On Tue, May 28, 2019 at 10:13:38PM -0400, Frank Myhr wrote:
> haproxy src ACL file:
> + fast (with haproxy)
> + easy to maintain simple file format
> - restart required to update (but can be done without dropping any
> connections)
> 
> haproxy map
> + very flexible
> + fast
> + can be updated via socket api, no restart required
> - syncing in-memory and on-disk state is more complex than simple file edit
> and reload

In fact ACLs and maps are *exactly* the same, the only difference is that
ACLs have a single column (the pattern) while maps associate a value (2nd
column) to a pattern. Both are loaded from files, both can be updated at
runtime from the CLI or from http-request rules. Note that what we're
missing compared to ipset is a simple tool to append/remove entries to a
file and to apply it to the CLI at the same time. It's quite trivial to
do, it's just that nobody has apparently contributed such a thing (but
probably many sysadmins out there have their own version).

> I now plan to use src ACL files with hitless reload. I might keep my
> whitelists & blacklists in files with slightly more elaborate syntax and use
> a script to translate them into ipset or haproxy ACL files as appropriate.

That's indeed the cleanest way to do it.

> For example, the ipset "nomatch" exception can be very handy for "punching
> out" ip subnets. A script could translate a single list file that included
> "nomatch" ranges into a haproxy whitelist and blacklist file pair to be
> combined in compound acl test.

Indeed. I used to have an example utility somewhere based on ebtree to
punch holes in networks and to merge other networks, I just don't remember
where I've put it. This would be something useful. In this case you can
use a single list which is exhaustive.

Willy
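The "simple tool to append/remove entries to a file and to apply it to the CLI at the same time" that Willy says is missing can be written in a few lines. The following is an added example, not code from this thread or from the HAProxy project: it rewrites the pattern file atomically and returns the matching Runtime API command (`add acl`, `del acl`, `add map`, `set map`, `del map`) so the in-memory and on-disk state change together. The socket path, the file paths and the input format (one pattern per line, `pattern value` for maps, `#` comments) are assumptions; HAProxy must reference the file under the same path and the stats socket must be at `level admin`.

```python
"""Keep an HAProxy ACL/map pattern file and the running process in sync.

Added example; assumptions: socket at /var/run/haproxy.sock (admin level),
HAProxy references each pattern file by the same path used here.
"""
import os
import socket
from pathlib import Path


def _key_of(line):
    """First column of a pattern line, or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split()[0]


def plan_change(lines, kind, action, pattern, value=None):
    """Pure core: compute (new_lines, verb, cli_args) for one change.

    lines   - current file lines (comments and blanks are preserved)
    kind    - "acl" (single column) or "map" (pattern + value)
    action  - "add" or "del"
    verb    - Runtime API verb to use ("add", "set", "del"), or None when
              the file already reflects the request and nothing must be sent.
    """
    if kind not in ("acl", "map") or action not in ("add", "del"):
        raise ValueError("kind must be acl|map and action add|del")
    if kind == "map" and action == "add" and value is None:
        raise ValueError("map entries need a value")

    existing = [ln for ln in lines if _key_of(ln) == pattern]
    kept = [ln for ln in lines if _key_of(ln) != pattern]

    if action == "del":
        if not existing:
            return lines, None, None
        return kept, "del", pattern

    entry = pattern if kind == "acl" else f"{pattern} {value}"
    if existing and kind == "acl":
        return lines, None, None          # already listed: no edit, no command
    if existing:
        return kept + [entry], "set", entry   # map key present: update its value
    return kept + [entry], "add", entry


def apply_change(path, kind, action, pattern, value=None):
    """Rewrite the file atomically; return the CLI command to send, or None."""
    path = Path(path)
    lines = path.read_text().splitlines() if path.exists() else []
    new_lines, verb, args = plan_change(lines, kind, action, pattern, value)
    if verb is None:
        return None
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text("\n".join(new_lines) + "\n")
    os.replace(tmp, path)   # atomic swap: a concurrent reload never sees a half-written file
    return f"{verb} {kind} {path} {args}"


def send_cli(commands, sock_path="/var/run/haproxy.sock"):
    """Send several commands on one ';'-separated line to the stats socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(("; ".join(commands) + "\n").encode())
        return s.recv(65536).decode()


if __name__ == "__main__":
    # Hypothetical file names; both edits are applied in a single CLI round trip.
    cmds = [
        apply_change("/etc/haproxy/blacklist.acl", "acl", "add", "203.0.113.0/24"),
        apply_change("/etc/haproxy/ratelimit.map", "map", "add", "198.51.100.7", "strict"),
    ]
    print(send_cli([c for c in cmds if c]))
```

Because the file is rewritten before the command is sent, a later hitless reload loads exactly what the running process already has; if the socket call fails, the file edit still survives for the next reload.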

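The translation Frank describes (one list with ipset-style `nomatch` exceptions turned into a whitelist/blacklist file pair) and the single exhaustive list Willy mentions (holes punched directly into the networks) can both be produced from the same input. The following is an added example, not code from the thread or from the HAProxy project; the input format (`<cidr>` to include, `<cidr> nomatch` to except, `#` comments) and the output file names are assumptions. Hole punching uses `ipaddress.address_exclude` from the standard library instead of ebtree.

```python
"""Translate a single allow-list with "nomatch" exceptions into HAProxy ACL files.

Added example. Input format (assumed): one entry per line,
  <cidr>            include this range
  <cidr> nomatch    punch this range out of whatever includes it
  # ...             comment
Two outputs are produced:
  1. one exhaustive whitelist with the holes already removed, usable alone:
       acl allowed src -f /etc/haproxy/allow.acl
       http-request deny if !allowed
  2. an include/except pair for a compound ACL test:
       acl allowed  src -f /etc/haproxy/allow.acl
       acl excepted src -f /etc/haproxy/except.acl
       http-request deny if !allowed or excepted
"""
import ipaddress


def parse_list(text):
    """Return (include, exclude) lists of ip_network objects."""
    include, exclude = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        net = ipaddress.ip_network(parts[0], strict=False)
        if len(parts) == 1:
            include.append(net)
        elif len(parts) == 2 and parts[1] == "nomatch":
            exclude.append(net)
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return include, exclude


def _collapse(nets):
    """Merge overlapping/adjacent networks, per address family (v4 first)."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return out


def punch_holes(include, exclude):
    """Minimal disjoint set of networks covering include minus exclude."""
    pieces = _collapse(include)
    for hole in exclude:
        remaining = []
        for p in pieces:
            if p.version != hole.version or not p.overlaps(hole):
                remaining.append(p)           # disjoint: untouched
            elif p.subnet_of(hole):
                continue                      # swallowed whole by the hole
            else:
                remaining.extend(p.address_exclude(hole))  # hole is a proper subnet of p
        pieces = remaining
    return _collapse(pieces)


def whitelist_blacklist(include, exclude):
    """Alternative output: the (allow, except) pair for a compound ACL."""
    return _collapse(include), _collapse(exclude)


def render_acl(nets):
    """Text of a one-column HAProxy ACL file."""
    return "".join(f"{n}\n" for n in nets)


def covers(nets, ip):
    """True if the address is inside any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


# Constructed sample input (documentation ranges only).
SAMPLE = """
10.0.0.0/8
10.1.0.0/16 nomatch
10.2.3.0/24 nomatch
192.0.2.0/24
203.0.113.0/24 nomatch   # outside every include: no effect on the punched list
2001:db8::/32
2001:db8:1::/48 nomatch
"""

if __name__ == "__main__":
    inc, exc = parse_list(SAMPLE)
    print("# exhaustive whitelist\n" + render_acl(punch_holes(inc, exc)))
    allow, deny = whitelist_blacklist(inc, exc)
    print("# allow.acl\n" + render_acl(allow) + "# except.acl\n" + render_acl(deny))
```

The punched form needs only one ACL in the configuration and no negation logic, at the cost of more lines in the file (each hole splits its parent into one network per prefix length); the pair form keeps the file readable but relies on the compound `!allowed or excepted` test being written correctly.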