Add support for pfBlockerNG "Action list" feature
Plus Target Version:
Some other plugins that can use pfBlockerNG native aliases can need additional reload/restart action to load new IPs from updated file generated by pfBlockerNG.Action list for IPs lists give universal way to reload any service or run custom scripts on pfSense in same way this done in ACME package.
- add 'ip list action section with table' to create/edit IPs lists
- on update job:
- update ips lists and if updated ip list has 'action' save them to run at end of update job
- at end of update job leave only unique 'actions' and run them
This deduplication needed to not run action same command more then one time per update. Doesn't know cases when people will need run it per each script multiply times. But if you know usecase - possible add checkbox to deffer job 'action' and deduplicate 'action' which is enable by default and can be turned off to run command instantly and in result many times.
Pros and cons
+ easier to implement
- need to explicitly create action on each IP list
- this flow will trigger 'action' even this action not required anymore, f.e.: due to changed configuration of end package/software, etc, but missed to remove action from pfBlockerNG IPs list
HAproxy is great software which is widely used in pfSense (as well as pfBlockerNG) and has support ACL for SrcIPs from aliases, so it can be added as option on General tab to reload HAproxy config.
- check if haproxy service is running: proceed if true, or skip reload if false
- get all ACLs with SrcIPs that not commented by # at start of string and save their name and file path to array
- check that SrcIP ACL name is used at least by one not commented-out action rule, f.e: action if some_acl srcIpAclName anotherAcl !aclCanHaveNegativeSoNeedStripExclamationPoint - if check is true save their file path to list, or skip if false
- extract ^/var/etc/haproxy/(here must be regex to validate common alias restrictions like a-zA-Z0-9_ and maximum alias name lench).lst from list and compare to list of updated pfBlockerNG aliases - if there is at least one matches then trigger reload of Haproxy
pros and cons:
+ more user-friendly: enable/disable done in one place
+ this flow will reload HAproxy only when it needed and do it only once per all update - this is very critical for HAproxy package as used to provide availability of web servires or load balancing of critical services like ldap\sql so unneeded interruptions better to be avoided.
- not universal
- harder to implement
This task related originally to https://redmine.pfsense.org/issues/9793
Updated by DRago_Angel [InV@DER] almost 3 years ago
It would be cool if you add both flows. Thank you guys. And about HAproxy Reload Integration it better to be done as in way of https://redmine.pfsense.org/issues/10599
Updated by Jim Pingle almost 3 years ago
- Category set to pfBlockerNG
Updated by DRago_Angel [InV@DER] over 2 years ago
Hi, any update on the issue? Thanks.