On Wed, May 13, 2009 at 11:50:07AM +0200, Maik Broemme wrote:
> > The second case above was precisely what led me to discover the segfault
> > bug, which was introduced in 1.3.17 with the refinement of the config
> > warnings. But the behaviour has not changed since 1.3.16.
> > 
> 
> You have missed the non-working case. :-)
> 
>   - the following config seems to be ok, but didn't work as expected.
> 
>     tcp-request content reject <cond>
> 
> This is just because of the missing 'if' and in 1.3.17 this missing 'if'
> results in a crash. A crash isn't better, but in case of a crash you know
> that something was misconfigured.

I don't get you. You mean that simply omitting the "if" between "reject" and
"cond" is not returned as an error, that's it? If so, yes I agree that it
would be better if it yelled here. Since I copy-pasted the parser from other
rules (use_backend, block, redirect, ...) the same problem should be present
everywhere.

> Sure I have attached the file. If you remove the 'if' in the
> 'tcp-request' the config file is ok, haproxy starts but every request
> from everywhere is dropped.

OK, so it's clearly a matter of not reporting that an unknown word is
present where only {empty, "if", "unless"} are accepted. I'll look into
that.

BTW, you can simplify your rules by using two things:

either you make only one ACL :
        acl             localnet dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
        tcp-request     content reject if localnet

or you can keep your 3 ACLs but group them into one rule :

        acl             localnet-1 dst 192.168.0.0/16
        acl             localnet-2 dst 172.16.0.0/12
        acl             localnet-3 dst 10.0.0.0/8
        tcp-request     content reject if localnet-1 or localnet-2 or localnet-3

Regards,
Willy

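The parser defect discussed above, modelled as an added example (this is constructed illustration code, not HAProxy's parser). It parses the `tcp-request content <action> [if|unless <cond>]` form, evaluates the `dst` ACLs from the mail against a destination address, and can be switched into the lenient mode Maik reported, where a stray word after the action is silently dropped and the rule becomes unconditional, so that `reject localnet` rejects every connection. The `accept` action and the `or` operator follow HAProxy's documented syntax; the default of accepting a connection when no rule matches is also HAProxy's behaviour, but everything else (function names, the `strict` flag) is an assumption of this example.

```python
"""Toy model of the 'if'/'unless' keyword check discussed in the thread.

Constructed example, not HAProxy code.  After the action of a
'tcp-request content' rule, the only legal continuations are nothing,
'if <cond>' or 'unless <cond>'.  A lenient parser that ignores a stray
word there turns 'reject localnet' into an unconditional reject.
"""
import ipaddress

# ACL name -> CIDR networks, taken from the rules quoted in the mail.
ACLS = {
    "localnet":   ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"],
    "localnet-1": ["192.168.0.0/16"],
    "localnet-2": ["172.16.0.0/12"],
    "localnet-3": ["10.0.0.0/8"],
}


class ConfigError(ValueError):
    """Raised for a rule the strict parser refuses to load."""


def parse_rule(line, strict=True):
    """Parse 'tcp-request content <action> [if|unless <cond>]'.

    Returns (action, negate, cond_tokens); cond_tokens is empty for an
    unconditional rule.  strict=False reproduces the bug reported in the
    thread: a word that is neither 'if' nor 'unless' is silently ignored
    and the rule becomes unconditional.
    """
    words = line.split()
    if len(words) < 3 or words[:2] != ["tcp-request", "content"]:
        raise ConfigError("expected 'tcp-request content <action> ...'")
    action = words[2]
    if action not in ("accept", "reject"):
        raise ConfigError("unknown action %r" % action)
    rest = words[3:]
    if not rest:
        return action, False, []
    if rest[0] in ("if", "unless"):
        if len(rest) < 2:
            raise ConfigError("'%s' needs a condition" % rest[0])
        return action, rest[0] == "unless", rest[1:]
    if strict:
        raise ConfigError("expected 'if' or 'unless' after %r, got %r"
                          % (action, rest[0]))
    # Lenient (buggy) behaviour: drop the unknown word and whatever follows.
    return action, False, []


def is_valid(line, strict=True):
    """True if parse_rule accepts the line, False if it raises ConfigError."""
    try:
        parse_rule(line, strict)
        return True
    except ConfigError:
        return False


def eval_cond(tokens, dst):
    """Evaluate 'acl1 or acl2 or ...' (only 'or' is supported in this toy)."""
    dst_ip = ipaddress.ip_address(dst)
    for i, tok in enumerate(tokens):
        if i % 2 == 1:
            if tok != "or":
                raise ConfigError("only 'or' is supported here, got %r" % tok)
            continue
        nets = ACLS.get(tok)
        if nets is None:
            raise ConfigError("unknown ACL %r" % tok)
        if any(dst_ip in ipaddress.ip_network(n) for n in nets):
            return True
    return False


def decide(line, dst, strict=True):
    """Return 'accept' or 'reject' for one destination under one rule.

    A rule whose condition does not match makes no decision; as in HAProxy,
    the connection is then accepted by default.
    """
    action, negate, cond = parse_rule(line, strict)
    if not cond:
        return action
    return action if eval_cond(cond, dst) != negate else "accept"


if __name__ == "__main__":
    good = "tcp-request content reject if localnet"
    bad = "tcp-request content reject localnet"      # missing 'if'
    print(good, "->", decide(good, "8.8.8.8"), "/", decide(good, "10.1.2.3"))
    print(bad, "(lenient) ->", decide(bad, "8.8.8.8", strict=False))
    print(bad, "(strict) valid?", is_valid(bad))
```

In lenient mode the misconfiguration fails closed here only because the action happened to be `reject`; the same parser bug on an `accept` rule would turn it into an unconditional accept, which is why a configuration parser should reject any unknown token at that position rather than guess.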