From f171deba9f7bbd9cad85d591c5cedc611b558ef2 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 14 Jan 2018 16:27:39 +0100
Subject: [PATCH] net/haproxy: support many new conditions, refs #202

---
 .../OPNsense/HAProxy/forms/dialogAcl.xml      | 208 +++++++++++++++++
 .../OPNsense/HAProxy/forms/dialogBackend.xml  |   2 +-
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 220 +++++++++++++++++-
 .../templates/OPNsense/HAProxy/haproxy.conf   |  30 +++
 4 files changed, 455 insertions(+), 5 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index a86a6599e..886d9f206 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -198,6 +198,214 @@
         <type>text</type>
         <help><![CDATA[Verify the source IPv4 address of the client of the session matches the specified IPv4 or IPv6 address.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_bytes_in_rate</style>
+    </field>
+    <field>
+        <id>acl.src_bytes_in_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_bytes_in_rate</id>
+        <label>Incoming bytes rate</label>
+        <type>text</type>
+        <help><![CDATA[The average bytes rate from the incoming connection's source address.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_bytes_out_rate</style>
+    </field>
+    <field>
+        <id>acl.src_bytes_out_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_bytes_out_rate</id>
+        <label>Outgoing bytes rate</label>
+        <type>text</type>
+        <help><![CDATA[The average bytes rate to the incoming connection's source address.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_conn_cnt</style>
+    </field>
+    <field>
+        <id>acl.src_conn_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_conn_cnt</id>
+        <label>Connections count</label>
+        <type>text</type>
+        <help><![CDATA[The cumulative number of connections initiated from the current incoming connection's source address.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_conn_cur</style>
+    </field>
+    <field>
+        <id>acl.src_conn_cur_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_conn_cur</id>
+        <label>Concurrent connections</label>
+        <type>text</type>
+        <help><![CDATA[The current amount of concurrent connections initiated from the current incoming connection's source address.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_conn_rate</style>
+    </field>
+    <field>
+        <id>acl.src_conn_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_conn_rate</id>
+        <label>Connection rate</label>
+        <type>text</type>
+        <help><![CDATA[The average connection rate from the incoming connection's source address.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_http_err_cnt</style>
+    </field>
+    <field>
+        <id>acl.src_http_err_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_http_err_cnt</id>
+        <label>HTTP error count</label>
+        <type>text</type>
+        <help><![CDATA[The cumulative number of HTTP errors from the incoming connection's source address.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_http_err_rate</style>
+    </field>
+    <field>
+        <id>acl.src_http_err_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_http_err_rate</id>
+        <label>HTTP error rate</label>
+        <type>text</type>
+        <help><![CDATA[The average rate of HTTP errors from the incoming connection's source address.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_http_req_cnt</style>
+    </field>
+    <field>
+        <id>acl.src_http_req_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_http_req_cnt</id>
+        <label>HTTP request count</label>
+        <type>text</type>
+        <help><![CDATA[The cumulative number of HTTP requests from the incoming connection's source address.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_http_req_rate</style>
+    </field>
+    <field>
+        <id>acl.src_http_req_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_http_req_rate</id>
+        <label>HTTP request rate</label>
+        <type>text</type>
+        <help><![CDATA[The average rate of HTTP requests from the incoming connection's source address.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_kbytes_in</style>
+    </field>
+    <field>
+        <id>acl.src_kbytes_in_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_kbytes_in</id>
+        <label>Data received</label>
+        <type>text</type>
+        <help><![CDATA[The total amount of data received from the incoming connection's source address (in kilobytes).]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_kbytes_out</style>
+    </field>
+    <field>
+        <id>acl.src_kbytes_out_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_kbytes_out</id>
+        <label>Data sent</label>
+        <type>text</type>
+        <help><![CDATA[The total amount of data sent to the incoming connection's source address (in kilobytes).]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_port</style>
+    </field>
+    <field>
+        <id>acl.src_port_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_port</id>
+        <label>Source port</label>
+        <type>text</type>
+        <help><![CDATA[An integer value corresponding to the TCP source port of the connection on the client side, which is the port the client connected from.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_sess_cnt</style>
