Forum Discussion
Ip filter iRule with multiple data groups
Hi shipszky,
If you want to stick to your existing iRule structure then take a look below to see how multiple data-groups can be queried in a serial manner for [HTTP::uri] eq /.
Note: But I second Stanislas' opinion that an approach with just two data-groups (one to identify the IPs and a second one to identify the URI) makes way more sense (e.g. easier to maintain, better flexibility).
when HTTP_REQUEST {
    # Compute the lower-case URI once and reuse it in every comparison below.
    set low_uri [string tolower [HTTP::uri]]
    if { $low_uri eq "/t/lccc/" } then {
        if { [class match [IP::client_addr] equals /Education/tableau_lccc] } then {
            # Let the request pass...
        } else {
            HTTP::respond 403 content "Access Denied"
        }
    } elseif { $low_uri eq "/t/wwcc/" } then {
        if { [class match [IP::client_addr] equals /Education/tableau_wwcc] } then {
            # Let the request pass...
        } else {
            HTTP::respond 403 content "Access Denied"
        }
    } elseif { $low_uri eq "/t/nwccd/" } then {
        if { [class match [IP::client_addr] equals /Education/tableau_nwccd] } then {
            # Let the request pass...
        } else {
            HTTP::respond 403 content "Access Denied"
        }
    } elseif { $low_uri eq "/t/nwc/" } then {
        if { [class match [IP::client_addr] equals /Education/tableau_nwc] } then {
            # Let the request pass...
        } else {
            HTTP::respond 403 content "Access Denied"
        }
    } elseif { $low_uri eq "/t/ewc/" } then {
        if { [class match [IP::client_addr] equals /Education/tableau_ewc] } then {
            # Let the request pass...
        } else {
            HTTP::respond 403 content "Access Denied"
        }
    } elseif { $low_uri eq "/t/cwc/" } then {
        if { [class match [IP::client_addr] equals /Education/tableau_cwc] } then {
            # Let the request pass...
        } else {
            HTTP::respond 403 content "Access Denied"
        }
    } elseif { $low_uri eq "/t/cc/" } then {
        if { [class match [IP::client_addr] equals /Education/tableau_cc] } then {
            # Let the request pass...
        } else {
            HTTP::respond 403 content "Access Denied"
        }
    } elseif { $low_uri eq "/" } then {
        # The root URI is allowed for a client listed in any of the data-groups.
        if { ( [class match [IP::client_addr] equals /Education/tableau_lccc] )
          or ( [class match [IP::client_addr] equals /Education/tableau_wwcc] )
          or ( [class match [IP::client_addr] equals /Education/tableau_nwccd] )
          or ( [class match [IP::client_addr] equals /Education/tableau_nwc] )
          or ( [class match [IP::client_addr] equals /Education/tableau_ewc] )
          or ( [class match [IP::client_addr] equals /Education/tableau_cwc] )
          or ( [class match [IP::client_addr] equals /Education/tableau_cc] ) } then {
            # Let the request pass...
        } else {
            HTTP::respond 403 content "Access Denied"
        }
    } else {
        # Let the request pass...
    }
}
Note: I've changed your existing syntax slightly so that LTM computes the lower URI just a single time (aka. set low_uri [string tolower [HTTP::uri]] at the beginning) and then reuses the computed $low_uri result for the individual [if] statements.
Cheers, Kai
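
The two data-group approach mentioned in the note above could look like the following. This is an added example, not part of the original post and not Stanislas' or Kai's own code; the data-group names /Education/tableau_sites and /Education/tableau_clients and their record layout are assumptions.

```tcl
# Added example. Assumed (hypothetical) data-groups:
#   /Education/tableau_sites   (type string)
#       "/t/lccc/" := "lccc", "/t/wwcc/" := "wwcc", "/t/nwccd/" := "nwccd", ...
#   /Education/tableau_clients (type address), value = space-separated site tags
#       192.0.2.0/24 := "lccc", 198.51.100.10 := "lccc wwcc", ...
#   (the networks above are constructed documentation addresses)
when HTTP_REQUEST {
    # Compute the lower-case URI once, as in the iRule above.
    set low_uri [string tolower [HTTP::uri]]

    if { $low_uri eq "/" } then {
        # Root URI: any client listed in the address data-group may pass.
        if { not [class match [IP::client_addr] equals /Education/tableau_clients] } then {
            HTTP::respond 403 content "Access Denied"
        }
    } else {
        # Site tag for this URI; empty string when the URI is not restricted.
        set uri_site [class match -value $low_uri equals /Education/tableau_sites]
        if { $uri_site ne "" } then {
            # Site tags assigned to this client; empty string when the client is not listed.
            set client_sites [class match -value [IP::client_addr] equals /Education/tableau_clients]
            if { [lsearch -exact $client_sites $uri_site] < 0 } then {
                HTTP::respond 403 content "Access Denied"
            }
        }
        # Unrestricted URIs fall through and pass, as in the iRule above.
    }
}
```

Adding a site then means adding one record to each data-group instead of another elseif branch. Like the iRule above, this compares the whole URI exactly, so only the listed URIs themselves are restricted; matching [HTTP::path] with starts_with instead of equals would extend the check to everything under each site prefix.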