From: Willy Tarreau
Date: Wed, 30 Oct 2013 18:24:00 +0000 (+0100)
Subject: BUG/MEDIUM: tcp: do not skip tracking rules on second pass
X-Git-Tag: v1.5-dev20~252
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44778ad87d9aa4127b6968a18413b74487c0b762;p=thirdparty%2Fhaproxy.git
BUG/MEDIUM: tcp: do not skip tracking rules on second pass
The track-sc* tcp rules are bogus. The test to verify if the tracked counter was already assigned is performed in the same condition as the test for the action. The effect is that a rule which tracks a counter that is already being tracked is implicitly converted to an accept because the default rule is an accept. This bug only affects 1.5-dev releases.
---
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 56fa2a392d..0f1dc370af 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -939,13 +939,15 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit)
 s->flags |= SN_FINST_R;
 return 0;
 }
- else if ((rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) &&
- !s->stkctr[tcp_trk_idx(rule->action)].entry) {
+ else if (rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) {
 /* Note: only the first valid tracking parameter of each
 * applies.
 */
 struct stktable_key *key;
+ if (s->stkctr[tcp_trk_idx(rule->action)].entry)
+ continue;
+
 t = rule->act_prm.trk_ctr.table.t;
 key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
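Review bot: The fall-through that made this bug possible is left in place: going by the commit description, the last branch of this if/else-if chain treats every action it did not match as an accept, so the next `else if` that carries an extra predicate next to its action test will again end rule evaluation before later reject rules are reached. That final branch is outside the hunk here and in tcp_exec_req_rules (second hunk), so this is inferred from the description rather than read from visible lines. Matching the accept action explicitly, e.g. `else if (rule->action == TCP_ACT_ACCEPT)`, and treating anything unmatched as a reject or an internal error would make such a mistake fail closed instead of open.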
@@ -1099,13 +1101,15 @@ int tcp_exec_req_rules(struct session *s)
 result = 0;
 break;
 }
- else if ((rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) &&
- !s->stkctr[tcp_trk_idx(rule->action)].entry) {
+ else if (rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) {
 /* Note: only the first valid tracking parameter of each
 * applies.
 */
 struct stktable_key *key;
+ if (s->stkctr[tcp_trk_idx(rule->action)].entry)
+ continue;
+
 t = rule->act_prm.trk_ctr.table.t;
 key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
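Review bot: The added `if (s->stkctr[tcp_trk_idx(rule->action)].entry) continue;` carries no comment, while the existing note about only the first valid tracking parameter applying stays above the declaration, away from the test that implements it. Because merging this test back into the `else if` condition silently turns the rule into an accept, the reason for the `continue` deserves a line at the test, such as `/* already tracked: skip only this rule, the following ones must still be evaluated */`. The same applies to the first hunk in tcp_inspect_request; the enclosing rule loop starts outside both hunks.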