On Thu, May 22, 2025 at 09:22:41AM +0200, Maximilian Moehl wrote:
> > I have no idea how many such different files you need, but if it's a low
> > number, say 10, you can very well combine multiple ACLs in your rules.
> > For example:
> >
> >     tcp-request session set-var(sess.allowlist) ssl_fc_sni,map(/usr/local/etc/custom_allowlists)
> >     tcp-request session accept if { var(sess.allowlist) -m str 1 } { src -f /path/to/list1.acl }
> >     tcp-request session accept if { var(sess.allowlist) -m str 2 } { src -f /path/to/list2.acl }
> >     tcp-request session accept if { var(sess.allowlist) -m str 3 } { src -f /path/to/list3.acl }
> >     tcp-request session accept if { var(sess.allowlist) -m str 4 } { src -f /path/to/list4.acl }
> >
> > This remains very cheap as a single ACL will be evaluated (at most),
> > the rest being only a single variable. In certain cases, depending on
> > your architecture, this can even be deferred to backends, in which
> > case only one rule will be evaluated. This can ease the setup when
> > dealing with multiple rules, but it depends if your server farm is
> > compatible with such an architecture:
> >
> >   frontend
> >     tcp-request session set-var(sess.allowlist) ssl_fc_sni,map(/usr/local/etc/custom_allowlists)
> >     use_backend back-%[var(sess.allowlist)]
> >
> >   back-1
> >     tcp-request session accept if { src -f /path/to/list1.acl }
> >     server ...
> >
> >   back-2
> >     tcp-request session accept if { src -f /path/to/list2.acl }
> >     server ...
> >     ...
> 
> Unfortunately, we have a shared backend and will probably need more than a few lists.

If you don't have too many IP addresses per host, maybe you can enumerate
them all and have everything in a single list, in which you would look up
a concatenation of the host and the IP address. If you have many addresses
with various prefixes, then we'd need first to turn the addresses to binary
before performing a longest match lookup of the concatenation of host and
IP. This would be fast since it's one in a tree. However we don't have such
an operator right now, but that wouldn't be too hard to implement. Maybe
that's something we could add to the short-term todo list.

Willy
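The two lookup strategies sketched in the reply above, as an added illustration that is not HAProxy code and not part of the original thread: a single exact-match list keyed on the concatenation of host and address (workable only when every address can be enumerated), and a single binary tree keyed on the host bytes followed by the address bits, which gives a longest-prefix match per host in one walk. The host names and networks are constructed sample data, and the class and function names are this example's own, not an operator HAProxy provides.

```python
import ipaddress

# Constructed sample allow lists: SNI host -> permitted source prefixes.
ALLOWLISTS = {
    "app1.example.com": ["192.0.2.0/24", "192.0.2.128/25", "2001:db8:1::/48"],
    "app2.example.com": ["192.0.2.10/32", "198.51.100.0/25"],
}

_END = object()  # sentinel marking the end of an allowed prefix in the trie


def _key(host, addr, prefixlen=None):
    """Symbols for one tree walk: host bytes, then address family, then address bits.

    Keeping the host first means a lookup for an unknown host falls off the tree
    before reaching any address bits, and v4/v6 bits never mix.
    """
    bits = format(int(addr), f"0{addr.max_prefixlen}b")
    if prefixlen is not None:
        bits = bits[:prefixlen]  # only the network part is inserted
    return ([("h", b) for b in host.lower().encode()]
            + [("f", addr.version)]
            + [int(b) for b in bits])


class HostPrefixTrie:
    """Longest-prefix match of (host, source address) in a single tree."""

    def __init__(self):
        self._root = {}

    def add(self, host, network):
        net = ipaddress.ip_network(network, strict=False)
        node = self._root
        for sym in _key(host, net.network_address, net.prefixlen):
            node = node.setdefault(sym, {})
        node[_END] = net

    def lookup(self, host, ip):
        """Return the most specific permitted network for (host, ip), or None."""
        addr = ipaddress.ip_address(ip)
        node, best = self._root, None
        for sym in _key(host, addr):
            node = node.get(sym)
            if node is None:
                break
            if _END in node:
                best = node[_END]  # deeper node => longer prefix => better match
        return best

    def allowed(self, host, ip):
        return self.lookup(host, ip) is not None


def build_trie(allowlists):
    trie = HostPrefixTrie()
    for host, networks in allowlists.items():
        for network in networks:
            trie.add(host, network)
    return trie


def exact_keys(allowlists, max_entries=65536):
    """The enumerate-everything variant: one flat set of 'host ip' keys.

    This is the single-list approach for small lists; it refuses prefixes whose
    expansion would be impractical, which is exactly where the trie is needed.
    """
    keys = set()
    for host, networks in allowlists.items():
        for network in networks:
            net = ipaddress.ip_network(network, strict=False)
            if len(keys) + net.num_addresses > max_entries:
                raise ValueError(
                    f"{host} {network} would exceed {max_entries} keys; use the prefix tree")
            for addr in net:
                keys.add(f"{host.lower()} {addr}")
    return keys


if __name__ == "__main__":
    trie = build_trie(ALLOWLISTS)
    for host, ip in [("app1.example.com", "192.0.2.200"),
                     ("app2.example.com", "192.0.2.200"),
                     ("unknown.example.com", "192.0.2.200")]:
        print(host, ip, "->", trie.lookup(host, ip))
```

The tree walk costs one step per host byte plus at most one per address bit, independent of how many hosts or prefixes are loaded, which is the property the reply describes; the exact-key set is cheaper to build but blows up on the IPv6 /48 in the sample data.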
