess_put(req->sess);
+
+	if (req->peer)
+		tfw_client_put(req->peer);
 }
 
 /**
@@ -2812,6 +2815,29 @@ tfw_http_chop_skb(TfwHttpMsg *hm, struct sk_buff *skb,
 	return ss_skb_chop_head_tail(hm->msg.skb_head, skb, off, trail);
 }
 
+static TfwStr
+tfw_http_get_ip_from_xff(TfwHttpReq *req)
+{
+	TfwStr s_xff, s_ip, *c, *end;
+	unsigned int nchunks;
+
+	/*
+	 * If a client work through a forward proxy, then a proxy can pass it's
+	 * IP address by the first value in X-Forwarded-For
+	 */
+	s_xff = req->h_tbl->tbl[TFW_HTTP_HDR_X_FORWARDED_FOR];
+	s_ip = tfw_str_next_str_val(&s_xff);
+	nchunks = 0;
+	TFW_STR_FOR_EACH_CHUNK(c, &s_ip, end) {
+		if (!(c->flags & TFW_STR_VALUE))
+			break;
+		nchunks++;
+	}
+	s_ip.nchunks = nchunks;
+
+	return s_ip;
+}
+
 /**
  * @return zero on success and negative value otherwise.
  * TODO enter the function depending on current GFSM state.
@@ -2828,6 +2854,8 @@ tfw_http_req_process(TfwConn *conn, const TfwFsmData *data)
 	TfwHttpMsg *hmsib;
 	TfwHttpParser *parser;
 	TfwFsmData data_up;
+	TfwAddr addr;
+	TfwStr s_ip;
 
 	BUG_ON(!conn->msg);
 	BUG_ON(off >= skb->len);
@@ -2931,6 +2959,21 @@ tfw_http_req_process(TfwConn *conn, const TfwFsmData *data)
 		skb = NULL;
 	}
 
+	s_ip = tfw_http_get_ip_from_xff(req);
+	if (!TFW_STR_EMPTY(&s_ip)) {
+		TfwClient *cli, *conn_cli;
+
+		if (tfw_addr_pton(&s_ip, &addr) != 0)
+			return TFW_BLOCK;
+
+		conn_cli = (TfwClient *)conn->peer;
+		cli = tfw_client_obtain(conn_cli->addr, &addr, NULL);
+		if (cli && cli != conn_cli)
+			req->peer = cli;
+		else
+			tfw_client_put(cli);
+	}
+
 	/*
 	 * Sticky cookie module must be used before request can reach cache.
 	 * Unauthorised clients mustn't be able to get any resource on

tempesta_fw/http.h

@@ -30,6 +30,7 @@
 #include "server.h"
 #include "str.h"
 #include "vhost.h"
+#include "client.h"
 
 /**
  * HTTP Generic FSM states.
@@ -367,6 +368,7 @@ typedef struct {
  * @vhost	- virtual host for the request;
  * @location	- URI location;
  * @sess	- HTTP session descriptor, required for scheduling;
+ * @peer	- end-to-end peer;
  * @userinfo	- userinfo in URI, not mandatory.
  * @host	- host in URI, may differ from Host header;
  * @uri_path	- path + query + fragment from URI (RFC3986.3);
@@ -393,6 +395,7 @@ struct tfw_http_req_t {
 	TfwVhost		*vhost;
 	TfwLocation		*location;
 	TfwHttpSess		*sess;
+	TfwClient		*peer;
 	TfwHttpCond		cond;
 	TfwStr			userinfo;
 	TfwStr			host;

tempesta_fw/http_limits.c

@@ -335,8 +335,10 @@ frang_conn_new(struct sock *sk)
 	FrangAcc *ra;
 	TfwClient *cli;
 	FrangCfg *conf = tfw_vhost_global_frang_cfg();
+	TfwAddr addr;
 
-	cli = tfw_client_obtain(sk, __frang_init_acc);
+	ss_getpeername(sk, &addr);
+	cli = tfw_client_obtain(addr, NULL, __frang_init_acc);
 	if (unlikely(!cli)) {
 		TFW_ERR("can't obtain a client for frang accounting\n");
 		return TFW_BLOCK;
@@ -980,6 +982,10 @@ frang_http_req_handler(void *obj, TfwFsmData *data)
 	TfwConn *conn = (TfwConn *)obj;
 	FrangAcc *ra = conn->sk->sk_security;
 	bool ip_block = tfw_vhost_global_frang_cfg()->ip_block;
+	TfwHttpReq *req = (TfwHttpReq *)data->req;
+
+	if (req->peer)
+		ra = FRANG_CLI2ACC(req->peer);
 
 	if (test_bit(TFW_HTTP_B_WHITELIST, ((TfwHttpReq *)data->req)->flags))
 		return TFW_PASS;
@@ -1012,6 +1018,8 @@ frang_resp_handler(void *obj, TfwFsmData *data)
 
