Forum Discussion

alex100's avatar
alex100
Icon for Cirrostratus rankCirrostratus
Nov 09, 2023

iRule operator evaluation order OR/AND

Hi all,  This must be some simple syntax problem but I have been bashing my head for a while. Here is the irule:     when HTTP_REQUEST { if {(![class match [getfield [IP::client_addr] "%" 1]...
application delivery
irule
  • Enes_Afsin_Al's avatar
    Enes_Afsin_Al
    Nov 09, 2023

    Hi alex100,

    It might be better to think in parts.

    when HTTP_REQUEST {
    #if uri matches with uripath_a:
    if { [class match [string tolower [HTTP::uri]] contains /Common/uripath_a] } {
        #log local0. "Log1 - Uri matched [HTTP::host][HTTP::uri]"
        
        #if Client IP doesn't match with tcp_whitelist
        if { !([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) }
            #log local0. "Log2 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr]"
            
            #if XFF doesn't match with xff_whitelist
            if { !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) }
                #log local0. "Log3 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr] | XFF did not match [HTTP::header X-Forwarded-For]"
            }
            #if Client IP doesn't match with tcp_whitelist and XFF matches with xff_whitelist
            else {
                #log local0. "Log4 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr] | XFF matched [HTTP::header X-Forwarded-For]"
            }
        #if Client IP matches with tcp_whitelist
        else {
            #log local0. "Log5 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr]"
            
            #if XFF doesn't match with xff_whitelist
            if { !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) }
                #log local0. "Log6 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr] | XFF did not match [HTTP::header X-Forwarded-For]"
            }
            #if Client IP matches with tcp_whitelist and XFF matches with xff_whitelist
            else {
                #log local0. "Log7 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr] | XFF matched [HTTP::header X-Forwarded-For]"
            }
        }
    }
    #if uri doesn't match with uripath_a
    else {
        #log local0. "Log8 - Uri did not match [HTTP::host][HTTP::uri]"
    }
}

    I think you want this condition:

    when HTTP_REQUEST {
    if { !([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) and !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) and ([class match [string tolower [HTTP::uri]] contains /Common/uripath_a]) }
        # log local0. "Batman Client IP [IP::client_addr], Client XXF IP [HTTP::header X-Forwarded-For], [HTTP::method], URL: [HTTP::host][HTTP::uri]"
    }
    else {
        pool pl-something-WEB-443
    }
}

    some function with different operators:

    when HTTP_REQUEST {
    if { !(([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) or ([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist])) and ([class match [string tolower [HTTP::uri]] contains /Common/uripath_a]) }
        # log local0. "Batman Client IP [IP::client_addr], Client XXF IP [HTTP::header X-Forwarded-For], [HTTP::method], URL: [HTTP::host][HTTP::uri]"
    }
    else {
        pool pl-something-WEB-443
    }
}
Enes_Afsin_Al's avatar
Enes_Afsin_Al
Icon for MVP rankMVP
Nov 09, 2023

Hi alex100,

It might be better to think in parts.

when HTTP_REQUEST {
    #if uri matches with uripath_a:
    if { [class match [string tolower [HTTP::uri]] contains /Common/uripath_a] } {
        #log local0. "Log1 - Uri matched [HTTP::host][HTTP::uri]"
        
        #if Client IP doesn't match with tcp_whitelist
        if { !([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) }
            #log local0. "Log2 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr]"
            
            #if XFF doesn't match with xff_whitelist
            if { !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) }
                #log local0. "Log3 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr] | XFF did not match [HTTP::header X-Forwarded-For]"
            }
            #if Client IP doesn't match with tcp_whitelist and XFF matches with xff_whitelist
            else {
                #log local0. "Log4 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr] | XFF matched [HTTP::header X-Forwarded-For]"
            }
        #if Client IP matches with tcp_whitelist
        else {
            #log local0. "Log5 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr]"
            
            #if XFF doesn't match with xff_whitelist
            if { !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) }
                #log local0. "Log6 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr] | XFF did not match [HTTP::header X-Forwarded-For]"
            }
            #if Client IP matches with tcp_whitelist and XFF matches with xff_whitelist
            else {
                #log local0. "Log7 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr] | XFF matched [HTTP::header X-Forwarded-For]"
            }
        }
    }
    #if uri doesn't match with uripath_a
    else {
        #log local0. "Log8 - Uri did not match [HTTP::host][HTTP::uri]"
    }
}

I think you want this condition:

when HTTP_REQUEST {
    if { !([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) and !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) and ([class match [string tolower [HTTP::uri]] contains /Common/uripath_a]) }
        # log local0. "Batman Client IP [IP::client_addr], Client XXF IP [HTTP::header X-Forwarded-For], [HTTP::method], URL: [HTTP::host][HTTP::uri]"
    }
    else {
        pool pl-something-WEB-443
    }
}

some function with different operators:

when HTTP_REQUEST {
    if { !(([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) or ([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist])) and ([class match [string tolower [HTTP::uri]] contains /Common/uripath_a]) }
        # log local0. "Batman Client IP [IP::client_addr], Client XXF IP [HTTP::header X-Forwarded-For], [HTTP::method], URL: [HTTP::host][HTTP::uri]"
    }
    else {
        pool pl-something-WEB-443
    }
}
  • alex100's avatar
    alex100
    Icon for Cirrostratus rankCirrostratus
    Nov 10, 2023

    Thank you for your feedback, time and refactored rule. Looks like I was on the right path but the culprit turned out to be about negation sign ["!"] placement. 

    Original if statement 

    {((![class match [getfield [IP::client_addr] "%" 1] eq tcp_whitelist]) or (![class match [getfield [HTTP::header X-Forwarded-For] "%" 1] equals xff_whitelist])) and ([class match [string tolower [HTTP::uri]] contains uripath_a])}

    Re-factored if statement

    { ([class match [string tolower [HTTP::uri]] starts_with uripath_a]) and !(([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) or ([class match [HTTP::header X-Forwarded-For] contains /Common/xff_whitelist])) }

    Looks like with multiple class mach commands , "!" has to be moved outside of ().