matching a host or network inside a data group using class match

Awesome question...I imagine it would go top to bottom as far as your list goes. If you're using 10.1, you can use the "value field," use different values for your 2 entries, and log the value for the one that gets hit.

Chris,

 

i did it, this is the result

 

In bigip.conf the class is...

 

class NavControlAndSnat {

 

{

 

network 192.168.1.0/24 { "172.17.170.12" }

 

network 192.168.163.0/24 { "172.17.170.11" }

 

host 192.168.163.228 { "172.17.170.103" }

 

host 192.168.163.229 { "172.17.170.103" }

 

}

 

}

 

 

the irule is....

 

when CLIENT_ACCEPTED {

 

set snataddr [class match -value [IP::client_addr] equals $::NavControlAndSnat ]

 

if { not ($snataddr equals "") } {

 

log local0. "i am [IP::client_addr] my snat is $snataddr"

 

snat $snataddr

 

}

 

else {

 

log local0. "drop traffic from [IP::client_addr]"

 

}

 

}

 

 

and the log is...

 

Aug 9 09:44:42 local/tmm info tmm[5761]: Rule NavControlAndSnat : i am 192.168.163.29 my snat is 172.17.170.11

 

Aug 9 09:44:43 local/tmm info tmm[5761]: Rule NavControlAndSnat : i am 192.168.163.229 my snat is 172.17.170.103

 

Aug 9 09:44:43 local/tmm info tmm[5761]: Rule NavControlAndSnat : i am 192.168.163.20 my snat is 172.17.170.11

 

Aug 9 09:44:44 local/tmm info tmm[5761]: Rule NavControlAndSnat : i am 192.168.1.168 my snat is 172.17.170.12

 

Aug 9 09:44:44 local/tmm info tmm[5761]: Rule NavControlAndSnat : i am 192.168.163.29 my snat is 172.17.170.11

 

 

conclusion...

 

looks like "class match" match the most exact ip definition in the class...like a route resolution.

 

there is a document explaining this feature?

 

 

thanks

 

Awesome exercise Juan! I suppose the "most specific match" does follow F5's logic since that's how they handle VIPs. I unfortunately cannot locate a precise wiki on "Data Groups"

In general, way BigIP resolves ambiguity like this is that it matches most specific first, so this makes perfect sense. It holds true for VIPs (e.g. a VS definition like 0.0.0.0:80 will match HTTP, while 0.0.0.0:0 handles everything else) as well as data groups and any other potential 'multi-match' situation I can think of. The more specific match will (and should) always win.

 

 

-Matt

I would imagine that rule changes when you use "contains, ends_with, starts_with", correct?

 

 

Bhattman

Posted By The Bhattman on 08/09/2010 09:06 AM

 

I would imagine that rule changes when you use "contains, ends_with, starts_with", correct?

 

 

Bhattman

 

 

What would syntax look like in a situation like that? If we have a network-type datagroup with 1.1.1.0/24 while our IP was 1.1.1.1, how could we ever match using starts_with?

I believe that syntax is specific to string type data groups. BigIP treats IP/subnet groups differently. Someone please correct me if I am wrong.

 

 

-Matt

Actually, for IP/networks, equals and starts_with would effectively be the same. Eg: is it not true that 1.1.1.1 starts_with 1.1.1.0/24? So, under the covers, the matching actually uses more of a starts_with type of logic when matching IP's. However, when matching IP datagroups you will only be allowed to use the "equals" operator. The other operators are not allowed.

thanks, data group type ip is clear for me now.

 

now i have a new problem...access control to ftp...

 

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1172852/aff/5/afv/topic/showtab/groupforums/Default.aspx

 

Posted By unRuleY on 08/09/2010 01:39 PM

 

Actually, for IP/networks, equals and starts_with would effectively be the same. Eg: is it not true that 1.1.1.1 starts_with 1.1.1.0/24? So, under the covers, the matching actually uses more of a starts_with type of logic when matching IP's. However, when matching IP datagroups you will only be allowed to use the "equals" operator. The other operators are not allowed.

 

 

I haven't tested this, but assumed that starts_with is simply a string and wouldn't understand a network/mask type comparison..would 1.1.1.1 really start with 1.1.1.0/24?