 	resp = (TfwHttpResp *)data->resp;
 	ra = (FrangAcc *)req->conn->sk->sk_security;
+	if (req->peer)
+		ra = FRANG_CLI2ACC(req->peer);
 	stat = ra->resp_code_stat;
 	frang_dbg("client %s check response %d, acc=%p\n",
 		  &FRANG_ACC2CLI(ra)->addr, resp->status, ra);

tempesta_fw/http_parser.c

@@ -3223,27 +3223,27 @@ __req_parse_x_forwarded_for(TfwHttpMsg *hm, unsigned char *data, size_t len)
 	__FSM_STATE(Req_I_XFF) {
 		/* Eat OWS before the node ID. */
 		if (unlikely(IS_WS(c)))
-			__FSM_I_MOVE(Req_I_XFF);
+			__FSM_I_MOVE_fixup(Req_I_XFF, 1, 0);
 		/*
 		 * Eat IP address or host name.
 		 *
 		 * TODO: parse/validate IP addresses and textual IDs.
 		 * Currently we just validate separate characters, but the
 		 * whole value may be invalid (e.g. "---[_..[[").
 		 */
-		__FSM_I_MATCH_MOVE(xff, Req_I_XFF_Node_Id);
+		__FSM_I_MATCH_MOVE_fixup(xff, Req_I_XFF_Node_Id, TFW_STR_VALUE);
 		if (unlikely(!__fsm_sz))
 			return CSTR_NEQ;
-		__FSM_I_MOVE_n(Req_I_XFF_Sep, __fsm_sz);
+		__FSM_I_MOVE_fixup(Req_I_XFF_Sep, __fsm_sz, TFW_STR_VALUE);
 	}
 
 	/*
 	 * At this state we know that we saw at least one character as
 	 * a host address and now we can pass zero length token.
 	 */
 	__FSM_STATE(Req_I_XFF_Node_Id) {
-		__FSM_I_MATCH_MOVE(xff, Req_I_XFF_Node_Id);
-		__FSM_I_MOVE_n(Req_I_XFF_Sep, __fsm_sz);
+		__FSM_I_MATCH_MOVE_fixup(xff, Req_I_XFF_Node_Id, TFW_STR_VALUE);
+		__FSM_I_MOVE_fixup(Req_I_XFF_Sep, __fsm_sz, TFW_STR_VALUE);
 	}
 
 	__FSM_STATE(Req_I_XFF_Sep) {
@@ -3256,14 +3256,14 @@ __req_parse_x_forwarded_for(TfwHttpMsg *hm, unsigned char *data, size_t len)
 
 		/* OWS before comma or before EOL (is unusual). */
 		if (unlikely(IS_WS(c)))
-			__FSM_I_MOVE(Req_I_XFF_Sep);
+			__FSM_I_MOVE_fixup(Req_I_XFF_Sep, 1, 0);
 
 		/*
 		 * Multiple subsequent commas look suspicious, so we don't
 		 * stay in this state after the first comma is met.
 		 */
 		if (likely(c == ','))
-			__FSM_I_MOVE(Req_I_XFF);
+			__FSM_I_MOVE_fixup(Req_I_XFF, 1, 0);
 
 		return CSTR_NEQ;
 	}
@@ -4075,9 +4075,9 @@ tfw_http_parse_req(void *req_data, unsigned char *data, size_t len,
 				  TFW_HTTP_HDR_TRANSFER_ENCODING);
 
 	/* 'X-Forwarded-For:*OWS' is read, process field-value. */
-	TFW_HTTP_PARSE_SPECHDR_VAL(Req_HdrX_Forwarded_ForV, Req_I_XFF,
-				   msg, __req_parse_x_forwarded_for,
-				   TFW_HTTP_HDR_X_FORWARDED_FOR);
+	__TFW_HTTP_PARSE_SPECHDR_VAL(Req_HdrX_Forwarded_ForV, Req_I_XFF,
+				     msg, __req_parse_x_forwarded_for,
+				     TFW_HTTP_HDR_X_FORWARDED_FOR, 0);
 
 	/* 'User-Agent:*OWS' is read, process field-value. */
 	TFW_HTTP_PARSE_SPECHDR_VAL(Req_HdrUser_AgentV, Req_I_UserAgent,

tempesta_fw/sock_clnt.c

@@ -145,6 +145,7 @@ tfw_sock_clnt_new(struct sock *sk)
 	TfwClient *cli;
 	TfwConn *conn;
 	SsProto *listen_sock_proto;
+	TfwAddr addr;
 
 	TFW_DBG3("new client socket: sk=%p, state=%u\n", sk, sk->sk_state);
 	TFW_INC_STAT_BH(clnt.conn_attempts);
@@ -158,7 +159,8 @@ tfw_sock_clnt_new(struct sock *sk)
 	listen_sock_proto = sk->sk_user_data;
 	tfw_connection_unlink_from_sk(sk);
 
-	cli = tfw_client_obtain(sk, NULL);
+	ss_getpeername(sk, &addr);
+	cli = tfw_client_obtain(addr, NULL, NULL);
 	if (!cli) {
 		TFW_ERR("can't obtain a client for the new socket\n");
 		return -ENOENT;