MAJOR: tcp: make tcp_exec_req_rules() only rely on the session
authorWilly Tarreau <w@1wt.eu>
Sat, 4 Apr 2015 14:41:45 +0000 (16:41 +0200)
committerWilly Tarreau <w@1wt.eu>
Mon, 6 Apr 2015 09:37:31 +0000 (11:37 +0200)
It passes a NULL wherever a stream was needed (acl_exec_cond() and
action_ptr mainly). It can still track the connection rate correctly
and block based on ACLs.

include/proto/proto_tcp.h
src/proto_tcp.c
src/stream.c

index 96488f1078d90c142b69c4d4fb748d2097b8359f..056129c14728f109b27c7387e8b54a21b4c30ad8 100644 (file)
@@ -38,7 +38,7 @@ int tcp_get_dst(int fd, struct sockaddr *sa, socklen_t salen, int dir);
 int tcp_drain(int fd);
 int tcp_inspect_request(struct stream *s, struct channel *req, int an_bit);
 int tcp_inspect_response(struct stream *s, struct channel *rep, int an_bit);
-int tcp_exec_req_rules(struct stream *s);
+int tcp_exec_req_rules(struct session *sess);
 
 /* TCP keywords. */
 void tcp_req_conn_keywords_register(struct tcp_action_kw_list *kw_list);
index b7451ef99a57f560601cb1fb58b21a289680b46e..17ec22e1bc5faf8f01bfe616e3288e62637cb04f 100644 (file)
@@ -1360,9 +1360,8 @@ resume_execution:
  * matches or if no more rule matches. It can only use rules which don't need
  * any data. This only works on connection-based client-facing stream interfaces.
  */
-int tcp_exec_req_rules(struct stream *s)
+int tcp_exec_req_rules(struct session *sess)
 {
-       struct session *sess = s->sess;
        struct tcp_rule *rule;
        struct stksess *ts;
        struct stktable *t = NULL;
@@ -1377,7 +1376,7 @@ int tcp_exec_req_rules(struct stream *s)
                ret = ACL_TEST_PASS;
 
                if (rule->cond) {
-                       ret = acl_exec_cond(rule->cond, sess->fe, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL);
+                       ret = acl_exec_cond(rule->cond, sess->fe, sess, NULL, SMP_OPT_DIR_REQ|SMP_OPT_FINAL);
                        ret = acl_pass(ret);
                        if (rule->cond->pol == ACL_COND_UNLESS)
                                ret = !ret;
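Review bot: The NULL stream passed to `acl_exec_cond()` here is only safe if every sample fetch reachable from a connection-level rule condition tolerates a missing stream, and nothing visible in this hunk enforces that. The same concern applies to `stktable_fetch_key(..., NULL, ...)` and `rule->action_ptr(rule, sess->fe, NULL)` in the later hunks of this function. A fetch or custom action that dereferences its stream argument would fault during accept, before any data is read, so the failure would be reachable by any peer that can open a connection. I would state the contract in the comment above the function, e.g. `/* No stream exists yet: conditions, track keys and custom actions receive a NULL stream and must not dereference it. */`, and check that stream-dependent fetches are rejected for these rules when the configuration is parsed. The function body starts and ends outside this hunk.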
@@ -1390,10 +1389,6 @@ int tcp_exec_req_rules(struct stream *s)
                                if (sess->listener->counters)
                                        sess->listener->counters->denied_conn++;
 
-                               if (!(s->flags & SF_ERR_MASK))
-                                       s->flags |= SF_ERR_PRXCOND;
-                               if (!(s->flags & SF_FINST_MASK))
-                                       s->flags |= SF_FINST_R;
                                result = 0;
                                break;
                        }
@@ -1407,7 +1402,7 @@ int tcp_exec_req_rules(struct stream *s)
                                        continue;
 
                                t = rule->act_prm.trk_ctr.table.t;
-                               key = stktable_fetch_key(t, s->be, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
+                               key = stktable_fetch_key(t, sess->fe, sess, NULL, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
 
                                if (key && (ts = stktable_get_entry(t, key)))
                                        stream_track_stkctr(&sess->stkctr[tcp_trk_idx(rule->action)], t, ts);
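Review bot: The proxy argument of `stktable_fetch_key()` changes from `s->be` to `sess->fe` on this line, which is a separate change from dropping the stream and is not mentioned in the commit description. It is presumably equivalent because no backend has been selected when connection rules run, but the hunk does not show that. A one-line comment would record the assumption: `/* no backend is assigned at accept time, so the frontend is the only proxy available */`. The enclosing function starts and ends outside this hunk.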
@@ -1418,7 +1413,7 @@ int tcp_exec_req_rules(struct stream *s)
                        }
                        else {
                                /* Custom keywords. */
-                               rule->action_ptr(rule, sess->fe, s);
+                               rule->action_ptr(rule, sess->fe, NULL);
 
                                /* otherwise it's an accept */
                                break;
index 7f2f27a4459387e94870e8734b85f2eb56184dca..b3eba12155525d1305e7720327e119e5fb056661 100644 (file)
@@ -157,7 +157,7 @@ int stream_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
         * to abort right here as soon as possible, we check the rules before
         * even initializing the stream interfaces.
         */
-       if ((l->options & LI_O_TCP_RULES) && !tcp_exec_req_rules(s)) {
+       if ((l->options & LI_O_TCP_RULES) && !tcp_exec_req_rules(sess)) {
                /* let's do a no-linger now to close with a single RST. */
                setsockopt(cfd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
                ret = 0; /* successful termination */