Forum Discussion
Arie
Altostratus
AltostratusIP::client_addr / netmask addresses in Class (Data Group) - syntax problem
I have a class that contains a list of IP addresses with a netmask (/x). Initially I tried:
if { !( [ class match [IP::client_addr] equals class_CampusIPaddresses ] ) } {
However, that seems to work for 'straight' addresses only (i.e. without netmasks).
Assuming that I'd need to use IP::addr for the netmask match, I tried this:
if { !( [ class match [IP::addr [IP::client_addr]] equals class_CampusIPaddresses ] ) } {
The problem with that is that the editor complains "wrong args" when I try to save it.
Ideas?
nitassEmployee
this is mine.
[root@iris:Active] config b class test list class test { { host 1.1.1.1 network 2.2.2.0/24 } } [root@iris:Active] config b rule myrule list rule myrule { when RULE_INIT { log local0. "\[class match -- 1.1.1.1 equals test\]: [class match -- 1.1.1.1 equals test]" log local0. "\[class match -- 2.2.2.2 equals test\]: [class match -- 2.2.2.2 equals test]" log local0. "\[class match -- 3.3.3.3 equals test\]: [class match -- 3.3.3.3 equals test]" if {![class match -- 1.1.1.1 equals test]} { log local0. "!\[class match -- 1.1.1.1 equals test\]: 1" } else { log local0. "!\[class match -- 1.1.1.1 equals test\]: 0" } if {![class match -- 2.2.2.2 equals test]} { log local0. "!\[class match -- 2.2.2.2 equals test\]: 1" } else { log local0. "!\[class match -- 2.2.2.2 equals test\]: 0" } if {![class match -- 3.3.3.3 equals test]} { log local0. "!\[class match -- 3.3.3.3 equals test\]: 1" } else { log local0. "!\[class match -- 3.3.3.3 equals test\]: 0" } } } [root@iris:Active] config cat /var/log/ltm Nov 5 08:58:43 local/iris err mcpd[32723]: 01020066:3: The requested rule (myrule) already exists in partition Common. Nov 5 08:58:43 local/tmm info tmm[1609]: Rule myrule : [class match -- 1.1.1.1 equals test]: 1 Nov 5 08:58:43 local/tmm info tmm[1609]: Rule myrule : [class match -- 2.2.2.2 equals test]: 1 Nov 5 08:58:43 local/tmm info tmm[1609]: Rule myrule : [class match -- 3.3.3.3 equals test]: 0 Nov 5 08:58:43 local/tmm info tmm[1609]: Rule myrule : ![class match -- 1.1.1.1 equals test]: 0 Nov 5 08:58:43 local/tmm info tmm[1609]: Rule myrule : ![class match -- 2.2.2.2 equals test]: 0 Nov 5 08:58:43 local/tmm info tmm[1609]: Rule myrule : ![class match -- 3.3.3.3 equals test]: 1
ArieAre you saying that it is possible to simply use
as long as the value in the Class has the prefix "network"?[class match ...]
Michael_YatesNimbostratus
Hi Arie,
I have a class that contains a list of IP addresses with a netmask (/x). Initially I tried:
if { !( [ class match [IP::client_addr] equals class_CampusIPaddresses ] ) } {
However, that seems to work for 'straight' addresses only (i.e. without netmasks).
You are going to want to use your first working example because it takes the Client IP Address and determines if it would be contained in one of the networks within your subnets listed in "class_CampusIPaddresses".
It would be a huge assumption to guess the Subnet Mask of an incoming Client IP Address and make an exact match in a Data Group. It's easier to just see if it would be contained in one of the subnets in the Data Group (If so, do this....If not, do something else).
The reason your second example failed is due to the missing argument (the Client IP Subnet Mask): IP::addr
Hope this helps.- nitassAre you saying that it is possible to simply use
[class match ...]as long as the value in the Class has the prefix "network"?yes, i think so. - nitasscan you put some log command in the irule and post the irule along with log here?
- hooleylist
Cirrostratus
As Nitass said the class commands will do a bitwise comparison of a host or network against a datagroup. You just need to specify a type of "address" for the datagroup.
Aaron