/* Length bounds for an X-Forwarded-For header value. The lines that use them are not part of
 * this listing.
 * NOTE(review): 7 is the length of the shortest dotted quad ("1.2.3.4"); presumably that is
 * why it is the minimum - confirm. */
37 #define XFF_CHAIN_MINLEN 7
/* NOTE(review): presumably also the size of the local copy buffer (xff_chain). Confirm that the
 * guard in front of the copy is a strict less-than, so the terminating NUL still fits. */
39 #define XFF_CHAIN_MAXLEN 256
/* Default name of the header carrying the forwarded address. The header is part of the HTTP
 * request, so its value is untrusted input for everything that parses it. */
41 #define XFF_DEFAULT "X-Forwarded-For"
/*
 * Extract a bare IP address literal from a single X-Forwarded-For entry.
 *
 * input:       NUL-terminated entry; strlen() is called on it first, so it must not be NULL.
 * output:      receives the address text through strlcpy().
 * output_size: capacity of output in bytes. It is an int handed to strlcpy(), whose size
 *              parameter is size_t, so callers must pass a positive value.
 *
 * The unit tests in this file expect a return of 1 and the address without brackets or port
 * for the forms "a.b.c.d", "a.b.c.d:port", "v6", "[v6]" and "[v6]:port".
 * Only part of the body is visible in this listing; comments below describe the visible lines.
 */
50 static int ParseXFFString(
char *input,
char *output,
int output_size)
/* Entry length, used to test where the closing bracket sits. */
52 size_t len = strlen(input);
/* Bracketed form: "[addr]", optionally followed by more text such as ":port". */
56 if (input[0] ==
'[') {
/* NOTE(review): strchr() returns NULL when ']' is missing; the handling of that case is on
 * lines not shown - confirm the entry is rejected before 'end' is used. */
57 char *end = strchr(input,
']');
/* True when ']' is not the final character, i.e. something follows the bracket. */
61 if (end != input+(
len - 1)) {
/* NOTE(review): d and c are computed on lines not shown; presumably dot and colon counts, so
 * this selects the "a.b.c.d:port" form - confirm. */
83 if (d == 3 && c == 1) {
/* Find the first ':' in the entry. */
85 char *x = strchr(input,
':');
/* Accept the remaining text only if it parses as an IPv4 or an IPv6 literal. */
98 if (inet_pton(AF_INET, input, ip) == 1 ||
99 inet_pton(AF_INET6, input, ip) == 1)
/* Bounded copy into the caller's buffer; strlcpy() always NUL-terminates when the size is > 0. */
101 strlcpy(output, input, output_size);
/* Tail of a function whose name and leading parameters are on lines not shown. From the
 * visible lines: it looks up the configured header in one HTTP transaction's request headers,
 * copies the value into xff_chain, selects one entry of the chain and returns the result of
 * ParseXFFString() on it, with dstbuf/dstbuflen as the output buffer. */
114 char *dstbuf,
int dstbuflen)
/* Number of transactions; assigned on a line not shown. */
119 uint64_t total_txs = 0;
/* Set from a delimiter search in xff_chain below. */
120 uint8_t *p_xff = NULL;
/* Without HTTP state there is no header to read. */
124 if (htp_state == NULL) {
125 SCLogDebug(
"no http state, XFF IP cannot be retrieved");
/* Transaction id at or beyond the known transaction count. */
130 if (tx_id >= total_txs)
135 SCLogDebug(
"tx is NULL, XFF cannot be retrieved");
/* Fetch the header named in the XFF configuration, if the request has a header table. */
139 htp_header_t *h_xff = NULL;
140 if (tx->request_headers != NULL) {
141 h_xff = htp_table_get_c(tx->request_headers, xff_cfg->
header);
/* The header value comes from the HTTP request, so its length and content are chosen by the
 * sender. The copy writes bstr_len() bytes and then a terminator at index bstr_len(), so
 * xff_chain needs at least bstr_len() + 1 bytes.
 * NOTE(review): the declaration of xff_chain and any length guard are on lines not shown -
 * confirm the copy only runs when bstr_len() is strictly below the buffer size.
 * A NUL byte inside the value ends the string early for the strlen()-based parser, while the
 * memchr()/memrchr() searches below still cover the full bstr_len(). */
147 memcpy(xff_chain, bstr_ptr(h_xff->value), bstr_len(h_xff->value));
148 xff_chain[bstr_len(h_xff->value)]=0;
/* Last space in the copied value.
