BUG/MINOR: http-ana: Apply stop to the current section for http-response rules

A TCP/HTTP action can stop the rules evaluation. However, it should be
applied on the current section only. For instance, for http-request rules,
an "allow" on a frontend must stop evaluation of rules defined in this
frontend. But the backend rules, if any, must still be evaluated.

For http-response rulesets, according to the configuration manual, the same
must be true. Only the "allow" action is concerned. However, since the
beginning, this action stops evaluation of all remaining rules, not only
those of the current section.

This patch may be backported to all supported versions. But it is not so
critical because the bug has existed for a while. I doubt it will break any
existing configuration because the current behavior is
counterintuitive.

diff --git a/reg-tests/http-rules/h1or2_to_h1c.vtc b/reg-tests/http-rules/h1or2_to_h1c.vtc
index 182013b..4263a2a 100644
--- a/reg-tests/http-rules/h1or2_to_h1c.vtc
+++ b/reg-tests/http-rules/h1or2_to_h1c.vtc
@@ -160,6 +160,8 @@
http-response set-header sl1-crc "%[res.fhdr(sl1),crc32]"
http-response set-header sl2-crc "%[res.fhdr(sl2),crc32]"
http-response set-header hdr-crc "%[res.fhdr(hdr),crc32]"
+ http-response allow
+ http-response deny # must not be evaluated
server s1 ${s1_addr}:${s1_port}
} -start
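
Review bot: the two added rules, `http-response allow` followed by `http-response deny # must not be evaluated`, sit in the same section (the one with `server s1`), so they only check that "allow" stops the rest of that section's rules. Nothing in this hunk checks the behaviour the commit message says was broken, namely that http-response rules of the other section are still evaluated after the "allow". Consider adding an http-response rule with an observable effect (for example a `set-header`) in the other section and an expectation on it in the client, so the test fails without the fix in src/http_ana.c.
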
diff --git a/src/http_ana.c b/src/http_ana.c
index c037261..341a9f8 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -1815,7 +1815,7 @@
while (1) {
/* evaluate http-response rules */
- if (ret == HTTP_RULE_RES_CONT) {
+ if (ret == HTTP_RULE_RES_CONT || ret == HTTP_RULE_RES_STOP) {
struct list *def_rules, *rules;
def_rules = ((cur_proxy->defpx && (cur_proxy == s->be || cur_proxy->defpx != s->be->defpx)) ? &cur_proxy->defpx->http_res_rules : NULL);
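
Review bot: the changed condition `if (ret == HTTP_RULE_RES_CONT || ret == HTTP_RULE_RES_STOP)` has no comment explaining why a STOP verdict now re-enters rule evaluation; the line above it still only says "evaluate http-response rules". A short comment stating that STOP ends only the current proxy's ruleset and that the next section's rules must still run would keep a later reader from reverting this as a mistake. It is also not visible here how a STOP returned by the last section evaluated is handled after this block; please confirm that the code following the rule evaluation treats it the same as CONT.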