Class match does not appear to work how I expected with contains
- Jan 23, 2020
Hi
Then you can :
- Create a data group "string" with header name as key, and IP / IP RANGE as values
header1 := 10.10.10.0/24|10.10.20.0/24|10.50.1.1
- Get the header
- Check if header in datagroup, and if not, allow (header not filtered)
- If header in datagroup, get allowed IPs and range in list
- Loop through each IP / range and check if source is included there.
- And make a decision.
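# Look up the allowed IPs / ranges for this header in data group "ttt" and split on "|"
set allowedips [split [class match -value $hdrtocheck equals ttt] "|"]
log local0. "$allowedips"
set allowed 0
if { ! ($allowedips equals "") } {
    # Count the entries that contain the source address
    foreach ip $allowedips {
        if { [IP::addr $srcip equals $ip] } {
            incr allowed
        }
    }
    if { $allowed > 0 } {
        log local0. "$srcip allowed"
    } else {
        log local0. "$srcip denied"
    }
} else {
    # Header is not in the data group: not filtered
    log local0. "not checked"
}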
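An offline model of the procedure in the post above, added here as an example and not part of the original post or of F5's code: it evaluates the same header-to-IP-list records in Python so that data group values can be linted and the three logged outcomes tested before the iRule is deployed. The record contents, the function names and the strict CIDR parsing are assumptions of this sketch.

```python
import ipaddress

# Constructed sample records in the post's format:
# header name := IPs / ranges separated by "|"
DATAGROUP = {
    "header1": "10.10.10.0/24|10.10.20.0/24|10.50.1.1",
    "header2": "192.0.2.10|10.10.3O.0/24",  # second entry deliberately malformed (letter O)
}

def parse_allowed(value):
    """Split a record value on "|"; return (networks, rejected_entries)."""
    nets, bad = [], []
    for entry in value.split("|"):
        entry = entry.strip()
        try:
            # A bare IP becomes a /32; strict=True rejects ranges with
            # host bits set, such as 10.10.10.5/24.
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            bad.append(entry)
    return nets, bad

def decide(header, src_ip, datagroup=DATAGROUP):
    """Return 'not checked', 'allowed' or 'denied', the outcomes logged in the post."""
    value = datagroup.get(header)
    if not value:
        # Header absent from the data group: the post treats it as not filtered.
        return "not checked"
    nets, _rejected = parse_allowed(value)
    addr = ipaddress.ip_address(src_ip)
    return "allowed" if any(addr in net for net in nets) else "denied"

def lint(datagroup=DATAGROUP):
    """Map each header name to its entries that are not valid IPs or ranges."""
    report = {}
    for name, value in datagroup.items():
        rejected = parse_allowed(value)[1]
        if rejected:
            report[name] = rejected
    return report

if __name__ == "__main__":
    print(decide("header1", "10.10.20.7"), decide("header1", "10.50.1.2"))
    print(lint())
```

A malformed entry never matches in this model, so the source it was meant to cover ends up denied; running `lint()` over the records first surfaces that before it shows up in traffic.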
Hi
class match -value SSSdaveSSS will return "10.10.10.5", that is, the value of the name/value pair.
Depending on what you are trying to do, create a datagroup of type address, then insert name/value pairs, like this:
10.10.10.0/24 := header1|header2|header3|header4
then use
if { [class match -value $srcIP equals DGallowedheader] contains $headertocheck } {
    log local0. "allowed"
} else {
    log local0. "denied"
}
This approach also allows you to use network range in your datagroup.
Yoann
apologies meant to hit reply rather than submit as a different answer