Forum Discussion
Robert_Sutcliff
Nimbostratus
Aug 15, 2007
matchclass not returning a result
Hi,
I'm trying to set up a simple blacklist iRule to drop connections from clients with an IP that matches an entry in a DataGroup, and log the relevant entry. I use separate Host and Network DataGroups for clarity.
However, matchclass isn't returning any value other than 0 - thus connections are always allowed.
The problem statement(s) are (from the code block below):

    set idxnet [matchclass [IP::client_addr] equals $::blacklistnet]
    set idxaddr [matchclass [IP::client_addr] equals $::blacklistaddr]

If I delete the DataGroups and recreate them, the rule will work for one connection (i.e. drops it), then it constantly fails (i.e. allows connections from a blacklisted machine).

    when CLIENT_ACCEPTED {
        # Check the network data group first; a non-zero result is treated
        # as a 1-based index into the data group.
        set idxnet [matchclass [IP::client_addr] equals $::blacklistnet]
        log local0. "idxnet = $idxnet - ip = [IP::client_addr]"
        if { $idxnet > 0 } {
            set valnet [lindex $::blacklistnet [expr {$idxnet - 1}]]
            log local0. "Subnet Blacklisted - [IP::client_addr] matched $valnet"
            drop
            return
        } else {
            # No network match: check the host data group the same way.
            set idxaddr [matchclass [IP::client_addr] equals $::blacklistaddr]
            log local0. "idxaddr = $idxaddr - ip = [IP::client_addr]"
            if { $idxaddr > 0 } {
                set valaddr [lindex $::blacklistaddr [expr {$idxaddr - 1}]]
                log local0. "Address Blacklisted - [IP::client_addr] matched $valaddr"
                drop
                return
            } else {
                log local0. "Address Allowed - [IP::client_addr]"
            }
        }
    }

The output I get (from the log statements) is -
: indexnet = 0 - ip = xxx.xxx.xxx.xxx
: indexaddr = 0 - ip = xxx.xxx.xxx.xxx
: Address Allowed - xxx.xxx.xxx.xxx
Any ideas?
(We're running BIG-IP 9.4.1 Build 29.0)
5 Replies
- Craig_Holland_2
Nimbostratus
Can't say I know why this isn't working, but perhaps using IP::addr function will make the comparisons easier.
- Deb_Allen_18
Historic F5 Account
IP::addr is not necessary when using matchclass for address comparisons.
- Robert_Sutcliff
Nimbostratus
Yes, and neither definitions of a host or network are matched
- Robert_Sutcliff
Nimbostratus
Hi,
- Deb_Allen_18
Historic F5 Account
Hi Rob --