Don't cache and don't forward hop-by-hop headers

[vankoven]

Fix issue #409

• Parse Connection header during parsing HTTP message;
• Store raw headers listed in Connection header in temporary array allocated in message's pool: every raw header is marked as hop-by-hop if it's name present in that array. When connection header parsed in the first time, parser checks already parsed raw headers and mark them as hop-by-hop headers if needed. If Connection header does not contain any raw headers names no extra allocations or string comparison happen;
• Special headers have their own marking procedure which does not involve string comparisons. Some of the special headers are always hop-by-hop (Connection, we also mark Server in responses as hop-by-hop) and using generic comparison like for Raw headers will ruin performance;
• Unit tests for responses and requests with hop-by-hop marking checks;
• little optimisation of __hdr_lookup(): reduce string comparisons.

TBD:
When response contains Connection: keep-alive, Keep-alive header will be marked as hop-by-hop header and will not be saved in cache (that was the requirement in #409 ). RFC 7230 6.1 also say:

 A proxy or gateway MUST parse a received Connection header field before
   a message is forwarded and, for each connection-option in this field,
   remove any header field(s) from the message with the same name as the
   connection-option, and then remove the Connection header field itself
   (or replace it with the intermediary's own connection options for the
   forwarded message).

Currently we have no realised way to set default Keep-Alive header (not found in issues but here is corresponding TODO: https://github.com/tempesta-tech/tempesta/blob/master/tempesta_fw/http.c#L639 ). So question is: delete Keep-Alive header in forwarded messages or not? But messages served from cache will have no such header. Currently i remove it from both forwarded messages: response and request, disabling that is one-line patch.

[krizhanovsky]

raaw -> raw

[krizhanovsky]

Does RFC allow setting headers, mentioned in Connection, before Connection header? The code is dangerous, just consider the example:

    GET / HTTP/1.1\r\n
    Connection: keep-alive, Host, User-Agent\r\n
    Host: foo.com\r\n
    User-Agent: malicious client\r\n
    \r\n

So server will receive malformed request.

We should run the loop at least from TFW_HTTP_HDR_RAW. Probably there is some limitation which headers can be mentioned in Connection header... The other way (I think the safest one) is to remove Keep-Alive only and ignore any other mentioned headers in Connection. However, we still use current mechanism for the headers removal such that we'll be able to remove other headers which are known to be mentioned in Connection. I argue against blind headers removal.

[vankoven]

1. RFC does not have any restrictions where headers listed in Connection header must be placed. So both variants are ok: before or after Connection header. More over i tried to set up custom hop-by-hop headers in ngingx and apache, both allow setting custom headers before and after the header. Here example from RFC 6455 with hop-by-hop header before Connection header:

GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13

2. Table you point to stores names for only raw headers. I agree, it could be confusing, but i used data structure which suit me perfectly. In situation you show user-agent and every other spec header listed in connection header (except keep-alive) will not be removed

Obsoleted now, in new revision this array is statically allocated

[krizhanovsky]

This isn't mentioned in our Coding Style, but FreeBSD KNF requires split variables definitions and code. It's bit hard to read when code immediately follows variable definitions immediately.

[krizhanovsky]

rable -> table

[krizhanovsky]

This is true and powerful headers parser. Do we really allow that Connection mentioning more than 16 header? I believe it has sense to block the header. Meantime it will make the code faster and easier and that's good.

[krizhanovsky]

There is MATCH_MOVE macroses which embody the code.

[krizhanovsky]

The discussed bug to fix

[krizhanovsky]

Please add test case described above for "Connection: Host\r\n' to mangled message.

[krizhanovsky]

Doesn't it taints kernel? The change is fine if not.

[krizhanovsky]

Please address the comment #409 (comment) or move the requirement to #634

[vankoven]

Changes since last review:

• rebased to current master
• fixed error in current master with Transfer-Encoding header: the header now is SPEC header but it missed in __http_msg_hdr_val()
• Connection header is limited to have less than 16 connection tokens for raw headers. Otherwise request or response will be filtered
• Drop message if some of connection tokens is end-to-end headers used by tempesta and parsed by TFW_HTTP_PARSE_RAWHDR_VAL macro. Comparing of connection tokens with all headers defined in RFC 7230, 7231 as end-to-end will lead to a lot of string comparisons inside of parsing of Connection header
• Unit tests updated to have more test cases for hop-by-hop headers marking

The feature have no special requirements for #634 . (Headers listed there are not hop-by-hop)

I tried to compare behaviour with nginx, but it support hop-by-hop headers in terms of obsoleted RFC 2616, not 7230

[keshonok]

Now that n is not used as an array index, perhaps it's best to postpone its calculation until the else if case.

if () {
} else if (field - resp->h_tbl->tbl < TFW_HTTP_HDR_RAW) {
} else {
}

[keshonok]

Please see the comment above regarding the use of n variable. In this case, n is not used anywhere else.

