[MINOR] tcp-inspect: permit the use of no-delay inspection

Sometimes it may make sense to be able to immediately apply a verdict
without waiting at all. It was not possible because no inspect-delay
meant no inspection at all. This is now fixed.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 3949764cb5edab397cd06707672aaf49bafb9a5e..324b424fb7ea7e71c07983717781a254b68ee14e 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -3627,7 +3627,10 @@ tcp-request inspect-delay <timeout>
   rules for every new chunk which gets in, taking into account the fact that
   those data are partial. If no rule matches before the aforementionned delay,
   a last check is performed upon expiration, this time considering that the
-  contents are definitive.
+  contents are definitive. If no delay is set, haproxy will not wait at all
+  and will immediately apply a verdict based on the available information.
+  Obviously this is unlikely to be very useful and might even be racy, so such
+  setups are not recommended.
 
   As soon as a rule matches, the request is released and continues as usual. If
   the timeout is reached and no rule matches, the default policy will be to let

diff --git a/src/cfgparse.c b/src/cfgparse.c
index 08fad67793f3c9192941d6502678b4f712479507..1158988ffedda6df3ab9283e500ecdfbb21c5ec6 100644 (file)
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -3469,7 +3469,8 @@ int readcfgfile(const char *file)
                        if (curproxy->mode == PR_MODE_HTTP)
                                listener->analysers |= AN_REQ_HTTP_HDR;
 
-                       if (curproxy->tcp_req.inspect_delay)
+                       if (curproxy->tcp_req.inspect_delay ||
+                           !LIST_ISEMPTY(&curproxy->tcp_req.inspect_rules))
                                listener->analysers |= AN_REQ_INSPECT;
 
                        listener = listener->next;

diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 2fb6a85c70e84c0eee3a88d2e86911036d140ec0..ec9d23a0c9198d146d94d9927efd85c92600cca3 100644 (file)
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -404,7 +404,7 @@ int tcp_inspect_request(struct session *s, struct buffer *req)
         * - if one rule returns KO, then return KO
         */
 
-       if (req->flags & BF_SHUTR || tick_is_expired(req->analyse_exp, now_ms))
+       if (req->flags & BF_SHUTR || !s->fe->tcp_req.inspect_delay || tick_is_expired(req->analyse_exp, now_ms))
                partial = 0;
        else
                partial = ACL_PARTIAL;
@@ -417,7 +417,7 @@ int tcp_inspect_request(struct session *s, struct buffer *req)
                        if (ret == ACL_PAT_MISS) {
                                buffer_write_dis(req);
                                /* just set the request timeout once at the beginning of the request */
-                               if (!tick_isset(req->analyse_exp))
+                               if (!tick_isset(req->analyse_exp) && s->fe->tcp_req.inspect_delay)
                                        req->analyse_exp = tick_add_ifset(now_ms, s->fe->tcp_req.inspect_delay);
                                return 0;
                        }