On 23.11.2015 17:04, Andrew Hayworth wrote:
> On Mon, Nov 23, 2015 at 6:26 AM, Dennis Jacobfeuerborn
> <denni...@conversis.de> wrote:
>>
>> On 16.11.2015 15:25, Dennis Jacobfeuerborn wrote:
>>> Hi,
>>> I'm trying to figure out the best way to match a source ip against an ip
>>> mapping file and make decisions based on that. What I'm now doing is this:
>>>
>>> acl acl_is_xx src,map_ip(<map-file-1>) -m str xx
>>> acl acl_is_yy src,map_ip(<map-file-1>) -m str yy
>>>
>>> acl acl_value src,map_ip(<map-file-1>) -m copy
>>> http-request set-header X-Test wasxx if acl_value==xx
>>> http-request set-header X-Test wasyy if acl_value==yy
>>>
>>>
>>> Is there an alternative way to express something like this?
>>
>> Does nobody have any idea how to accomplish this?
>> This is happening in a GeoIP context and I'm now planning to make
>> distinct lookups for four different countries which seems pretty wasteful.
> 
> Hi Dennis -
> 
> I think this configuration would do what you want:
> 
> acl has_ip_map src -M -f <map-file>
> http-request set-header X-Test %[src,map_ip(<map-file>)] if has_ip_map
> 
> The idea is that map-file is a two-column file like so:
> 
> # ip_addr name
> 1.2.3.4 wasxx
> 5.6.7.8 wasyy
> 
> This works by treating <map-file> as both a map AND an acl (the '-M'
> flag does that). When you treat it as an ACL, it only evaluates the
> first column. This lets you test the ip address, to see if it's one
> you care about.
> 
> Then, you use the <map-file> as a map, and you look up the value for
> your header based on the ip address - but only if the prior acl
> evaluated to true.
> 
> An added benefit of this is that you can scale out easily to many
> values in the map/acl file without polluting your configuration.
> Additionally, you can use the socket commands to dynamically add
> things to the map/acl without reloading haproxy, if you wanted
> (something like 'add map <map-file> <address> <value>').

Hm, I wasn't aware of the -M flag, thanks!

However, in your example you again have to do multiple lookups even
though that shouldn't be necessary. I can make decisions based on the
fact that the IP is present in the map but what I really want to do is
make a decision based on what the actual value for that IP in the map is
i.e. if the value is "de" then I want to do one thing and if it is "at"
then I want to do something else.

Regards,
  Dennis
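
One way to do the single lookup discussed in this thread, added here as an example and not written by either poster: store the map result once in a transaction variable with `set-var` (HAProxy 1.6 and later) and match the ACLs against that variable. The map path, the frontend/backend names, the addresses and the `unknown` default value are assumptions.

```haproxy
# Added example; names, addresses and the map path are assumptions.
# /etc/haproxy/geo.map (constructed sample):
#   192.0.2.0/24    de
#   198.51.100.0/24 at

frontend fe_http
    mode http
    bind :80

    # One map lookup per request; the result is kept in a transaction-scoped
    # variable. "unknown" is returned when the source address matches no entry.
    http-request set-var(txn.geo) src,map_ip(/etc/haproxy/geo.map,unknown)

    # These ACLs compare the stored string; they do not consult the map again.
    acl geo_de var(txn.geo) -m str de
    acl geo_at var(txn.geo) -m str at

    http-request set-header X-Test wasde if geo_de
    http-request set-header X-Test wasat if geo_at

    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8080
```

`src` is the address of the TCP peer, so behind another proxy or CDN this lookup sees that hop rather than the end client.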

