From: Christopher Faulet Date: Fri, 12 Jul 2024 13:21:21 +0000 (+0200) Subject: BUG/MINOR: session: Eval L4/L5 rules defined in the default section X-Git-Tag: v3.1-dev4~94 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=076444550583acc11ef7fce7e7e740f039125696;p=thirdparty%2Fhaproxy.git BUG/MINOR: session: Eval L4/L5 rules defined in the default section It is possible to define TCP/HTTP rules in a named default section to inherit from it in a proxy. However, there is an issue with L4/L5 rules. Only the lists of the current frontend are checked to know if an eval must be performed. Nothing is done for an empty list. Of course, the lists of the default proxy must also be checked to be sure to not ignored default L4/L5 rules. It is now fixed. This patch should fix the issue #2637. It must be backported as far as 2.6.
---
diff --git a/src/session.c b/src/session.c
index 016e47120f..7101180243 100644
--- a/src/session.c
+++ b/src/session.c
@@ -201,7 +201,8 @@ int session_accept_fd(struct connection *cli_conn)
 /* now evaluate the tcp-request layer4 rules. We only need a session * and no stream for these rules. */
- if (!LIST_ISEMPTY(&p->tcp_req.l4_rules) && !tcp_exec_l4_rules(sess)) {
+ if (((sess->fe->defpx && !LIST_ISEMPTY(&sess->fe->defpx->tcp_req.l4_rules)) ||
+ !LIST_ISEMPTY(&p->tcp_req.l4_rules)) && !tcp_exec_l4_rules(sess)) {
 /* let's do a no-linger now to close with a single RST. */ if (!(cli_conn->flags & CO_FL_FDLESS)) setsockopt(cfd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
@@ -493,7 +494,8 @@ int conn_complete_session(struct connection *conn)
 conn->flags |= CO_FL_XPRT_TRACKED; /* we may have some tcp-request-session rules */
- if (!LIST_ISEMPTY(&sess->fe->tcp_req.l5_rules) && !tcp_exec_l5_rules(sess))
+ if (((sess->fe->defpx && !LIST_ISEMPTY(&sess->fe->defpx->tcp_req.l5_rules)) ||
+ !LIST_ISEMPTY(&sess->fe->tcp_req.l5_rules)) && !tcp_exec_l5_rules(sess))
 goto fail; session_count_new(sess);
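Review bot: The defaults-section check in session_accept_fd() is open-coded as a long compound condition, and the same shape is repeated for the L5 list in conn_complete_session(). A small helper would stop the two call sites from drifting apart, which matters because a list check that misses inherited rules skips rule evaluation with no error. Something like `static inline int fe_has_l4_rules(const struct proxy *fe) { return (fe->defpx && !LIST_ISEMPTY(&fe->defpx->tcp_req.l4_rules)) || !LIST_ISEMPTY(&fe->tcp_req.l4_rules); }` (the name is only a suggestion), with an L5 twin, would read more clearly. The new condition also mixes `sess->fe->defpx` with `p->tcp_req.l4_rules`; if `p` is the session's frontend, as it appears to be, `p->defpx` would be more consistent. The function body starts and ends outside the hunk.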
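Review bot: The comment above the L5 check in conn_complete_session() still reads as if only the frontend's own list mattered. It could say `/* we may have some tcp-request-session rules, on the frontend or inherited from its defaults section */`, and the layer4 comment in the first hunk deserves the same mention. The patch as shown touches only src/session.c, so a regression test would be worth adding alongside it: a frontend with no rules of its own that inherits L4/L5 rules from a named defaults section. The failure being fixed is rules going unevaluated without any error, which is easy to reintroduce unnoticed. The function body extends outside the hunk.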