how to use matchclass work with network group

Hi Roy,

There are a few related posts I found that should get you started:

http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=7544

http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=7204

I think this class and rule should work for you to reject any requests coming from the host/networks defined in the class:

class my_hosts_networks_class  {
   network 10.0.0.0 mask 255.0.0.0
   host 192.168.0.100
}
rule reject_rule {
   when CLIENT_ACCEPTED {
      if { [matchclass $::my_hosts_networks_class equals ::my_hosts_networks_class ] } { 
         reject
      }
       default action is to return to VIP's configuration for handling traffic that doesn't match this rule
   }
}

Reply if you still have questions.

Aaron

haha, it takes me one hour to combat with if-else state!!!!! I don't know why, but it's true , blew irules can run:

 

 

when CLIENT_ACCEPTED {

 

if { [ matchclass [IP::client_addr] equals $::hacker_group ] } {

 

log "stop!!! "

 

reject

 

} else

 

{

 

log "continue!!!"

 

pool router_web

 

}

 

}

 

 

and when I change the else location, it can't run:

 

when CLIENT_ACCEPTED {

 

if { [ matchclass [IP::client_addr] equals $::hacker_group ] } {

 

log "stop!!! "

 

reject

 

}

 

else {

 

log "continue!!!"

 

pool router_web

 

}

 

}

 

 

software is bigip v9.2.3!! and all our example is just like the second, my god!

Yes - in TCL commands do not continue beyond the end of a line with the following exceptions:

 

 

1) a backslash at the end of a line - \

 

2) open braces - {

 

3) double quotes - "

 

 

-Al