SPOE filter for Intentions uses 'tcp-request content accept'

[NickMRamirez]

With Intentions enabled, the HAProxy configuration that's auto-generated contains this in the frontend for the local service:

frontend front_downstream 
  mode http
  bind 0.0.0.0:21000 name front_downstream_bind crt /tmp/haproxy-connect-002132058/e727ca4e64d85da74a3846094069b9bd80f41a92f36c5a16fd2417a1b2443f42 ca-file /tmp/haproxy-connect-002132058/6552a0a59b20ca0d1997c4e5e9afb8a5c3e31dc00aada13727733f742d79d4d5 ssl verify required
  timeout client 30000
  filter spoe engine intentions config /tmp/haproxy-connect-002132058/spoe.conf
  tcp-request content accept if { var(sess.connect.auth) -m int eq 1 }
  default_backend back_downstream

The tcp-request content accept line will accept the connection if there is no "Deny" intention in Consul forbidding it. However, there is no rule that rejects the connection otherwise. So, all requests are accepted, no matter whether the are denied in Consul.

Workaround:

Editing the configuration so that tcp-request content accept if is replaced with tcp-request content reject unless fixes it:

tcp-request content reject unless { var(sess.connect.auth) -m int eq 1 }

[NickMRamirez]

Added PR #3