On 2019/05/28 22:25, Willy Tarreau wrote:
Frank, I wanted to support ipset 10 years ago or so, before we had
the ability to update ACLs at run time. I also wanted to be able to
update them at run time. But later I figured that 1) it wouldn't bring
any extra functionality over ACLs, 2) would not be portable, 3) would
require haproxy to run as root in order to support being updated at
runtime. So overall it would add extra dependencies and deployment
constraints with little to no real benefit.

Hoping this helps,
Willy

Willy,
Those are excellent reasons for not supporting ipset from haproxy. Thank
you for detailing them, it's very helpful indeed.
Off-topic here, but the need to remain portable across platforms is
likely the reason apache also doesn't support ipset. Good to be reminded
to remove my Linux blinders occasionally.
Frank