BUG/MEDIUM: session: do not report a failure when rejecting a session

In session_accept_fd() we can perform a synchronous call to
conn_complete_session() and if it succeeds the connection is accepted
and turned into a session. If it fails we take it as an error while it
is not, in this case, it's just that a tcp-request rule has decided to
reject the incoming connection. The problem with reporting such an event
as an error is that the failed status is passed down to the listener code
which decides to disable accept() for 100ms in order to leave some time
for transient issues to vanish, and that's not what we want to do here.

This fix must be backported as far as 1.7. In 1.7 the code is a bit
different as tcp_exec_l5_rules() is called directly from within
session_new_fd() and ret=0 must be assigned there.
This commit is contained in:
Willy Tarreau 2020-01-07 18:03:09 +01:00
parent 584348be63
commit e5891ca6c1

View File

@ -288,6 +288,12 @@ int session_accept_fd(struct listener *l, int cfd, struct sockaddr_storage *addr
if (conn_complete_session(cli_conn) >= 0) if (conn_complete_session(cli_conn) >= 0)
return 1; return 1;
/* if we reach here we have deliberately decided not to keep this
* session (e.g. tcp-request rule), so that's not an error we should
* try to protect against.
*/
ret = 0;
/* error unrolling */ /* error unrolling */
out_free_sess: out_free_sess:
/* prevent call to listener_release during session_free. It will be /* prevent call to listener_release during session_free. It will be