Forum Discussion
Can someone advise if this format of external class file (old v9.3.1) for addresses is in the correct format
Hi,
I have an iRule that I have mashed together that checks the client's IP against a list in a file held locally on the F5. It works when I use an internal data group but is failing when I use an external one. It is on a very old 9.3.1 LTM. The F5 did not complain when I set it up; however, the matching does not appear to be working:
config b class IPlist list
class IPlist extern {
type ip
filename "/var/class/IPlist"
}
config cat /var/class/IPlist
host 172.30.0.30,
host 192.16.83.5,
host 128.44.5.3,
host 94.11.71.11,
host 128.33.4.3,
The iRule is:
when HTTP_REQUEST {
    log local0. "TEST-irule request coming"
    switch -glob [string tolower [HTTP::uri]] {
        "/medq_esb/proxy_services*" {
            # Only check POST requests
            if { [HTTP::method] eq "POST" } {
                log local0. "TEST-irule post request"
                # Default amount of request payload to collect (in bytes)
                set collect_length 2048
                # Check for a non-existent Content-Length header
                if { [HTTP::header Content-Length] eq "" } {
                    # Use default collect length of 2k for POSTs without a Content-Length header
                    set collect_length $collect_length
                } elseif { [HTTP::header Content-Length] == 0 } {
                    # Don't try to collect a payload if there isn't one
                    unset collect_length
                    log local0. "TEST-irule no content length"
                } elseif { [HTTP::header Content-Length] > $collect_length } {
                    # Use default collect length
                    set collect_length $collect_length
                } else {
                    # Collect the actual payload length
                    set collect_length [HTTP::header Content-Length]
                }
                # If the POST Content-Length isn't 0, collect (a portion of) the payload
                if { [info exists collect_length] } {
                    # Trigger collection of the request payload
                    HTTP::collect $collect_length
                    log local0. "TEST-irule going to collect request"
                }
            } else {
                pool company7_osb_pool
            }
        }
        "/platform-webservices/filetransferdatatransferservices*" { pool company7_filetransfer_pool }
        "/webservices/company*" { pool QASAR }
        "/urls/forgot-password" {
            HTTP::redirect "https://ca.company.com/utilities/psa.aspx?ACT=REQPASS"
        }
        "/urls/forgot-username" {
            HTTP::redirect "https://ca.company.com/utilities/psa.aspx?ACT=REQUNAME"
        }
        default {
            discard
            log local0. "TEST-irule request discarded"
        }
    }
}
when HTTP_REQUEST_DATA {
    set data {
Your IP address has not been recognized.
Please contact company support.false
    }
    # Match the data for a specific companyid and a login request
    if { [HTTP::payload] contains ">123" and [HTTP::payload] contains "
        log local0. "TEST-irule matched company and login request"
        # Match the client's IP against the register list and respond with the block MSG if not found
        if { ![matchclass [IP::client_addr] equals $::IPlist] } {
            log local0. "TEST-irule going to reply with block to [IP::client_addr] "
            HTTP::respond 200 content $data "Content-Type" "text/xml; charset=utf-8"
        } else {
            pool company7_osb_pool
            log local0. "TEST-irule IP Matched"
        }
    }
    pool company7_osb_pool
    log local0. "TEST-irule no company and login request match"
}
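An added check for the class file format asked about above (example code written here, not from the original thread or from F5): it parses lines of the form `host <ipv4>,` as the v9 file in the question is written, reproduces the result matchclass reports in nitass's tmm log (the 1-based index of the matching entry, 0 when nothing matches), and is the validation to run on a freshly downloaded list before it replaces /var/class/IPlist and the config is reloaded. It assumes only `host` entries, as on this page; the sample file contents are constructed.

```python
import ipaddress
import re

# One entry per line, exactly as in the question: "host <ipv4>," (the
# trailing comma is part of the v9 external class file syntax).
HOST_LINE = re.compile(r"^\s*host\s+(\d{1,3}(?:\.\d{1,3}){3})\s*,\s*$")

# Constructed sample file: the entries in the order the tmm log in nitass's
# reply lists them, so the index matchclass returns there (6) is reproduced.
SAMPLE_CLASS_FILE = """\
host 172.30.0.30,
host 192.16.83.5,
host 128.44.5.3,
host 94.11.71.11,
host 128.33.4.3,
host 100.100.100.1,
"""

def parse_class_file(text):
    """Entries in file order as /32 networks (how the tmm log shows host
    entries held); a line that is not "host <ipv4>," raises ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = HOST_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a 'host <ipv4>,' entry: {line!r}")
        # ip_network also rejects octets above 255 that the regex lets through
        entries.append(ipaddress.ip_network(m.group(1) + "/32"))
    return entries

def is_valid_class_file(text):
    """Gate to run on a downloaded list before it replaces
    /var/class/IPlist and 'b load' is issued."""
    try:
        parse_class_file(text)
        return True
    except ValueError:
        return False

def matchclass(client_addr, entries):
    """Emulate v9 'matchclass <ip> equals $::IPlist': the 1-based index of
    the first matching entry, or 0 when none matches, which is why
    ![matchclass ...] in the iRule reads as "client is not on the list"."""
    addr = ipaddress.ip_address(client_addr)
    for idx, net in enumerate(entries, 1):
        if addr in net:
            return idx
    return 0
```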
5 Replies
- nitass
Employee
this is mine.
[root@bigip:Active] config b version|grep -iA 1 version
BIG-IP Version 9.3.1 37.1
  Final Edition
[root@bigip:Active] config b rule myrule list
rule myrule {
   when HTTP_REQUEST {
       log local0. "\[IP::client_addr\] [IP::client_addr]"
       log local0. "\[matchclass [IP::client_addr] equals $::IPlist\] [matchclass [IP::client_addr] equals $::IPlist]"
   }
}
[root@bigip:Active] config b class IPlist list
class IPlist extern {
   type ip
   filename "/var/class/IPlist"
}
[root@bigip:Active] config cat /var/class/IPlist
host 94.11.71.11,
host 100.100.100.1,
host 128.33.4.3,
host 128.44.5.3,
host 172.30.0.30,
host 192.16.83.5,
[root@bigip:Active] config tail -f /var/log/ltm
Apr 29 18:05:02 tmm tmm[1229]: Rule myrule : [IP::client_addr] 100.100.100.1
Apr 29 18:05:02 tmm tmm[1229]: Rule myrule : [matchclass 100.100.100.1 equals {172.30.0.30/32} {192.16.83.5/32} {128.44.5.3/32} {94.11.71.11/32} {128.33.4.3/32} {100.100.100.1/32}] 6
Apr 29 18:05:04 tmm tmm[1229]: Rule myrule : [IP::client_addr] 100.100.100.3
Apr 29 18:05:04 tmm tmm[1229]: Rule myrule : [matchclass 100.100.100.3 equals {172.30.0.30/32} {192.16.83.5/32} {128.44.5.3/32} {94.11.71.11/32} {128.33.4.3/32} {100.100.100.1/32}] 0
- MW1
Cirrus
Thanks for the response. I have realised my issue is that the external data group does not get reloaded when the file is altered, so it is matching, just not using the updated data. The F5 this is eventually destined for is running v11, so that might give me some options around this (I only have the v9.3.1 to test on currently and realise there will need to be a few tweaks to the iRule for v11). Unfortunately I am looking to have this data group updated without needing support to access the F5, so I need to look for some way to detect that the file has changed and perform an action to read the new data group.
- MW1
Cirrus
Realise I am starting to fall out of the iRule arena; however, to prevent starting multiple threads: looking into loading a data group, it appears I need to issue a b load to reload the config. Can anyone advise if existing connections are disrupted/lost during a config load?
To complete the picture, I am running an external monitor script to poll and update the data group from a remote web site (I guess it could as easily be done by cron; however, thanks to the gent who suggested it)!
#!/bin/bash
# F5 monitor script to pull IP list for data group from remote web page
# define tmp file with path for download
tmpfile="/var/tmp/ip-tmp"
# define final IPlist data group file with path used by F5
IPlist="/var/class/IPlist"
# define URL to retrieve IP's from e.g http://site/list.html
URL="http://192.168.52.243/IPlist.html"
PIDFILE="/var/run/`basename ${0}`.pid"
# kill off the last instance of this monitor if hung and log current pid
if [ -f $PIDFILE ]
then
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# Call curl to download IP list and pull IP's using perl with correct formatting and write to tmp file
curl -s $URL | perl -lne 'while (/(\d+\.){3}\d+/g){print "host $&,"}' > $tmpfile
# Check tmp is not empty
if [ -s "$tmpfile" ]
then
    # check if the files differ
    diff $tmpfile $IPlist
    if [ $? -ne 0 ]
    then
        # copy the tmp file over the original file
        cp -fr $tmpfile $IPlist
        # reload config to pick up new data group
        b load
    fi
fi
rm -f $tmpfile
rm -f $PIDFILE
exit
- nitass
Employee
Can anyone advise if existing connections are disrupted/lost during a config load? yes
instead of re-loading configuration, can you try something like this?
How do you re-instantiate an iRule after external Data Group changes?
https://devcentral.f5.com/community/group/aft/2165353/asg/50
by the way, you know external file is managed differently in 11.x, don't you?
sol13423: Importing external files to the BIG-IP system
http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13423.html - MW1
Cirrus
Thanks for that - I was actually in mid-reply when you posted, stating I had updated to something similar to the above. I was actually deleting then re-adding; however, your suggestion of just adding is even less impacting.
Very much appreciated