Forum Discussion

MW1
Jan 23, 2020

Class match does not appear to work how I expected with contains

All, I am trying to write an iRule that essentially matches an HTTP header value and checks the allowed IPs which can send it. I have created a datagroup called headers (string type as address typ...
  • Yoann_Le_Corvi1
    Jan 23, 2020

    Hi

    Then you can:

    - Create a "string" data group with the header name as key, and IP / IP RANGE as values

      header1 := 10.10.10.0/24|10.10.20.0/24|10.50.1.1

    - Get the header

    - Check if the header is in the data group, and if not, allow (header not filtered)

    - If the header is in the data group, get the allowed IPs and ranges into a list

    - Loop through each IP / range and check if the source is included there

    - And make a decision.

     
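    # Assumes $hdrtocheck (header to look up) and $srcip (client address) were set earlier in the iRule
    # Look up the header in the data group (named ttt here) and split its value on "|"
    set allowedips [split [class match -value $hdrtocheck equals ttt] "|"]
    log local0. "$allowedips"
    set allowed 0

    if { ! ($allowedips equals "") } {
        # Count every allowed IP / range that contains the source address
        foreach ip $allowedips {
            if { [IP::addr $srcip equals $ip] } {
                incr allowed
            }
        }

        if { $allowed > 0 } {
            log local0. "$srcip allowed"
        } else {
            log local0. "$srcip denied"
        }
    } else {
        # Header not found in the data group: not filtered
        log local0. "not checked"
    }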
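An offline check of data group records in the `key := a|b|c` form shown in the reply above, added here as an example and not part of the original post. It flags entries that are not valid addresses or networks and reproduces the three outcomes the iRule logs; the names `parse_records` and `decide` and the sample records are constructed for illustration.

```python
import ipaddress

# Constructed sample records; header2 carries a deliberately malformed entry.
SAMPLE_RECORDS = """\
header1 := 10.10.10.0/24|10.10.20.0/24|10.50.1.1
header2 := 192.0.2.0/24|not-an-ip
"""

def parse_records(text):
    """Return ({header: [networks]}, [(header, bad_entry), ...])."""
    table, errors = {}, []
    for line in text.splitlines():
        if ":=" not in line:
            continue
        key, _, value = line.partition(":=")
        key = key.strip()
        nets = []
        for entry in value.strip().split("|"):
            entry = entry.strip()
            try:
                # A bare address such as 10.50.1.1 becomes a /32 network.
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                errors.append((key, entry))
        table[key] = nets
    return table, errors

def decide(table, header, src_ip):
    """Outcome for one request: 'not checked', 'allowed' or 'denied'."""
    if header not in table:
        return "not checked"  # header absent from the data group
    addr = ipaddress.ip_address(src_ip)
    # Choice made in this example: a listed header with no valid
    # entries denies every source instead of skipping the check.
    return "allowed" if any(addr in n for n in table[header]) else "denied"

if __name__ == "__main__":
    table, errors = parse_records(SAMPLE_RECORDS)
    for key, entry in errors:
        print(f"invalid entry for {key}: {entry!r}")
    for hdr, ip in [("header1", "10.10.20.7"), ("header1", "10.50.1.2"),
                    ("header3", "10.50.1.2")]:
        print(hdr, ip, decide(table, hdr, ip))
```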