Bug #8213

acl src file not populated from alias

Added by Jerry Fath over 1 year ago. Updated over 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: haproxy
Target version: -
Start date: 12/15/2017
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.2_1
Affected Architecture:

Description

Trying to use an alias as frontend ACL source IP filter. Alias (7 hosts) resolves correctly in pfSense, HAProxy config file looks good, but src file created for alias is empty.
HAProxy package (non-devel) 0.54_2

I configured an alias called infoddns in pfSense latest stable (2.4.2-RELEASE-p1) that consists of 7 hosts. The hosts are configured as FQDNs that are all updated using ddns. mysub1.mydom.info, mysub2.mydom.info, etc.

When I look at Diagnostics/Tables, infoddns is there and the correctly resolved IP addresses are listed in the table.

I used that alias name as the value for a front end ACL of type "Source IP matches IP or Alias". When I look at the generated HAProxy config, all looks correct:
acl infoacl src -f /var/etc/haproxy/ipalias_infoddns.lst

If I add the ACL to an action, those IPs (and all IPs) are blocked and return a 503.

When I look at the file /var/etc/haproxy/ipalias_infoddns.lst it is empty.

It seems that everything is set up correctly, but the resolved alias IPs are never written to the HAProxy acl src file. Restarting HAProxy causes ipalias_infoddns.lst to be re-written, but still empty.

History

#1 Updated by Pi Ba over 1 year ago

Basically current haproxy package only supports static ip/subnet aliases.

Workaround available here (Thanks Jerry :) ): https://forum.pfsense.org/index.php?topic=141438.msg773319#msg773319
Which might be a good start for implementing that or something similar into the package.
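
A check for the condition reported in this issue, as an added example that is not part of the HAProxy package or of the linked workaround: it reads a HAProxy config, finds each "acl NAME src -f FILE" line and reports pattern files that are missing or hold no entries. The function names, file names other than ipalias_infoddns.lst, and the sample address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not pfSense package code): report HAProxy "acl NAME src -f FILE"
# entries whose pattern file is missing or holds no patterns.

# check_src_acl_files CFG
# Prints "EMPTY|MISSING <acl> <file>" per problem; returns 1 if any, 2 if CFG unreadable.
check_src_acl_files() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # Collect "name file" pairs; paths containing spaces are not handled.
    refs=$(awk '$1 == "acl" && $3 == "src" {
        for (i = 4; i < NF; i++) if ($i == "-f") print $2, $(i + 1)
    }' "$cfg")
    while read -r name file; do
        [ -n "$name" ] || continue
        if [ ! -f "$file" ]; then
            echo "MISSING $name $file"; rc=1
            continue
        fi
        # HAProxy skips blank lines and lines starting with "#" in pattern files.
        n=$(grep -c -v -E '^#|^[[:space:]]*$' "$file" || true)
        if [ "${n:-0}" -eq 0 ]; then
            echo "EMPTY $name $file"; rc=1
        fi
    done <<EOF
$refs
EOF
    return $rc
}

# Constructed sample mirroring the report: one populated list, one empty one.
demo() {
    d=$(mktemp -d)
    printf '203.0.113.10\n' > "$d/ipalias_static.lst"
    : > "$d/ipalias_infoddns.lst"
    printf 'acl okacl src -f %s\nacl infoacl src -f %s\n' \
        "$d/ipalias_static.lst" "$d/ipalias_infoddns.lst" > "$d/haproxy.cfg"
    check_src_acl_files "$d/haproxy.cfg"
    demo_rc=$?
    rm -rf "$d"
    return $demo_rc
}

if [ $# -gt 0 ]; then check_src_acl_files "$1"; else demo || true; fi
```

Run with the generated config path as the only argument; a non-zero exit status means at least one source ACL has no usable entries.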
