Forum Discussion
bbensten_8485
Jul 07, 2014Nimbostratus
Following order in Irule processing.
Hi, we have the following irule that thanks to a Dev Central user is working well but I have an additional question. Can someone help me add logic that allows the rule to process in order of granula...
nitass
Employee
e.g.
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.24.10:80
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
http { }
tcp { }
}
rules {
qux
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vs-index 55
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal allowed_IPs
ltm data-group internal allowed_IPs {
records {
172.28.24.15/32 { }
}
type ip
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
when HTTP_REQUEST {
set path [string tolower [HTTP::path]]
log local0. "*********************"
log local0. "client=[IP::client_addr] host=[HTTP::host] path=$path"
if { $path starts_with "/blah" } {
if { [string match "/blah/*/blah2*" $path] } {
log local0. "$path matches /blah/*/blah2*"
} else {
log local0. "$path starts with /blah but not /blah/*/blah2*"
if { ! [class match [IP::client_addr] equals allowed_IPs]} {
log local0. "[IP::client_addr] does not match allowed IP list"
} else {
log local0. "[IP::client_addr] matches allowed IP list"
}
}
}
}
}
/var/log/ltm
[root@ve11a:Active:In Sync] config tail -f /var/log/ltm
Jul 8 00:38:53 ve11a info tmm[29362]: Rule /Common/qux : *********************
Jul 8 00:38:53 ve11a info tmm[29362]: Rule /Common/qux : client=172.28.24.1 host=172.28.24.10 path=/blah/something
Jul 8 00:38:53 ve11a info tmm[29362]: Rule /Common/qux : /blah/something starts with /blah but not /blah/*/blah2*
Jul 8 00:38:53 ve11a info tmm[29362]: Rule /Common/qux : 172.28.24.1 does not match allowed IP list
Jul 8 00:39:23 ve11a info tmm[29362]: Rule /Common/qux : *********************
Jul 8 00:39:23 ve11a info tmm[29362]: Rule /Common/qux : client=172.28.24.15 host=172.28.24.10 path=/blah/something
Jul 8 00:39:23 ve11a info tmm[29362]: Rule /Common/qux : /blah/something starts with /blah but not /blah/*/blah2*
Jul 8 00:39:23 ve11a info tmm[29362]: Rule /Common/qux : 172.28.24.15 matches allowed IP list
Jul 8 00:39:36 ve11a info tmm1[29362]: Rule /Common/qux : *********************
Jul 8 00:39:36 ve11a info tmm1[29362]: Rule /Common/qux : client=172.28.24.1 host=172.28.24.10 path=/blah/1/2/blah2/something
Jul 8 00:39:36 ve11a info tmm1[29362]: Rule /Common/qux : /blah/1/2/blah2/something matches /blah/*/blah2*
Jul 8 00:39:57 ve11a info tmm[29362]: Rule /Common/qux : *********************
Jul 8 00:39:57 ve11a info tmm[29362]: Rule /Common/qux : client=172.28.24.1 host=172.28.24.10 path=/somethingelse
bbensten_8485
Jul 10, 2014Nimbostratus
Nitass,
This is very helpful. I have a few follow up questions.
1- As you clearly did above, I want to be able to evaluate multiple URI strings and if not one of those strings, require the client IP to be allowed. Right now, there are 7 evaluations that need to be done and if not one of those, it needs to match the ip list. List is as follows:
/blah/blah1
/blah/blah2
/blah/blah3
/blah/blah3/*
/blah/blah4/*
/blah/blah4/*/foo1/foo2
/blah/blah5/blah6-*
2- Would it make sense to do the list of URI options as a Datagroup list? If so, how would we do that?
I really appreciate your help.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects