MINOR: http-rules: Update txn flags and status when a deny rule is executed
When a deny rule is executed, the flag TX_CLDENY and the status code are set on
the HTTP transaction. Now, these steps are handled by the code executing the
deny rule. So into http_req_get_intercept_rule() for the request and
http_res_get_intercept_rule() for the response.
diff --git a/src/http_ana.c b/src/http_ana.c
index c6e0bc7..628116d 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -51,7 +51,7 @@
static void http_debug_stline(const char *dir, struct stream *s, const struct htx_sl *sl);
static void http_debug_hdr(const char *dir, struct stream *s, const struct ist n, const struct ist v);
-static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s, int *deny_status);
+static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s);
static enum rule_result http_res_get_intercept_rule(struct proxy *px, struct list *rules, struct stream *s);
static void http_manage_client_side_cookies(struct stream *s, struct channel *req);
@@ -472,7 +472,6 @@
struct htx *htx;
struct redirect_rule *rule;
enum rule_result verdict;
- int deny_status = HTTP_ERR_403;
struct connection *conn = objt_conn(sess->origin);
if (unlikely(msg->msg_state < HTTP_MSG_BODY)) {
@@ -491,7 +490,7 @@
/* evaluate http-request rules */
if (!LIST_ISEMPTY(&px->http_req_rules)) {
- verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s, &deny_status);
+ verdict = http_req_get_intercept_rule(px, &px->http_req_rules, s);
switch (verdict) {
case HTTP_RULE_RES_YIELD: /* some data miss, call the function later. */
@@ -548,7 +547,7 @@
/* parse the whole stats request and extract the relevant information */
http_handle_stats(s, req);
- verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s, &deny_status);
+ verdict = http_req_get_intercept_rule(px, &px->uri_auth->http_req_rules, s);
/* not all actions implemented: deny, allow, auth */
if (verdict == HTTP_RULE_RES_DENY) /* stats http-request deny */
@@ -640,8 +639,6 @@
*/
channel_dont_connect(req);
- txn->status = http_err_codes[deny_status];
-
req->analysers &= AN_REQ_FLT_END; /* remove switching rules etc... */
req->analysers |= AN_REQ_HTTP_TARPIT;
req->analyse_exp = tick_add_ifset(now_ms, s->be->timeout.tarpit);
@@ -662,8 +659,6 @@
if (s->be->cookie_name || sess->fe->capture_name)
http_manage_client_side_cookies(s, req);
- txn->flags |= TX_CLDENY;
- txn->status = http_err_codes[deny_status];
s->logs.tv_request = now;
stream_inc_http_err_ctr(s);
_HA_ATOMIC_ADD(&sess->fe->fe_counters.denied_req, 1);
@@ -2141,8 +2136,6 @@
return 1;
deny:
- txn->flags |= TX_CLDENY;
- txn->status = 502;
_HA_ATOMIC_ADD(&sess->fe->fe_counters.denied_resp, 1);
_HA_ATOMIC_ADD(&s->be->be_counters.denied_resp, 1);
if (sess->listener->counters)
@@ -2810,7 +2803,7 @@
* status.
*/
static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct list *rules,
- struct stream *s, int *deny_status)
+ struct stream *s)
{
struct session *sess = strm_sess(s);
struct http_txn *txn = s->txn;
@@ -2880,6 +2873,9 @@
rule_ret = HTTP_RULE_RES_DONE;
goto end;
case ACT_RET_DENY:
+ txn->flags |= TX_CLDENY;
+ if (txn->status == -1)
+ txn->status = 403;
rule_ret = HTTP_RULE_RES_DENY;
goto end;
case ACT_RET_ABRT:
@@ -2899,15 +2895,14 @@
goto end;
case ACT_ACTION_DENY:
- if (deny_status)
- *deny_status = rule->arg.http.i;
+ txn->flags |= TX_CLDENY;
+ txn->status = http_err_codes[rule->arg.http.i];
rule_ret = HTTP_RULE_RES_DENY;
goto end;
case ACT_HTTP_REQ_TARPIT:
txn->flags |= TX_CLTARPIT;
- if (deny_status)
- *deny_status = rule->arg.http.i;
+ txn->status = http_err_codes[rule->arg.http.i];
rule_ret = HTTP_RULE_RES_DENY;
goto end;
@@ -3055,6 +3050,9 @@
rule_ret = HTTP_RULE_RES_DONE;
goto end;
case ACT_RET_DENY:
+ txn->flags |= TX_CLDENY;
+ if (txn->status == -1)
+ txn->status = 502;
rule_ret = HTTP_RULE_RES_DENY;
goto end;
case ACT_RET_ABRT:
@@ -3074,6 +3072,8 @@
goto end;
case ACT_ACTION_DENY:
+ txn->flags |= TX_CLDENY;
+ txn->status = 502;
rule_ret = HTTP_RULE_RES_DENY;
goto end;