For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Christopher_Da1's avatar
Christopher_Da1
Icon for Nimbostratus rankNimbostratus
Aug 08, 2006

iRule to manipulate designation content based off ip/subnet

First of all I’m new to iRules and not familiar with the syntax.     I have composed an irule and the editor says the syntax is correct, but it doesn’t behave correctly or the way I intend for i...
application delivery
dev
devops
iRules
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Aug 09, 2006
If your IP matching is going to grow, you could build a class to clean up the rule. Also, since I assume that this is all HTTP traffic, you could move all the logic to the HTTP_REQUEST event to avoid setting the variable (or use info exists in the CLIENT_ACCEPTED event).


class my_exceptions {
  "156.74.138.63 GWWEB-HTTP"
  "156.74.12.223 GWWEB-HTTP"
  "156.74.12.222 GWWEB-HTTP"
  "10.10.10.10   DIFFERENT_POOL-HTTP"
}
when HTTP_REQUEST {
  if { [matchclass  [IP::client_addr] equals $::my_exceptions ]   } {
    log local0. "matched address [IP::client_addr] "
    pool [findclass [IP::client_addr] $::my_exceptions " " ]
  } elseif { not ( [IP::addr [IP::client_addr] equals 156.74.12.223 ] ) } {
      log local0. "matched subnet 156.74.16.0/24, issuing redirect..."
      HTTP::redirect "http://inweb.ci.seattle.wa.us/ccss/noaccess.asp"
  } else {
      log local0. "didn't match any addresses"
      pool GWWEB-HTTP
  }       
}

Note also that if you define GWWEB-HTTP as your default pool, you don't need the else statement...

Also note that the class is not part of the rule, it needs to be added under the datagroups tab in the GUI, or simply paste into to the bigip.conf file at the CLI and do a bigpipe load.

HTH

BTW, this compiled without error in the iRule Editor, but is untested.