Feature #10600

Add support for pfBlockerNG "Action list" feature

Added by DRago_Angel [InV@DER] 5 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee: -
Category: pfBlockerNG
Target version: -
Start date: 05/27/2020
Due date:
% Done: 0%
Estimated time:

Description

Some other plugins that use pfBlockerNG native aliases may need an additional reload/restart action to load new IPs from the updated file generated by pfBlockerNG.

An action list for IP lists gives a universal way to reload any service or run custom scripts on pfSense, in the same way this is done in the ACME package.
Suggested flow:
  1. add an 'IP list action' section with a table to the create/edit IP lists page
  2. on the update job:
    • update the IP lists and, if an updated IP list has an 'action', save it to run at the end of the update job
    • at the end of the update job keep only unique 'actions' and run them
      This deduplication is needed so the same action command is not run more than once per update. I don't know of cases where people would need to run it multiple times per script. But if you know a use case, it is possible to add a checkbox to defer the job 'action' and deduplicate 'actions', enabled by default, which can be turned off to run the command instantly and, as a result, many times.

Pros and cons
+ universal
+ easier to implement
- need to explicitly create an action on each IP list
- this flow will trigger the 'action' even when the action is no longer required, e.g. due to a changed configuration of the end package/software, but it was missed to remove the action from the pfBlockerNG IP list

HAproxy Reload Integration
HAproxy is great software which is widely used in pfSense (as well as pfBlockerNG) and supports ACLs for source IPs from aliases, so it can be added as an option on the General tab to reload the HAproxy config.
Suggested flow:
  1. check if the haproxy service is running: proceed if true, or skip the reload if false
  2. get all ACLs with SrcIPs that are not commented out with # at the start of the line and save their name and file path to an array
  3. check that the SrcIP ACL name is used by at least one action rule that is not commented out, e.g.: action if some_acl srcIpAclName anotherAcl !aclCanHaveNegativeSoNeedStripExclamationPoint - if the check is true save their file path to a list, or skip if false
  4. extract ^/var/etc/haproxy/(here must be a regex to validate common alias restrictions like a-zA-Z0-9_ and the maximum alias name length).lst from the list and compare it to the list of updated pfBlockerNG aliases - if there is at least one match then trigger a reload of HAproxy
    pros and cons:
    + more user-friendly: enable/disable is done in one place
    + this flow will reload HAproxy only when it is needed and only once per whole update - this is very critical for the HAproxy package as it is used to provide availability of web services or load balancing of critical services like ldap\sql, so unneeded interruptions are better avoided.
    - not universal
    - harder to implement

This task was originally related to https://redmine.pfsense.org/issues/9793
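The HAproxy reload flow above (steps 1 to 4), worked through as an added Python example that is not part of this issue or of the pfBlockerNG package itself. It assumes the alias-backed ACL line shape `acl <name> src -f /var/etc/haproxy/<alias>.lst`, a placeholder maximum alias-name length, and a constructed haproxy.cfg fragment as sample input.

```python
import re

# Assumed line shape for an alias-backed source-IP ACL written by the pfSense
# HAProxy package: "acl <name> src -f /var/etc/haproxy/<alias>.lst".
ACL_RE = re.compile(r"^acl\s+(\S+)\s+src\s+-f\s+(\S+)")
# Action rules reference ACLs after "if"/"unless"; a leading "!" negates one.
COND_RE = re.compile(r"\s+(?:if|unless)\s+(.*)$")
# Alias-name characters as the issue describes; the length limit is a
# placeholder, pfSense's real maximum alias-name length applies in practice.
ALIAS_MAX_LEN = 31
ALIAS_FILE_RE = re.compile(r"^/var/etc/haproxy/([A-Za-z0-9_]{1,%d})\.lst$" % ALIAS_MAX_LEN)
# Constructed haproxy.cfg fragment used as sample input.
SAMPLE_CFG = """
frontend web
    acl pfb_bad src -f /var/etc/haproxy/pfB_Malicious_v4.lst
    acl pfb_unused src -f /var/etc/haproxy/pfB_Other_v4.lst
    # acl pfb_old src -f /var/etc/haproxy/pfB_Old_v4.lst
    acl is_admin path_beg /admin
    http-request deny if pfb_bad
    # http-request deny if pfb_unused
    use_backend admin_be if is_admin !pfb_bad
"""

def referenced_aliases(cfg_text):
    """Steps 2-4: aliases whose .lst backs a src ACL that an active rule uses."""
    acl_files, used_acls = {}, set()
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blank and commented lines
            continue
        m = ACL_RE.match(line)
        if m:
            acl_files[m.group(1)] = m.group(2)
            continue
        m = COND_RE.search(line)
        if m:  # strip "!" so negated ACLs still count as used
            used_acls.update(tok.lstrip("!") for tok in m.group(1).split())
    aliases = set()
    for name in used_acls & set(acl_files):
        m = ALIAS_FILE_RE.match(acl_files[name])
        if m:
            aliases.add(m.group(1))
    return aliases

def haproxy_reload_needed(cfg_text, updated_aliases, service_running=True):
    """Step 1 and the final comparison: reload only if running and a used alias was updated."""
    if not service_running:
        return False
    return bool(referenced_aliases(cfg_text) & set(updated_aliases))
```

An ACL that exists but is only referenced from a commented-out rule (pfb_unused above) does not trigger a reload, which is the "only when needed" property the flow aims for.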

History

#1 Updated by DRago_Angel [InV@DER] 5 months ago

It would be cool if you added both flows. Thank you guys. And about HAproxy Reload Integration, it would be better done in the way of https://redmine.pfsense.org/issues/10599

#2 Updated by Jim Pingle 5 months ago

  • Category set to pfBlockerNG

#3 Updated by DRago_Angel [InV@DER] 3 months ago

Hi, any update on the issue? Thanks.
