From 44778ad87d9aa4127b6968a18413b74487c0b762 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Wed, 30 Oct 2013 19:24:00 +0100 Subject: [PATCH] BUG/MEDIUM: tcp: do not skip tracking rules on second pass The track-sc* tcp rules are bogus. The test to verify if the tracked counter was already assigned is performed in the same condition as the test for the action. The effect is that a rule which tracks a counter that is already being tracked is implicitly converted to an accept because the default rule is an accept. This bug only affects 1.5-dev releases. --- src/proto_tcp.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 56fa2a392..0f1dc370a 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -939,13 +939,15 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit) s->flags |= SN_FINST_R; return 0; } - else if ((rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) && - !s->stkctr[tcp_trk_idx(rule->action)].entry) { + else if (rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) { /* Note: only the first valid tracking parameter of each * applies. */ struct stktable_key *key; + if (s->stkctr[tcp_trk_idx(rule->action)].entry) + continue; + t = rule->act_prm.trk_ctr.table.t; key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr); 
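Review bot: The new `continue` in the track-sc branch has no comment saying why it must be a `continue`, and the existing "only the first valid tracking parameter" comment now sits above the declaration rather than next to the check that enforces it. Per the commit message, a rule whose counter was already tracked used to end in the default accept, which would also skip any later reject rule relying on these counters. I would put `/* counter already tracked: skip this rule only and keep evaluating the following ones (no implicit accept) */` directly above `if (s->stkctr[tcp_trk_idx(rule->action)].entry)`. The same applies to the identical check added to tcp_exec_req_rules() in the second hunk; the rule loop and the code after the else-if chain are outside both hunks, so the fall-through behaviour is taken from the commit message.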
@@ -1099,13 +1101,15 @@ int tcp_exec_req_rules(struct session *s) result = 0; break; } - else if ((rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) && - !s->stkctr[tcp_trk_idx(rule->action)].entry) { + else if (rule->action >= TCP_ACT_TRK_SC0 && rule->action <= TCP_ACT_TRK_SCMAX) { /* Note: only the first valid tracking parameter of each * applies. */ struct stktable_key *key; + if (s->stkctr[tcp_trk_idx(rule->action)].entry) + continue; + t = rule->act_prm.trk_ctr.table.t; key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
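Review bot: The visible part of this branch is a line-for-line copy of the one in tcp_inspect_request() (range test on `rule->action`, entry check, table and key fetch), which is presumably how the same bug ended up in both rule evaluators. A small static helper shared by both loops, for instance one that reports whether the slot for `rule->action` is already in use, would keep the two from drifting apart again. If that is out of scope for a bug fix, a `/* keep in sync with tcp_inspect_request() */` comment above the `else if` would at least flag the coupling. The rest of tcp_exec_req_rules() is outside the hunk, so whether the remaining tracking code is also identical cannot be confirmed from here.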