 * NOTE(review): which of the two searches runs is decided on lines not shown, presumably by
 * the forward/reverse deployment setting - confirm. Entries that were not appended by a
 * trusted proxy can be set freely by the client, so the extracted address is only as
 * reliable as that setting. */
152 p_xff =
memrchr(xff_chain,
' ', bstr_len(h_xff->value));
/* First comma in the copied value. */
161 p_xff = memchr(xff_chain,
',', bstr_len(h_xff->value));
/* NOTE(review): memchr()/memrchr() return NULL when the delimiter is absent (single-entry
 * header) and ParseXFFString() calls strlen() on its input immediately; the NULL handling is
 * on lines not shown - confirm p_xff is never NULL here. */
167 return ParseXFFString((
char *)p_xff, dstbuf, dstbuflen);
/* Fragment of a second lookup routine (signature not shown): it walks the transactions from
 * tx_id up to total_txs. What is done per transaction is on lines not shown. */
/* Number of transactions; assigned on a line not shown. */
181 uint64_t total_txs = 0;
/* Without HTTP state there is no header to read. */
184 if (htp_state == NULL) {
185 SCLogDebug(
"no http state, XFF IP cannot be retrieved");
/* tx_id is advanced in place, so the loop starts at the caller-supplied transaction. */
190 for (; tx_id < total_txs; tx_id++) {
/* Fragment of the XFF configuration parser (signature not shown). Option values are compared
 * case-insensitively; the actions taken in each branch are on lines not shown. */
/* Mode "overwrite". */
214 if (xff_mode != NULL && strcasecmp(xff_mode,
"overwrite") == 0) {
/* Mode not set. NOTE(review): the default applied here is not visible - confirm. */
217 if (xff_mode == NULL) {
/* Mode set, but not "extra-data". NOTE(review): presumably reported as an invalid value -
 * confirm. */
220 else if (strcasecmp(xff_mode,
"extra-data") != 0) {
/* Deployment "forward". */
229 if (xff_deployment != NULL && strcasecmp(xff_deployment,
"forward") == 0) {
/* Deployment not set. NOTE(review): the default applied here is not visible - confirm. This
 * setting presumably decides which entry of the chain is trusted, so a wrong default lets a
 * client-supplied entry be reported as the source address. */
232 if (xff_deployment == NULL) {
/* Deployment set, but not "reverse". */
235 else if (strcasecmp(xff_deployment,
"reverse") != 0) {
/* Keep the configured header name. Only the pointer is stored, no copy is made, so the
 * configuration string must outlive result.
 * NOTE(review): the cast suggests xff_header is const-qualified; confirm nothing writes
 * through result->header. */
244 if (xff_header != NULL) {
245 result->
header = (
char *) xff_header;
/* IPv4 address followed by a port: the parser must succeed and drop the port. */
259 static int XFFTest01(
void) {
260 char input[] =
"1.2.3.4:5678";
262 int r = ParseXFFString(input, output,
sizeof(output));
263 FAIL_IF_NOT(r == 1 && strcmp(output,
"1.2.3.4") == 0);
/* Bracketed, compressed IPv6 address with a port: brackets and port must be removed. */
267 static int XFFTest02(
void) {
268 char input[] =
"[12::34]:1234";
270 int r = ParseXFFString(input, output,
sizeof(output));
271 FAIL_IF_NOT(r == 1 && strcmp(output,
"12::34") == 0);
/* Bracketed full-length IPv6 address with a port: brackets and port must be removed. */
275 static int XFFTest03(
void) {
276 char input[] =
"[2a03:2880:1010:3f02:face:b00c:0:2]:80";
278 int r = ParseXFFString(input, output,
sizeof(output));
279 FAIL_IF_NOT(r == 1 && strcmp(output,
"2a03:2880:1010:3f02:face:b00c:0:2") == 0);
/* Bracketed IPv6 address without a port: only the brackets must be removed. */
283 static int XFFTest04(
void) {
284 char input[] =
"[2a03:2880:1010:3f02:face:b00c:0:2]";
286 int r = ParseXFFString(input, output,
sizeof(output));
287 FAIL_IF_NOT(r == 1 && strcmp(output,
"2a03:2880:1010:3f02:face:b00c:0:2") == 0);
/* Bracketed IPv4-mapped IPv6 address with a port: the dotted tail must be kept intact. */
291 static int XFFTest05(
void) {
292 char input[] =
"[::ffff:1.2.3.4]:1234";
294 int r = ParseXFFString(input, output,
sizeof(output));
295 FAIL_IF_NOT(r == 1 && strcmp(output,
"::ffff:1.2.3.4") == 0);
/* Bare IPv6 address without brackets or port: must be returned unchanged. */
299 static int XFFTest06(
void) {
300 char input[] =
"12::34";
302 int r = ParseXFFString(input, output,
sizeof(output));
303 FAIL_IF_NOT(r == 1 && strcmp(output,
"12::34") == 0);
/* Bare IPv4 address without a port: must be returned unchanged. */
307 static int XFFTest07(
void) {
308 char input[] =
"1.2.3.4";
310 int r = ParseXFFString(input, output,
sizeof(output));
311 FAIL_IF_NOT(r == 1 && strcmp(output,
"1.2.3.4") == 0);
/* Malformed input: opening bracket with no closing bracket.
 * NOTE(review): the assertion is on a line not shown; presumably the parser must reject this
 * entry (r != 1) - confirm. */
315 static int XFFTest08(
void) {
316 char input[] =
"[1.2.3.4:1234";
318 int r = ParseXFFString(input, output,
sizeof(output));
323 static int XFFTest09(
void) {
324 char input[] =
"999.999.999.999:1234";
326 int r = ParseXFFString(input, output,
sizeof(output));