Forum Discussion
Supahoopsa_8892
Nimbostratus
Jun 10, 2011
iRule not working - syntax error or something else?
I have tried writing my first iRule to check the URL of my site and then, depending on which site the user is attempting to access, I then check a list of approved IP addresses.
If the client's IP address is not found in the list, I redirect them to an unauthorised page, otherwise I let them through.
This is my code:
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "*XXX*" {
            if not { matchclass [IP::client_addr] equals $::XXX_access_list } {
                HTTP::redirect https://MyXXXUnauthPage.com
            }
        }
        "*YYY*" {
            if not { matchclass [IP::client_addr] equals $::YYY_access_list } {
                HTTP::redirect https://MyYYYUnauthPage.com
            }
        }
        "*ZZZ*" {
            if not { matchclass [IP::client_addr] equals $::ZZZ_access_list } {
                HTTP::redirect https://MyZZZUnauthPage.com
            }
        }
    }
}
Is there a syntax error here or have I just got my logic wrong?
Any help would be GREATLY appreciated.
3 Replies
- Michael_Yates
Nimbostratus
Try this:
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "*XXX*" {
            if { !([matchclass [IP::client_addr] equals $::XXX_access_list]) } {
                HTTP::redirect https://MyXXXUnauthPage.com
            }
        }
        "*YYY*" {
            if { !([matchclass [IP::client_addr] equals $::YYY_access_list]) } {
                HTTP::redirect https://MyYYYUnauthPage.com
            }
        }
        "*ZZZ*" {
            if { !([matchclass [IP::client_addr] equals $::ZZZ_access_list]) } {
                HTTP::redirect https://MyZZZUnauthPage.com
            }
        }
    }
}
Your "not" comparison (which can also be expressed by "!") needs to be inside your if statement and needs to be applied to the entire comparison.
Comparison: [matchclass [IP::client_addr] equals $::ZZZ_access_list]
Comparison: !(results of first comparison)
Result: if false, do this....
- Supahoopsa_8892
Nimbostratus
Hi Michael, thanks for your quick feedback.
I've just applied the changes with your recommendations, but it appears we're still having problems with the matchclass aspects. I wanted to state that I created "site_access_list" as a Data Group in the BIGIP UI. It contains multiple Host and Network addresses. Anything I should be considering on that?
Code looks like:
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "*client*" {
            if { !([matchclass [IP::client_addr] equals $::site_access_list]) } {
                HTTP::redirect https://site
            }
        }
    }
}
- hoolio
Cirrostratus
If you're on 9.4.4 or higher you should remove the $:: prefix from the datagroup name. It will demote the iRule from CMP in any version, but won't work at all to access the datagroup in v10+:
http://devcentral.f5.com/wiki/default.aspx/iRules/CMPCompatibility.html
For 10.x you should also change from matchclass to the class match command for better efficiency:
http://devcentral.f5.com/wiki/default.aspx/iRules/class
Aaron
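Added example, not code from any post in this thread: the original poster's rule with the last reply's two changes applied (data group referenced by name without the `$::` prefix, and `class match` in place of `matchclass`). It assumes v10+ and address-type data groups with the placeholder names used in the thread; the `dg` and `deny_url` variables and the log line are introduced here for illustration.

```tcl
# Added example: per-site source-IP allow list using "class match" (v10+).
# Data group names and redirect URLs are the placeholders from the thread.
when HTTP_REQUEST {
    set dg ""

    # The URI is lowercased before matching, so every glob pattern
    # must itself be lowercase or that arm can never match.
    switch -glob [string tolower [HTTP::uri]] {
        "*xxx*" {
            set dg "XXX_access_list"
            set deny_url "https://MyXXXUnauthPage.com"
        }
        "*yyy*" {
            set dg "YYY_access_list"
            set deny_url "https://MyYYYUnauthPage.com"
        }
        "*zzz*" {
            set dg "ZZZ_access_list"
            set deny_url "https://MyZZZUnauthPage.com"
        }
    }

    # Requests whose URI matches no pattern leave dg empty and are
    # passed through without any allow-list check.
    if { $dg ne "" && ![class match [IP::client_addr] equals $dg] } {
        # Record the denial so rejected clients are visible in /var/log/ltm.
        log local0. "Denied [IP::client_addr]: not in data group $dg"
        HTTP::redirect $deny_url
    }
}
```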
