BUG/MEDIUM: tcp: do not skip tracking rules on second pass
authorWilly Tarreau <w@1wt.eu>
Wed, 30 Oct 2013 18:24:00 +0000 (19:24 +0100)
committerWilly Tarreau <w@1wt.eu>
Wed, 30 Oct 2013 18:29:21 +0000 (19:29 +0100)
The track-sc* tcp rules are bogus. The test to verify if the
tracked counter was already assigned is performed in the same
condition as the test for the action. The effect is that a
rule which tracks a counter that is already being tracked
is implicitly converted to an accept because the default
rule is an accept.

This bug only affects 1.5-dev releases.

src/proto_tcp.c

index 56fa2a392d85ed2035d824244cd2d0463fc9532b..0f1dc370af3e144d09ff7e95c132cf7402efb505 100644 (file)
@@ -939,13 +939,15 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit)
                                        s->flags |= SN_FINST_R;
                                return 0;
                        }
-                       else if ((rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) &&
-                                !s->stkctr[tcp_trk_idx(rule->action)].entry) {
+                       else if (rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) {
                                /* Note: only the first valid tracking parameter of each
                                 * applies.
                                 */
                                struct stktable_key *key;
 
+                               if (s->stkctr[tcp_trk_idx(rule->action)].entry)
+                                       continue;
+
                                t = rule->act_prm.trk_ctr.table.t;
                                key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
 
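Review bot: The new `continue` in tcp_inspect_request, and the identical one in the tcp_exec_req_rules hunk, has no comment explaining why an already-tracked counter must skip the rule instead of falling through; the existing note above it only says that the first tracking parameter applies. Per the commit message, falling through reached the default accept, so a redundant track rule could end evaluation before a later rule ran. That makes this an access-control-relevant branch, worth protecting against someone later merging the two conditions back together. I would add above the check something like `/* counter already tracked: skip this rule and keep evaluating; falling through would hit the default accept */`. The enclosing loop and the rest of both functions lie outside the hunks, so I am assuming `continue` advances to the next rule in the same list; the check-then-fetch sequence is also duplicated in both functions and may be worth a shared static helper.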
@@ -1099,13 +1101,15 @@ int tcp_exec_req_rules(struct session *s)
                                result = 0;
                                break;
                        }
-                       else if ((rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) &&
-                                !s->stkctr[tcp_trk_idx(rule->action)].entry) {
+                       else if (rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) {
                                /* Note: only the first valid tracking parameter of each
                                 * applies.
                                 */
                                struct stktable_key *key;
 
+                               if (s->stkctr[tcp_trk_idx(rule->action)].entry)
+                                       continue;
+
                                t = rule->act_prm.trk_ctr.table.t;
                                key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);