Hi Alex,

On Mon, Feb 28, 2022 at 02:36:51PM +0000, Lais, Alexander wrote:
> Dear all,
> 
> I'm trying to understand, how ACL chains, e.g. for `http-request deny` are 
> executed, and whether they support short-circuit.
> 
> 
> Example:
> 
> acl1: ip in particular range
> acl2: complex regex match with a long list of patterns
> 
> http-request deny acl1 !acl2
> 
> 
> That would mean block the request if it fits the IP range of acl1 and does
> not match any of the patterns in the list of regexes.
> 
> I want to understand, whether the evaluation is stopped after acl1 did not
> match, or if the long list of regexes is still executed?
> 
> My programmer's intuition would expect that execution would stop when acl1
> does not match.

Your intuition is correct ;-)

I like to explain ACLs as functions that try to find one match. First,
acl1 is executed. If a match is found, the implicit AND is continued and
acl2 can be evaluated. If no match is found, the ACL does not match,
and the implicit AND stops here.

Your example is interesting because usually we don't really care about
whether or not the second part is executed. But for sure when you have
IP addresses in one ACL and long regexes in the second one, it's easy
to understand why you'd want to be certain the second part is not
executed!

Regards,
Willy
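The evaluation order described in the reply above, as an added model written for this thread (it is not HAProxy's code and does not reproduce its internals): each term of the condition is tried left to right with an implicit AND, a leading `!` negates the term, and the first non-matching term ends the evaluation. The ACL names, the 10.0.0.0/8 range, the regex allowlist and the sample requests are all constructed for the illustration. The returned trace shows which ACLs were actually run, so you can see that the long regex list is skipped whenever the cheap IP check fails, and that reversing the term order runs the regexes for every request.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Constructed request model: only the fields the two ACLs need.
Request = Dict[str, str]
Acl = Callable[[Request], bool]


def make_ip_range_acl(cidr: str) -> Acl:
    """acl1 in the thread: cheap check, does the source IP fall in the range?"""
    net = ipaddress.ip_network(cidr)

    def acl(req: Request) -> bool:
        return ipaddress.ip_address(req["src"]) in net

    return acl


def make_regex_list_acl(patterns: List[str]) -> Acl:
    """acl2 in the thread: expensive check, does the path match any pattern?"""
    compiled = [re.compile(p) for p in patterns]

    def acl(req: Request) -> bool:
        return any(r.search(req["path"]) for r in compiled)

    return acl


# Constructed ACL table (hypothetical names and values, not from the thread).
ACLS: Dict[str, Acl] = {
    "acl1": make_ip_range_acl("10.0.0.0/8"),
    "acl2": make_regex_list_acl([
        r"^/healthz$",
        r"^/static/",
        r"^/api/v[0-9]+/public/",
    ]),
}


def evaluate(condition: str, req: Request,
             acls: Dict[str, Acl] = ACLS) -> Tuple[bool, List[str]]:
    """Evaluate space-separated ACL terms as an implicit AND with short-circuit.

    Returns (result, names of the ACLs that were actually evaluated, in order).
    A term starting with '!' is negated before the AND is applied.
    """
    evaluated: List[str] = []
    for term in condition.split():
        negate = term.startswith("!")
        name = term[1:] if negate else term
        evaluated.append(name)
        matched = acls[name](req)
        if negate:
            matched = not matched
        if not matched:
            # First failing term: the remaining terms are never run.
            return False, evaluated
    return True, evaluated


if __name__ == "__main__":
    # Constructed sample requests.
    outside_range = {"src": "192.168.1.5", "path": "/admin"}
    inside_range_admin = {"src": "10.1.2.3", "path": "/admin"}
    inside_range_static = {"src": "10.1.2.3", "path": "/static/app.js"}

    for req in (outside_range, inside_range_admin, inside_range_static):
        deny, ran = evaluate("acl1 !acl2", req)
        print(f"{req['src']:>12} {req['path']:<16} deny={deny!s:<5} evaluated={ran}")

    # Same logic with the terms reversed: the regex list now runs first, every time.
    deny, ran = evaluate("!acl2 acl1", outside_range)
    print(f"reversed order: deny={deny} evaluated={ran}")
```

With the cheap IP check first, a request from outside the range returns after one evaluation and the regex list is never touched; only requests inside the range pay for the pattern scan. Ordering the terms of a `http-request deny` condition from cheapest to most expensive is therefore the practical takeaway when one ACL is a large regex list.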
