From 3c2dd310fedd22c6d16937dbd60c7acaad4368cf Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 8 Feb 2026 22:43:34 +0100
Subject: [PATCH] net/haproxy: support more advanced sample fetches and
 converters

---
 net/haproxy/pkg-descr                         |  3 +-
 .../OPNsense/HAProxy/forms/dialogAcl.xml      | 27 ++++++++++++
 .../OPNsense/HAProxy/forms/dialogAction.xml   | 18 ++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 43 +++++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 28 ++++++++++++
 5 files changed, 118 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index c0396f6dc..0af36b5e2 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -27,7 +27,8 @@ Added:
 * add support for GPC/GPT/SC to conditions and rules (#1123, #5109)
 * add support for SSL SNI expression to servers (#3756)
 * add column "mode" to servers overview (#4632)
-* add support for loading mapfiles in conditions
+* add support for loading mapfiles in conditions and rules
+* add support for sample fetches in rules
 
 Fixed:
 * Maintenance tab "SSL Certificates" not working with only one cert
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 39716d8ad..192978937 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -266,6 +266,27 @@
         <type>text</type>
         <help><![CDATA[Specify the value for the URL parameter.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_var</style>
+    </field>
+    <field>
+        <id>acl.var_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.var</id>
+        <label>Variable</label>
+        <type>text</type>
+        <help><![CDATA[The name of a variable, followed by an optional default value, e.g. (req.rate_limit) or (req.rate_limit,10).]]></help>
+    </field>
+    <field>
+        <id>acl.var_value</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
@@ -1788,4 +1809,10 @@
         <type>dropdown</type>
         <help><![CDATA[Load patterns from a map file.]]></help>
     </field>
+    <field>
+        <id>acl.converter</id>
+        <label>Converter</label>
+        <type>text</type>
+        <help><![CDATA[Transforms or processes the output of a sample fetch (e.g. variable, mapping, arithmetic, string manipulation) and passes the result to the next converter or final evaluation. Make more complex conditions possible, e.g. acl rate_abuse var(req.rate_limit),sub(req.request_rate) lt 0.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 0222a2f4b..64c4230b3 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -325,4 +325,22 @@
         <type>text</type>
         <help><![CDATA[Refers to the number of the Stick Counter, e.g. 0 or 1 when using sc0 or sc1 respectively. This value will be ignored in rules that do not support SC.]]></help>
     </field>
+    <field>
+        <id>action.mapfile</id>
+        <label>Mapfile</label>
+        <type>dropdown</type>
+        <help><![CDATA[Load patterns from a map file.]]></help>
+    </field>
+    <field>
+        <id>action.map_default</id>
+        <label>Map default value</label>
+        <type>text</type>
+        <help><![CDATA[When a map file is specified, this is the default value.]]></help>
+    </field>
+    <field>
+        <id>action.sample_fetch</id>
+        <label>Sample fetch</label>
+        <type>text</type>
+        <help><![CDATA[Extracts a value from the request or connection context (e.g. path, header, source IP) to be used as input for converters or matching rules. May be used in combination with set-var and map files to create more complex rules, e.g.<br/>http-request set-var(req.rate_limit) path,map_beg(/path/to/mapfile,20)</br>http-request set-var(req.request_rate) base32+src,table_http_req_rate()]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index a99d6d469..17d19969a 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1951,6 +1951,7 @@
                         <ssl_sni_sub>ssl_sni_sub – SNI TLS extension contains (TCP request content inspection)</ssl_sni_sub>
                         <stopping>stopping – HAProxy process is currently stopping</stopping>
                         <url_param>url_param – URL parameter contains</url_param>
+                        <var>var – Compare the value of a variable</var>
                         <wait_end>wait_end – Inspection period is over</wait_end>
                         <custom_acl>Custom condition (option pass-through)</custom_acl>
                     </OptionValues>
@@ -2076,6 +2077,25 @@
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </url_param_value>
+                <var type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </var>
+                <var_value type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </var_value>
+                <var_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </var_comparison>
                 <ssl_c_verify_code type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>500000</MaximumValue>
@@ -3467,6 +3487,10 @@
                     <ValidationMessage>Related mapfile item not found</ValidationMessage>
                     <Required>N</Required>
                 </mapfile>
+                <converter type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </converter>
             </acl>
         </acls>
         <actions>
@@ -4142,6 +4166,25 @@
                     <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
                     <Required>N</Required>
                 </sc_number>
+                <mapfile type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>mapfiles.mapfile</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related mapfile item not found</ValidationMessage>
+                    <Required>N</Required>
+                </mapfile>
+                <map_default type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </map_default>
+                <sample_fetch type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </sample_fetch>
             </action>
         </actions>
         <luas>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 7e9c221cf..bf0ad72d8 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1381,6 +1381,18 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'var' %}
+{%               if acl_data.var|default("") != "" and acl_data.var_value|default("") != "" %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('var' ~ acl_data.var ~ converter_data ~ ' ' ~ acl_data.var_comparison ~ ' ' ~ acl_data.var_value) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {#             # handle boolean ACL types that do not require any input #}
 {%             elif acl_data.expression in acl_boolean_types %}
 {%               do acl_options.append(acl_data.expression) %}
@@ -1637,6 +1649,22 @@
 {%           set action_enabled = '0' %}
 {%           do global_action_options.append('# ERROR: unsupported rule type ' ~ action_data.type) %}
 {%         endif %}
+{#         # Add sample fetch to map file config. #}
+{%         if action_data.mapfile|default("") != "" %}
+{%           set mapfile_data = helpers.getUUID(action_data.mapfile) %}
+{%           set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
+{%           set mapfile_config = 'map_' ~ mapfile_data.type %}
+{%           if action_data.map_default|default("") != "" %}
+{%             set mapfile_default = ',' ~ action_data.map_default %}
+{%           endif %}
+{%           if action_data.sample_fetch|default("") != "" %}
+{%             set mapfile_sf = action_data.sample_fetch ~ ',' %}
+{%           endif %}
+{%           do action_options.append(mapfile_sf ~ mapfile_config ~ '(' ~ mapfile_path ~ mapfile_default ~ ')') %}
+{#         # Add/append sample fetch. #}
+{%         elif action_data.sample_fetch|default("") != "" %}
+{%           do action_options.append(action_data.sample_fetch) %}
+{%         endif %}
 {#         # Is this rule enabled in the GUI? #}
 {%         if action_data.enabled|default('') == '1' %}
 {#           # check if action is valid #}