For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Michael_A__Fied's avatar
Michael_A__Fied
Icon for Nimbostratus rankNimbostratus
May 21, 2010

iRule using URI classes to restrict access

(version 9.4.7) I have been restricting access to certain pools via the following iRule statement: if { [matchclass [IP::client_addr] equals $::TrustedIPs] and [matchclass [HTTP::path] starts_wit...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
May 24, 2010
string map can't recursively perform substitutions:

 

 

 

http://www.tcl.tk/man/tcl8.4/TclCmd/string.htmM34

 

 

string is only iterated over once, so earlier key replacements will have no affect for later key matches.

 

 

 

You could either loop string map while there aren't instances of // or you could use regsub to search for //+ and replace it with /. However, if you're trying to handle obfuscation techniques, there are many more to account for than multiple forward slashes. As you're whitelisting based on IP address, obfuscation attempts might not be so much of a concern though. See these recent posts for more examples:

 

 

irule based on ip and url

 

http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/1171094/afv/topic/Default.aspx1171131

 

 

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3090031324

 

 

Aaron