Command pfctl does not seems to be executed

Question

Command pfctl does not seems to be executed

Closed this issue 5 years ago · 4 comments

Hello Derek,

I guess I have a correct config file, but command pfctl doesn't seems to get executed properly.

I've got the following logs

Sep 8 20:17:37 vm-haproxy-1 hfm[6708]: '192.168.3.244/haproxy2' run 1a24e52cc9c1958:192.168.3.244/haproxy2:1 change command produced output: {[47 115 98 105 110 47 112 102 99 116 108 32 45 113 32 45 116 32 104 97 112 114 111 120 121 45 105 110 116 45 115 116 100 32 45 84 32 100 101 108 101 116 101 32 49 57 50 46 49 54 56 46 51 46 50 52 52 47 51 50 10] 0 0}

Could you give me advise to check why ?

Regards

Thomas

Answer 1 · 2019-09-09T10:37:25.000Z

Anywhere you can post your config?

Answer 2 · 2019-09-09T10:48:07.000Z

Hello,

Before your answer I was thinking about right, but I still got the same issue with sudo.

You'll find my config file below

interval = 10s
192.168.3.243 {
status = "enabled"
interval = 1s
# matches test interval
# interval_fail =
haproxy1 {
interval = 200ms
interval_fail = 10s
test = "fetch"
test_arguments = [
"-o",
"/dev/null",
"-T1",
"-q",
"http://192.168.3.243:8404/stats"
]
change_fail = "/bin/sh"
change_fail_arguments = [ "-c", "'/usr/local/bin/sudo /sbin/pfctl -q -t haproxy-int-std -T delete 192.168.3.243/32'" ]
change_success = "/bin/sh"
change_success_arguments = [ "-c", "'/usr/local/bin/sudo /sbin/pfctl -q -t haproxy-int-std -T add 192.168.3.243/32'" ]
}
}

192.168.3.244 {
status = "enabled"
interval = 1s
# matches test interval
# interval_fail =
haproxy2 {
interval = 200ms
interval_fail = 10s
test = "fetch"
test_arguments = [
"-o",
"/dev/null",
"-T1",
"-q",
"http://192.168.3.244:8404/stats"
]
change_fail = "/bin/sh"
change_fail_arguments = [ "-c", "'usr/local/bin/sudo /sbin/pfctl -q -t haproxy-int-std -T delete 192.168.3.244/32'" ]
change_success = "/bin/sh"
change_success_arguments = [ "-c", "'/usr/local/bin/sudo /sbin/pfctl -q -t haproxy-int-std -T add 192.168.3.244/32'" ]
}
}

Answer 3 · 2019-09-09T15:01:10.000Z

Hello,

Sorry, I haven't search properly, It works.

Many thanks for your time

Regards

Thomas

Answer 4 · 2019-09-09T20:09:04.000Z

Thanks! For what it's worth, you're looking at the output of the command, encoded as decimal ASCII-value.

Also, I haven't run this thing in production - because of #1 . It looks like it was resolved in FreeBSD but haven't had time to test it out. Also, check out the comments here:

https://derek.chezmarcotte.ca/haproxy-carp-on-freebsd#comment-524117