On Mon, Jul 20, 2015 at 8:19 PM, [email protected] <[email protected]> wrote:
> 2015-07-13 18:07 GMT+02:00 [email protected] <[email protected]>:
>> Hi,
>>
>> I'm using stick-tables to track requests and block abusers if needed.
>> Abusers should be blocked only for a short period of time and I want a
>> stick-table entry to expire.
>>
>> Therefore, I have to check if the client is already marked as an
>> abuser and do not track this client.
>>
>> example config:
>>
>> frontend fe_http_in
>>     bind 127.0.0.1:8001
>>     stick-table type ip size 100k expire 600s store gpc0
>>
>>     # Not working
>>     # acl is_overlimit sc0_get_gpc0(fe_http_in) gt 0
>>
>>     # Working
>>     # acl is_overlimit src_get_gpc0(fe_http_in) gt 0
>>
>>     tcp-request connection track-sc0 src if !is_overlimit
>>
>>     default_backend be
>>
>> backend be
>>     ... incrementing gpc0 ( with "sc0_inc_gpc0") ...
>>
>> If I use "sc0_get_gpc0", the stick-table entry will never expire
>> because the timer will be reset (tcp-request connection track-sc0
>> ... seems to ignore this acl).
>>
>> With "src_get_gpc0" everything works as expected.
>>
>> Both ACLs are correct and triggered (verified with debug headers
>> (http-response set-header ...))
>>
>> What's the difference between these ACLs in conjunction with
>> "tcp-request connection track-sc0 ..."?
>>
>> Is this a bug or intended behaviour?
>>
>> -----------
>> Bjoern
>
> Has anyone observed the same behaviour or does anyone know if this is the
> correct behaviour?
>
> -----------
> Bjoern
>

Hi,

This is not doable in 1.5.
In the upcoming 1.6, you can "copy" the data into a blacklist-purpose stick table with an expire argument, then use the "in_table" converter to know if a request is blacklisted or not.

When you use a "sc0_*" function, you refresh the data in the table.

Baptiste
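
One way the approach described in this reply could be laid out in an HAProxy 1.6 configuration, as an added example that is not from the thread or from the HAProxy project. The table name `bl_abuse`, the 60s block time and the request-rate threshold are assumptions chosen for illustration.

```haproxy
# Added example (constructed). Names bl_abuse and be, and all numeric
# values, are illustrative assumptions, not taken from the thread.

# Dedicated blacklist table. Its expire value is the block duration.
backend bl_abuse
    stick-table type ip size 100k expire 60s store gpc0

frontend fe_http_in
    bind 127.0.0.1:8001

    # Tracking table for normal traffic accounting.
    stick-table type ip size 100k expire 600s store http_req_rate(10s)

    # in_table only looks the source address up in bl_abuse;
    # it does not track the entry on this connection.
    acl is_blacklisted src,in_table(bl_abuse)

    # Blocked clients are rejected before any track-sc rule is evaluated,
    # so a blocked client is never tracked in bl_abuse again while blocked.
    tcp-request connection reject if is_blacklisted

    # Everyone else is tracked as usual in the frontend table.
    tcp-request connection track-sc0 src

    # "Copy" an abuser into the blacklist table: tracking the source in
    # bl_abuse creates the entry that the in_table lookup above will find.
    http-request track-sc1 src table bl_abuse if { sc0_http_req_rate gt 100 }

    default_backend be

backend be
    # Constructed placeholder server so the fragment is complete.
    server app1 127.0.0.1:8080
```

Validate the file with `haproxy -c -f <file>` before reloading, and watch the blacklist entries come and go with `show table bl_abuse` on the stats socket.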

