On Fri, Mar 18, 2011 at 4:56 PM, Willy Tarreau <[email protected]> wrote:
> Hi David,
>
> On Thu, Mar 17, 2011 at 04:17:15AM -0400, David Birdsong wrote:
>> this line in my haproxy config:
>> acl bad_guys_ip hdr(X-Forwarded-For) -f /etc/haproxy/block_ip.txt
>>
>> will block a single ip, but i can't figure out the syntax for specifying a
>> subnet
>> this block_ip.txt blocks my ip
>> <snip>
>> # comment lines ok
>>
>> # block an ip
>> x.x.x.86
>>
>> # block a subnet doesn't work for some reason
>> # x.x.x.0/24
>
> I'm pretty certain that subnets do work in files. However, in your case,
> that's a bit different. "hdr()" returns a string, so you're performing
> string matching against all patterns in the file. Replace that with
> hdr_ip() and the match will be performed as an IP address, and you'll
> see your masks work.

great, i was wondering if it was a string or an actual ip address. this
will definitely improve performance on big ip lists.
>
> Regards,
> Willy
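
Added example, not part of the original thread and not HAProxy code: a small Python model of the difference described above between matching the header value as a string and matching it as an IP address against the same pattern file. The addresses are constructed documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed block list in the same layout as the block_ip.txt quoted above;
# 192.0.2.86 and 198.51.100.0/24 are documentation addresses, not from the thread.
BLOCK_FILE = """\
# comment lines ok

# block an ip
192.0.2.86

# block a subnet
198.51.100.0/24
"""

def load_patterns(text):
    """Return the non-empty, non-comment lines of a pattern file."""
    lines = (line.strip() for line in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def match_as_string(value, patterns):
    """Model of string matching: the value must equal a pattern exactly."""
    return value.strip() in patterns

def match_as_ip(value, patterns):
    """Model of IP matching: each pattern is a network, the value an address."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False  # not an address at all, so no IP pattern can match
    nets = (ipaddress.ip_network(p, strict=False) for p in patterns)
    return any(addr in net for net in nets)  # a bare IP is treated as a /32

PATTERNS = load_patterns(BLOCK_FILE)

if __name__ == "__main__":
    for client in ("192.0.2.86", "198.51.100.77", "203.0.113.5", "garbage"):
        print(f"{client:15} string={match_as_string(client, PATTERNS)!s:5} "
              f"ip={match_as_ip(client, PATTERNS)}")
```

With string matching, the line "198.51.100.0/24" can only ever match a header whose text is literally "198.51.100.0/24", which is why the single-address entry worked and the subnet entry did not.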