[keshonok]

The whole comment should be reworked to clearly state which arrays and where must be updated when adding a certain type of an HTTP header field.

[keshonok]

Perhaps a corresponding proper BUILD_BUG_ON() is justified to ensure that the type used for the structure member can accommodate the necessary number of headers (has the required number of bits).

[keshonok]

The timeout specified in the Keep-Alive header field? Or something else?

[keshonok]

If you want to exclude this header from further comparisons, then why not use the same TFW_STR_HBH_HDR flag on headers in hbh->raw[] and skip those headers in the comparison loop? That is easier and faster than doing a memmove().

[keshonok]

I believe this should be made an inline function to complement mark_raw_hbh().

[keshonok]

I believe that there should be the current index into the array - analogous to ht->off. You don't have to search for the current entry.

[keshonok]

Do we really need to mark each duplicate as HBH? I don't think so, but maybe there's a case to prove otherwise?

[keshonok]

I believe that this function (under a better name) belongs in http_parser.c.
If I understand correctly, the reason for placing it here was that __hdr_lookup() was located here, and it's a local (static) function to this sub-module. In my opinion though it should be the other way around: __hdr_lookup() should be made public (and given a proper name for that) and used from http_parser.c

[keshonok]

Looks good to me. Only minor changes requested.

[keshonok]

This should be called once per a message. However here it's called each time the parsing function is called. If a message is transferred one byte at a time, then this will be executed for each byte. That's unnecessary. I would suggest to call it in Req_0 state, and make another state Req_0_CRLF for skipping empty lines at the start of a message. What do you think?

[keshonok]

Please see the comment above.

[keshonok]

TfwStr *hdr = &ht->tbl[id];

Or perhaps even

TfwStr *hdr = &hm->h_tbl->tbl[id];

[keshonok]

Extra space.

TfwStr *hbh_name;

[keshonok]

TfwStr *hbh_name = &hbh->raw[i];

[keshonok]

The body of this if statement is better visible in this case when the opening bracket is on a separate line.

[keshonok]

This should be an one-time operation per whole Tempesta run. Please take a look at BUILD_BUG_ON() macro which is a compile-time check.

[keshonok]

As this should be performed only once per message, shouldn't this be a direct assignment, not an OR operation?

[keshonok]

Please see the comment above regarding direct assignment vs OR operation.

[keshonok]

In my opinion, this may appear too generic. Something like Req_0_CRLF may visibly clarify that this is one of the initial states.

[keshonok]

I suspect that it's not correct to move from one parser state to another by just falling through. Generally speaking, let's suppose there are no more bytes to process. The parser still believes it's in the state where it came from, while it should be in the new state already, and it should return to the new state when more bytes are available.

All moves from one FSM state to another must be done via a macro that moves the parser to the new state. Please check a few other occurrences of this fall through use.

[vankoven]

I have checked out all the places in code, where fall through used instead of FSM_MOVE directives. No errors there and fall through can be replaced with __FSM_JMP. Since desired state is the next one fall through is used in order not to make jump. I have no idea if jump could be optimized out, so fall through is the best option here.

__FSM_STATE saves current parser state to __fsm_const_state: https://github.com/tempesta-tech/tempesta/blob/master/tempesta_fw/http_parser.c#L120. In all the places in parser fall through is used only when we do not move our current position in message and we want to work with the same data in next stage or stages.

Any flavour of FSM_MOVE* is not an option here since parser->to_go will be set to 0 for situation you are describing ( https://github.com/tempesta-tech/tempesta/blob/master/tempesta_fw/http_parser.c#L137 ). And next stage will take next character, not the same one.

[keshonok]

Looks good to me.

[krizhanovsky]

No need to issue a special fix now, but comments are written in English, so they should obey English rules: start from capital letter and finish with dot. Exception is same-line comments which are continuation of C operators, i.e.

     a += b; /* this is same-line comment */

[krizhanovsky]

It seems the comment is outdated since there is no function with name __hbh_parser_init().

[krizhanovsky]

"they was" -> "they were"

[krizhanovsky]

No need to initialize hdr.

[krizhanovsky]

The macro is used in only one place, so the code would be more readable if you place the macro as inline code at the appropriate place.

[krizhanovsky]

The macro is not used at all.

[krizhanovsky]

Why did you create a new parser state for the initialization routine? It seems you can call _hbh_parser_init*() functions in tfw_http_msg_alloc() where base parser is initialized.

[krizhanovsky]

The same as for request

[krizhanovsky]

I believe the request must be blocked since there is special header in Connection