Forum Discussion

pelle_71294's avatar
pelle_71294
Icon for Nimbostratus rankNimbostratus
Jul 08, 2010

iRule Redirection Problem

Hi,

 

 

Got a few iRule problems. My main problem is that I usually don't configure our F5 BigIPs very often and the guy doing it is not available.

 

 

The problem is that I thought I had created a maintenance iRule based on some simple requirements that will redirect requests based on source-ip and url. However when I now got a chance to test it, it won't work as I expected.

 

 

Would very much appriciate any pointers to what I have done wrong with this.

 

 

when HTTP_REQUEST {

 

if { ! [matchclass [IP::client_addr] equals $::acl_mycompany_nets]

 

|| ! [matchclass [URI::decode [string tolower [HTTP::uri]]] contains $::acl_maintenance]} {

 

HTTP::redirect http://www.mycompany.com/maintenance/index.php

 

}

 

}

 

 

It's using the two data lists.

 

 

acl_mycompany_nets contains 2 networks for the sake of example. 10.10.0.0/22 and 172.16.0.0/23.

 

 

acl_maintenance contains /callback/ /maintenance/ and /pictures/

 

 

It redirects as it should to /maintanence/index.php

 

 

But when I click a link on that go to /maintenance/pictures//index.php it just goes back to /maintenance/index.php, same thing for /callback//index.php

 

 

Both returns to /maintenance/index.php

 

 

 

 

application delivery
dev
devops
iRules
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 08, 2010
    I assume you want to allow your company nets users to access the pool regardless of whether maintenance is being done? If so, can you try this? If it doesn't work as you'd like, you can uncomment the debug log lines and check /var/log/ltm for the output: 

    
when HTTP_REQUEST {
    log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] for [HTTP::host][HTTP::uri]"
   if { [matchclass [IP::client_addr] equals $::acl_mycompany_nets] } {
       log local0. "[IP::client_addr]:[TCP::client_port]: Client is in acl_mycompany_nets class. Exiting"
       Client is a corporate user, so exit the iRule and don't redirect them
      return
   } else {
       log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in acl_mycompany_nets class. Checking URI."
      if { ![matchclass [URI::decode [string tolower [HTTP::uri]]] contains $::acl_maintenance] } {
          log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in acl_mycompany_nets class and URI check failed. Redirecting."
         HTTP::redirect http://www.mycompany.com/maintenance/index.php
      }
   }
}

    Also, if you're on 9.4.4 or higher, you should remove the $:: prefix from the datagroup names in the iRule.

    Aaron
  • pelle_71294's avatar
    pelle_71294
    Icon for Nimbostratus rankNimbostratus
    Jul 08, 2010
    Hi Aaron,

     

     

    Of course I forgot to add what version we're running. It's BIG-IP 10.1.0 Build 3341.43 Engineering Hotfix.

     

     

    Since it's above 9.4.4 I removed $:: but now I get a TCL error in ltm log.

     

     

    local/tmm err tmm[4730]: 01220001:3: TCL error: new_maintenance - Invalid matchclass operands - no class or list type found, lhs: string, rhs: acl_maintenance (line 1) invoked from within "matchclass [URI::decode [string tolower [HTTP::uri]]] contains acl_maintenance"

     

     

    And you're right in that our internal users should gain access during the maintenance for testing.

     

     

    Confusing that I get the TCL error since I checked it several times now. The data list is there and it's named correct.

     

     

    Thanks a lot for your help. Very much appreciated.

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 08, 2010
    Are you sure you have a datagroup named exact acl_maintenance? Is it a type string datagroup?

     

     

    Aaron
  • pelle_71294's avatar
    pelle_71294
    Icon for Nimbostratus rankNimbostratus
    Jul 08, 2010
    Yes. Checked so many times I lost count now. It's a string data group.

     

    I worked around it with expanding the iRule instead and it works as it should now.

     

     

    Thank you very much for your help. Very much appreciated.

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 08, 2010
    That's odd. If you run 'b class acl_maintenance list' to you get a result back?

     

     

    Aaron
  • pelle_71294's avatar
    pelle_71294
    Icon for Nimbostratus rankNimbostratus
    Jul 08, 2010
    No I don't. I get parsing error for some reason.

     

     

    BIGpipe parsing error:

     

    012e0008:3: The requested command (acl_maintenance list) is invalid

     

     

    Pretty sure I should be reading up a lot more on this. Problem is always that I never touch the BigIPs.

     

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 08, 2010
    If you have full command line access, can you run this instead and reply with the output:

     

     

    grep -A 5 'class acl_maintenance' /config/bigip.conf

     

     

    Aaron
  • pelle_71294's avatar
    pelle_71294
    Icon for Nimbostratus rankNimbostratus
    Jul 08, 2010
    Ok, it's pretty obvious I need sleep now. Sorry for taking up your time. Been checking it again and again and again.

     

     

    It's me who have spelled wrong and too tired to even see that I have done that.

     

     

    Again, thanks a lot for your help.