iRule not working since upgrading to 11.2

You need to convert over to class command the matchclass command is deprecated in v10. it is a easy change

 

 

https://devcentral.f5.com/wiki/iRules.class.ashx

e.g.

when HTTP_REQUEST {
   if { [class match -- [HTTP::header "User-Agent"] equals UserAgentBlacklist ] } {
      drop
   }
}

Wow, that was toooo easy. Thanks so much for the exceptionaly quick reply!! I made the change and it's working great. Cheers!

It was the $:: prefix breaking the iRule on 11.x.

Adding to Niass' suggestion, you could also add your user-agent strings in lower case to the data group and then set the User-Agent header value to lower case in the iRule:

when HTTP_REQUEST {
   if { [class match -- [string tolower [HTTP::header "User-Agent"]] equals UserAgentBlacklist ] } {
      drop
   }
}

Aaron

Ahh, that's a good idea. Thanks, I'll do that.

Let me clarify things Richard Harlan said:

You need to convert over to class command the matchclass command is deprecated in v10. it is a easy change

Everything I read didn't say "matchclass" would stop working in 11.X - in fact it works in bothe VE 11.2.0 and on production hardware at 11.2.0 (documented as less performant). In fact the https://devcentral.f5.com/wiki/iRules.class.ashx (never said it stopped working) it only says:

The class command deprecates the findclass and matchclass commands as it offers better functionality and performance than the older commands. Note that you should not use a $:: or :: prefix on the datagroup name when using the class command (or in any datagroup reference on 9.4.4 or later). For details, see the CMP compatibility page.

Yes I agree with hoolio the $:: prefix on data groups was breaking (also noted in the above) my iRules on 11.x two weeks ago - thank goodness for a 11.2.0 VE to debug this stuff - I figured it out on my own in case C1171849 on 7/30/2012 where I ended up using a 'sed' pipline to fix my /config/bigip.conf file (all iRULEs) in mass. The added benefit is that my globals became CMP compliment.

I did this on a F5 system running version 10.2.0 prior to upgrading it to version 11.2.0 as follows (special note all my datagroups start with g_dg_ so LOOK hard at the sed command - don't blindly run it):

 backup up the config
cp -p /config/bigip.conf /config/bigip.conf.sav

 make sure '::' only exists in iRULEs blocks
grep '::' /config/bigip.conf.sav

 alter the syntax to 11.X CMP compliance via a sed pipeline
cat /config/bigip.conf.sav  | \
  sed -e 's/set ::/set static::/g' | \
  sed -e 's/incr ::/incr static::/g' | \
  sed -e 's/info exists ::/info exists static::/g' | \
  sed -e 's/\$::/$static::/g' | \
  sed -e 's/\$static::g_dg/g_dg/g' > \
  /tmp/bigip.conf.new

Manually change old “matchclass” to new “class match” for more performance on my data groups
grep 'matchclass' | grep g_dg /config/bigip.conf.new
        if { [matchclass [IP::client_addr] equals g_dg_handset] } {
        if { [matchclass [IP::client_addr] equals g_dg_other] } {
        if { [matchclass [IP::client_addr] equals g_dg_dongle] } {

 use “vi” editor alter the above to 'class match'
vi /tmp/bigip.conf.new

 verify change
grep 'class match' /config/bigip.conf
        if { [class match [IP::client_addr] equals g_dg_handset] } {
        if { [class match [IP::client_addr] equals g_dg_other] } {
        if { [class match [IP::client_addr] equals g_dg_dongle] } {

 install and make active this 10.2.0 syntax, in 11.x you  need to use a tmsh command
cp /tmp/bigip.conf.new /config/bigip.conf
b load

 

I ended up going with:

when HTTP_REQUEST {
   if { [class match [string tolower [HTTP::header "User-Agent"]] contains UserAgentBlacklist ] } {
      drop
   }
}