Hi Joris,

On Wed, Feb 25, 2015 at 02:24:45PM +0100, joris dedieu wrote:
> Hi,
> I have a list of valid cookies associated with client IP, that I try
> to make match in an acl.
> The map format is :
>
> cookie-value\tip-address\n
>
> This acl should do :
> if (client has cookie plop and plop value lookup in plop.map returns
> src); then
> the acl is valid
> endif
>
> I tried things like :
>
> acl valid_cookie src %[req.cook(plop),map_str_ip(plop.map)]
> or
> acl valid_cookie req.cook(plop),map_str_ip(plop.map) -m ip %[src]
>
> but it clearly doesn't work (error detected while parsing ACL
> 'valid_cookie' : '%[req.cook(plop),map_str_ip(plop.map)]' or %[src] is
> not a valid IPv4 or IPv6 address).
>
> Maybe I misunderstand %[ substitution ? Does anyone here know the
> right way to do that ? Maybe the -M switch ?

The problem with "%[]" is that it became widespread enough to let people
believe it can be used everywhere. It's only valid in some arguments of
the http-request actions, and in log formats of course. It cannot be used
to describe ACL patterns since by definition these patterns are constant.

In your case, if you need to check that the combination of (source,cookie)
matches one in your table, I think you could proceed like this :

1) build a composite header which contains "$cookie=$ip" :

    http-request add-header blah %[req.cook(plop)]=%[src]

2) match this header against your own list of "cookie=src" entries in an
   ACL :

    acl valid_cookie req.hdr(blah) -f valid-cookies.lst

3) fill your "valid-cookies.lst" file with the valid combinations in the
   form "cookie=ip".

4) optionally remove the header blah after you've used the valid_cookie ACL.

Hoping this helps,
Willy
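
Step 3 above needs valid-cookies.lst built from the existing cookie<TAB>ip map. The conversion below is an added example, not part of the original thread; the function name and sample data are constructed, and it assumes HAProxy renders src in the same canonical text form that Python's ipaddress module produces.

```python
import ipaddress

# Characters RFC 6265 does not allow in a cookie value.
FORBIDDEN = set(' \t",;\\')

# Constructed sample in the map format from the thread: cookie<TAB>ip
SAMPLE_MAP = (
    "abc123\t192.0.2.10\n"
    "bad line without tab\n"
    "def456\t2001:0DB8:0:0:0:0:0:1\n"
    "xyz\t999.1.1.1\n"
    "abc123\t192.0.2.10\n"
)


def map_to_acl_lines(map_text):
    """Turn 'cookie<TAB>ip' lines into 'cookie=ip' pattern-file lines.

    Returns (entries, rejected); rejected holds (line_number, reason).
    """
    entries, rejected, seen = [], [], set()
    for lineno, line in enumerate(map_text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 2:
            rejected.append((lineno, "expected cookie<TAB>ip"))
            continue
        cookie, ip_text = parts[0], parts[1].strip()
        # A leading '#' would make HAProxy read the line as a comment.
        if not cookie or cookie.startswith("#") or FORBIDDEN & set(cookie):
            rejected.append((lineno, "unusable cookie value"))
            continue
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            rejected.append((lineno, "invalid IP address"))
            continue
        entry = f"{cookie}={ip}"  # canonical form, e.g. 2001:db8::1
        if entry not in seen:  # drop exact duplicates
            seen.add(entry)
            entries.append(entry)
    return entries, rejected


if __name__ == "__main__":
    lines, bad = map_to_acl_lines(SAMPLE_MAP)
    print("\n".join(lines))
    for lineno, reason in bad:
        print(f"# skipped line {lineno}: {reason}")
```

Rejected lines are reported rather than written out, so a malformed map entry never becomes a pattern that silently fails to match.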

