author | PiBa-NL <pba_2k3@yahoo.com> | 2015-02-08 00:53:11 +0100 |
---|---|---|
committer | PiBa-NL <pba_2k3@yahoo.com> | 2015-02-08 00:53:11 +0100 |
commit | cec43bb753d271b84aa6610315fdc02f784895c4 (patch) | |
tree | c7d77bfcc1e543a18a33466e7376ca6f1f210e79 /config | |
parent | 75372116092d861ab829d52f3d245325696cee66 (diff) | |
haproxy-devel, 0.18, make sure frontend without acl's is last 'default' even when system acl is added
Diffstat (limited to 'config')
-rw-r--r-- | config/haproxy-devel/haproxy.inc | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index a7394cf3..fd4262a5 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -1147,6 +1147,7 @@ function haproxy_writeconf($configpath) {
 $default_backend = "";
 $config_acls = "";
 $config_usebackends = "";
+ $config_usedefaultbackends = "";
 $transparent_clientip = false;
 foreach ($bind['config'] as $frontend) {
@@ -1171,11 +1172,13 @@ function haproxy_writeconf($configpath) {
 $backend = haproxy_find_backend($frontend['backend_serverpool']);
 $transparent_clientip = $backend["transparent_clientip"] == 'yes';
+ $allowfordefaultbackend = true;
 $ipv = array();
 if ($transparent_clientip) {
 if ($useipv4 && $useipv6) {
 $ipv["ipv4"]['acl'] = " src_is_ipv4 ";
 $ipv["ipv6"]['acl'] = " !src_is_ipv4 ";
+ $allowfordefaultbackend = false; // transparent backend must always match client-ip which is ipv4 v.s. ipv6 specific so there cannot be a default.
 } else if ($useipv6)
 $ipv["ipv6"]['acl'] = " ";
 else
@@ -1217,10 +1220,12 @@ function haproxy_writeconf($configpath) {
 $a_pendingpl[$poolname]['frontend'] = $bind;
 $a_pendingpl[$poolname]['ipversion'] = $ipversion;
 }
-
+ $canbedefaultbackend = false;
 // Write this out once, and must be before any backend config text
 if (($default_backend == "" || $frontend['secondary'] != 'yes') && count($a_acl) == 0 ) {
- $default_backend = $poolname;
+ $canbedefaultbackend = true;
+ if ($allowfordefaultbackend)
+ $default_backend = $poolname;
 }
 foreach ($a_acl_combine as $a_usebackend) {
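Review bot: The hunk at -1217 adds `$canbedefaultbackend` alongside `$allowfordefaultbackend` (set in the -1171 hunk) with no comment saying how the two differ, and the names are close enough to be swapped in a later edit. HAProxy evaluates `use_backend` rules in order and takes the first match, so these flags decide which pool receives a request. A comment above `$canbedefaultbackend = false;` would make the intent explicit, for example `// canbedefault: frontend has no user ACLs, so its use_backend rules are written last; allowfordefault: pool may also be named in default_backend`. The nested condition is also safer braced: `if ($allowfordefaultbackend) { $default_backend = $poolname; }`. haproxy_writeconf starts and ends outside these hunks.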
@@ -1281,12 +1286,17 @@ function haproxy_writeconf($configpath) {
 $y++;
 }
- if (count($useracls) == 0) $useracls[] = ""; // add empty item to enter foreach loop at least once.
+ $systemacl = trim("{$certacl}{$ipversionoptions['acl']}");
+ if (!empty($systemacl) && count($useracls) == 0) $useracls[] = ""; // add empty item to enter foreach loop at least once when a system acl is pressent.
 foreach($useracls as $useracl) {
 $backendacl = "";
- $backendacl .= "|| {$useracl}{$certacl}{$ipversionoptions['acl']}";
+ $backendacl .= "|| {$useracl}{$systemacl}";
 $backendacl = substr($backendacl, 3);
- $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ if ($canbedefaultbackend) {
+ // makes sure these come last even though systemacl's might have been added.
+ $config_usedefaultbackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ } else
+ $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
 }
 }
 }
@@ -1302,6 +1312,7 @@ function haproxy_writeconf($configpath) {
 // Write backends after advanced options so custom use_backend rules can be applied first.
 fwrite ($fd, $config_usebackends);
+ fwrite ($fd, $config_usedefaultbackends);
 if ($default_backend) fwrite ($fd, "\tdefault_backend\t\t" . $default_backend . "\n"); |
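Review bot: `$systemacl` is built with `trim()`, so in `"|| {$useracl}{$systemacl}"` the leading space that used to sit between `$useracl` and the certificate/IP-version fragment is gone. The -1171 hunk pads those fragments as `" src_is_ipv4 "`, which suggests the padding was acting as the separator. `$useracls` is built outside this hunk, so it is not visible whether every entry ends in whitespace; if one does not, the two ACL names fuse into a single token and the generated `use_backend ... if` condition refers to an ACL that was never declared. An explicit separator removes that dependency: `$backendacl .= "|| {$useracl} {$systemacl}";`. haproxy_writeconf starts and ends outside the hunk.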