Kevin_Leicht_51
Aug 14, 2012

iRule not working since upgrading to 11.2

Apologies if a similar question has been asked and answered. I searched the forum but couldn't find anything. I have an irule that references a data group for blocking spiders by user-agent (I copied it from a rule posted previously on DevCentral). The rule is:

    when HTTP_REQUEST {
       if { [matchclass [HTTP::header "User-Agent"] contains $::UserAgentBlacklist ] } {
          drop
          return
       }
    }

The Data Group is a string data group called UserAgentBlacklist with a series of entries:

    80legs
    snitch
    Yandex
    discobot
    ....

It worked nicely in 10.2, but after upgrading to 11.2, I'm getting:

    tmm err tmm[11342]: 01220001:3: TCL error: /Common/UserAgent-Blacklist_irule - can't read "::UserAgentBlacklist": no such variable while executing "matchclass [HTTP::header "User-Agent"] contains $::UserAgentBlacklist

Any chance it's something obvious in the syntax that's changed with 11.x?

 

  • Richard__Harlan
    Historic F5 Account
    You need to convert over to the class command; the matchclass command is deprecated in v10. It is an easy change.

    https://devcentral.f5.com/wiki/iRules.class.ashx
  • e.g.

    when HTTP_REQUEST {
       if { [class match -- [HTTP::header "User-Agent"] equals UserAgentBlacklist ] } {
          drop
       }
    }
    
  • Wow, that was toooo easy. Thanks so much for the exceptionally quick reply!! I made the change and it's working great. Cheers!
  • It was the $:: prefix breaking the iRule on 11.x.

    Adding to Niass' suggestion, you could also add your user-agent strings in lower case to the data group and then set the User-Agent header value to lower case in the iRule:

    
    when HTTP_REQUEST {
       if { [class match -- [string tolower [HTTP::header "User-Agent"]] equals UserAgentBlacklist ] } {
          drop
       }
    }
    

    Aaron
  • Let me clarify things Richard Harlan said:

    You need to convert over to the class command; the matchclass command is deprecated in v10. It is an easy change.

    Everything I read didn't say "matchclass" would stop working in 11.X - in fact it works both in VE 11.2.0 and on production hardware at 11.2.0 (documented as less performant). In fact, https://devcentral.f5.com/wiki/iRules.class.ashx never said it stopped working; it only says:

    The class command deprecates the findclass and matchclass commands as it offers better functionality and performance than the older commands. Note that you should not use a $:: or :: prefix on the datagroup name when using the class command (or in any datagroup reference on 9.4.4 or later). For details, see the CMP compatibility page.

    Yes, I agree with hoolio: the $:: prefix on data groups was breaking my iRules on 11.x two weeks ago (also noted in the above) - thank goodness for an 11.2.0 VE to debug this stuff. I figured it out on my own in case C1171849 on 7/30/2012, where I ended up using a 'sed' pipeline to fix my /config/bigip.conf file (all iRULEs) en masse. The added benefit is that my globals became CMP compliant.

    I did this on an F5 system running version 10.2.0 prior to upgrading it to version 11.2.0, as follows (special note: all my data groups start with g_dg_, so LOOK hard at the sed command - don't blindly run it):

    
    # back up the config
    cp -p /config/bigip.conf /config/bigip.conf.sav

    # make sure '::' only exists in iRULEs blocks
    grep '::' /config/bigip.conf.sav

    # alter the syntax to 11.X CMP compliance via a sed pipeline
    cat /config/bigip.conf.sav | \
      sed -e 's/set ::/set static::/g' | \
      sed -e 's/incr ::/incr static::/g' | \
      sed -e 's/info exists ::/info exists static::/g' | \
      sed -e 's/\$::/$static::/g' | \
      sed -e 's/\$static::g_dg/g_dg/g' > \
      /tmp/bigip.conf.new

    # manually change old "matchclass" to new "class match" for more performance on my data groups
    grep 'matchclass' /tmp/bigip.conf.new | grep g_dg
    #        if { [matchclass [IP::client_addr] equals g_dg_handset] } {
    #        if { [matchclass [IP::client_addr] equals g_dg_other] } {
    #        if { [matchclass [IP::client_addr] equals g_dg_dongle] } {

    # use the "vi" editor to alter the above to 'class match'
    vi /tmp/bigip.conf.new

    # verify the change
    grep 'class match' /tmp/bigip.conf.new
    #        if { [class match [IP::client_addr] equals g_dg_handset] } {
    #        if { [class match [IP::client_addr] equals g_dg_other] } {
    #        if { [class match [IP::client_addr] equals g_dg_dongle] } {

    # install and make active this 10.2.0 syntax; in 11.x you need to use a tmsh command
    cp /tmp/bigip.conf.new /config/bigip.conf
    b load
     
  • I ended up going with:

    when HTTP_REQUEST {
       if { [class match [string tolower [HTTP::header "User-Agent"]] contains UserAgentBlacklist ] } {
          drop
       }
    }