matching two classes - iRule 10.2.4

Replace || with &&. It looks like you want both conditions to be met for the connection to be dropped and logged. Therefore you need to AND instead of OR.

 

 

Condition 1: ! [class match [substr [X509:subject [SSL::cert 0]] 3 ","] equals CLASS-1 ]

 

Condition 2: ! [class match [substr [X509:subject [SSL::cert 0]] 3 ","] equals CLASS-2 ]

 

 

Hope this helps.

No, I'm really looking for an OR condition. I tried && to, and it still throws a PARSE error.

Let me explain a bit more:

 

 

b class CLASS-1 '{

 

{

 

"CN=XXXXXX,"

 

}

 

}'

 

 

b class CLASS-2 '{

 

{

 

"CN=YYYYY,"

 

}

 

}'

 

 

 

This works:

 

when CLIENTSSL_CLIENTCERT {

 

 

if {[SSL::cert count] > 0}{

 

if { ! [class match [substr [X509::subject [SSL::cert 0]] 3 ","] equals CLASS-1 ] } {

 

log local0. "Client dropped :[substr [X509::subject [SSL::cert 0]] 3 ","]"

 

drop

 

}

 

}

 

}

 

 

However when trying to add CLASS-2 as a OR condition I get a TCL error(below iRule):

 

 

when CLIENTSSL_CLIENTCERT {

 

if {[SSL::cert count] > 0}{

 

set X509_subject [X509::subject [SSL::cert 0]]

 

if { { ! [class match [substr $X509_subject 3 ","] equals CLASS-1] } || {!([class match [substr $X509_subject 3 ","] equals CLASS-2] } } {

 

log local0. "Client dropped :[substr [X509::subject [SSL::cert 0]] 3 ","]"

 

drop

 

}

 

}

 

}

 

 

Apr 5 15:07:55 local/tmm3 err tmm3[6610]: 01220001:3: TCL error: test-iRule - expected boolean value but got " ! [class match [substr $X509_subject 3 ","] equal" while executing "if { { ! [class match [substr $X509_subject 3 ","] equals CLASS-1 ] } || {!([class match [substr $X509_subject 3 ","] equals CLASS-2..."

 

 

I got this to work using the following:

set X509_subject [substr [X509::subject [SSL::cert 0]] 3 ","]
log local0. "X509-subject-CN:$X509_subject"
if { ! ( [class match $X509_subject equals CLASS-1 ] || [class match $X509_subject equals CLASS-2] ) } {
log local0. "Client dropped :$X509_subject"
drop