MEDIUM: proxy: remove obsolete "monitor-net"

As discussed here during 2.1-dev, "monitor-net" is totally obsolete:

   https://www.mail-archive.com/haproxy@formilux.org/msg35204.html

It's fundamentally incompatible with usage of SSL, and imposes the
presence of file descriptors with hard-coded syscalls directly in the
generic accept path.

It's very unlikely that anyone has used it in the last 10 years for
anything beyond testing. In the worst case if anyone would depend
on it, replacing it with "http-request return status 200 if ..." and
"mode http" would certainly do the trick.

The keyword is still detected as special by the config parser to help
users update their configurations appropriately.

doc/configuration.txt

@@ -2985,7 +2985,6 @@ max-keep-alive-queue                      X          -         X         X
 maxconn                                   X          X         X         -
 mode                                      X          X         X         X
 monitor fail                              -          X         X         -
-monitor-net                               X          X         X         -
 monitor-uri                               X          X         X         -
 option abortonclose                  (*)  X          -         X         X
 option accept-invalid-http-request   (*)  X          X         X         -
@@ -7158,48 +7157,7 @@ monitor fail { if | unless } <condition>
         monitor-uri   /site_alive
         monitor fail  if site_dead
 
-  See also : "monitor-net", "monitor-uri", "errorfile", "errorloc"
-
-
-monitor-net <source>
-  Declare a source network which is limited to monitor requests
-  May be used in sections :   defaults | frontend | listen | backend
-                                 yes   |    yes   |   yes  |   no
-  Arguments :
-    <source>  is the source IPv4 address or network which will only be able to
-              get monitor responses to any request. It can be either an IPv4
-              address, a host name, or an address followed by a slash ('/')
-              followed by a mask.
-
-  In TCP mode, any connection coming from a source matching <source> will cause
-  the connection to be immediately closed without any log. This allows another
-  equipment to probe the port and verify that it is still listening, without
-  forwarding the connection to a remote server.
-
-  In HTTP mode, a connection coming from a source matching <source> will be
-  accepted, the following response will be sent without waiting for a request,
-  then the connection will be closed : "HTTP/1.0 200 OK". This is normally
-  enough for any front-end HTTP probe to detect that the service is UP and
-  running without forwarding the request to a backend server. Note that this
-  response is sent in raw format, without any transformation. This is important
-  as it means that it will not be SSL-encrypted on SSL listeners.
-
-  Monitor requests are processed very early, just after tcp-request connection
-  ACLs which are the only ones able to block them. These connections are short
-  lived and never wait for any data from the client. They cannot be logged, and
-  it is the intended purpose. They are only used to report HAProxy's health to
-  an upper component, nothing more. Please note that "monitor fail" rules do
-  not apply to connections intercepted by "monitor-net".
-
-  Last, please note that only one "monitor-net" statement can be specified in
-  a frontend. If more than one is found, only the last one will be considered.
-
-  Example :
-    # addresses .252 and .253 are just probing us.
-    frontend www
-        monitor-net 192.168.0.252/31
-
-  See also : "monitor fail", "monitor-uri"
+  See also : "monitor-uri", "errorfile", "errorloc"
 
 
 monitor-uri <uri>
@@ -7238,7 +7196,7 @@ monitor-uri <uri>
         mode http
         monitor-uri /haproxy_test
 
-  See also : "monitor fail", "monitor-net"
+  See also : "monitor fail"
 
 
 option abortonclose
@@ -7555,7 +7513,7 @@ no option dontlognull
   If this option has been enabled in a "defaults" section, it can be disabled
   in a specific instance by prepending the "no" keyword before it.
 
-  See also : "log", "http-ignore-probes", "monitor-net", "monitor-uri", and
+  See also : "log", "http-ignore-probes", "monitor-uri", and
              section 8 about logging.
 
 
@@ -19321,11 +19279,8 @@ ask how to disable logging for those checks. There are three possibilities :
     setting "option dontlognull" in the frontend. It also disables logging of
     port scans, which may or may not be desired.
 
-  - if the connection come from a known source network, use "monitor-net" to
-    declare this network as monitoring only. Any host in this network will then
-    only be able to perform health checks, and their requests will not be
-    logged. This is generally appropriate to designate a list of equipment
-    such as other load-balancers.
+  - it is possible to use the "http-request set-log-level silent" action using
+    a variety of conditions (source networks, paths, user-agents, etc).
 
   - if the tests are performed on a known URI, use "monitor-uri" to declare
     this URI as dedicated to monitoring. Any host sending this request will

include/haproxy/listener-t.h

@@ -90,7 +90,7 @@ enum li_state {
 #define LI_O_DEF_ACCEPT         0x0008  /* wait up to 1 second for data before accepting */
 #define LI_O_TCP_L4_RULES       0x0010  /* run TCP L4 rules checks on the incoming connection */
 #define LI_O_TCP_L5_RULES       0x0020  /* run TCP L5 rules checks on the incoming session */
-#define LI_O_CHK_MONNET         0x0040  /* check the source against a monitor-net rule */
+/* unused                       0x0040  */
 #define LI_O_ACC_PROXY          0x0080  /* find the proxied address in the first request line */
 #define LI_O_UNLIMITED          0x0100  /* listener not subject to global limits (peers & stats socket) */
 #define LI_O_TCP_FO             0x0200  /* enable TCP Fast Open (linux >= 3.7) */

include/haproxy/proxy-t.h

@@ -253,7 +253,6 @@ struct proxy {
 	int options;				/* PR_O_REDISP, PR_O_TRANSP, ... */
 	int options2;				/* PR_O2_* */
 	int max_out_conns;                      /* Max number of idling connections we keep for a session */
-	struct in_addr mon_net, mon_mask;	/* don't forward connections from this net (network order) FIXME: should support IPv6 */
 	unsigned int ck_opts;			/* PR_CK_* (cookie options) */
 	unsigned int fe_req_ana, be_req_ana;	/* bitmap of common request protocol analysers for the frontend and backend */
 	unsigned int fe_rsp_ana, be_rsp_ana;	/* bitmap of common response protocol analysers for the frontend and backend */

src/cfgparse-listen.c

@@ -369,8 +369,6 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 			curproxy->timeout.tarpit = defproxy.timeout.tarpit;
 			curproxy->timeout.httpreq = defproxy.timeout.httpreq;
 			curproxy->timeout.httpka = defproxy.timeout.httpka;
-			curproxy->mon_net = defproxy.mon_net;
-			curproxy->mon_mask = defproxy.mon_mask;
 			if (defproxy.monitor_uri)
 				curproxy->monitor_uri = strdup(defproxy.monitor_uri);
 			curproxy->monitor_uri_len = defproxy.monitor_uri_len;
@@ -662,17 +660,8 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
 		goto out;
 	}
 	else if (!strcmp(args[0], "monitor-net")) {  /* set the range of IPs to ignore */
-		if (!*args[1] || !str2net(args[1], 1, &curproxy->mon_net, &curproxy->mon_mask)) {
-			ha_alert("parsing [%s:%d] : '%s' expects address[/mask].\n",
-				 file, linenum, args[0]);
-			err_code |= ERR_ALERT | ERR_FATAL;
-			goto out;
-		}
-		if (warnifnotcap(curproxy, PR_CAP_FE, file, linenum, args[0], NULL))
-			err_code |= ERR_WARN;
-
-		/* flush useless bits */
-		curproxy->mon_net.s_addr &= curproxy->mon_mask.s_addr;
+		ha_alert("parsing [%s:%d] : 'monitor-net' doesn't exist anymore. Please use 'http-request return status 200 if { src %s }' instead.\n", file, linenum, args[1]);
+		err_code |= ERR_ALERT | ERR_FATAL;
 		goto out;
 	}
 	else if (!strcmp(args[0], "monitor-uri")) {  /* set the URI to intercept */

src/cfgparse.c

@@ -3726,9 +3726,6 @@ out_uri_auth_compat:
 			if (!LIST_ISEMPTY(&curproxy->tcp_req.l5_rules))
 				listener->options |= LI_O_TCP_L5_RULES;
 
-			if (curproxy->mon_mask.s_addr)
-				listener->options |= LI_O_CHK_MONNET;
-
 			/* smart accept mode is automatic in HTTP mode */
 			if ((curproxy->options2 & PR_O2_SMARTACC) ||
 			    ((curproxy->mode == PR_MODE_HTTP || listener->bind_conf->is_ssl) &&

src/session.c

@@ -190,30 +190,6 @@ int session_accept_fd(struct listener *l, int cfd, struct sockaddr_storage *addr
 		goto out_free_sess;
 	}
 
-	/* monitor-net and health mode are processed immediately after TCP
-	 * connection rules. This way it's possible to block them, but they
-	 * never use the lower data layers, they send directly over the socket,
-	 * as they were designed for. We first flush the socket receive buffer
-	 * in order to avoid emission of an RST by the system. We ignore any
-	 * error.
-	 */
-	if (unlikely(((l->options & LI_O_CHK_MONNET) &&
-		      addr->ss_family == AF_INET &&
-		      (((struct sockaddr_in *)addr)->sin_addr.s_addr & p->mon_mask.s_addr) == p->mon_net.s_addr))) {
-		/* we have 4 possibilities here :
-		 *  - HTTP mode, from monitoring address => send "HTTP/1.0 200 OK"
-		 *  - HEALTH mode with HTTP check => send "HTTP/1.0 200 OK"
-		 *  - HEALTH mode without HTTP check => just send "OK"
-		 *  - TCP mode from monitoring address => just close
-		 */
-		if (l->rx.proto->drain)
-			l->rx.proto->drain(cfd);
-		if (p->mode == PR_MODE_HTTP)
-			send(cfd, "HTTP/1.0 200 OK\r\n\r\n", 19, MSG_DONTWAIT|MSG_NOSIGNAL|MSG_MORE);
-		ret = 0;
-		goto out_free_sess;
-	}
-
 	/* Adjust some socket options */
 	if (l->rx.addr.ss_family == AF_INET || l->rx.addr.ss_family == AF_INET6) {
 		setsockopt(cfd, IPPROTO_TCP, TCP_NODELAY, (char *) &one, sizeof(one));