
sandy16
Jun 14, 2016

iRule for matching source-ip OR true-client-ip from a datagroup

Hi experts, I need help writing an iRule that has the following logic:

The request is allowed only if the source-ip OR the true-client-ip present in the header (if the request comes via a proxy) is part of a datagroup called "Allowed-ips". Otherwise it is dropped.

when HTTP_REQUEST {
  if { [class match [IP::client_addr] OR [HTTP::header "True-Client-IP"] equals "Allowed-ips" ] }{
    Do not interfere (Allowed)
  } else {
    drop
  }
}
}

This gives me an error for wrong argument. What am I missing? Please advise.

2 Replies

  • when HTTP_REQUEST {
        if { ([class match [IP::client_addr] equals Allowed-ips]) or ([class match [HTTP::header "True-Client-IP"] equals Allowed-ips]) } {
            # Do not interfere (Allowed)
        } else {
            drop
        }
    }

    Untested - give it a shot!

    Also, you need to replace this

        # Do not interfere (Allowed)

    with pool information, if you want the traffic to go to a specific pool.

  • Hi,

    A class match was missing in the if condition:

    when HTTP_REQUEST { 
        if { ([class match [IP::client_addr] equals Allowed-ips]) or ([HTTP::header exists "True-Client-IP"] and [class match [HTTP::header "True-Client-IP"] equals Allowed-ips]) } { 
          # Do not interfere (Allowed)
        } else {
          drop
        } 
    }
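
Added example, not part of the thread or either reply: True-Client-IP is a request header that any client can set, so this variant honors it only when the connection itself comes from a known proxy. `Allowed-ips` is the thread's data group; `Trusted-proxies` is a hypothetical address data group assumed to hold the proxies' own addresses.

```tcl
# Added example, not from the thread.
# Allowed-ips     : the thread's data group of permitted client addresses.
# Trusted-proxies : hypothetical address data group (assumption) listing the
#                   proxies that are permitted to set True-Client-IP.
when HTTP_REQUEST {
    set peer [IP::client_addr]
    set allowed 0

    if { [class match $peer equals Allowed-ips] } {
        # Direct connection from an address on the allow list.
        set allowed 1
    } elseif { [class match $peer equals Trusted-proxies] } {
        # Only a known proxy may vouch for a client through the header.
        set tcip [HTTP::header values "True-Client-IP"]
        # Require exactly one header instance; duplicates are ambiguous.
        if { [llength $tcip] == 1 } {
            set claimed [string trim [lindex $tcip 0]]
            # catch is a guard in case the value does not parse as an address.
            if { ![catch { class match $claimed equals Allowed-ips } hit] && $hit } {
                set allowed 1
            }
        }
    }

    if { !$allowed } {
        log local0. "Denied request from $peer"
        drop
        return
    }
    # Allowed: no action here, the virtual server's default pool handles it.
}
```

With this ordering, a True-Client-IP value sent by a peer that is not in `Trusted-proxies` is ignored rather than matched against `Allowed-ips`.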