Fix #235:

README.md

@@ -517,6 +517,20 @@ the client to the same URI and includes `Set-Cookie` header field,
 which prompts that Tempesta sticky cookie with the name `__cookie__` is set
 in requests from the client.
 
+Sticky cookie value is calculated on top of client IP, User-Agent, session
+timestamp and the **secret** used as a key for HMAC. `sticky_secret` config
+option sets the secret string used for HMAC calculation. It's desirable to
+keep this value in secret to prevent automatic cookies generation on attacker
+side. By default Tempesta generates a new random value for the secret on start.
+This means that all user HTTP sessions are invalidated on Tempesta restart.
+Maximum length of the key is 20 bytes.
+
+`sess_lifetime` config option defines HTTP session lifetime in seconds. Default
+value is `0`, i.e. unlimited life time. When HTTP session expires the client
+receives 302 redirect with new cookie value if enforced sticky cookie is used.
+This option doesn't affect sticky cookie expire time - it's a session, temporal,
+cookie.
+
 
 ### Frang
 
@@ -589,6 +603,7 @@ for a DoS attack. Frang's **http_host_required** option should be used in this
 case. That would leave handling of the `Host:` header field to Tempesta.
 Invalid requests would be denied before they reach a back end server.
 
+
 ### Filter
 
 Let's see a simple example to understand Tempesta filtering.

etc/tempesta_fw.conf

@@ -259,6 +259,40 @@
 #   sticky enforce;	# Enforce sticky cookie with default name.
 #   sticky name=__cookie__ enforce;
 
+# TAG: sticky_secret
+#
+# Secret string for sticky cookie.
+#
+# Syntax:
+#   sticky_secret <string>
+#
+# Default:
+#   Random bytes.
+#
+# This is secret (key) used for HMAC calculation for Sticky cookie value.
+# It's desirable to keep this value in secret to prevent automatic cookies
+# generation on attacker side. By default Tempesta generates a new random
+# value for the secret on start. This means that all user HTTP sessions are
+# invalidated on Tempesta restart. Maximum length of the key is 20 bytes.
+#
+# Example:
+#   sticky_secret "f00)9eR59*_/22";
+
+# TAG: sess_lifetime
+#
+# HTTP session life time in seconds. Zero value means unlimited life time.
+# This option doesn't affect sticky cookie expire time - it's a session,
+# temporal, cookie.
+#
+# Syntax:
+#   sess_lifetime NUM;
+#
+# Default:
+#   0
+#
+# Example:
+#   sess_lifetime 900;
+
 #
 # Frang configuration.
 #

tempesta_fw/Makefile

@@ -39,7 +39,7 @@ tempesta_fw-objs = \
 	http_match.o \
 	http_msg.o \
 	http_parser.o \
-	http_sticky.o \
+	http_sess.o \
 	main.o \
 	pool.o \
 	procfs.o \

tempesta_fw/addr.h

@@ -72,29 +72,6 @@ tfw_addr_sa_len(const TfwAddr *addr)
 	return (addr->family == AF_INET6) ? sizeof(addr->v6) : sizeof(addr->v4);
 }
 
-/**
- * All Tempesta internal operations are with IPv6 addresses only,
- * as with more scalable and backward compatible with IPv4.
- */
-static inline void
-tfw_addr_get_sk_saddr(struct sock *sk, TfwAddr *addr)
-{
-	addr->family = AF_INET6;
-	addr->v6.sin6_port = inet_sk(sk)->inet_sport;
-#if IS_ENABLED(CONFIG_IPV6)
-	if (inet6_sk(sk)) {
-		memcpy(&addr->v6.sin6_addr, &sk->sk_v6_daddr,
-		       sizeof(struct in6_addr));
-	} else
-#endif
-	{
-		ipv6_addr_set_v4mapped(inet_sk(sk)->inet_daddr,
-				       &addr->v6.sin6_addr);
-	}
-	addr->v6.sin6_flowinfo = 0;
-	addr->v6.sin6_scope_id = 0;
-}
-
 static inline unsigned short
 tfw_addr_get_sk_sport(struct sock *sk)
 {

tempesta_fw/cache.c

@@ -34,7 +34,7 @@
 #include "cache.h"
 #include "http_msg.h"
 #include "procfs.h"
-#include "ss_skb.h"
+#include "sync_socket.h"
 #include "work_queue.h"
 
 #if MAX_NUMNODES > ((1 << 16) - 1)
@@ -1162,7 +1162,7 @@ cache_req_process_node(TfwHttpReq *req, unsigned long key,
 	resp = tfw_cache_build_resp(ce);
 out:
 	if (!resp && (req->cache_ctl.flags & TFW_HTTP_CC_OIFCACHED))
-		tfw_http_send_504((TfwHttpMsg *)req);
+		tfw_http_send_504(req);
 	else
 		action(req, resp);
 
@@ -1199,26 +1199,26 @@ tfw_cache_purge_method(TfwHttpReq *req, unsigned long key)
 
 	/* Deny PURGE requests by default. */
 	if (!(cache_cfg.cache && vhost->cache_purge && vhost->cache_purge_acl))
-		return tfw_http_send_403((TfwHttpMsg *)req);
+		return tfw_http_send_403(req);
 
 	/* Accept requests from configured hosts only. */
-	tfw_addr_get_sk_saddr(req->conn->sk, &saddr);
+	ss_getpeername(req->conn->sk, &saddr);
 	if (!tfw_capuacl_match(vhost, &saddr))
-		return tfw_http_send_403((TfwHttpMsg *)req);
+		return tfw_http_send_403(req);
 
 	/* Only "invalidate" option is implemented at this time. */
 	switch (vhost->cache_purge_mode) {
 	case TFW_D_CACHE_PURGE_INVALIDATE:
 		ret = tfw_cache_purge_invalidate(req, key);
 		break;
 	default:
-		return tfw_http_send_403((TfwHttpMsg *)req);
+		return tfw_http_send_403(req);
 	}
 
 	if (ret)
-		return tfw_http_send_404((TfwHttpMsg *)req);
+		return tfw_http_send_404(req);
 	else
-		return tfw_http_send_200((TfwHttpMsg *)req);
+		return tfw_http_send_200(req);
 }
 
 static void

tempesta_fw/classifier.h

@@ -2,7 +2,7 @@
  *		Tempesta FW
  *
  * Copyright (C) 2014 NatSys Lab. ([email protected]).
- * Copyright (C) 2015 Tempesta Technologies, Inc.
+ * Copyright (C) 2015-2016 Tempesta Technologies, Inc.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by
@@ -28,6 +28,11 @@
 #include "tempesta_fw.h"
 #include "connection.h"
 
+/* Size of classifier private cliet accounting data. */
+#define TFW_CLASSIFIER_ACCSZ	256
+
+typedef struct { char _[TFW_CLASSIFIER_ACCSZ]; } TfwClassifierPrvt;
+
 /*
  * Classification module handler.
  *