Forum Discussion
Can anyone explain the behaviour of this iRule
All, I am trying to understand the behaviour of the below iRule. It was meant to block access to the down.php URI, except from the two src IP ranges stated; however, it blocks access from any location and I can't see why.
when HTTP_REQUEST {
    log local0. " Request in [IP::client_addr] [HTTP::host][HTTP::uri]"
    if { [HTTP::uri] contains "/down.php" && ( ![IP::addr [IP::remote_addr] equals 75.66.12.0/255.255.255.0]) or
         [HTTP::uri] contains "/down.php" && ( ![IP::addr [IP::remote_addr] equals 15.150.0.0/255.255.0.0])
    } {
        log local0. " Blocked access [IP::client_addr] [HTTP::host][HTTP::uri]"
        # drop the request
        discard
    }
}
4 Replies
- afedden_1985
Cirrus
It looks like it's discarding those 2 subnets if the URI contains that string in lower case.
- nitass
Employee
Can you try this?
when HTTP_REQUEST {
    log local0. " Request in [IP::client_addr] [HTTP::host][HTTP::uri]"
    if { [HTTP::uri] contains "/down.php" } {
        if { ![IP::addr [IP::remote_addr] equals 75.66.12.0/255.255.255.0] and \
             ![IP::addr [IP::remote_addr] equals 15.150.0.0/255.255.0.0] } {
            log local0. " Blocked access [IP::client_addr] [HTTP::host][HTTP::uri]"
            # drop the request
            discard
        }
    }
}
- MW1
Cirrus
I thought the ! in front of the IP match statement is a NOT/inverse statement.
- Kevin_Stewart
Employee
A slightly different placement of the logic is in order:
when HTTP_REQUEST {
    log local0. " Request in [IP::client_addr] [HTTP::host][HTTP::uri]"
    if { ( [HTTP::uri] contains "/down.php" ) and not ( ( [IP::addr [IP::client_addr] equals 75.66.12.0/255.255.255.0] ) or ( [IP::addr [IP::client_addr] equals 15.150.0.0/255.255.0.0] ) ) } {
        log local0. " Blocked access [IP::client_addr] [HTTP::host][HTTP::uri]"
        # drop the request
        reject
    }
}
If you're ever curious about what a logic statement is returning, you can do something like this:
log local0. [expr { ( ( [IP::addr [IP::client_addr] equals 10.80.0.0/255.255.255.0] ) or ( [IP::addr [IP::client_addr] equals 15.150.0.0/255.255.0.0] ) ) }]
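Added example (not part of the thread, and written in Python rather than as iRule code): the three conditions posted above, modelled with the `ipaddress` module, to show that the original `or` of two negated subnet matches is true for every client, while the two suggested forms agree with each other by De Morgan's law. The function names and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Allowed source ranges, copied from the iRule in the question.
NET_A = ipaddress.ip_network("75.66.12.0/255.255.255.0")
NET_B = ipaddress.ip_network("15.150.0.0/255.255.0.0")


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


def original_blocks(uri, addr):
    # Question's condition: (uri and not A) or (uri and not B).
    hit = "/down.php" in uri
    return (hit and not in_net(addr, NET_A)) or (hit and not in_net(addr, NET_B))


def nested_and_blocks(uri, addr):
    # nitass's form: uri match, then (not A) and (not B).
    if "/down.php" in uri:
        return not in_net(addr, NET_A) and not in_net(addr, NET_B)
    return False


def not_or_blocks(uri, addr):
    # Kevin_Stewart's form: uri and not (A or B).
    return "/down.php" in uri and not (in_net(addr, NET_A) or in_net(addr, NET_B))


# Constructed sample clients: one per allowed range, one outside both.
SAMPLES = ["75.66.12.40", "15.150.3.9", "203.0.113.7"]


def truth_table(uri="/down.php"):
    # One row per client: (addr, original, nested-and, not-or).
    return [
        (a, original_blocks(uri, a), nested_and_blocks(uri, a), not_or_blocks(uri, a))
        for a in SAMPLES
    ]


if __name__ == "__main__":
    for row in truth_table():
        print(row)
```

An address can sit in at most one of the two ranges, so at least one of the negated matches is always true and the original rule drops every request for the URI.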