Forum Discussion

Robert_Pagano_7's avatar
Robert_Pagano_7
Icon for Nimbostratus rankNimbostratus
Jan 08, 2008

accept/reject based on IP address using "matchclass" rather than "starts_with"

I have a working iRule that, besides making a pool selection based on the URI, also checks the IP address of the client to see if client is allowed to access the "admin" functions. See below...

 

 

when HTTP_REQUEST {

 

if { [HTTP::uri] starts_with "/app/admin" } {

 

if {[IP::client_addr] starts_with "10.64." } {

 

pool APP-7777_pool

 

} else {

 

reject

 

}

 

}

 

elseif { [HTTP::uri] starts_with "/content" } {

 

pool APP-CONTENT-80_pool

 

} else {

 

pool APP-7777_pool

 

}

 

}

 

 

Unfortunately, not all of the admins reside on IP networks that begin with "10.64." so I would like to expand the functionality of the above iRule so that it consults a list of IP networks when making the allow/reject decision.

 

 

I know the matchclass command can do this but my attempt at using it (see below) did not work. I used the GUI to create the "ADMIN-NETWORKS_class" data group which contains the IP network that should be allowed.

 

 

when HTTP_REQUEST {

 

if { [HTTP::uri] starts_with "/app/admin" } {

 

if { [matchclass [IP::client_addr] equals $::ADMIN-NETWORKS_class] } {

 

pool APP-7777_pool

 

} else {

 

reject

 

}

 

}

 

elseif { [HTTP::uri] starts_with "/content" } {

 

pool APP-CONTENT-80_pool

 

} else {

 

pool APP-7777_pool

 

}

 

}

 

 

The LTM is operating in one-arm mode and, so, we are using SNAT. Could this be causing the LTM to overwrite the client address with the SNAT address? If so, is there another variable I can use to get the address of the remote client?

 

 

Any help will be greatly appreciated!

 

 

Thank you.
application delivery
dev
devops
iRules
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 08, 2008
    Hi,

    If you want to compare a single IP/network to another IP/network, you can use the IP::addr function (Click here).

    As you want to compare the client IP address to multiple networks/hosts, you are correct in using matchclass. SNAT'ing is only done for the serverside connection, so it wouldn't impact the clientside evaluation you're doing.

    Your class definition should look like this (in the /config/bigip.conf file):

    
class ADMIN-NETWORKS_class {
   network 10.30.0.0/16
   host 10.40.1.1
}

    Can you add a log statement just after the HTTP_REQUEST line, to log the client IP address and the class contents and reply with the output?

    log local0. "client [IP::client_addr] with class: $::ADMIN-NETWORKS_class"

    I would guess the mask on your class' network entry might be missing or incorrect.

    Aaron