Forum Discussion
iRule to only allow traffic from 3 different subnets
I need to create an iRule that only allows traffic when it's from 3 subnets: 10.10.17.0/24, 10.10.18.0/24 and 10.10.19.0/24. I don't know if the one below works like I want. Could anybody please help me? Would you recommend using datagroups? Do they affect the CPU?
when HTTP_REQUEST {
    # Only police paths ending in /xxx; block the request unless the
    # client address falls inside one of the three allowed /24 subnets
    if { [string tolower [HTTP::path]] ends_with "/xxx" and
         not [IP::addr [IP::client_addr]/24 equals 10.10.17.0] and
         not [IP::addr [IP::client_addr]/24 equals 10.10.18.0] and
         not [IP::addr [IP::client_addr]/24 equals 10.10.19.0] } {
        HTTP::respond 200 content "URL Blocked"
    }
}
Thanks and regards.
6 Replies
- IheartF5_45022
Nacreous
Datagroups are highly performant so no CPU worries there;-
when HTTP_REQUEST {
    # Single data group lookup instead of one IP::addr test per subnet
    if { [string tolower [HTTP::path]] ends_with "/xxx" &&
         ![class match [IP::client_addr] equals dg_ip_whitelist] } {
        HTTP::respond 200 content "URL Blocked"
    }
}
- pablitop_134672
Nimbostratus
IheartF5, thanks for your answer. Just one more thing, do you think that something like this would work?
when HTTP_REQUEST {
    # matchclass lookup using the $:: global-style reference
    if { ( [string tolower [HTTP::path]] ends_with "/xxx" ) and
         not ( [matchclass [IP::client_addr] equals $::xxx_allowed] ) } {
        HTTP::respond 200 content "URL Blocked"
    }
}
- nitass
Employee
Just one more thing, do you think that something like this would work?
What version are you running? If it is 9.4.4 or later, you should remove the $:: prefix.
From the CMP Compatibility wiki page, under "Class / Data Group List References":
* 9.4.0 - 9.4.3: class references are not CMP compatible.
* As of 9.4.4: the "::" and "$::" prefixes are no longer required to reference classes using findclass or matchclass. Classes are static and are therefore CMP compatible. There is no need to treat them as global objects.
* 10.0: matchclass / findclass are deprecated in favor of the new class command.
CMP Compatibility: https://devcentral.f5.com/wiki/iRules.cmpcompatibility.ashx
- pablitop_134672
Nimbostratus
Nitass, I have version 11 in one cluster where I'm testing the iRule, but I get this error:
The current configuration forces the Virtual (/Common/XXX) to be demoted from CMP.
The iRule is below:
when HTTP_REQUEST {
    # class match lookup, still using the $:: reference to the data group
    if { ( [string tolower [HTTP::path]] ends_with "/xxx" ) and
         not ( [class match [IP::client_addr] equals $::xxx_allowed] ) } {
        HTTP::respond 200 content "URL Blocked"
    }
}
- nitass
Employee
I have version 11 in one cluster where I´m testing the irule, but I get this error
Can you change $::xxx_allowed to xxx_allowed?
- pablitop_134672
Nimbostratus
Nitass, now it's working fine. The iRule is below:
when HTTP_REQUEST {
    # Data group referenced by bare name: CMP compatible on 10.x and later
    if { ( [string tolower [HTTP::path]] ends_with "/xxx" ) and
         not ( [class match [IP::client_addr] equals xxx_allowed] ) } {
        HTTP::respond 200 content "URL Blocked"
    }
}
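The complete allow-list setup the thread converges on, written out as an added example (this is not code from the thread or from F5): the data group holds the three /24 subnets, and the iRule does one lookup per request. The data group name xxx_allowed and the path suffix /xxx come from the thread; the tmsh command in the comment, the log message and the 403 status are my additions, and the tmsh syntax is as I know it for v11, so check it against your release.

```tcl
# Added example, not the thread's own code. Assumes an address-type data group
# named xxx_allowed holding the three allowed subnets. One way to create it
# (tmsh, syntax assumed for v11; verify on your version):
#   create ltm data-group internal xxx_allowed type ip records add { 10.10.17.0/24 { } 10.10.18.0/24 { } 10.10.19.0/24 { } }
when HTTP_REQUEST {
    # Lower-case the path once and reuse it; HTTP::path excludes the query string
    set path [string tolower [HTTP::path]]

    # Only the protected location is policed; all other requests pass untouched
    if { not ( $path ends_with "/xxx" ) } {
        return
    }

    # class match evaluates CIDR entries natively, so a single lookup covers all
    # three /24s, and a subnet added to the data group later needs no iRule change
    if { [class match [IP::client_addr] equals xxx_allowed] } {
        return
    }

    # Not on the allow list: record the source in /var/log/ltm and answer with a
    # 403 rather than a 200, so clients and monitoring can tell a block from a hit
    log local0. "Blocked [IP::client_addr] -> [HTTP::host]$path"
    HTTP::respond 403 content "URL Blocked"
}
```

Two points worth checking before relying on this. IP::client_addr is the source address the BIG-IP sees on the connection; if a proxy or CDN sits in front of the virtual server, every request arrives from the proxy's address and the list will either block everything or allow everything, and deciding whether to trust an X-Forwarded-For header instead is a separate question (it is only meaningful when the upstream proxy is trusted and overwrites the header). Second, the data group lookup is cheap, as IheartF5 says, but a mistyped mask in a data group record (a /23 instead of a /24, for example) silently widens the allowed range, so review the records as carefully as the iRule.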