mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 06:11:32 +02:00
Code Issues Projects Releases Wiki Activity

MAJOR: tcp: make tcp_exec_req_rules() only rely on the session

Browse Source 
It passes a NULL wherever a stream was needed (acl_exec_cond() and
action_ptr mainly). It can still track the connection rate correctly
and block based on ACLs.
This commit is contained in:
Willy Tarreau 2015-04-04 16:41:45 +02:00
parent 70f454e8fa
commit e73ef85a63
3 changed files with 6 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/proto/proto_tcp.h
View File

@ -38,7 +38,7 @@ int tcp_get_dst(int fd, struct sockaddr *sa, socklen_t salen, int dir);
int tcp_drain(int fd); int tcp_drain(int fd);
int tcp_inspect_request(struct stream *s, struct channel *req, int an_bit); int tcp_inspect_request(struct stream *s, struct channel *req, int an_bit);
int tcp_inspect_response(struct stream *s, struct channel *rep, int an_bit); int tcp_inspect_response(struct stream *s, struct channel *rep, int an_bit);
int tcp_exec_req_rules(struct stream *s); int tcp_exec_req_rules(struct session *sess);
/* TCP keywords. */ /* TCP keywords. */
void tcp_req_conn_keywords_register(struct tcp_action_kw_list *kw_list); void tcp_req_conn_keywords_register(struct tcp_action_kw_list *kw_list);

13
src/proto_tcp.c
View File

@ -1360,9 +1360,8 @@ resume_execution:
* matches or if no more rule matches. It can only use rules which don't need * matches or if no more rule matches. It can only use rules which don't need
* any data. This only works on connection-based client-facing stream interfaces. * any data. This only works on connection-based client-facing stream interfaces.
*/ */
int tcp_exec_req_rules(struct stream *s) int tcp_exec_req_rules(struct session *sess)
{ {
struct session *sess = s->sess;
struct tcp_rule *rule; struct tcp_rule *rule;
struct stksess *ts; struct stksess *ts;
struct stktable *t = NULL; struct stktable *t = NULL;
@ -1377,7 +1376,7 @@ int tcp_exec_req_rules(struct stream *s)
ret = ACL_TEST_PASS; ret = ACL_TEST_PASS;
if (rule->cond) { if (rule->cond) {
ret = acl_exec_cond(rule->cond, sess->fe, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL); ret = acl_exec_cond(rule->cond, sess->fe, sess, NULL, SMP_OPT_DIR_REQ|SMP_OPT_FINAL);
ret = acl_pass(ret); ret = acl_pass(ret);
if (rule->cond->pol == ACL_COND_UNLESS) if (rule->cond->pol == ACL_COND_UNLESS)
ret = !ret; ret = !ret;
@ -1390,10 +1389,6 @@ int tcp_exec_req_rules(struct stream *s)
if (sess->listener->counters) if (sess->listener->counters)
sess->listener->counters->denied_conn++; sess->listener->counters->denied_conn++;
if (!(s->flags & SF_ERR_MASK))
s->flags |= SF_ERR_PRXCOND;
if (!(s->flags & SF_FINST_MASK))
s->flags |= SF_FINST_R;
result = 0; result = 0;
break; break;
} }
@ -1407,7 +1402,7 @@ int tcp_exec_req_rules(struct stream *s)
continue; continue;
t = rule->act_prm.trk_ctr.table.t; t = rule->act_prm.trk_ctr.table.t;
key = stktable_fetch_key(t, s->be, sess, s, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL); key = stktable_fetch_key(t, sess->fe, sess, NULL, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
if (key && (ts = stktable_get_entry(t, key))) if (key && (ts = stktable_get_entry(t, key)))
stream_track_stkctr(&sess->stkctr[tcp_trk_idx(rule->action)], t, ts); stream_track_stkctr(&sess->stkctr[tcp_trk_idx(rule->action)], t, ts);
@ -1418,7 +1413,7 @@ int tcp_exec_req_rules(struct stream *s)
} }
else { else {
/* Custom keywords. */ /* Custom keywords. */
rule->action_ptr(rule, sess->fe, s); rule->action_ptr(rule, sess->fe, NULL);
/* otherwise it's an accept */ /* otherwise it's an accept */
break; break;

2
src/stream.c
View File

@ -157,7 +157,7 @@ int stream_accept(struct listener *l, int cfd, struct sockaddr_storage *addr)
* to abort right here as soon as possible, we check the rules before * to abort right here as soon as possible, we check the rules before
* even initializing the stream interfaces. * even initializing the stream interfaces.
*/ */
if ((l->options & LI_O_TCP_RULES) && !tcp_exec_req_rules(s)) { if ((l->options & LI_O_TCP_RULES) && !tcp_exec_req_rules(sess)) {
/* let's do a no-linger now to close with a single RST. */ /* let's do a no-linger now to close with a single RST. */
setsockopt(cfd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger)); setsockopt(cfd, SOL_SOCKET, SO_LINGER, (struct linger *) &nolinger, sizeof(struct linger));
ret = 0; /* successful termination */ ret = 0; /* successful termination */