Robert_Pagano_7
Nimbostratus
Jan 08, 2008
accept/reject based on IP address using "matchclass" rather than "starts_with"
I have a working iRule that, besides making a pool selection based on the URI, also checks the IP address of the client to see if the client is allowed to access the "admin" functions. See below...
...
hoolio
Cirrostratus
Jan 08, 2008
Hi,
If you want to compare a single IP/network to another IP/network, you can use the IP::addr function.
As you want to compare the client IP address to multiple networks/hosts, you are correct in using matchclass. SNAT'ing is only done for the serverside connection, so it wouldn't impact the clientside evaluation you're doing.
Your class definition should look like this (in the /config/bigip.conf file):
class ADMIN-NETWORKS_class {
   network 10.30.0.0/16
   host 10.40.1.1
}
Can you add a log statement just after the HTTP_REQUEST line, to log the client IP address and the class contents and reply with the output?
# Braces are needed here: Tcl ends a bare $name at the hyphen
log local0. "client [IP::client_addr] with class: ${::ADMIN-NETWORKS_class}"
I would guess the mask on your class' network entry might be missing or incorrect.
Aaron
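The mask problem suspected in the reply above can be checked offline. This is an added example, not code from the thread or from F5: it parses the class stanza shown in the reply and tests client addresses against it. The names `load_class` and `client_allowed` are hypothetical, and treating a `network` entry without a mask as a single address is Python's `ipaddress` behaviour, used here as an assumption rather than documented BIG-IP behaviour.

```python
import ipaddress
import re

# Constructed sample: the class stanza as it appears in the reply.
GOOD_CONF = """
class ADMIN-NETWORKS_class {
   network 10.30.0.0/16
   host 10.40.1.1
}
"""
# Constructed variant with the mask left off the network entry.
BAD_CONF = GOOD_CONF.replace("10.30.0.0/16", "10.30.0.0")


def load_class(conf_text, name):
    """Parse one address class; return (networks, warnings)."""
    stanza = re.search(r"class\s+" + re.escape(name) + r"\s*\{(.*?)\}",
                       conf_text, re.S)
    if stanza is None:
        raise KeyError("class %s not found" % name)
    networks, warnings = [], []
    for raw in stanza.group(1).splitlines():
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 2 or fields[0] not in ("network", "host"):
            warnings.append("unrecognised entry: " + raw.strip())
            continue
        kind, value = fields
        # strict=False keeps parsing going so the entry can be reported.
        net = ipaddress.ip_network(value, strict=False)
        if kind == "network" and "/" not in value:
            # Assumption: modelled as a single address (Python's default).
            warnings.append("network %s has no mask" % value)
        elif str(net.network_address) != value.split("/")[0]:
            warnings.append("%s %s has host bits set" % (kind, value))
        networks.append(net)
    return networks, warnings


def client_allowed(client_ip, networks):
    """True if client_ip falls inside any entry of the class."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        nets, warns = load_class(conf, "ADMIN-NETWORKS_class")
        print(label, client_allowed("10.30.5.9", nets), warns)
```

With the mask in place a client at 10.30.5.9 matches the class; without it only the literal address 10.30.0.0 would, which is the kind of silent admin lockout the log statement is meant to expose.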
