net: filter proxy_protocol per socket

razvancrainea · razvancrainea · commit 40e9b70110c8 · 2026-02-24T10:53:25.000+02:00
diff --git a/cfg.lex b/cfg.lex
@@ -345,6 +345,7 @@ ANYCAST	("anycast"|"ANYCAST")
 ACCEPT_SUBDOMAIN ("accept_subdomain"|"ACCEPT_SUBDOMAIN")
 FRAG	("frag"|"FRAG")
 REUSE_PORT	("reuse_port"|"REUSE_PORT")
+PROXY_PROTOCOL	(("allow"|"ALLOW")[-_])?("proxy"|"PROXY")([-_]("protocol"|"PROXY_PROTOCOL"))?
 
 
 COM_LINE	#
@@ -620,6 +621,7 @@ SPACE		[ ]
 <INITIAL>{ANYCAST}	{ count(); return ANYCAST; }
 <INITIAL>{ACCEPT_SUBDOMAIN}	{ count(); return ACCEPT_SUBDOMAIN; }
 <INITIAL>{REUSE_PORT}	{ count(); return REUSE_PORT; }
+<INITIAL>{PROXY_PROTOCOL}		{ count(); return PROXY_PROTOCOL; }
 <INITIAL>{FRAG}		{ count(); return FRAG; }
 <INITIAL>{SLASH}	{ count(); return SLASH; }
 <INITIAL>{SCALE_UP_TO}		{ count(); return SCALE_UP_TO; }
diff --git a/cfg.y b/cfg.y
@@ -471,6 +471,7 @@ extern int cfg_parse_only_routes;
 %token ACCEPT_SUBDOMAIN
 %token FRAG
 %token REUSE_PORT
+%token PROXY_PROTOCOL
 %token SCRIPTVARERR
 %token SCALE_UP_TO
 %token SCALE_DOWN_TO
@@ -744,6 +745,9 @@ socket_def_param: ANYCAST { IFOR();
 				| ACCEPT_SUBDOMAIN { IFOR();
 					p_tmp.flags |= SI_ACCEPT_SUBDOMAIN_ALIAS;
 					}
+				| PROXY_PROTOCOL { IFOR();
+					p_tmp.flags |= SI_PROXY;
+					}
 				| USE_WORKERS NUMBER { IFOR();
 					p_tmp.workers=$2;
 					}
diff --git a/ip_addr.h b/ip_addr.h
@@ -101,7 +101,8 @@ struct proxy_protocol {
 
 
 enum si_flags { SI_NONE=0, SI_IS_IP=1, SI_IS_LO=2, SI_IS_MCAST=4,
-	SI_IS_ANYCAST=8, SI_FRAG=16, SI_REUSEPORT=32, SI_INTERNAL=64, SI_ACCEPT_SUBDOMAIN_ALIAS=128 };
+	SI_IS_ANYCAST=8, SI_FRAG=16, SI_REUSEPORT=32, SI_INTERNAL=64,
+	SI_ACCEPT_SUBDOMAIN_ALIAS=128, SI_PROXY=256 };
 
 struct receive_info {
 	struct ip_addr src_ip;
diff --git a/net/proxy_protocol.c b/net/proxy_protocol.c
@@ -25,6 +25,7 @@
 #include "../socket_info.h"
 #include "tcp_conn_defs.h"
 #include "../ut.h"
+#include "../socket_info.h"
 
 #define PROXY_PROTOCOL_V1_HDR "PROXY "
 #define PROXY_PROTOCOL_V1_HDR_LEN (sizeof(PROXY_PROTOCOL_V1_HDR) - 1)
@@ -302,9 +303,14 @@ int check_tcp_proxy_protocol(struct tcp_connection *c)
 	if (c->flags & F_CONN_DATA_READY)
 		return 1;
 
+	if (!c->rcv.bind_address || (c->rcv.bind_address->flags & SI_PROXY) == 0) {
+		c->flags |= F_CONN_DATA_READY;
+		return 1;
+	}
+
 	len = tcp_peek(c, pp_buf, PROXY_PROTOCOL_BUF_MAX);
 	if (len < 0)
-		return len;
+		return -1;
 
 	switch (is_net_proxy_protocol(pp_buf, len)) {
 		case -1:
@@ -351,6 +357,10 @@ int check_udp_proxy_protocol(char **buf, int *size, struct receive_info *ri)
 		return -1;
 
 	ri->real_ep.flags = PP_INIT;
+
+	if (!ri->bind_address || (ri->bind_address->flags & SI_PROXY) == 0)
+		return 1;
+
 	msg = *buf;
 	len = *size;
 
