Forum Discussion
iRule logic question
when HTTP_REQUEST {
    if { ([matchclass [string tolower [HTTP::uri]] contains Allowed_uri]) or ([matchclass [IP::client_addr] equals Allowed_IP]) } {
    } else {
        log local0. "---CLIENT IP---[IP::client_addr] URI is [HTTP::uri]"
        drop
    }
}
In the above iRule, would the HTTP request be permitted as long as either datagroup matches? It wouldn't have to match both to be permitted because of the "or" logic?
- Lee_Sutcliffe (Nacreous)
Hi Lee,
I sometimes find it easier to read an iRule (especially when you include NOTs) by breaking the 'or' into separate 'if' conditions. Notice the "!" - this makes the condition a NOT.
So:
IF NOT datagroup URI, IF NOT datagroup IP, drop. (everything else will be allowed)
when HTTP_REQUEST {
    if {(![class match [string tolower [HTTP::uri]] contains Allowed_uri])} {
        if {(![class match [IP::client_addr] equals Allowed_IP])} {
            drop
        }
    }
}
PS - matchclass has been deprecated: https://devcentral.f5.com/wiki/iRules.matchclass.ashx
Lee
- Andy_McGrath (Cumulonimbus)
Your iRule is almost correct but the logic needs to be changed from OR to AND:
when HTTP_REQUEST {
    if {[matchclass [string tolower [HTTP::uri]] contains Allowed_uri] and [matchclass [IP::client_addr] equals Allowed_IP]} {
        return
    } else {
        log local0. "---CLIENT IP---[IP::client_addr] URI is [HTTP::uri]"
        drop
    }
}
Reversing the logic, like MrPlastic has done, you can do the same with less using not and logic OR:
when HTTP_REQUEST {
    if {(not [matchclass [string tolower [HTTP::uri]] contains Allowed_uri]) or (not [matchclass [IP::client_addr] equals Allowed_IP])} {
        log local0. "---CLIENT IP---[IP::client_addr] URI is [HTTP::uri]"
        drop
    }
}
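The four conditions posted so far in this thread, compared side by side in plain Tcl for tclsh. This is an added example, not code from any poster and not an iRule: `class_contains`, `class_equals`, `decide`, the variant names, the data-group contents and the sample requests are all hypothetical stand-ins constructed for illustration.

```tcl
# Added example: plain Tcl (tclsh), not an iRule. Data-group contents and
# requests are constructed; class_contains/class_equals are hypothetical
# stand-ins for "class match ... contains" and "class match ... equals".
set Allowed_uri {/app/login /app/status}
set Allowed_IP  {192.0.2.10 192.0.2.11}

# True when any data-group entry is a substring of $value.
proc class_contains {value group} {
    foreach entry $group {
        if {[string first $entry $value] >= 0} { return 1 }
    }
    return 0
}

# True when $value is exactly one of the data-group entries.
proc class_equals {value group} {
    return [expr {[lsearch -exact $group $value] >= 0}]
}

# Decision each condition from the thread reaches for one request.
proc decide {variant ip uri} {
    global Allowed_uri Allowed_IP
    set u [class_contains [string tolower $uri] $Allowed_uri]
    set i [class_equals $ip $Allowed_IP]
    set drop 0
    switch -- $variant {
        either_permits { if {$u || $i} { } else { set drop 1 } }
        nested_nots    { if {!$u} { if {!$i} { set drop 1 } } }
        both_required  { if {$u && $i} { } else { set drop 1 } }
        not_or_not     { if {!$u || !$i} { set drop 1 } }
        default        { error "unknown variant $variant" }
    }
    return [expr {$drop ? "drop" : "permit"}]
}

# Constructed requests: both match, IP only, URI only, neither.
set requests {
    {192.0.2.10   /App/Login}
    {192.0.2.10   /admin}
    {198.51.100.7 /app/status?x=1}
    {198.51.100.7 /admin}
}
foreach variant {either_permits nested_nots both_required not_or_not} {
    foreach req $requests {
        lassign $req ip uri
        puts [format "%-14s %-13s %-18s %s" $variant $ip $uri [decide $variant $ip $uri]]
    }
}
```

`either_permits` and `nested_nots` reach the same decision for every request, as do `both_required` and `not_or_not`; the two pairs differ only when exactly one data group matches.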
- Lee_Wooderson_1 (Nimbostratus)
How would I rewrite my iRule if I only wanted to permit URIs in Allowed_uri and just use the one datagroup and forget the source IP filter? Thanks for your guys' help.
- Lee_Sutcliffe (Nacreous)
This should be all you need; traffic not matching the URI data group will be dropped. Everything else will be permitted.
when HTTP_REQUEST {
    if {(not [class match [string tolower [HTTP::uri]] contains Allowed_uri])} {
        drop
    }
}