From dd863a44ba1e15eefda2d26eb04798b24168684c Mon Sep 17 00:00:00 2001
From: Frank Wall
Date: Tue, 19 Apr 2016 11:30:24 +0200
Subject: [PATCH] net/haproxy: Actions with no ACLs may still be valid
---
 .../templates/OPNsense/HAProxy/haproxy.conf | 385 +++++++++---------
 1 file changed, 195 insertions(+), 190 deletions(-)
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 8716b2c0b..ebb6657ec 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -38,7 +38,7 @@
 {% set action_acls = [] %}
 {# # collect ACL errors (may disable Action) #}
 {% set acl_errors = '0' %}
-{# # An action with no ACLs is invalid #}
+{# # An action with no ACLs may still be valid #}
 {% if action_data.linkedAcls|default("") != "" %}
 {% for acl in action_data.linkedAcls.split(",") %}
 {% set acl_data = helpers.getUUID(acl) %}
@@ -218,197 +218,205 @@
 # ACL INVALID: {{acl_data.name}}
 {% endif %}
 {% endfor %}
-{# # NOTE: We're ignoring actions if any ACL is erroneous, #}
-{# # because doing otherwise would lead to unpredictable behaviour. #}
-{% if acl_errors == '0' %}
-{% set action_enabled = '1' %}
-{% set action_options = [] %}
-{% if action_data.type == 'use_backend' %}
-{% if action_data.useBackend|default("") != "" %}
-{% set acl_backend_data = helpers.getUUID(action_data.useBackend) %}
-{% do action_options.append('use_backend ' ~ acl_backend_data.name) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'use_server' %}
-{% if action_data.useServer|default("") != "" %}
-{% set server_data = helpers.getUUID(action_data.useServer) %}
-{% do action_options.append('use-server ' ~ server_data.name) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-request_allow' %}
-{% do action_options.append('http-request allow') %}
-{% elif action_data.type == 'http-request_deny' %}
-{% do action_options.append('http-request deny') %}
-{% elif action_data.type == 'http-request_tarpit' %}
-{% do action_options.append('http-request tarpit') %}
-{% elif action_data.type == 'http-request_auth' %}
-{% if action_data.actionValue|default("") != "" %}
-{% do action_options.append('http-request auth ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-request_redirect' %}
-{% if action_data.actionValue|default("") != "" %}
-{% do action_options.append('http-request redirect ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-request_lua' %}
-{% if action_data.actionValue|default("") != "" %}
-{% do action_options.append('http-request lua.' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-request_use-service' %}
-{% if action_data.actionValue|default("") != "" %}
-{% do action_options.append('http-request use-service lua.' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-request_add-header' %}
-{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" %}
-{% do action_options.append('http-request add-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-request_set-header' %}
-{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" %}
-{% do action_options.append('http-request set-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-request_del-header' %}
-{% if action_data.actionName|default("") != "" %}
-{% do action_options.append('http-request del-header' ~ action_data.actionName) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-request_replace-header' %}
-{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" and action_data.actionFind|default("") != "" %}
-{% do action_options.append('http-request replace-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionFind ~ ' ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-request_replace-value' %}
-{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" and action_data.actionFind|default("") != "" %}
-{% do action_options.append('http-request replace-value ' ~ action_data.actionName ~ ' ' ~ action_data.actionFind ~ ' ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-response_allow' %}
-{% do action_options.append('http-response allow') %}
-{% elif action_data.type == 'http-response_deny' %}
-{% do action_options.append('http-response deny') %}
-{% elif action_data.type == 'http-response_lua' %}
-{% if action_data.actionValue|default("") != "" %}
-{% do action_options.append('http-response lua.' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-response_add-header' %}
-{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" %}
-{% do action_options.append('http-response add-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-response_set-header' %}
-{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" %}
-{% do action_options.append('http-response set-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-response_del-header' %}
-{% if action_data.actionName|default("") != "" %}
-{% do action_options.append('http-response del-header' ~ action_data.actionName) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-response_replace-header' %}
-{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" and action_data.actionFind|default("") != "" %}
-{% do action_options.append('http-response replace-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionFind ~ ' ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'http-response_replace-value' %}
-{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" and action_data.actionFind|default("") != "" %}
-{% do action_options.append('http-response replace-value ' ~ action_data.actionName ~ ' ' ~ action_data.actionFind ~ ' ' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'tcp-request_connection_accept' %}
-{% do action_options.append('tcp-request connection accept') %}
-{% elif action_data.type == 'tcp-request_connection_reject' %}
-{% do action_options.append('tcp-request connection reject') %}
-{% elif action_data.type == 'tcp-request_content_accept' %}
-{% do action_options.append('tcp-request content accept') %}
-{% elif action_data.type == 'tcp-request_content_reject' %}
-{% do action_options.append('tcp-request content reject') %}
-{% elif action_data.type == 'tcp-request_content_lua' %}
-{% if action_data.actionValue|default("") != "" %}
-{% do action_options.append('tcp-request content lua.' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'tcp-request_content_use-service' %}
-{% if action_data.actionValue|default("") != "" %}
-{% do action_options.append('tcp-request content use-service lua.' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'tcp-response_content_accept' %}
-{% do action_options.append('tcp-response content accept') %}
-{% elif action_data.type == 'tcp-response_content_close' %}
-{% do action_options.append('tcp-response content close') %}
-{% elif action_data.type == 'tcp-response_content_reject' %}
-{% do action_options.append('tcp-response content reject') %}
-{% elif action_data.type == 'tcp-response_content_lua' %}
-{% if action_data.actionValue|default("") != "" %}
-{% do action_options.append('tcp-response content lua.' ~ action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif action_data.type == 'custom' %}
-{% if action_data.actionValue|default("") != "" %}
-{% do action_options.append(action_data.actionValue) %}
-{% else %}
-{% set action_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
+{% endif %}
+{# # NOTE: We're ignoring actions if any ACL is erroneous, #}
+{# # because doing otherwise would lead to unpredictable behaviour. #}
+{% if acl_errors == '0' %}
+{% set action_enabled = '1' %}
+{% set action_options = [] %}
+{% if action_data.type == 'use_backend' %}
+{% if action_data.useBackend|default("") != "" %}
+{% set acl_backend_data = helpers.getUUID(action_data.useBackend) %}
+{% do action_options.append('use_backend ' ~ acl_backend_data.name) %}
 {% else %}
 {% set action_enabled = '0' %}
- # ERROR: unsupported action type
+ # ERROR: missing parameters
 {% endif %}
-{# # check if action is valid #}
-{% if action_enabled == '1' %}
-{% if action_data.operator == 'or' %}
-{% set join_operator = ' || ' %}
-{% else %}
-{% set join_operator = ' ' %}
-{% endif %}
+{% elif action_data.type == 'use_server' %}
+{% if action_data.useServer|default("") != "" %}
+{% set server_data = helpers.getUUID(action_data.useServer) %}
+{% do action_options.append('use-server ' ~ server_data.name) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-request_allow' %}
+{% do action_options.append('http-request allow') %}
+{% elif action_data.type == 'http-request_deny' %}
+{% do action_options.append('http-request deny') %}
+{% elif action_data.type == 'http-request_tarpit' %}
+{% do action_options.append('http-request tarpit') %}
+{% elif action_data.type == 'http-request_auth' %}
+{% if action_data.actionValue|default("") != "" %}
+{% do action_options.append('http-request auth ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-request_redirect' %}
+{% if action_data.actionValue|default("") != "" %}
+{% do action_options.append('http-request redirect ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-request_lua' %}
+{% if action_data.actionValue|default("") != "" %}
+{% do action_options.append('http-request lua.' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-request_use-service' %}
+{% if action_data.actionValue|default("") != "" %}
+{% do action_options.append('http-request use-service lua.' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-request_add-header' %}
+{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" %}
+{% do action_options.append('http-request add-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-request_set-header' %}
+{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" %}
+{% do action_options.append('http-request set-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-request_del-header' %}
+{% if action_data.actionName|default("") != "" %}
+{% do action_options.append('http-request del-header' ~ action_data.actionName) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-request_replace-header' %}
+{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" and action_data.actionFind|default("") != "" %}
+{% do action_options.append('http-request replace-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionFind ~ ' ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-request_replace-value' %}
+{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" and action_data.actionFind|default("") != "" %}
+{% do action_options.append('http-request replace-value ' ~ action_data.actionName ~ ' ' ~ action_data.actionFind ~ ' ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-response_allow' %}
+{% do action_options.append('http-response allow') %}
+{% elif action_data.type == 'http-response_deny' %}
+{% do action_options.append('http-response deny') %}
+{% elif action_data.type == 'http-response_lua' %}
+{% if action_data.actionValue|default("") != "" %}
+{% do action_options.append('http-response lua.' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-response_add-header' %}
+{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" %}
+{% do action_options.append('http-response add-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-response_set-header' %}
+{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" %}
+{% do action_options.append('http-response set-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-response_del-header' %}
+{% if action_data.actionName|default("") != "" %}
+{% do action_options.append('http-response del-header' ~ action_data.actionName) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-response_replace-header' %}
+{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" and action_data.actionFind|default("") != "" %}
+{% do action_options.append('http-response replace-header ' ~ action_data.actionName ~ ' ' ~ action_data.actionFind ~ ' ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'http-response_replace-value' %}
+{% if action_data.actionValue|default("") != "" and action_data.actionName|default("") != "" and action_data.actionFind|default("") != "" %}
+{% do action_options.append('http-response replace-value ' ~ action_data.actionName ~ ' ' ~ action_data.actionFind ~ ' ' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'tcp-request_connection_accept' %}
+{% do action_options.append('tcp-request connection accept') %}
+{% elif action_data.type == 'tcp-request_connection_reject' %}
+{% do action_options.append('tcp-request connection reject') %}
+{% elif action_data.type == 'tcp-request_content_accept' %}
+{% do action_options.append('tcp-request content accept') %}
+{% elif action_data.type == 'tcp-request_content_reject' %}
+{% do action_options.append('tcp-request content reject') %}
+{% elif action_data.type == 'tcp-request_content_lua' %}
+{% if action_data.actionValue|default("") != "" %}
+{% do action_options.append('tcp-request content lua.' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'tcp-request_content_use-service' %}
+{% if action_data.actionValue|default("") != "" %}
+{% do action_options.append('tcp-request content use-service lua.' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'tcp-response_content_accept' %}
+{% do action_options.append('tcp-response content accept') %}
+{% elif action_data.type == 'tcp-response_content_close' %}
+{% do action_options.append('tcp-response content close') %}
+{% elif action_data.type == 'tcp-response_content_reject' %}
+{% do action_options.append('tcp-response content reject') %}
+{% elif action_data.type == 'tcp-response_content_lua' %}
+{% if action_data.actionValue|default("") != "" %}
+{% do action_options.append('tcp-response content lua.' ~ action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif action_data.type == 'custom' %}
+{% if action_data.actionValue|default("") != "" %}
+{% do action_options.append(action_data.actionValue) %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% else %}
+{% set action_enabled = '0' %}
+ # ERROR: unsupported action type
+{% endif %}
+{# # check if action is valid #}
+{% if action_enabled == '1' %}
+{% if action_data.operator == 'or' %}
+{% set join_operator = ' || ' %}
+{% else %}
+{% set join_operator = ' ' %}
+{% endif %}
+{# # check if action depends on ACLs #}
+{% if action_acls|length > 0 %}
 # ACTION: {{action_data.name}}
 {{action_options|join(' ')}} {{action_data.testType}} {{action_acls|join(join_operator)}}
+{% else %}
+ # NOTE: actions with no ACLs/conditions will always match
+ # ACTION: {{action_data.name}}
+ {{action_options|join(' ')}}
+{% endif %}
 {% else %}
 # ACTION INVALID: {{action_data.name}}
 {% endif %}
@@ -416,9 +424,6 @@
 # ACTION INVALID: {{action_data.name}}
 # ACL ERROR COUNT: {{acl_errors}}
 {% endif %}
-{% else %}
- # ERROR: got action with empty linkedAcls
-{% endif %}
 {% endfor %}
 {% else %}
 # ERROR: AclsAndActions called with empty data
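Review bot: The re-added `http-request_del-header` and `http-response_del-header` branches build the directive as `'http-request del-header' ~ action_data.actionName` and `'http-response del-header' ~ action_data.actionName` with no space before the header name, so the rendered line reads `http-request del-header<name>` and haproxy rejects it at config check; every other branch in the hunk uses a trailing space (`'http-request add-header '`), and these two should be `'http-request del-header ' ~ action_data.actionName` and `'http-response del-header ' ~ action_data.actionName`. Separately, the new `{% else %}` branch after `{% if action_acls|length > 0 %}` emits `{{action_options|join(' ')}}` with no `if`/`unless` clause, so an `http-request deny`, `http-request allow` or `tcp-request connection reject` action whose ACL link was simply left empty now applies to every request or connection rather than being reported as an error as before; since the rendered config is the only place an operator sees this, the emitted comment could say so, e.g. `# NOTE: no ACLs linked - this action applies unconditionally to all traffic`. The enclosing `{% for %}` over actions and the `{% if acl_errors == '0' %}` block both start or end outside this hunk.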