Forum Discussion
I write with not, but it applies true
```tcl
when HTTP_REQUEST {
    if { ([lindex [split [HTTP::path] "/"] 2] contains "control") or \
         ([lindex [split [HTTP::path] "/"] 3] contains "control") or \
         ([lindex [split [HTTP::path] "/"] 1] contains "sql") and \
         ![class match [IP::client_addr] eq ss_allowed_address] } {
        reject
    }
}
```
I tried to write a rule to reject if the IP is not in the ss_allowed_address data group list. But it does the opposite. Does it not accept the not-equal sign with !?
10 Replies
- nitass
Employee
Isn't this correct?
config
```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST {
        log local0. "uri: [HTTP::uri]"
        if { ([lindex [split [HTTP::path] "/"] 2] contains "control") or \
             ([lindex [split [HTTP::path] "/"] 3] contains "control") or \
             ([lindex [split [HTTP::path] "/"] 1] contains "sql" and \
             ![class match [IP::client_addr] eq ss_allowed_address]) } {
            reject
            log local0. "1: [lindex [split [HTTP::path] "/"] 1] \
                2: [lindex [split [HTTP::path] "/"] 2] \
                3: [lindex [split [HTTP::path] "/"] 3] \
                class: ![class match [IP::client_addr] eq ss_allowed_address] \
                reseult: reject"
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal ss_allowed_address
ltm data-group internal ss_allowed_address {
    type ip
}
```
test
```
[root@ve11a:Active:In Sync] config tail -f /var/log/ltm
May 27 05:51:10 ve11a info tmm1[14715]: Rule /Common/qux : uri: /sql/controlA/controlB/something
May 27 05:51:10 ve11a info tmm1[14715]: Rule /Common/qux : 1: sql 2: controlA 3: controlB class: !0 reseult: reject
```
- maximillean_953
Nimbostratus
Hi again,
There is a redirect rule right after this one. The redirect rule redirects to https when /servlet/control is called. This redirect rule somehow disables the filter.
When I send a request for, for example, /1/control it rejects, but when I send /servlet/control it does not apply the filter?
When I remove the redirect rule after the filter rule, the filter starts working again.
The redirect rule is like:
```tcl
when HTTP_REQUEST {
    if { ([HTTP::uri] starts_with "/servlet/control") } {
        HTTP::respond 301 noserver Location https://xyz.com[HTTP::uri]
    }
}
```
- cjunior
Nacreous
I think it is because 'or' overrides 'and'. Place parentheses: if { ( (1 eq 1) or (2 eq 2) ) and !(2 eq 1) } { reject }
Try:
```tcl
when HTTP_REQUEST {
    if { ( ([lindex [split [HTTP::path] "/"] 2] contains "control") or \
           ([lindex [split [HTTP::path] "/"] 3] contains "control") or \
           ([lindex [split [HTTP::path] "/"] 1] contains "sql") ) and \
         ![class match [IP::client_addr] equals ss_allowed_address] } {
        reject
    }
}
```
- PK_Bhatia
Nimbostratus
Please try this
```tcl
when HTTP_REQUEST {
    if { ([lindex [split [HTTP::path] "/"] 2] contains "control") or \
         ([lindex [split [HTTP::path] "/"] 3] contains "control") or \
         ([lindex [split [HTTP::path] "/"] 1] contains "sql") and \
         (class match [IP::client_addr] eq ne ss_allowed_address) } {
        reject
    }
}
```
- maximillean_953
Nimbostratus
"eq ne" is a wrong argument. By the way, friends, the rules that claudio and nitass posted are correct; I have a different problem now. I have a redirect rule after the filter rule that makes the filter pass and redirects.
- nitass
Employee
It seems reject does not work with HTTP::respond in HTTP_REQUEST (when the request matches both reject and HTTP::respond). Not sure if it is a bug or not.
Can you move reject to CLIENT_ACCEPTED instead?
This is my testing in 11.5.1.
config
```
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 33
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST {
        reject
        HTTP::respond 301
    }
}
```
test
```
[root@centos1 ~] curl -I http://172.28.24.10/
HTTP/1.0 301 Moved Permanently
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
```
- maximillean_953
Nimbostratus
OWWWW, too bad we have 11.4.x
- nitass
Employee
It seems reject does not work with HTTP::respond in HTTP_REQUEST (when the request matches both reject and HTTP::respond). Not sure if it is a bug or not.
It happens in 10.2.4 HF7 and 11.5.1. Changing the command order (reject and HTTP::respond) does not help. If it is the same in your version, you may open a support case to verify whether it is a bug or not. :-)
- maximillean_953
Nimbostratus
Same behaviour when you use drop rather than reject; this must definitely be a bug. The same does not apply on NetScalers. I am migrating rules from one to the other, and I write the same as on NetScaler. NetScaler has the same rules as the F5 iRule, but NS blocks while F5 passes the redirect even when drop or reject is used. I hope this will be fixed ASAP. It's meaningless for this to be normal behaviour. I am definitely going to open a case for this!
- maximillean_953
Nimbostratus
OK, it's fixed by the local F5 guy by adding event disable all and return right after reject. And then HTTP::respond does not pass the reject anymore.
```tcl
when HTTP_REQUEST {
    if { ([lindex [split [HTTP::path] "/"] 2] contains "control") or \
         ([lindex [split [HTTP::path] "/"] 3] contains "control") or \
         ([lindex [split [HTTP::path] "/"] 1] contains "sql") and \
         ![class match [IP::client_addr] eq ss_allowed_address] } {
        reject
        event disable all
        return
    }
}
```
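As an added example (not code from this thread or from F5), the following Python model of the posted condition shows the precedence point cjunior raised: in Tcl's expr, as in Python, "and" binds tighter than "or", so the ungrouped rule parses as `A or B or (C and D)` and only the "sql" segment test is guarded by the allow-list check, which is why clients in ss_allowed_address are still rejected on paths such as /servlet/control. The ss_allowed_address contents are constructed here, since the real data group's entries are not shown in the thread.

```python
import ipaddress

# Constructed stand-in for the ss_allowed_address data group (type ip);
# the thread never shows the real group's contents.
SS_ALLOWED_ADDRESS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.0.2.10/32")]


def class_match_ip(client_addr, allowed=SS_ALLOWED_ADDRESS):
    """Model of [class match $addr eq <group>] for a type-ip data group:
    true when the address falls inside any listed host or subnet."""
    ip = ipaddress.ip_address(client_addr)
    return any(ip in net for net in allowed)


def seg(http_path, i):
    """Model of [lindex [split $path "/"] $i]. The leading slash yields an
    empty element 0, and an out-of-range index returns an empty string."""
    parts = http_path.split("/")
    return parts[i] if i < len(parts) else ""


def path_is_sensitive(http_path):
    """The three path tests the rule combines with 'or'."""
    return ("control" in seg(http_path, 2) or "control" in seg(http_path, 3)
            or "sql" in seg(http_path, 1))


def reject_as_posted(http_path, client_addr):
    """Condition exactly as written in the original post: A or B or C and D.
    'and' binds tighter than 'or', so it parses as A or B or (C and D) and
    the allow-list check only guards the 'sql' test."""
    not_allowed = not class_match_ip(client_addr)
    return ("control" in seg(http_path, 2) or "control" in seg(http_path, 3)
            or "sql" in seg(http_path, 1) and not_allowed)


def reject_grouped(http_path, client_addr):
    """Condition with the outer parentheses cjunior suggested:
    (A or B or C) and D, so the allow-list guards every path test."""
    return path_is_sensitive(http_path) and not class_match_ip(client_addr)


if __name__ == "__main__":
    cases = [("/servlet/control", "10.1.2.3"),     # allowed client, sensitive path
             ("/servlet/control", "203.0.113.5"),  # outside client, sensitive path
             ("/sql/controlA/controlB/x", "10.1.2.3"),
             ("/public/index.html", "203.0.113.5")]
    for path, ip in cases:
        print(f"{path:28} {ip:14} posted={reject_as_posted(path, ip)!s:5} "
              f"grouped={reject_grouped(path, ip)}")
```

The first case is the one the original poster hit: an allowed client is rejected by the posted form but passed by the grouped form, while outside clients are rejected by both.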
