On 2019/05/29 10:35, Frank Myhr wrote:
On 2019/05/28 22:34, Willy Tarreau wrote:
In fact ACLs and maps are *exactly* the same, the only difference is that
ACLs have a single column (the pattern) while maps associate a value (2nd
column) to a pattern. Both are loaded from files, both can be updated at
runtime from the CLI or from http-request rules. Note that what we're
missing compared to ipset is a simple tool to append/remove entries to a
file and to apply it to the CLI at the same time. It's quite trivial to
do, it's just that nobody has apparently contributed such a thing (but
probably many sysadmins out there have their own version).

Thank you very much for the clarification.

I now plan to use src ACL files with hitless reload. I might keep my
whitelists & blacklists in files with slightly more elaborate syntax and use a script to translate them into ipset or haproxy ACL files as appropriate.

That's indeed the cleanest way to do it.

OK, this is now definitely the way I'll do it! Thanks for your confirmation. :-)

For example, the ipset "nomatch" exception can be very handy for "punching out" ip subnets. A script could translate a single list file that included
"nomatch" ranges into a haproxy whitelist and blacklist file pair to be
combined in compound acl test.

Indeed. I used to have an example utility somewhere based on ebtree to
punch holes in networks and to merge other networks, I just don't remember
where I've put it. This would be something useful. In this case you can
use a single list which is exhaustive.

That sounds like a very useful utility. Interesting that you haven't ended up using it much.


Reply via email to