Combining Logical Operators

Question

Hi all. Hope you're all well.&nbsp;
&nbsp;I'd like to reduce some scripts I have that are used to restrict and redirect traffic. Access is based on domain name and client IP address. We've multiple domain names pointing to a single VS and restricted URI's too, as well as multiple clients, none of whom should see each others sites.&nbsp;
&nbsp;So, I've got something like that below. We check the IP against the data group and then evaluation the host and uri. Based on the results we redirect accordingly. Then we have to do the same for every different host and every different uri. A nightmare.&nbsp;
&nbsp;It's never gonna be great (we're simply running too much through a single VS) however, I'm sure some of the checks could be reduced. For instance [matchclass [IP::client_addr] equals $::AAA_HOSTS or BBB_HOSTS or CCC_HOSTS]. Is it possible? &nbsp;
&nbsp;(We can combine the data groups by the way, we'd lose track of who's who - unless we could reference data groups from within data groups??)&nbsp;
&nbsp;if {[matchclass [IP::client_addr] equals $::AAA_HOSTS] &amp;&amp; "[HTTP::host]" equals "HOSTA" &amp;&amp; "[HTTP::uri]" equals "/"}
&nbsp;        {
&nbsp;        log local0. "blah blah"
&nbsp;        HTTP::redirect https://blah blah
&nbsp;        }
&nbsp;elseif {[matchclass [IP::client_addr] equals $::BBB_HOSTS] &amp;&amp; "[HTTP::host]" equals "HOSTA" &amp;&amp; "[HTTP::uri]" equals "/"}
&nbsp;        {
&nbsp;        HTTP::redirect https://somewhere else
&nbsp;        }
&nbsp;if&nbsp;&nbsp;
&nbsp;Thanks in advance

gerald_chisholm · Answer

I am trying to generalize some rules, to do this I think a "class" needs to be created. The "class" would be loaded into an array to be referenced by the rule. The size of the class would be unknown and have a format something like this:&nbsp;
&nbsp;IP, number of items that follow, port 1, port 2, port x
&nbsp;"10.10.10.10,2,4111,4121"&nbsp;
&nbsp;Is there a way to bulk load a class into an array?
&nbsp;Should I have a last line in the class to search for?

joe_pruitt · Answer

Data Groups (or classes) can be operated on as if they were a TCL list.  You can use the TCL list commands to get the length of the list and extract elements.  I'm unsure why you want to use an array for this.&nbsp;
&nbsp;If you want to convert the values in the lines of the list into an array, I guess I could understand that but you can still use the list commands to achieve the same goal.&nbsp;
&nbsp;Another question I have is why you are including the number of items after the address in the class item value?  Here's some code that will take a class, pull out line by line, convert each line into a separate list (from the comma separated values) and extract the relevant information.&nbsp;&nbsp;class port_mappings {
  "10.10.10.10,4111,4121",
  "10.10.10.20,5111,5121"
}
*** BEGIN iRule ***
when HTTP_REQUEST {
     iterate through port_mappings class (as a list)
    foreach line $::port_mappings {
     Create a list from the current line
    set item_list [split $line ","]
     Extract item 0 (ip address)
    set ip [lindex $item_list 0]
     iterate through all the port numbers.
    for {set x 1} {$x&lt;[llength $item_list]} {incr x} {
      set port [lindex $src_list $x]
    } 
  }
}
*** END iRule ***&nbsp;
&nbsp;Sidenote, if you are trying to use the data group with the matchclass command to find a matching ip address, you could use findclass instead and have it return the trailing list of ports if you format the line like this and call findclass with a separator of a space.&nbsp;
&nbsp;"10.10.10.10 4111,4121"&nbsp;
&nbsp;Not sure if this helps you or not, but I hope it gives you some ideas...&nbsp;
&nbsp;-Joe&nbsp;

gerald_chisholm · Answer

I think this is just what I wanted. We are in the process of moving from 4.5.x to 9.x.y and have more than 50 rules per LB, they are all tweaked a little for each VIP. I would like to generalize to about 5 - 10 rules, to do this I need variable data per VIP.&nbsp;
&nbsp;Also to do this I could use an "init rule" to load the data or have the rule sense the data hadn't been loaded and load it at that time. If the rule senses the data is to be loaded it adds overhead. &nbsp;
&nbsp;  if { [info exists ::slice_list] } {
&nbsp;    if {$::slice_list(0) != "loaded" } {&nbsp;
&nbsp;Is there another / better way of doing this?

what_lies_bene1 · Answer

Thanks for the reply Colin. I think the first option is the most appropriate, it will still simplify things alot, nice one. The second isn't really useable as two IP's (it's all client web proxies) needs access to multiple domains pointing to a single VS but only specific URI's on those domains, another single IP needs access to only one of those domains and on and on and on. That covers a client, their call centre provider and their IVR system. Then you have another client, different domains, same VS, same URI restrictions and so on. Every client has a slightly different setup and trust levels for their IVR providers etc are also different.&nbsp;
&nbsp;It's efficient on the server/platform side but tough to manage, hence the need to seperate the IP's and data group to keep a grip!&nbsp;
&nbsp;Thanks again.

what_lies_bene1 · Answer

Worth noting for anyone who found this useful that my LB's (running 9.05) didn't like the round brackets () at all. Simply removing them solved the problem. Cheers

Forum Discussion

Combining Logical Operators

Recent Discussions

Use of SSL Decryption.

Big IP DNS Failover

Diameter iRules attachment?

Health Monitor unable to connect to OpenShift Router

AS3 Limitations

Related Content

F5 Distributed Cloud - Listener Logic

Conditional XOR operations

F5 Distributed Cloud - Service Policy - Header Matching Logic & Processing

2. SYN Cookie: Operation

vCMP logical interfaces throughput

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS