From 90d22a88cbb2750751ef227e01c57ae04c0e2001 Mon Sep 17 00:00:00 2001
From: Christopher Faulet
Date: Fri, 6 Mar 2020 11:18:39 +0100
Subject: [PATCH] BUG/MINOR: http-rules: Return ACT_RET_ABRT to abort a transaction
When an action interrupts a transaction, returning a response or not, it must return the ACT_RET_ABRT value and not ACT_RET_DONE. ACT_RET_DONE is reserved to stop the processing on the current channel but some analysers may still be active. When ACT_RET_ABRT is returned, all analysers are removed, except FLT_END if it is set. No backport needed because on previous verions, the action return value was not handled the same way. It is stated in the comment the return action returns ACT_RET_ABRT on success. It it the right code to use to abort a transaction. ACT_RET_DONE must be used when the message processing must be stopped. This does not means the transaction is interrupted. No backport needed.
---
 src/http_act.c | 6 +++---
 src/http_ana.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/http_act.c b/src/http_act.c
index 7c16c336c..b44130add 100644
--- a/src/http_act.c
+++ b/src/http_act.c
@@ -361,7 +361,7 @@ static enum act_parse_ret parse_http_set_status(const char **args, int *orig_arg
 * alternative to the silent-drop action to defend against DoS attacks, and may
 * also be used with HTTP/2 to close a connection instead of just a stream.
 * The txn status is unchanged, indicating no response was sent. The termination
- * flags will indicate "PR". It always returns ACT_RET_DONE.
+ * flags will indicate "PR". It always returns ACT_RET_ABRT.
 */
 static enum act_return http_action_reject(struct act_rule *rule, struct proxy *px, struct session *sess, struct stream *s, int flags)
@@ -382,7 +382,7 @@ static enum act_return http_action_reject(struct act_rule *rule, struct proxy *p
 if (!(s->flags & SF_FINST_MASK))
 s->flags |= SF_FINST_R;
- return ACT_RET_DONE;
+ return ACT_RET_ABRT;
 }
 /* parse the "reject" action:
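Review bot: The `return ACT_RET_ABRT;` at the end of http_action_reject carries no comment on why it is not ACT_RET_DONE, so the distinction this fix depends on is recorded only in the commit message. The function's header comment presents reject as a defence against DoS attacks, and per the commit message a DONE return may leave some analysers active, so a later edit that reverts the value would go unnoticed; I would add `/* abort the transaction: every analyser is removed, except FLT_END if set */` above the return. The same applies to the `ret = ACT_RET_ABRT` initialiser in http_action_return (hunk at -1863), where the comment should also say that this is the success-path value, assuming the error paths outside the hunk overwrite it. Both function bodies extend outside their hunks.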
@@ -1863,7 +1863,7 @@ static enum act_return http_action_return(struct act_rule *rule, struct proxy *p
 struct buffer *body = NULL;
 const char *status, *reason, *clen, *ctype;
 unsigned int slflags;
- enum act_return ret = ACT_RET_DONE;
+ enum act_return ret = ACT_RET_ABRT;
 s->txn->status = rule->arg.http_return.status;
 channel_htx_truncate(res, htx);
diff --git a/src/http_ana.c b/src/http_ana.c
index 4d85c9f31..34967b876 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -2933,7 +2933,7 @@ static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct lis
 goto end;
 case ACT_HTTP_REDIR:
- rule_ret = HTTP_RULE_RES_DONE;
+ rule_ret = HTTP_RULE_RES_ABRT;
 if (!http_apply_redirect_rule(rule->arg.redir, s, txn))
 rule_ret = HTTP_RULE_RES_ERROR;
 goto end;
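Review bot: Only the request-side evaluator, http_req_get_intercept_rule, gets the ACT_HTTP_REDIR change to `HTTP_RULE_RES_ABRT`; the diffstat shows a single changed line in src/http_ana.c, so a redirect case in the response-side rule evaluator, if one exists, keeps its old result code. That is worth checking before merge, because the two paths would then disagree on whether a redirect removes the remaining analysers. The commit message also speaks only of actions returning ACT_RET_ABRT and does not mention redirects, so a one-line comment on this case such as `/* a redirect ends the transaction */` would record the intent. The switch statement starts and ends outside the hunk.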