On Fri, Mar 18, 2011 at 09:00:50PM -0400, David Birdsong wrote:
> On Fri, Mar 18, 2011 at 4:56 PM, Willy Tarreau <[email protected]> wrote:
> > Hi David,
> >
> > On Thu, Mar 17, 2011 at 04:17:15AM -0400, David Birdsong wrote:
> >> this line in my haproxy config:
> >> acl bad_guys_ip hdr(X-Forwarded-For) -f /etc/haproxy/block_ip.txt
> >>
> >> will block a single ip, but i can't figure out the syntax for specifying a
> >> subnet
> >> this block_ip.txt blocks my ip
> >> <snip>
> >> # comment lines ok
> >>
> >> # block an ip
> >> x.x.x.86
> >>
> >> # block a subnet doesn't work for some reason
> >> # x.x.x.0/24
> >
> > I'm pretty certain that subnets do work in files. However, in your case,
> > that's a bit different. "hdr()" returns a string, so you're performing
> > string matching against all patterns in the file. Replace that with
> > hdr_ip() and the match will be performed as an IP address, and you'll
> > see your masks work.
> 
> great, i was wondering if it was a string or an actual ip address.
> this will definitely improve performance on big ip lists.

It will be even better, because IP lists loaded from files are stored
in binary trees. Even if you load one million prefixes, you should
barely notice it under load, as the prefix lookup is cheaper than the
header extraction itself.

Regards,
Willy
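The fix described in the thread, laid out as an added configuration example (not taken from the mailing list or from the HAProxy project itself): the original string-matching `hdr()` ACL is shown next to the `hdr_ip()` form that makes CIDR entries in the file work, with a constructed `block_ip.txt` using documentation addresses. The `www` frontend, the `app` backend and the file contents are assumptions for illustration.

```haproxy
# /etc/haproxy/block_ip.txt (constructed sample; one entry per line)
#
# comment lines ok
# block a single address
198.51.100.86
# block a subnet: only honoured when the ACL matches as an IP, not a string
192.0.2.0/24

# haproxy.cfg fragment
frontend www
    bind :80

    # Original line: hdr() yields a string, so the file is compared as
    # plain strings and "192.0.2.0/24" never equals a client address.
    # acl bad_guys_ip hdr(X-Forwarded-For) -f /etc/haproxy/block_ip.txt

    # Corrected line: hdr_ip() converts the header value to an IP address,
    # so the file entries are matched as prefixes from a binary tree.
    acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/block_ip.txt
    http-request deny if bad_guys_ip

    default_backend app

backend app
    server app1 127.0.0.1:8080
```

Note that X-Forwarded-For is only meaningful when an upstream proxy you trust sets it; if HAProxy receives client connections directly, `src -f /etc/haproxy/block_ip.txt` matches the real source address instead. When a trusted proxy does sit in front, `hdr_ip(X-Forwarded-For,-1)` selects the last (rightmost) value, the one appended by that proxy, rather than an arbitrary earlier one.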

