From: Willy Tarreau
Date: Mon, 31 May 2010 08:56:17 +0000 (+0200)
Subject: [MINOR] frontend: only check for monitor-net rules if LI_O_CHK_MONNET is set
X-Git-Tag: v1.5-dev8~589
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de3041d443c7859b686229e7353973e911e2d9cc;p=thirdparty%2Fhaproxy.git

[MINOR] frontend: only check for monitor-net rules if LI_O_CHK_MONNET is set

We can disable the monitor-net rules on a listener if this flag is not set in the listener's options. This will be useful when we don't want to check that fe->addr is set or not for non-TCP frontends.
---
diff --git a/include/types/protocols.h b/include/types/protocols.h
index 8f8faefbe1..922a642899 100644
--- a/include/types/protocols.h
+++ b/include/types/protocols.h
@@ -73,6 +73,7 @@
 #define LI_O_NOQUICKACK 0x0004 /* disable quick ack of immediate data (linux) */
 #define LI_O_DEF_ACCEPT 0x0008 /* wait up to 1 second for data before accepting */
 #define LI_O_TCP_RULES 0x0010 /* run TCP rules checks on the incoming connection */
+#define LI_O_CHK_MONNET 0x0020 /* check the source against a monitor-net rule */

 /* The listener will be directly referenced by the fdtab[] which holds its
 * socket. The listener provides the protocol-specific accept() function to
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 41313783fe..af27d9811f 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -5359,6 +5359,9 @@ out_uri_auth_compat:
 if (!LIST_ISEMPTY(&curproxy->tcp_req.l4_rules))
 listener->options |= LI_O_TCP_RULES;

+ if (curproxy->mon_mask.s_addr)
+ listener->options |= LI_O_CHK_MONNET;
+
 /* smart accept mode is automatic in HTTP mode */
 if ((curproxy->options2 & PR_O2_SMARTACC) ||
 (curproxy->mode == PR_MODE_HTTP &&
diff --git a/src/frontend.c b/src/frontend.c
index 5af5582e8e..04c3d9baad 100644
--- a/src/frontend.c
+++ b/src/frontend.c
@@ -79,7 +79,7 @@ int frontend_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
 /* if this session comes from a known monitoring system, we want to ignore
 * it as soon as possible, which means closing it immediately for TCP.
 */
- if (unlikely(p->mon_mask.s_addr &&
+ if (unlikely((l->options & LI_O_CHK_MONNET) &&
 addr->ss_family == AF_INET &&
 (((struct sockaddr_in *)addr)->sin_addr.s_addr & p->mon_mask.s_addr) == p->mon_net.s_addr)) {
 if (p->mode == PR_MODE_TCP) {
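Review bot: The rewritten test in frontend_accept() no longer reads `p->mon_mask.s_addr` as its guard, so it is only correct while LI_O_CHK_MONNET is set exclusively for proxies whose mask is non-zero. If the flag were ever set with a zero mask, `(sin_addr.s_addr & p->mon_mask.s_addr) == p->mon_net.s_addr` would hold for every IPv4 source whenever mon_net is also zero, and each such connection would take the monitoring path that the comment describes as being ignored as soon as possible. The cfgparse.c hunk of this commit does set the flag only under `if (curproxy->mon_mask.s_addr)`, but nothing at this site records that dependency. I would add a comment above the condition such as `/* LI_O_CHK_MONNET is only set when p->mon_mask is non-zero (see cfgparse.c) */`. The function body starts and ends outside the hunk, so any other writer of `l->options` is not visible here.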