Conditional Irule

when HTTP_REQUEST {

 

if { not (class match [IP::client_addr] equals internal_subnets) and ([URI::query [HTTP::uri]] contains "arch") } {

 

HTTP::respond 403 content "Forbidden"

 

}

 

}

 

Hi Sashi,

 

 

this is exactly the function I was looking for but I get a syntax error when I create the irule, I am on version 9.4.6, I have tried adding the $:: but without success.

 

 

01070151:3: Rule [jbtest] error:

 

line 2: [parse error: PARSE syntax 36 {syntax error in expression " not (class match [IP::client_addr] equals internal_subnets)...": variable references require preceding $}] [{ not (class match [IP::client_addr] equals internal_subnets) and ([URI::query [HTTP::uri]] contains "arch") }]

 

 

JB

ok, u cant use class on v9. use matchclass instead

 

 

https://devcentral.f5.com/wiki/irules.matchclass.ashx

Hi JB,

What Sashi told you should work fine, but if you wanted to change the order of things you could save yourself a few cycles by not doing an IP Address compare and a Query inspection for every request.

You could search for the Query Value and if it matches then do the IP Address lookup.

 v10.x.xwhen HTTP_REQUEST {
if { [HTTP::query] contains "arch" } {
if { !([class match [IP::client_addr] equals internal_subnets]) } {
HTTP::respond 403 content "Forbidden"
}
}
} v9.x.xwhen HTTP_REQUEST {if { [HTTP::query] contains "arch" } {if { !([matchclass [IP::client_addr] equals $::internal_subnets]) } {HTTP::respond 403 content "Forbidden"}}}

Just another option.

Hope this helps.

Thank You, I will test both of these options out tonight and update tomorrow.

 

Sashi and Michael,

 

 

This rule works as desired!

 

 

Thank you both for the assitance.

 

 

JB