BUG/MINOR: http-ana: Don't eval front after-response rules if stopped on back
authorChristopher Faulet <cfaulet@haproxy.com>
Fri, 15 Oct 2021 11:51:34 +0000 (13:51 +0200)
committerChristopher Faulet <cfaulet@haproxy.com>
Fri, 15 Oct 2021 12:12:19 +0000 (14:12 +0200)
http-after-response rules evaluation must be stopped after an "allow". It
means the frontend ruleset must not be evaluated if an "allow" was performed
in the backend ruleset. Internally, the evaluation must be stopped on an
HTTP_RULE_RES_STOP return value. Only the "allow" action is concerned by
this change.

Thanks to this patch, http-response and http-after-response behave in the
same way.

This patch should be backported as far as 2.2.

reg-tests/http-rules/http_after_response.vtc
src/http_ana.c

index af66498503ce9e7c51283721e02479617561a912..0a37daa5ffff59e043f14184cc0f7111621dc46a 100644 (file)
@@ -182,11 +182,11 @@ client c4 -connect ${h1_feh1_sock} {
 client c5 -connect ${h1_feh1_sock} {
         txreq -req GET -url /deny-srv
         rxresp
-        expect resp.status == 200
-        expect resp.http.be-sl1 == ""
-        expect resp.http.be-sl2 == ""
-        expect resp.http.be-hdr == ""
-        expect resp.http.fe-sl1-crc == 3104968915
-        expect resp.http.fe-sl2-crc == 561949791
-        expect resp.http.fe-hdr-crc == 623352154
+        expect resp.status == 502
+        expect resp.http.be-sl1 == <undef>
+        expect resp.http.be-sl2 == <undef>
+        expect resp.http.be-hdr == <undef>
+        expect resp.http.sl1 == <undef>
+        expect resp.http.sl2 == <undef>
+        expect resp.http.hdr == <undef>
 } -run
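Review bot: The new absence checks for client c5 read `sl1`, `sl2` and `hdr`, while the assertions they replace read `fe-sl1-crc`, `fe-sl2-crc` and `fe-hdr-crc`. If the frontend still emits the `fe-*-crc` headers (the haproxy configuration is outside this hunk), these checks do not prove that the frontend ruleset was skipped. Consider also asserting `expect resp.http.fe-sl1-crc == <undef>` and its two siblings. The expected status for `/deny-srv` also moves from 200 to 502, which the commit message about "allow" does not explain; a `#` comment above the client block naming the rule that produces the 502 would make the test easier to read.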
index 7e32fb8ead2bca0417fd598349f4c7cafd550d4c..2033d46615ce7ae672eb1f9dedb0fa0afd837911 100644 (file)
@@ -2950,7 +2950,7 @@ int http_eval_after_res_rules(struct stream *s)
        }
 
        ret = http_res_get_intercept_rule(s->be, &s->be->http_after_res_rules, s);
-       if ((ret == HTTP_RULE_RES_CONT || ret == HTTP_RULE_RES_STOP) && sess->fe != s->be)
+       if (ret == HTTP_RULE_RES_CONT && sess->fe != s->be)
                ret = http_res_get_intercept_rule(sess->fe, &sess->fe->http_after_res_rules, s);
 
   end:
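Review bot: The narrowed condition after the backend call has no comment explaining why HTTP_RULE_RES_STOP no longer falls through to the frontend ruleset, so a later reader could mistake it for an omission and restore the old form. I would add above it `/* STOP: a backend "allow" matched, the frontend after-response rules must not run */`. The backport notes should also mention the operational effect: a frontend that relies on http-after-response to add security headers or strip internal ones will no longer do so for responses where the backend ruleset hits "allow". How `ret == HTTP_RULE_RES_STOP` is handled after the `end:` label is outside this hunk, so confirm it is still reported as success there.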