+    </field>
+    <field>
+        <id>acl.src_sess_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_sess_cnt</id>
+        <label>Session count</label>
+        <type>text</type>
+        <help><![CDATA[The cumulative number of connections initiated from the incoming connection's source address.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index b311cfca5..0f93af843 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -86,7 +86,7 @@
         <label>Stored data types</label>
         <type>select_multiple</type>
         <style>tokenize</style>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index acbef1629..ab97b718c 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -951,9 +951,6 @@
                         <path_end>Path ends with</path_end>
                         <path>Path matches</path>
                         <path_reg>Path regex</path_reg>
-                        <!-- XXX: Notes for migration (added a new similar option):
-                                    path_contains = path_dir (Path contains subdir)
-                                    NEW:            path_sub (Path contains string) -->
                         <path_dir>Path contains subdir</path_dir>
                         <path_sub>Path contains string</path_sub>
                         <url_param>URL parameter contains</url_param>
@@ -962,6 +959,26 @@
                         <ssl_c_verify_code>SSL Client certificate verify error result</ssl_c_verify_code>
                         <ssl_c_ca_commonname>SSL Client certificate issued by CA common-name</ssl_c_ca_commonname>
                         <src>Source IP matches specified IP</src>
+                        <src_is_local>Source IP is local</src_is_local>
+                        <src_port>Source IP: TCP source port</src_port>
+                        <src_bytes_in_rate>Source IP: incoming bytes rate</src_bytes_in_rate>
+                        <src_bytes_out_rate>Source IP: outgoing bytes rate</src_bytes_out_rate>
+                        <src_kbytes_in>Source IP: amount of data received (in kilobytes)</src_kbytes_in>
+                        <src_kbytes_out>Source IP: amount of data sent (in kilobytes)</src_kbytes_out>
+                        <!-- <src_clr_gpc0>Source IP: clear first General Purpose Counter</src_clr_gpc0> -->
+                        <src_conn_cnt>Source IP: cumulative number of connections</src_conn_cnt>
+                        <src_conn_cur>Source IP: concurrent connections</src_conn_cur>
+                        <src_conn_rate>Source IP: connection rate</src_conn_rate>
+                        <!-- <src_get_gpc0>Source IP: get first General Purpose Counter</src_get_gpc0> -->
+                        <!-- <src_get_gpt0>Source IP: get first General Purpose Tag</src_get_gpt0> -->
+                        <!-- <src_gpc0_rate>Source IP: increment rate of the first General Purpose Counter</src_gpc0_rate> -->
+                        <src_http_err_cnt>Source IP: cumulative number of HTTP errors</src_http_err_cnt>
+                        <src_http_err_rate>Source IP: rate of HTTP errors</src_http_err_rate>
+                        <src_http_req_cnt>Source IP: number of HTTP requests</src_http_req_cnt>
+                        <src_http_req_rate>Source IP: rate of HTTP requests</src_http_req_rate>
+                        <!-- <src_inc_gpc0>Source IP: increment the first General Purpose Counter</src_inc_gpc0> -->
+                        <src_sess_cnt>Source IP: cumulative number of connections</src_sess_cnt>
+                        <src_sess_rate>Source IP: session rate</src_sess_rate>
                         <nbsrv>Minimum number of usable servers in backend</nbsrv>
                         <traffic_is_http>Traffic is HTTP</traffic_is_http>
                         <traffic_is_ssl>Traffic is SSL</traffic_is_ssl>
@@ -1054,6 +1071,202 @@
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
                 </src>
+                <src_bytes_in_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_bytes_in_rate_comparison>
+                <src_bytes_in_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_bytes_in_rate>
+                <src_bytes_out_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_bytes_out_rate_comparison>
+                <src_bytes_out_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_bytes_out_rate>
+                <src_conn_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_conn_cnt_comparison>
+                <src_conn_cnt type="IntegerField">
+                    <Required>N</Required>
+                </src_conn_cnt>
+                <src_conn_cur_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_conn_cur_comparison>
+                <src_conn_cur type="IntegerField">
+                    <Required>N</Required>
+                </src_conn_cur>
+                <src_conn_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_conn_rate_comparison>
+                <src_conn_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_conn_rate>
+                <src_http_err_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_http_err_cnt_comparison>
+                <src_http_err_cnt type="IntegerField">
+                    <Required>N</Required>
+                </src_http_err_cnt>
+                <src_http_err_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_http_err_rate_comparison>
