From 8df215e382efc1a4f9c35d69fd228d3cd4e6deb8 Mon Sep 17 00:00:00 2001 From: Gregory Thiemonge Date: Tue, 19 Aug 2025 09:18:55 +0000 Subject: [PATCH] Fix L7Rules with FILE_TYPE and EQUAL_TO When using a L7Rule with FILE_TYPE and EQUAL_TO, Octavia generated an ACL with "path_end -m str " which doesn't work in HAProxy (https://github.com/haproxy/haproxy/issues/2567) Using "path_end " fixes the issue. Closes-Bug: #2066165 Change-Id: I71309a0f7d57ccbe9bade5413fbd7fec01eed627 Signed-off-by: Gregory Thiemonge (cherry picked from commit c64c5f54430c1fb647183b46e1fdaf25c643cb69) --- .../haproxy/combined_listeners/templates/macros.j2 | 13 ++++++++++--- .../haproxy/combined_listeners/test_jinja_cfg.py | 4 ++-- ...-l7rule-FILE_TYPE-EQUAL_TO-6e84773d6ab22c50.yaml | 5 +++++ 3 files changed, 17 insertions(+), 5 deletions(-) create mode 100644 releasenotes/notes/fix-l7rule-FILE_TYPE-EQUAL_TO-6e84773d6ab22c50.yaml diff --git a/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2 b/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2 index f4d42377a2..5a61da2e0a 100644 --- a/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2 +++ b/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2 @@ -77,7 +77,7 @@ bind {{ lb_vip_address }}:{{ listener.protocol_port }} {{ {% endmacro %} -{% macro l7rule_compare_type_macro(constants, ctype) %} +{% macro l7rule_compare_type_macro(constants, ctype, rtype=None) %} {% if ctype == constants.L7RULE_COMPARE_TYPE_REGEX %} {{- "-m reg" -}} {% elif ctype == constants.L7RULE_COMPARE_TYPE_STARTS_WITH %} 
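Review bot: The new `rtype=None` argument on the `l7rule_compare_type_macro` signature is undocumented, and its default quietly keeps the old `-m str` output for every call site that does not pass it. A one-line template comment above the macro would make that contract explicit, e.g. `{# rtype (optional): L7 rule type; only FILE_TYPE alters the EQUAL_TO output #}`. The macro body continues past this hunk.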
@@ -87,7 +87,14 @@ bind {{ lb_vip_address }}:{{ listener.protocol_port }} {{ {% elif ctype == constants.L7RULE_COMPARE_TYPE_CONTAINS %} {{- "-m sub" -}} {% elif ctype == constants.L7RULE_COMPARE_TYPE_EQUAL_TO %} - {{- "-m str" -}} + {# Specific handling for FILE_TYPE with EQUAL_TO, "path_end -m str" + # doesn't work with haproxy, "path_end" is enough for this type of + # comparison + # https://github.com/haproxy/haproxy/issues/2567 + #} + {% if rtype != constants.L7RULE_TYPE_FILE_TYPE %} + {{- "-m str" -}} + {% endif %} {% endif %} {% endmacro %} @@ -101,7 +108,7 @@ bind {{ lb_vip_address }}:{{ listener.protocol_port }} {{ constants, l7rule.compare_type) }} {{ l7rule.value }} {% elif l7rule.type == constants.L7RULE_TYPE_FILE_TYPE %} acl {{ l7rule.id }} path_end {{ l7rule_compare_type_macro( - constants, l7rule.compare_type) }} {{ l7rule.value }} + constants, l7rule.compare_type, l7rule.type) }} {{ l7rule.value }} {% elif l7rule.type == constants.L7RULE_TYPE_HEADER %} acl {{ l7rule.id }} req.hdr({{ l7rule.key }}) {{ l7rule_compare_type_macro( diff --git a/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py b/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py index cda218e653..5f3756b247 100644 --- a/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py +++ b/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py @@ -1191,7 +1191,7 @@ class TestHaproxyCfg(base.TestCase): "this.*|that\n" " redirect code 302 location http://www.example.com if " "!sample_l7rule_id_2 sample_l7rule_id_3\n" - " acl sample_l7rule_id_4 path_end -m str jpg\n" + " acl sample_l7rule_id_4 path_end jpg\n" " acl sample_l7rule_id_5 req.hdr(host) -i -m end " ".example.com\n" " http-request deny if sample_l7rule_id_4 " 
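Review bot: In the EQUAL_TO branch, dropping `-m str` for FILE_TYPE leaves a bare `path_end`, which HAProxy evaluates as a case-sensitive suffix match rather than an equality test. A value of `jpg` therefore matches any path that ends in those characters and does not match `.JPG`. These ACLs can drive `http-request deny` (visible in the expected test output), so the limit matters to operators who use FILE_TYPE rules in reject policies. The earlier never-matching ACL also meant such policies were not being enforced at all, which the release note could say. I would extend the added template comment with `# NOTE: bare path_end is a case-sensitive suffix match on the request path`. The macro starts before this hunk.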
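Review bot: Only EQUAL_TO is special-cased now that `l7rule.type` is passed at the FILE_TYPE call site. Every other compare type still emits an explicit `-m` method (for instance `-m sub` for CONTAINS) after `path_end`, and an explicit method replaces `path_end`'s built-in suffix matching. Whether the API accepts those combinations for FILE_TYPE is not visible here; if it does, the rendered ACL is not necessarily a file-extension test any more. A short template comment next to this ACL line would record that, such as `{# compare types other than EQUAL_TO override path_end's suffix match #}`. The enclosing macro starts and ends outside the hunk.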
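Review bot: Both expected-output edits (here and in the hunk at `@@ -1915,7`) only flip the existing FILE_TYPE/EQUAL_TO string, so nothing in the visible hunks pins the other side of the new branch. If the rest of the file does not already cover it, a focused case would guard against a regression in the `rtype` default. It should assert that a non-FILE_TYPE rule with EQUAL_TO still renders `-m str`, and that FILE_TYPE with REGEX still renders `path_end -m reg`. The test methods start and end outside these hunks.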
@@ -1915,7 +1915,7 @@ class TestHaproxyCfg(base.TestCase): "this.*|that\n" " redirect code 302 location http://www.example.com " "if !sample_l7rule_id_2 sample_l7rule_id_3\n" - " acl sample_l7rule_id_4 path_end -m str jpg\n" + " acl sample_l7rule_id_4 path_end jpg\n" " acl sample_l7rule_id_5 req.hdr(host) -i -m end " ".example.com\n" " http-request deny " diff --git a/releasenotes/notes/fix-l7rule-FILE_TYPE-EQUAL_TO-6e84773d6ab22c50.yaml b/releasenotes/notes/fix-l7rule-FILE_TYPE-EQUAL_TO-6e84773d6ab22c50.yaml new file mode 100644 index 0000000000..716e574a7f --- /dev/null +++ b/releasenotes/notes/fix-l7rule-FILE_TYPE-EQUAL_TO-6e84773d6ab22c50.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixed a bug when using a L7Rule with FILE_TYPE and EQUAL_TO comparison, + it never matched due to an issue with the generated HAProxy configuration.