
net/haproxy: support built-in WAIT_END acl rule and/or wait_end condition

Open wjl opened this issue 1 year ago • 0 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [X] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [X] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [X] When the request is meant for an existing plugin, I've added its name to the title.

Is your feature request related to a problem? Please describe.

I've switched a firewall machine from a custom setup to OPNsense, and am porting my HAProxy configuration from a file to OPNsense's GUI. One missing thing I've found was there was no good way to write this succinctly, and no way to do it without an option pass-through that I could find:

tcp-request content reject if WAIT_END

The workaround I had to use was to:

  1. Make a condition "wait_ended" with an option pass-through of "wait_end".
  2. Make a rule "reject-on-timeout" with the "wait_ended" condition in a rule with "tcp-request content reject".

Describe the solution you'd like

This works once I figured it out, but it was pretty roundabout, especially since HAProxy already has WAIT_END as a built-in acl and wait_end as a built-in conditional (which I've never otherwise used and I had to discover from the HAProxy docs while trying to make this work!). So ideally, I would have been able to:

  • Make my "reject-on-timeout" rule with "tcp-request content reject" and the condition WAIT_END (built-in).
  • Alternately, make my "wait_ended" condition with "wait_end" selected from the drop-down, instead of using option pass-through.

Describe alternatives you've considered

There is no alternative that I'm aware of -- using an indirect condition with option pass-through was the only way I could figure out to make this work.

Additional context

The pattern of using inspect-delay followed by a WAIT_END is a pretty common pattern in HAProxy configs. For example, I use this when multiplexing SSH over both HTTP and HTTPS ports:

tcp-request inspect-delay 5s
tcp-request content accept           if is_ssh_payload
tcp-request content accept           if is_https_port is_https_proto
tcp-request content switch-mode http if is_http_port  is_http_proto
tcp-request content reject           if WAIT_END

wjl avatar Dec 11 '23 02:12 wjl
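As an added example that is not part of the issue above, here is a complete HAProxy frontend realising the inspect-delay + WAIT_END pattern the reporter describes. The ACL names are taken from the issue; their fetch expressions, the port layout and the backend addresses are assumptions.

```haproxy
# Added example (not from the issue): multiplex SSH, HTTPS and HTTP on
# ports 80/443 and reject anything unrecognised once the inspect delay ends.
frontend mux
    bind :80
    bind :443
    mode tcp
    # Give the client up to 5s to send its first bytes. The content rules
    # below are re-evaluated as data arrives and once the delay expires.
    tcp-request inspect-delay 5s

    # ACL definitions are assumptions; only the names appear in the issue.
    acl is_http_port    dst_port 80
    acl is_https_port   dst_port 443
    acl is_ssh_payload  req.payload(0,7) -m bin 5353482d322e30   # "SSH-2.0"
    acl is_http_proto   req.proto_http                           # valid HTTP request
    acl is_https_proto  req.ssl_hello_type 1                     # TLS ClientHello

    tcp-request content accept           if is_ssh_payload
    tcp-request content accept           if is_https_port is_https_proto
    tcp-request content switch-mode http if is_http_port  is_http_proto
    # WAIT_END is a built-in ACL that is true only after the inspect delay has
    # elapsed, so this reject fires for clients that presented nothing
    # recognisable within 5s (including silent connections) rather than on
    # the first bytes, which keeps unidentified connections from holding slots.
    tcp-request content reject           if WAIT_END

    use_backend ssh   if is_ssh_payload
    use_backend https if is_https_port
    default_backend http

backend ssh
    mode tcp
    server sshd 127.0.0.1:22          # assumed address

backend https
    mode tcp
    server web_tls 127.0.0.1:8443     # assumed address

backend http
    mode http
    server web 127.0.0.1:8080         # assumed address
```

In OPNsense terms, the reporter's workaround maps the last content rule onto a condition carrying "wait_end" via option pass-through and a rule applying "tcp-request content reject" to it.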