Forum Discussion
Meeks_60174
May 13, 2016 (Nimbostratus)
Client address filtering outside an iRule v11.5 code
Hello,
I've been looking around, and perhaps my Google-fu is not very strong, so I apologize if this is a fairly common solution. Essentially I have this iRule I would like to rid myself of if en...
Stanislas_Piro2
May 13, 2016 (Cumulonimbus)
Policies are executed first, then iRules.
You can set a Tcl variable in policy actions and use it in iRules.
So, you can create a policy to filter based on an HTTP header; if it matches, set a variable HeadersAllow to 1, then check in the iRule whether the variable exists and its value is 1.
when HTTP_REQUEST {
    # Check that the header exists and has the right value, or that the client is an internal or trusted address
    if { !(([info exists "HeadersAllow"]) && ($HeadersAllow) || ([class match [IP::client_addr] equals Trusted-Ip-Addresses ]))} {
        # Drop the packet
        drop
    }
}
The policy is:
ltm policy MyTestPolicy {
    controls { forwarding }
    requires { http }
    rules {
        http_header {
            actions {
                0 {
                    tcl
                    set-variable
                    name HeadersAllow
                    expression 1
                }
            }
            conditions {
                0 {
                    http-header
                    name MyHeader
                    contains
                    values { Predefined_Value }
                }
            }
            ordinal 3
        }
    }
    strategy first-match
}
In version 11.6 and above, the policy configuration is:
ltm policy Policy_test {
    controls { forwarding }
    requires { tcp http }
    rules {
        rule1 {
            actions {
                0 {
                    forward
                    reset
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    not
                    matches
                    values { 1.2.3.4 }
                }
                1 {
                    http-header
                    name MyHeader
                    not
                    values { Predefined_Value }
                    missing
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}
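The flag-checking iRule from the answer above, reworked as an added example (not part of the original post and not F5's own code): it clears HeadersAllow after every request so a value set for one request is not reused by later requests on the same keep-alive connection, and it logs each denial. It assumes the 11.5 policy above sets HeadersAllow, that the variable lives in the connection's Tcl scope like other iRule variables, and that the data group Trusted-Ip-Addresses exists.

```tcl
# Added example. Assumptions: the policy sets HeadersAllow before this event
# fires, and Trusted-Ip-Addresses is an address data group on this BIG-IP.
when HTTP_REQUEST {
    # Start every request as "header not accepted".
    set header_ok 0

    if { [info exists HeadersAllow] } {
        # Accept only the exact value the policy writes.
        set header_ok [expr { $HeadersAllow == 1 }]

        # Consume the flag. Connection-scoped variables survive across
        # requests, so without this a keep-alive connection would carry
        # the 1 into later requests that do not send the header.
        unset HeadersAllow
    }

    # Second way in: the client address is in the trusted data group.
    set trusted_ip [class match [IP::client_addr] equals Trusted-Ip-Addresses]

    if { !($header_ok || $trusted_ip) } {
        # Record the denial so filtered clients are visible in /var/log/ltm.
        log local0.notice "Denied [IP::client_addr]: header check failed and address not in Trusted-Ip-Addresses"
        drop
        return
    }
}
```

The header remains a shared value that any client able to learn it can send, so the address data group is the stronger of the two checks.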