Raymond_Feng_97
Historic F5 Account
May 12, 2006

how to use matchclass work with network group

Hi, all

Very easy question, but I tried several times and still have not found the answer. The question is how to write an iRule like the one below, which is written for iRules 4.5.

 

if( client_ip == one of hacker_class) {
    discard
}
else {
    use pool server_Pool
}

 

 

class hackerIP {
    host 202.1.1.1
    ;host 202.1.1.2
    ;host 202.1.1.3
    ;network 202.1.1.0 mask 255.255.255.0
    .
    .
}

 

 

Sorry, I don't know how to make matchclass work with [ip::remote].

Can anybody help me rewrite this iRule for iRules v9?

 

  • hoolio
    Hi Roy,

    There are a few related posts I found that should get you started:

    http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=7544

    http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=7204

    I think this class and rule should work for you to reject any requests coming from the host/networks defined in the class:

    class my_hosts_networks_class {
       network 10.0.0.0 mask 255.0.0.0
       host 192.168.0.100
    }
    rule reject_rule {
       when CLIENT_ACCEPTED {
          # Compare the connecting client's address against the hosts/networks in the class
          if { [matchclass [IP::client_addr] equals $::my_hosts_networks_class] } {
             reject
          }
          # default action is to return to the VIP's configuration for handling traffic that doesn't match this rule
       }
    }

    Reply if you still have questions.

    Aaron
  • Raymond_Feng_97
    Historic F5 Account
    Haha, it took me one hour to fight with the if-else statement!!!!! I don't know why, but it's true; the iRule below can run:

     

     

    when CLIENT_ACCEPTED {
       if { [ matchclass [IP::client_addr] equals $::hacker_group ] } {
          log "stop!!! "
          reject
       } else
       {
          log "continue!!!"
          pool router_web
       }
    }

     

     

    And when I change the else location, it can't run:

    when CLIENT_ACCEPTED {
       if { [ matchclass [IP::client_addr] equals $::hacker_group ] } {
          log "stop!!! "
          reject
       }
       else {
          log "continue!!!"
          pool router_web
       }
    }

    The software is BIG-IP v9.2.3!! And all our examples are just like the second one, my god!
  • Yes - in TCL, commands do not continue beyond the end of a line, with the following exceptions:

    1) a backslash at the end of a line - \
    2) open braces - {
    3) double quotes - "

    -Al
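    The following is an added example, not code from the thread: a plain tclsh script that reproduces the difference between Raymond's two iRule layouts and Al's three continuation rules. The procs reject and pool are stubs standing in for the iRule commands, and the variable hit is a constructed stand-in for the matchclass result.

```tcl
# Added example, not from the thread: a plain tclsh script showing why the
# two iRule layouts above behave differently. reject and pool are stub procs
# standing in for the iRule commands; the rule bodies mirror the ones posted.
proc reject {} { return "rejected" }
proc pool {name} { return "pool $name" }
set hit 0   ;# constructed: pretend the matchclass test did not match

# Layout 1: the line ends with an open brace, so the parser keeps reading and
# the whole if/else is a single command.
set layout_ok {
if { $hit } {
   reject
} else {
   pool router_web
}
}

# Layout 2: "}" plus newline ends the if command; "else" on the next line is
# parsed as a separate command, and no command by that name exists.
set layout_bad {
if { $hit } {
   reject
}
else {
   pool router_web
}
}

# info complete reports whether Tcl would still be waiting for more input at
# the end of the string (an unclosed brace, bracket or quote).
puts "ends with '} else {' complete? [info complete "if {\$hit} {\n reject\n} else {"]"
puts "ends with '}' complete?        [info complete "if {\$hit} {\n reject\n}"]"

# Run both layouts and report the return code and result of each.
foreach {label script} [list "layout 1" $layout_ok "layout 2" $layout_bad] {
   set rc [catch {eval $script} result]
   puts "$label: return code $rc, result: $result"
}

# The three ways a command legally continues onto the next line:
set total [expr {1 + \
   2}]                       ;# 1) backslash at end of line
if { $total == 3 } {         ;# 2) open brace
   set text "line one
line two"                    ;# 3) open double quote
}
puts "total=$total, text has [llength [split $text \n]] lines"
```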