On Wed, May 13, 2009 at 11:50:07AM +0200, Maik Broemme wrote:
> > The second case above was precisely what led me to discover the segfault
> > bug, which was introduced in 1.3.17 with the refinement of the config
> > warnings. But the behaviour has not changed since 1.3.16.
> >
>
> You have missed the non-working case. :-)
>
> - the following config seems to be ok, but didn't work as expected.
>
>   tcp-request content reject <cond>
>
> This is just because of the missing 'if' and in 1.3.17 this missing 'if'
> result in a crash. A crash isn't better, but in case of crash you know
> that something was misconfigured.

I don't get you. You mean that simply omitting the "if" between "reject"
and "cond" is not returned as an error, that's it ? If so, yes I agree that
it would be better that it yells here. Since I copy-pasted the parser from
other rules (use_backend, block, redirect, ...) the same problem should be
present everywhere.

> Sure I have attached the file. If you remove the 'if' in the
> 'tcp-request' the config file is ok, haproxy starts but every request
> from everywhere is dropped.

OK, so it's clearly a matter of not reporting that an unknown word is
present where only {empty, "if", "unless"} are accepted. I'll look into
that.

BTW, you can simplify your rules by using two things :

either you make only one ACL :

    acl localnet dst 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
    tcp-request content reject if localnet

or you can keep your 3 ACLs but group them into one rule :

    acl localnet-1 dst 192.168.0.0/16
    acl localnet-2 dst 172.16.0.0/12
    acl localnet-3 dst 10.0.0.0/8
    tcp-request content reject if localnet-1 or localnet-2 or localnet-3

Regards,
Willy
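
The check discussed in this message, as an added example that is not part of the original mail and is not HAProxy's parser code: the word after a rule's action must be empty, "if" or "unless", and anything else is reported instead of being ignored, which is what turned the rule into an unconditional reject. The names `classify_cond`, `cond_kw` and `errbuf` are hypothetical, the sample lines are constructed, and the block goes one step beyond the mail by also rejecting a keyword with no condition after it.

```c
#include <stdio.h>
#include <string.h>

enum cond_kw { COND_ERR = -1, COND_NONE, COND_IF, COND_UNLESS };

static char errbuf[128];   /* last error message, for the caller to report */

/* Hypothetical helper: classify the word that follows a rule's action.
 * Only an empty word, "if" or "unless" is accepted. Any other word is a
 * configuration error rather than being silently ignored, and a keyword
 * with no condition after it is rejected as well. */
static enum cond_kw classify_cond(const char *const *args, int pos)
{
    const char *w = args[pos];

    errbuf[0] = '\0';
    if (w == NULL || *w == '\0')
        return COND_NONE;                     /* unconditional rule */
    if (strcmp(w, "if") != 0 && strcmp(w, "unless") != 0) {
        snprintf(errbuf, sizeof(errbuf),
                 "unexpected word '%s', expected 'if' or 'unless'", w);
        return COND_ERR;
    }
    if (args[pos + 1] == NULL || *args[pos + 1] == '\0') {
        snprintf(errbuf, sizeof(errbuf), "'%s' requires a condition", w);
        return COND_ERR;
    }
    return strcmp(w, "if") == 0 ? COND_IF : COND_UNLESS;
}

/* Constructed sample lines, already split into words and NULL-terminated. */
static const char *const with_if[]  = { "tcp-request", "content", "reject", "if", "localnet", NULL };
static const char *const no_if[]    = { "tcp-request", "content", "reject", "localnet", NULL };
static const char *const bare[]     = { "tcp-request", "content", "reject", NULL };
static const char *const dangling[] = { "tcp-request", "content", "reject", "unless", NULL };

int main(void)
{
    const char *const *lines[] = { with_if, no_if, bare, dangling };

    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        enum cond_kw r = classify_cond(lines[i], 3);   /* word after "reject" */
        printf("line %zu: %d %s\n", i, (int)r, errbuf);
    }
    return 0;
}
```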