+                <src_http_err_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_http_err_rate>
+                <src_http_req_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_http_req_cnt_comparison>
+                <src_http_req_cnt type="IntegerField">
+                    <Required>N</Required>
+                </src_http_req_cnt>
+                <src_http_req_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_http_req_rate_comparison>
+                <src_http_req_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_http_req_rate>
+                <src_kbytes_in_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_kbytes_in_comparison>
+                <src_kbytes_in type="IntegerField">
+                    <Required>N</Required>
+                </src_kbytes_in>
+                <src_kbytes_out_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_kbytes_out_comparison>
+                <src_kbytes_out type="IntegerField">
+                    <Required>N</Required>
+                </src_kbytes_out>
+                <src_port_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_port_comparison>
+                <src_port type="IntegerField">
+                    <Required>N</Required>
+                </src_port>
+                <src_sess_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_sess_cnt_comparison>
+                <src_sess_cnt type="IntegerField">
+                    <Required>N</Required>
+                </src_sess_cnt>
+                <src_sess_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <default>gt</default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_sess_rate_comparison>
+                <src_sess_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_sess_rate>
                 <nbsrv type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>500000</MaximumValue>
@@ -1158,7 +1371,6 @@
                 </operator>
                 <type type="OptionField">
                     <Required>Y</Required>
-                    <!-- XXX TODO: use more user-friendly names instead of HAProxys option names -->
                     <OptionValues>
                         <use_backend>Use specified Backend Pool</use_backend>
                         <use_server>Override server in Backend Pool</use_server>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 9eb5f0976..cfc150c62 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -172,6 +172,36 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'src_is_local' %}
+{%               do acl_options.append('src_is_local') %}
+{%             elif acl_data.expression == 'src_bytes_in_rate' %}
+{%               do acl_options.append('src_bytes_in_rate ' ~ acl_data.src_bytes_in_rate_comparison ~ ' ' ~ acl_data.src_bytes_in_rate) %}
+{%             elif acl_data.expression == 'src_bytes_out_rate' %}
+{%               do acl_options.append('src_bytes_out_rate ' ~ acl_data.src_bytes_out_rate_comparison ~ ' ' ~ acl_data.src_bytes_out_rate) %}
+{%             elif acl_data.expression == 'src_conn_cnt' %}
+{%               do acl_options.append('src_conn_cnt ' ~ acl_data.src_conn_cnt_comparison ~ ' ' ~ acl_data.src_conn_cnt) %}
+{%             elif acl_data.expression == 'src_conn_cur' %}
+{%               do acl_options.append('src_conn_cur ' ~ acl_data.src_conn_cur_comparison ~ ' ' ~ acl_data.src_conn_cur) %}
+{%             elif acl_data.expression == 'src_conn_rate' %}
+{%               do acl_options.append('src_conn_rate ' ~ acl_data.src_conn_rate_comparison ~ ' ' ~ acl_data.src_conn_rate) %}
+{%             elif acl_data.expression == 'src_http_err_cnt' %}
+{%               do acl_options.append('src_http_err_cnt ' ~ acl_data.src_http_err_cnt_comparison ~ ' ' ~ acl_data.src_http_err_cnt) %}
+{%             elif acl_data.expression == 'src_http_err_rate' %}
+{%               do acl_options.append('src_http_err_rate ' ~ acl_data.src_http_err_rate_comparison ~ ' ' ~ acl_data.src_http_err_rate) %}
+{%             elif acl_data.expression == 'src_http_req_cnt' %}
+{%               do acl_options.append('src_http_req_cnt ' ~ acl_data.src_http_req_cnt_comparison ~ ' ' ~ acl_data.src_http_req_cnt) %}
+{%             elif acl_data.expression == 'src_http_req_rate' %}
+{%               do acl_options.append('src_http_req_rate ' ~ acl_data.src_http_req_rate_comparison ~ ' ' ~ acl_data.src_http_req_rate) %}
+{%             elif acl_data.expression == 'src_kbytes_in' %}
+{%               do acl_options.append('src_kbytes_in ' ~ acl_data.src_kbytes_in_comparison ~ ' ' ~ acl_data.src_kbytes_in) %}
+{%             elif acl_data.expression == 'src_kbytes_out' %}
+{%               do acl_options.append('src_kbytes_out ' ~ acl_data.src_kbytes_out_comparison ~ ' ' ~ acl_data.src_kbytes_out) %}
+{%             elif acl_data.expression == 'src_port' %}
+{%               do acl_options.append('src_port ' ~ acl_data.src_port_comparison ~ ' ' ~ acl_data.src_port) %}
+{%             elif acl_data.expression == 'src_sess_cnt' %}
+{%               do acl_options.append('src_sess_cnt' ~ acl_data.src_sess_cnt_comparison ~ ' ' ~ acl_data.src_sess_cnt) %}
+{%             elif acl_data.expression == 'src_sess_rate' %}
+{%               do acl_options.append('src_sess_rate ' ~ acl_data.src_sess_rate_comparison ~ ' ' ~ acl_data.src_sess_rate) %}
 {%             elif acl_data.expression == 'nbsrv' %}
 {%               do acl_options.append('') %}
 {%               if acl_data.nbsrv|default("") != "" %}