The firewall mode is in the (OFF/DETECTING) state, so ideally it shouldn't restrict any unmatched-pattern queries; however, it is blocking them.
```
mysql> select * from global_variables where variable_name = 'pgsql-firewall_whitelist_enabled';
+----------------------------------+----------------+
| variable_name                    | variable_value |
+----------------------------------+----------------+
| pgsql-firewall_whitelist_enabled | 1              |
+----------------------------------+----------------+
1 row in set (0.01 sec)

mysql> select * from pgsql_firewall_whitelist_users;
+--------+----------+----------------+------+------------------------+
| active | username | client_address | mode | comment                |
+--------+----------+----------------+------+------------------------+
| 1      | app      | %              | OFF  | whitelist user details |
+--------+----------+----------------+------+------------------------+
1 row in set (0.00 sec)

mysql> select * from pgsql_firewall_whitelist_rules;
+--------+----------+----------------+----------+--------+--------------------+-----------+
| active | username | client_address | database | flagIN | digest             | comment   |
+--------+----------+----------------+----------+--------+--------------------+-----------+
| 1      | app      |                | test     | 0      | 0x122e2293a50d2982 | data feed |
| 1      | app      |                | test     | 0      | 0x69a5d62ad668d376 | data feed |
| 1      | app      |                | test     | 0      | 0x8ea80a04af1ea11b | data feed |
| 1      | app      |                | test     | 0      | 0x695fbf255dbeb0dd | data feed |
| 1      | app      |                | test     | 0      | 0xd6a4033c06bd91c3 | data feed |
| 1      | app      |                | test     | 0      | 0xfad1519e4760cbde | data feed |
| 1      | app      |                | test     | 0      | 0x14413e3ae346d20e | data feed |
| 1      | app      |                | test     | 0      | 0x1c1a6dc31d09139b | data feed |
| 1      | app      |                | test     | 0      | 0x230fac846491170f | data feed |
| 1      | app      |                | test     | 0      | 0x28b3b57ef755d47e | data feed |
| 1      | app      |                | test     | 0      | 0x374ef2a1b51b27d4 | data feed |
| 1      | app      |                | test     | 0      | 0x3b6a8e2973759fbe | data feed |
| 1      | app      |                | test     | 0      | 0x42f84902f0b2fc3c | data feed |
| 1      | app      |                | test     | 0      | 0x4bcb6024bc5b5c7e | data feed |
```
Query blocking:
```
shell> PGPASSWORD="app" psql -h 127.0.0.1 -p 6133 -U app -d test -c "SELECT now();"
ERROR: Firewall blocked this query
```
When we globally disable the firewall, it works.
```
mysql> SET pgsql-firewall_whitelist_enabled = 0;
Query OK, 1 row affected (0.00 sec)

mysql> LOAD PGSQL VARIABLES TO RUNTIME;
Query OK, 0 rows affected (0.00 sec)

shell> PGPASSWORD="app" psql -h 127.0.0.1 -p 6133 -U app -d test -c "SELECT now();"
              now
-------------------------------
 2026-01-28 04:55:38.971978+00
(1 row)
```
The documentation also says the workload should be allowed. I think there is buggy behaviour here, or scope for improvement.

> mode defines the firewall user mode, which can be:
> - OFF : allows any query
> - DETECTING : allows any query, but queries not explicitly enabled in table mysql_firewall_whitelist_rules generate an error entry in the error log
> - PROTECTING : allows only queries explicitly enabled in mysql_firewall_whitelist_rules , and blocks any other query
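As an added illustration (not ProxySQL's code and not part of this issue), the following Python model encodes the documented per-user mode semantics (OFF, DETECTING, PROTECTING) and applies them to the `whitelist_users` and `whitelist_rules` rows shown above, so the expected verdict for the `app` user's `SELECT now();` can be stated and compared against what the proxy actually did. Everything in it is an assumption of the model rather than ProxySQL internals: `%` and an empty `client_address` are treated as "any client", a client with no `whitelist_users` row is treated as PROTECTING, the log line format is invented, and `UNMATCHED_DIGEST` is a constructed placeholder because the real digest of `SELECT now();` is not on the page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Tuple


class Mode(Enum):
    OFF = "OFF"
    DETECTING = "DETECTING"
    PROTECTING = "PROTECTING"


@dataclass(frozen=True)
class WhitelistUser:
    # Mirrors the columns of pgsql_firewall_whitelist_users shown in the issue.
    active: int
    username: str
    client_address: str
    mode: Mode


@dataclass(frozen=True)
class WhitelistRule:
    # Mirrors the columns of pgsql_firewall_whitelist_rules shown in the issue.
    active: int
    username: str
    client_address: str
    database: str
    flagIN: int
    digest: str


def client_matches(pattern: str, address: str) -> bool:
    # Assumption of this model: '%' and an empty string mean "any client".
    return pattern in ("", "%") or pattern == address


def find_user_mode(users: Iterable[WhitelistUser], username: str, client_address: str) -> Optional[Mode]:
    # First active row whose username and client pattern match the connecting client.
    for u in users:
        if u.active and u.username == username and client_matches(u.client_address, client_address):
            return u.mode
    return None


def rule_matches(rules: Iterable[WhitelistRule], username: str, client_address: str,
                 database: str, flag_in: int, digest: str) -> bool:
    # A query is "explicitly enabled" when an active rule matches on every column.
    return any(
        r.active
        and r.username == username
        and client_matches(r.client_address, client_address)
        and r.database == database
        and r.flagIN == flag_in
        and r.digest == digest
        for r in rules
    )


def firewall_decision(users: Iterable[WhitelistUser], rules: Iterable[WhitelistRule], *,
                      whitelist_enabled: bool, username: str, client_address: str,
                      database: str, flag_in: int, digest: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, log_line): verdict is 'ALLOW' or 'BLOCK'; log_line is the
    error-log entry the documented DETECTING mode would produce, otherwise None."""
    if not whitelist_enabled:
        return "ALLOW", None  # global switch off: nothing is evaluated
    mode = find_user_mode(users, username, client_address)
    if mode is None:
        # Assumption of this model: no whitelist_users row -> treated as PROTECTING.
        mode = Mode.PROTECTING
    if mode is Mode.OFF:
        return "ALLOW", None  # documented: OFF allows any query
    if rule_matches(rules, username, client_address, database, flag_in, digest):
        return "ALLOW", None  # explicitly enabled digest
    if mode is Mode.DETECTING:
        # documented: allowed, but unmatched queries are logged (format invented here)
        return "ALLOW", f"firewall: unmatched digest {digest} for {username}@{client_address} db={database}"
    return "BLOCK", None  # documented: PROTECTING blocks anything not enabled


# Rows taken from the issue (first three rule digests are enough for the model).
ISSUE_RULES = [WhitelistRule(1, "app", "", "test", 0, d) for d in
               ("0x122e2293a50d2982", "0x69a5d62ad668d376", "0x8ea80a04af1ea11b")]
# Constructed placeholder: the real digest of "SELECT now();" is not on the page.
UNMATCHED_DIGEST = "0x0000000000000000"


def decide_for_issue(mode: Mode = Mode.OFF, whitelist_enabled: bool = True,
                     digest: str = UNMATCHED_DIGEST) -> Tuple[str, Optional[str]]:
    """Verdict for the issue's scenario: user 'app' from 127.0.0.1 on db 'test'."""
    users = [WhitelistUser(1, "app", "%", mode)]
    return firewall_decision(users, ISSUE_RULES, whitelist_enabled=whitelist_enabled,
                             username="app", client_address="127.0.0.1",
                             database="test", flag_in=0, digest=digest)


if __name__ == "__main__":
    for m in Mode:
        print(f"mode={m.value:<10} unmatched query -> {decide_for_issue(m)}")
    print("global firewall disabled ->", decide_for_issue(Mode.PROTECTING, whitelist_enabled=False))
```

Under the documented semantics the model returns `ALLOW` for the issue's configuration (user mode OFF, unmatched digest), so the `ERROR: Firewall blocked this query` response is the verdict this model would only produce for PROTECTING mode. Pinning the expected verdict per mode in a test like this makes a regression in the proxy's mode handling visible before it reaches production traffic.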