Bug #8213

open

acl src file not populated from alias

Added by Jerry Fath over 6 years ago. Updated about 6 years ago.

Status: New
Priority: Normal
Assignee: -
Category: haproxy
Target version: -
Start date: 12/15/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.4.2_1
Affected Plus Version:
Affected Architecture:

Description

Trying to use an alias as frontend ACL source IP filter. Alias (7 hosts) resolves correctly in pfSense, HAProxy config file looks good, but src file created for alias is empty.
HAProxy package (non-devel) 0.54_2

I configured an alias called infoddns in pfSense latest stable (2.4.2-RELEASE-p1) that consists of 7 hosts. The hosts are configured as FQDNs that are all updated using ddns. mysub1.mydom.info, mysub2.mydom.info, etc.

When I look at Diagnostics/Tables, infoddns is there and the correctly resolved IP addresses are listed in the table.

I used that alias name as the value for a front end ACL of type "Source IP matches IP or Alias". When I look at the generated HAProxy config, all looks correct:
acl infoacl src -f /var/etc/haproxy/ipalias_infoddns.lst

If I add the ACL to an action, those IPs (and all IPs) are blocked and return a 503.

When I look at the file /var/etc/haproxy/ipalias_infoddns.lst it is empty.

It seems that everything is set up correctly, but the resolved alias IPs are never written to the HAProxy acl src file. Restarting HAProxy causes ipalias_infoddns.lst to be re-written, but still empty.

#1

Updated by Pi Ba about 6 years ago

Basically current haproxy package only supports static ip/subnet aliases.

Workaround available here (Thanks Jerry :) ): https://forum.pfsense.org/index.php?topic=141438.msg773319#msg773319
Which might be a good start for implementing that or something similar into the package.
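
A check for the failure mode reported in this ticket, as an added example that is not part of the ticket, the linked workaround, or the pfSense HAProxy package: it lists every pattern file referenced by an acl ... -f line in a HAProxy config and flags those that are missing or hold no entries. The function names and the sample config and list files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find "acl ... -f FILE" pattern files that are missing or
# contain no usable entries (the symptom described in this ticket).

# list_acl_files CFG: print each path that follows "-f" on an "acl" line.
list_acl_files() {
    awk '$1 == "acl" { for (i = 2; i < NF; i++) if ($i == "-f") print $(i + 1) }' "$1" | sort -u
}

# count_entries FILE: number of lines HAProxy would load as patterns.
# HAProxy ignores empty lines and lines beginning with "#".
count_entries() {
    awk '!/^#/ && !/^[ \t]*$/ { n++ } END { print n + 0 }' "$1"
}

# check_config CFG: print one line per problem file; return 1 if any found.
check_config() {
    bad=0
    for f in $(list_acl_files "$1"); do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; bad=1
        elif [ "$(count_entries "$f")" -eq 0 ]; then
            echo "EMPTY $f"; bad=1
        fi
    done
    return $bad
}

# Constructed demo: one empty list (as in the ticket) and one populated list.
demo() {
    d=$(mktemp -d)
    : > "$d/ipalias_infoddns.lst"
    printf '# static alias\n192.0.2.10\n198.51.100.0/24\n' > "$d/ipalias_static.lst"
    printf 'frontend www\n    acl infoacl src -f %s\n    acl staticacl src -f %s\n' \
        "$d/ipalias_infoddns.lst" "$d/ipalias_static.lst" > "$d/haproxy.cfg"
    check_config "$d/haproxy.cfg" || true   # prints: EMPTY .../ipalias_infoddns.lst
    rm -rf "$d"
}
demo
```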
