For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sandy16's avatar
sandy16
Icon for Altostratus rankAltostratus
May 09, 2016

iRule for matching 2 x Data-groups

Hi experts, I have two data-groups. One is type 

string' which contains URIs called - Allowed-URIs and the other is type
ipaddress' which contains some internal subnets called - Allowed-IPs. Can you help me create an irule which has the following logic - the URIs in the data-group Allowed-URIs are only accessible from the Allowed-IPs data-group. Else DROP !

application delivery
iRules
LTM

4 Replies

  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    May 09, 2016

    Nothing too complex. A nested IF-condition will do.

    when HTTP_REQUEST {

  if { [class match [string tolower [HTTP::uri]] eq "Allowed-URIs" ] }{
    if { [class match [IP::client_addr] eq "Allowed-IPs" ] }{
       Do not interfere (Allowed)
      return
    } else {
       Not allowed
      drop
    }
  }

}

    If you're going to use my solution, check to make sure that your Allowed-URIs definitions are all lower-case (or just remove the 'string tolower' function if you need case-sensitive matching).

    • JRahm's avatar
      JRahm
      Icon for Admin rankAdmin
      May 09, 2016
      I prefer the positive match as well for readability, but for efficiency, you could eliminate the else by reversing the match on the nested if (not [class match [IP::client_addr...)
  • Hannes_Rapp's avatar
    Hannes_Rapp
    Icon for Nimbostratus rankNimbostratus
    May 09, 2016

    Nothing too complex. A nested IF-condition will do.

    when HTTP_REQUEST {

  if { [class match [string tolower [HTTP::uri]] eq "Allowed-URIs" ] }{
    if { [class match [IP::client_addr] eq "Allowed-IPs" ] }{
       Do not interfere (Allowed)
      return
    } else {
       Not allowed
      drop
    }
  }

}

    If you're going to use my solution, check to make sure that your Allowed-URIs definitions are all lower-case (or just remove the 'string tolower' function if you need case-sensitive matching).

    • JRahm's avatar
      JRahm
      Icon for Admin rankAdmin
      May 09, 2016
      I prefer the positive match as well for readability, but for efficiency, you could eliminate the else by reversing the match on the nested if (not [class match [IP::client_addr...)