Hi Max,

On Tue, Sep 02, 2025 at 11:35:40AM +0200, Maximilian Moehl wrote:
> On Thu, 22 May 2025 00:33:28 -0700, Willy Tarreau wrote:
> > If you don't have too many IP addresses per host, maybe you can enumerate
> > them all and have everything in a single list, in which you would look up
> > a concatenation of the host and the IP address. If you have many addresses
> > with various prefixes, then we'd need first to turn the addresses to binary
> > before performing a longest match lookup of the concatenation of host and
> > IP. This would be fast since it's done in a tree. However we don't have such
> > an operator right now, but that wouldn't be too hard to implement. Maybe
> > that's something we could add to the short-term todo list.
>
> That sounds like a great idea! As we will mostly have prefixes we can probably
> use a prefix match to avoid having to enumerate every IP. An example map could
> look like this:
>
>     # 10.0.1.0/24
>     example.com|000010100000000000000001 1
>     # 0.0.0.0/0
>     allow-any.com| 1
>
> where 1 means a request should be allowed. Then the client IP 10.0.1.10 for a
> request to example.com would be converted to:
>
>     example.com|00001010000000000000000100001010
>
> which is looked up using map_beg_int. So the entire thing would look something
> like this (assuming the converter is called ip_bin):
>
>     http-request set-var(req.ip_bin) src,ip_bin
>     http-request set-var-fmt(req.acl_key) %[hdr(host)]|%[var(req.ip_bin)]
>     http-request deny if { var(req.acl_key),map_beg_int(/etc/haproxy/allow-list,0) eq 0 }
>
> The converter would accept ip as input type and output type would be str.
>
> Does this make sense?

Yes, that's exactly the point!

> I would be interested to take a stab at implementing the converter, though I'm
> a bit of a newbie when it comes to C programming.

No problem, we've all been newbies at this, and you'll find that it's easier
than you think because it shares common roots with plenty of more modern
languages.

I would suggest to do something even simpler for the converter, which is to
create one called "bin" which would convert the input to binary, exactly like
"hex" currently works. Normally these ones will automatically work with an IP
address on input, and that will make the converter much more versatile. Plus
it's easier to implement. Have a look at the function "sample_conv_bin2hex()",
which does that for "hex()".

Admittedly the naming can be confusing because we use "bin" internally to
indicate raw data, as opposed to "string". Maybe you can call your converter
"base2" instead, to remove this confusion. We know that binary is base2
encoding, and it avoids this confusion. But the code can easily be picked from
the function above and adjusted to produce 8 digits per input byte instead of 2.

Cheers,
Willy
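An added, stand-alone illustration of the scheme discussed in this thread (editor's example, not HAProxy code and not from either of the participants): a "base2" rendering of raw bytes producing 8 digits per input byte, the "host|bits" key construction, and a prefix lookup over a constructed allow-list equivalent to the example map above. The function names (bytes_to_base2, build_key, build_entry, map_beg_lookup, request_allowed) are my own, the map is constructed for the example and adds one /32 entry that is not in the thread, and the lookup assumes longest-prefix-wins semantics; when writing the real map file, check how map_beg orders overlapping entries and list the most specific networks first if needed.

```c
/* Editor's example, not HAProxy code: "base2" byte rendering plus a
 * host|bits prefix lookup modelled on the map_beg_int idea from the thread. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Render raw bytes as base-2 digits, 8 per input byte (hex() gives 2).
 * Returns the number of digits written, or 0 if out is too small. */
size_t bytes_to_base2(const uint8_t *in, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < len * 8 + 1)
        return 0;
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--)
            out[n++] = ((in[i] >> b) & 1) ? '1' : '0';
    out[n] = '\0';
    return n;
}

/* Dotted IPv4 -> 32 binary digits. 0 on success, -1 on a malformed address. */
int ipv4_to_base2(const char *ipv4, char bits[33])
{
    struct in_addr a;
    if (inet_pton(AF_INET, ipv4, &a) != 1)
        return -1;
    /* s_addr is in network byte order, so bytes are already most-significant first */
    return bytes_to_base2((const uint8_t *)&a.s_addr, 4, bits, 33) == 32 ? 0 : -1;
}

/* Request key "host|<32 bits>" (what req.acl_key holds in the thread). */
int build_key(const char *host, const char *ipv4, char *out, size_t outsz)
{
    char bits[33];
    if (ipv4_to_base2(ipv4, bits) != 0)
        return -1;
    return snprintf(out, outsz, "%s|%s", host, bits) < (int)outsz ? 0 : -1;
}

/* Map entry key "host|<prefix_len bits>" for a network such as 10.0.1.0/24. */
int build_entry(const char *host, const char *net, int prefix_len, char *out, size_t outsz)
{
    char bits[33];
    if (prefix_len < 0 || prefix_len > 32 || ipv4_to_base2(net, bits) != 0)
        return -1;
    bits[prefix_len] = '\0';   /* keep only the network part */
    return snprintf(out, outsz, "%s|%s", host, bits) < (int)outsz ? 0 : -1;
}

struct map_entry { const char *key; int value; };

/* Prefix lookup: an entry matches when its key is a prefix of the needle;
 * the longest matching key (most specific network) wins, else dflt. */
int map_beg_lookup(const struct map_entry *m, size_t n, const char *needle, int dflt)
{
    size_t best_len = 0;
    int best = dflt, found = 0;
    for (size_t i = 0; i < n; i++) {
        size_t kl = strlen(m[i].key);
        if (strncmp(m[i].key, needle, kl) == 0 && (!found || kl > best_len)) {
            best = m[i].value;
            best_len = kl;
            found = 1;
        }
    }
    return best;
}

/* Constructed allow-list: the thread's map plus one /32 exception (constructed)
 * to show that the most specific entry takes precedence over the /24. */
static const struct map_entry allow_list[] = {
    { "example.com|000010100000000000000001",         1 }, /* 10.0.1.0/24  */
    { "example.com|00001010000000000000000100001010", 0 }, /* 10.0.1.10/32 */
    { "allow-any.com|",                                1 }, /* 0.0.0.0/0    */
};

/* 1 = allow, 0 = deny (default 0, as in map_beg_int(...,0)), -1 = bad input. */
int request_allowed(const char *host, const char *ipv4)
{
    char key[300];
    if (build_key(host, ipv4, key, sizeof key) != 0)
        return -1;
    return map_beg_lookup(allow_list, sizeof allow_list / sizeof allow_list[0], key, 0);
}

/* Check helpers: does the generated key/entry equal `expected`? */
int key_matches(const char *host, const char *ipv4, const char *expected)
{
    char key[300];
    return build_key(host, ipv4, key, sizeof key) == 0 && strcmp(key, expected) == 0;
}

int entry_matches(const char *host, const char *net, int plen, const char *expected)
{
    char key[300];
    return build_entry(host, net, plen, key, sizeof key) == 0 && strcmp(key, expected) == 0;
}

int main(void)
{
    const char *cases[][2] = { { "example.com", "10.0.1.20" }, { "example.com", "10.0.1.10" },
                               { "example.com", "10.0.2.5" },  { "allow-any.com", "192.0.2.1" } };
    for (size_t i = 0; i < 4; i++)
        printf("%s from %s -> %d\n", cases[i][0], cases[i][1],
               request_allowed(cases[i][0], cases[i][1]));
    return 0;
}
```

Two things worth keeping in mind when wiring this into a real configuration: the key relies on "|" as a separator that never appears in a host name, and the Host header should be normalised (lower-cased, port stripped) before it is concatenated, otherwise "Example.com:443" will silently miss every entry and fall through to the deny default.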