Forum Discussion
iRule with two data groups both using external files one working (addr) and one not (str)
I have an iRule in place that checks the IP address of an off-site host, then it checks the IP address of the client with a class match to see if it is contained in an external file (type addr). If it is, the node is selected as the off-site host; if not, it checks the name of the client with a class match to see if it is contained in an external file (type str). If it is, the node is selected as the off-site host; if not, the connection is dropped.
The iRule works as far as checking the off-site host and checking the client IP address against the external address list, but when the IP of the client is not in the IP list and the name of the client is, the class match is not matching.
My iRule:
when CLIENT_ACCEPTED {
    # Resolve the off-site relay and the client's reverse name via the resolver at x.x.x.x
    set ips [RESOLV::lookup @x.x.x.x -a "smtp-relay.gmail.com"]
    set nps [RESOLV::lookup @x.x.x.x [IP::client_addr]]
    log local0. "Looked up smtp-relay.gmail.com and found $ips, parsed first element: [lindex $ips 0]"
    log local0. "Looked up client IP and found $nps, parsed first element: [lindex $nps 0]"
    # Allow if the client address is in the addr data group, or its name is in the str data group
    if { [class match [IP::client_addr] equals whitelist-smtps] or
         [class match [lindex $nps 0] ends_with whitelist-smtp-names] } {
        log local0. "accepted client IP = [IP::client_addr]"
        log local0. "accepted client name = [lindex $nps 0]"
        node [lindex $ips 0]
    } else {
        log local0. "smtp client dropped [IP::client_addr]"
        drop
    }
}
The two data groups have external files that were imported into the ifiles area while creating the data groups.
The whitelist-smtps file looks like this:
host 10.32.8.92 := "host1",
host 10.41.69.188 := "host2",
host 10.44.4.158 := "host3",
host 10.63.253.164 := "host4",
host 10.65.11.144 := "host5",
host 10.65.14.220 := "host6",
host 10.66.1.43 := "host7",
And the whitelist-smtp-names file looks like this:
"str1" := "pims.cc.nd.edu",
"str2" := "controls.ame.nd.edu",
"str3" := "maul.chem.nd.edu",
"str4" := "grumpy.cse.nd.edu",
"str5" := "wizard.cse.nd.edu",
"str6" := "ariel.ee.nd.edu",
"str7" := "services.ee.nd.edu",
"str8" := "nomex.eeit.nd.edu",
What am I doing wrong?
5 Replies
- EDIT: the second class match is incorrect... it should be: [class match [lindex $nps 0] equals whitelist-smtp-names] (equals, not ends_with)
- It is still not working though, no matter whether I use equals or ends_with...
Hi Dave,

a datagroup entry is always a key_name=key_value combination (where the value can be empty) and the search is always performed on the key_names. The [class match -value] or simply [class lookup] syntax will then return the key_value instead of the boolean 0 or 1 of the native [class match] syntax.

I guess your iRule isn't working correctly since you compare the reverse-dns-lookup results with the key_names str1, str2, str3, etc. This wouldn't work unless your reverse DNS query would resolve to those strings (which I don't believe). So, my best bet would be that you have to flip the order of the whitelist-smtp-names datagroup, so that the FQDNs would become the key_name.

Additional Note: Also check the format of your key_name=key_value entries. When using external datagroups, then you don't have to specify prefixes in front of each key/value pair.

Cheers, Kai
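The following iRule is an added example written for this page, not code from the original post or from F5. It applies Kai's fix: the string data group is rebuilt with the FQDN as the key (e.g. "pims.cc.nd.edu" := "str1",), so the native [class match] search on key_names succeeds, and [class match -value] returns the label stored as the value. It also covers two edge cases the original rule does not: an empty reverse-lookup result (RESOLV::lookup returns an empty list, which must not fall through to a match on an empty string), and a failed lookup of the relay. The forward-confirmation step is an added hardening assumption, not something the thread proposes: a PTR record is controlled by whoever controls the reverse zone of the source address, so the name is only trusted if it resolves back to the connecting IP. The resolver address x.x.x.x is kept as the placeholder from the original post, and the data group keys are assumed to be lowercase.

```tcl
# Added example (not from the original post or from F5). Assumes:
#   - whitelist-smtps: address data group, as in the original post
#   - whitelist-smtp-names: string data group whose external file has been
#     rebuilt with the FQDN as the key, e.g.
#         "pims.cc.nd.edu"      := "str1",
#         "controls.ame.nd.edu" := "str2",
#   - x.x.x.x is the resolver, a placeholder carried over from the post
when CLIENT_ACCEPTED {
    set dns "x.x.x.x"
    set client [IP::client_addr]
    set allowed 0

    # Address data group: the host/network entry is the key, so the client
    # address is matched directly and the native match returns 1 or 0.
    if { [class match $client equals whitelist-smtps] } {
        set allowed 1
        log local0. "accepted client IP = $client"
    } else {
        # Reverse lookup. The result is a Tcl list that may be empty.
        set ptrs [RESOLV::lookup @$dns -ptr $client]
        set name [string tolower [string trimright [lindex $ptrs 0] "."]]
        if { $name ne "" } {
            # With the FQDN as the key, -value hands back the stored label
            # ("str1" etc.) on a match and an empty string otherwise.
            set label [class match -value -- $name equals whitelist-smtp-names]
            if { $label ne "" } {
                # Added hardening: forward-confirm the PTR name. Anyone who
                # controls the reverse zone of the source address can publish
                # any PTR they like, so require that the name resolves back
                # to the connecting address before trusting it.
                set fwd [RESOLV::lookup @$dns -a $name]
                if { [lsearch -exact $fwd $client] >= 0 } {
                    set allowed 1
                    log local0. "accepted client name = $name ($label)"
                } else {
                    log local0. "PTR $name for $client not forward-confirmed"
                }
            }
        }
    }

    if { $allowed } {
        # Resolve the off-site relay only for accepted clients, and fail
        # closed if the lookup returns nothing.
        set relay [RESOLV::lookup @$dns -a "smtp-relay.gmail.com"]
        if { [llength $relay] == 0 } {
            log local0. "could not resolve smtp-relay.gmail.com, dropping $client"
            drop
            return
        }
        node [lindex $relay 0]
    } else {
        log local0. "smtp client dropped $client"
        drop
    }
}
```

The key/value order matters because [class match] only ever searches the key side of an entry; the value is opaque to the match and is only returned when -value is given. Keeping the match on the client address first means the reverse and forward DNS queries are only paid for clients that are not already on the address list.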
I was basing my original string file on the following link:
https://devcentral.f5.com/articles/irules-data-group-formatting-rules
which shows:

String Classes
With string classes, quotes are necessary on the types and values:

[internal class]
class str_testclass {
    {
        "str1" { "value 1" }
        "str2" { "value 2" }
    }
}

[external class]
class str_testclass_ext {
    type string
    filename "/var/class/str_testclass.class"
    separator ":="
}

[/var/class/str_class.class]
"str1" := "value 1",
"str2" := "value 2",

so I built my file as I saw in the bottom of the link for string classes:
"str1" := "value 1",
and so forth
- Yeah, sometimes those manuals are somewhat confusing... ;-) Cheers, Kai