data group not matching
I'm writing an iRule to deny logins from external users. I've tried to define a data group that contains allowed subnets, but have not been able to get it to match to an incoming address. See below.
class UserDataGroup {
   {
      network 10.9.0.0/13
      network 10.16.0.0/13
   }
}
when CLIENT_ACCEPTED {
   set debug "1"
   if {$debug} {log local0. "Client IP address is: [IP::remote_addr]"}
   # Check if client IP is not in the UserDataGroup
   if { [matchclass [IP::remote_addr] equals $::UserDataGroup] }{
      log local0. "Client is in UserDataGroup1"
      # Prevent the HTTP_REQUEST event from firing if user is from local network
      event HTTP_REQUEST disable
   }
   else {log local0. "Client is in NOT UserDataGroup"}
}
when HTTP_REQUEST {
   switch -glob [HTTP::uri] {
      "/login.aspx" -
      "/foo/login.aspx" -
      "/bar/login.aspx" {
         # Reject login info from non local sites
         HTTP::respond 403 content "Logins only allowed from local networks.\r\n"
      }
   }
}
Apr 1 14:12:52 local/tmm info tmm[4711]: Rule LocalOnly : Client IP address is: 10.10.17.153
Apr 1 14:12:52 local/tmm info tmm[4711]: Rule LocalOnly : Client is in NOT UserDataGroup
If I change my rule to this, it works fine:
if { [IP::addr [IP::remote_addr] equals 10.9.0.0/12] }{
   log local0. "Client is in UserDataGroup1"
   # Prevent the HTTP_REQUEST event from firing if user is from local network
   event HTTP_REQUEST disable
}
elseif { [IP::addr [IP::remote_addr] equals 10.16.0.0/13] }{
   log local0. "Client is in UserDataGroup2"
}
Any idea what I'm doing wrong?
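One thing worth checking in any CIDR allow list is whether each entry is actually a network address for its prefix length. In the data group above, 10.9.0.0/13 has host bits set (the aligned /13 containing it is 10.8.0.0/13), while 10.16.0.0/13 is aligned. The Python below is an added example, not part of the post and not F5's matchclass or IP::addr implementation; it uses the standard library ipaddress module to flag such entries, normalize them, and then apply the same "login URIs only from local networks" decision the iRule is trying to make, using the networks and the logged client address from the post. The function names and the two-state decision are this example's own.

```python
"""Check a client address against a CIDR allow list and flag misaligned entries.

Added example; not code from the original post or from F5. The networks and
the client address are the values that appear in the post.
"""
import ipaddress

# Allow-list entries exactly as written in the post's data group (constructed
# input for this example, copied from the post).
ALLOWED_NETWORKS = ["10.9.0.0/13", "10.16.0.0/13"]
CLIENT_FROM_LOG = "10.10.17.153"  # client address from the post's log line


def normalize_entry(entry):
    """Return (network, was_aligned) for one CIDR string.

    ip_network(strict=True) rejects an entry whose host bits are set, which is
    the "10.9.0.0/13" case; strict=False masks the host bits off so we can still
    see which network the entry denotes once a matcher masks it.
    """
    try:
        return ipaddress.ip_network(entry, strict=True), True
    except ValueError:
        return ipaddress.ip_network(entry, strict=False), False


def check_alignment(entries):
    """Map each entry to (masked network as string, aligned flag).

    An entry with host bits set is ambiguous: its effective meaning depends on
    whether the matcher masks the stored entry as well as the client address.
    Flagging it lets the operator write the aligned form in the data group.
    """
    return {entry: (str(net), aligned)
            for entry, (net, aligned) in ((e, normalize_entry(e)) for e in entries)}


def is_local_client(client_ip, entries):
    """True if client_ip falls inside any allow-list network after masking."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in normalize_entry(e)[0] for e in entries)


def login_decision(client_ip, uri, entries):
    """Mirror the iRule's intent: login URIs are served to local clients only.

    Returns the HTTP status the request should get: 403 for a login path
    requested from outside the allow list, 200 otherwise.
    """
    login_paths = ("/login.aspx", "/foo/login.aspx", "/bar/login.aspx")
    if uri in login_paths and not is_local_client(client_ip, entries):
        return 403
    return 200


if __name__ == "__main__":
    for entry, (net, aligned) in check_alignment(ALLOWED_NETWORKS).items():
        if aligned:
            print(f"{entry}: aligned")
        else:
            print(f"{entry}: host bits set, masks to {net}")
    print("client is local:", is_local_client(CLIENT_FROM_LOG, ALLOWED_NETWORKS))
    print("GET /login.aspx ->", login_decision(CLIENT_FROM_LOG, "/login.aspx", ALLOWED_NETWORKS))
```

Run against the post's values, the alignment report points at 10.9.0.0/13 as the entry to rewrite (as 10.8.0.0/13 if the whole block was intended, or as a narrower aligned prefix if not), and the decision function shows what the rule should do for the logged client once the allow list matches.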