[MEDIUM] acl: enforce ACL type checking
ACL now hold information on the availability of the data they rely
on. They can indicate which parts of the requests/responses they
require, and the rules parser may now report inconsistencies.
As an example, switching rules are now checked for response-specific
ACLs, though those are not still set. A warning is reported in case
of mismatch. ACLs keyword restrictions will now have to be specifically
set wherever a better control is expected.
The line number where an ACL condition is declared has been added to
the conditions in order to be able to report the faulty line number
during post-loading checks.
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 9aac0eb..1f1755f 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -1116,6 +1116,7 @@
file, linenum);
return -1;
}
+ cond->line = linenum;
LIST_ADDQ(&curproxy->block_cond, &cond->list);
}
else if (!strcmp(args[0], "redirect")) {
@@ -1201,6 +1202,7 @@
return -1;
}
+ cond->line = linenum;
rule = (struct redirect_rule *)calloc(1, sizeof(*rule));
rule->cond = cond;
rule->rdr_str = strdup(destination);
@@ -1235,11 +1237,17 @@
}
if ((cond = parse_acl_cond((const char **)args + 3, &curproxy->acl, pol)) == NULL) {
- Alert("parsing [%s:%d] : error detected while parsing blocking condition.\n",
+ Alert("parsing [%s:%d] : error detected while parsing switching rule.\n",
file, linenum);
return -1;
}
+ cond->line = linenum;
+ if (cond->requires & ACL_USE_RTR_ANY) {
+ Warning("parsing [%s:%d] : switching rule involves some response-only criteria which will be ignored.\n",
+ file, linenum);
+ }
+
rule = (struct switching_rule *)calloc(1, sizeof(*rule));
rule->cond = cond;
rule->be.name = strdup(args[1]);
@@ -1516,6 +1524,7 @@
file, linenum, args[0], args[1]);
return -1;
}
+ cond->line = linenum;
LIST_ADDQ(&curproxy->mon_fail_cond, &cond->list);
}
else {