Irule logic question

Question

when HTTP_REQUEST {
if { ([matchclass [string tolower [HTTP::uri]] contains Allowed_uri]) or ([matchclass [IP::client_addr] equals Allowed_IP]) } {
 }
  else {&nbsp;
log local0. "---CLIENT IP---[IP::client_addr] URI is [HTTP::uri]"
drop
 }&nbsp;
In the above irule, would the http request be permitted as long as either datagroup matches? It wouldn't have to match both to be permitted because of the "or" logic?&nbsp;

lee_sutcliffe · Answer

Hi Lee, 
I sometimes find it easier to read an iRule (especially when you include NOTs) by breaking the 'or' into separate 'if' conditions. 
Notice the "!" - this makes the condition a NOT. 
So:
IF NOT datagroup URI,
    IF NOT datagoup IP,
        drop.
  (everything else will be allowed)
when HTTP_REQUEST {
    if {(![class match [string tolower [HTTP::uri]] contains Allowed_uri])} {
        if {(![class match [IP::client_addr] equals Allowed_IP])} {
            drop
        }
    }
}

PS - matchclass has been depricated:
 https://devcentral.f5.com/wiki/iRules.matchclass.ashx
Lee

andy_mcgrath · Answer

Your iRule is almost correct but logic needs to be change from OR to AND:
when HTTP_REQUEST {
    if {[matchclass [string tolower [HTTP::uri]] contains Allowed_uri] and [matchclass [IP::client_addr] equals Allowed_IP]} {
        return
     } else {
        log local0. "---CLIENT IP---[IP::client_addr] URI is [HTTP::uri]"
        drop
    }
}

reversing the logic, like MrPlastic has done, you can do the same with less using not and logic OR:
when HTTP_REQUEST {
    if {(not [matchclass [string tolower [HTTP::uri]] contains Allowed_uri]) or (not [matchclass [IP::client_addr] equals Allowed_IP])} {
        log local0. "---CLIENT IP---[IP::client_addr] URI is [HTTP::uri]"
        drop
    }
}

lee_wooderson_1 · Answer

How would I rewrite my irule if I only wanted to permit URIs in Allowed_uri and just use the one datagroup and forget the source IP filter? Thanks for ur guys help.&nbsp;

lee_sutcliffe · Answer

This should be all you need, traffic not matching the URI data group will be dropped. Everything else will
be permitted. 
when HTTP_REQUEST {
    if {(not [class match [string tolower [HTTP::uri]] contains Allowed_uri])} {
        drop
    }
}

Forum Discussion

Irule logic question

4 Replies

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Best Practice guide for enabling Attack signature In BIG-IP ASM

SSL Forward Proxy, iRules and Client Hello

Related Content

F5 Distributed Cloud - Listener Logic

Intermediate iRules: Validating Your Logic

F5 Distributed Cloud - Service Policy - Header Matching Logic & Processing

vCMP logical interfaces throughput

AppWorld Berlin iRules Contest!

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS