REORG/MINOR: session: detect the TCP monitor checks at the protocol accept

It does not make sense anymore to wait for a session creation to process
a TCP monitor check which only closes the connection and returns. Better
to process this immediately after the accept() return. It also saves us
from counting a connection for monitor checks, which is much more logical.

diff --git a/src/protocols.c b/src/protocols.c
index cc7b3ce312e02e720d625eefa3549b2cde1c28d4..adbe44d5c800d462bf6a7e3ed21343562867ea17 100644 (file)
--- a/src/protocols.c
+++ b/src/protocols.c
@@ -339,6 +339,18 @@ int listener_accept(int fd)
                        }
                }
 
+               /* if this connection comes from a known monitoring system, we want to ignore
+                * it as soon as possible, which means closing it immediately if it is only a
+                * TCP-based monitoring check.
+                */
+               if (unlikely((l->options & LI_O_CHK_MONNET) &&
+                            (p->mode == PR_MODE_TCP) &&
+                            addr.ss_family == AF_INET &&
+                            (((struct sockaddr_in *)&addr)->sin_addr.s_addr & p->mon_mask.s_addr) == p->mon_net.s_addr)) {
+                       close(cfd);
+                       continue;
+               }
+
                if (unlikely(cfd >= global.maxsock)) {
                        send_log(p, LOG_EMERG,
                                 "Proxy %s reached the configured maximum connection limit. Please check the global 'maxconn' value.\n",

diff --git a/src/session.c b/src/session.c
index 4760a350bc7ef120d97080c0cc7342a4e4dbac7f..ed289b44361845a3102fbea453bf8bd1c796dfa6 100644 (file)
--- a/src/session.c
+++ b/src/session.c
@@ -75,21 +75,6 @@ int session_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
        s->stkctr1_table = NULL;
        s->stkctr2_table = NULL;
 
-       /* if this session comes from a known monitoring system, we want to ignore
-        * it as soon as possible, which means closing it immediately for TCP, but
-        * cleanly.
-        */
-       if (unlikely((l->options & LI_O_CHK_MONNET) &&
-                    addr->ss_family == AF_INET &&
-                    (((struct sockaddr_in *)addr)->sin_addr.s_addr & p->mon_mask.s_addr) == p->mon_net.s_addr)) {
-               if (p->mode == PR_MODE_TCP) {
-                       ret = 0; /* successful termination */
-                       goto out_free_session;
-               }
-               s->flags |= SN_MONITOR;
-               s->logs.logwait = 0;
-       }
-
        if (unlikely((t = task_new()) == NULL))
                goto out_free_session;
 
@@ -122,6 +107,17 @@ int session_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
        s->be  = s->fe  = p;
        s->req = s->rep = NULL; /* will be allocated later */
 
+       /* if this session comes from a known monitoring system, we want to ignore
+        * it as soon as possible, which means closing it immediately for TCP, but
+        * cleanly.
+        */
+       if (unlikely((l->options & LI_O_CHK_MONNET) &&
+                    addr->ss_family == AF_INET &&
+                    (((struct sockaddr_in *)addr)->sin_addr.s_addr & p->mon_mask.s_addr) == p->mon_net.s_addr)) {
+               s->flags |= SN_MONITOR;
+               s->logs.logwait = 0;
+       }
+
        /* now evaluate the tcp-request layer4 rules. Since we expect to be able
         * to abort right here as soon as possible, we check the rules before
         * even initializing the stream interfaces.