From: Willy Tarreau
Date: Sat, 4 Jul 2015 09:36:30 +0000 (+0200)
Subject: BUG/MAJOR: tcp: tcp rulesets were still broken
X-Git-Tag: v1.6-dev3~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27f78241e6bb3256fafe853e49a0f3e85d8fd933;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: tcp: tcp rulesets were still broken

Commit cc87a11 ("MEDIUM: tcp: add register keyword system.") broke the TCP ruleset by merging custom rules and accept. It was fixed a first time by commit e91ffd0 ("BUG/MAJOR: tcp: only call registered actions when they're registered") but the accept action still didn't work anymore and was causing the matching rule to simply be ignored.

Since the code introduced a very fragile behaviour by not even mentioning that accept and custom were silently merged, let's fix this once for all by adding an explicit check for the accept action.

Nevertheless, as previously mentioned, the action should be changed so that custom is the only action and the continue vs break indication directly comes from the callee.

No backport is needed, this bug only affects 1.6-dev.

--- diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 737a32ee09..6d1ec03a99 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -1158,7 +1158,10 @@ int tcp_inspect_request(struct stream *s, struct channel *req, int an_bit) if (ret) { resume_execution: /* we have a matching rule. */ - if (rule->action == TCP_ACT_REJECT) { + if (rule->action == TCP_ACT_ACCEPT) { + break; + } + else if (rule->action == TCP_ACT_REJECT) { channel_abort(req); channel_abort(&s->res); req->analysers = 0; @@ -1323,7 +1326,10 @@ int tcp_inspect_response(struct stream *s, struct channel *rep, int an_bit) if (ret) { resume_execution: /* we have a matching rule. */ - if (rule->action == TCP_ACT_REJECT) { + if (rule->action == TCP_ACT_ACCEPT) { + break; + } + else if (rule->action == TCP_ACT_REJECT) { channel_abort(rep); channel_abort(&s->req); rep->analysers = 0; 
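Review bot: in both the tcp_inspect_request and tcp_inspect_response hunks the new `if (rule->action == TCP_ACT_ACCEPT) { break; }` carries no comment saying what the break means, which is the same kind of undocumented behaviour the commit message complains about; a one-liner such as `/* accept: stop evaluating rules, let the channel proceed */` would make explicit that accept ends rule evaluation without touching the analysers, in contrast to the REJECT branch right below it, which aborts both channels and zeroes `req->analysers` / `rep->analysers`. The check is also placed directly after the `resume_execution:` label, so a rule resumed through that label is retested for ACCEPT before anything else; that is harmless, but a short comment at the label stating which actions are expected to resume there would save the next reader from wondering whether an accept rule can ever be resumed.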
@@ -1399,7 +1405,10 @@ int tcp_exec_req_rules(struct session *sess) if (ret) { /* we have a matching rule. */ - if (rule->action == TCP_ACT_REJECT) { + if (rule->action == TCP_ACT_ACCEPT) { + break; + } + else if (rule->action == TCP_ACT_REJECT) { sess->fe->fe_counters.denied_conn++; if (sess->listener->counters) sess->listener->counters->denied_conn++;
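Review bot: this is the third copy of the same prefix (ACCEPT breaks, otherwise fall into the REJECT branch), and in tcp_exec_req_rules the REJECT branch additionally increments `sess->fe->fe_counters.denied_conn` and the listener counters; because the accept test now precedes it, an accepted connection can no longer be counted as denied, which is correct. The three identical sites are what made it possible for the accept case to be dropped without anyone noticing, though; the commit message's own follow-up, making custom the sole action with the continue/break verdict returned by the callee, would collapse them into a single dispatch, and until that lands a shared helper, or at minimum the same comment at each `break`, would keep the three sites from drifting apart again.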