Forum Discussion

Leslie_South_55's avatar
Leslie_South_55
Icon for Nimbostratus rankNimbostratus
Jan 31, 2008

Multiple matchclass + "if" AND "if not"

I am trying to use both an 'if' and an 'if not' statement where both statements are looking at 2 different external class files. Here is the rule:


when HTTP_REQUEST {
      log local0 "requested [HTTP::uri]"
   if {not [matchclass [string tolower [HTTP::uri]] contains $::uri_block] } {
    if {[matchclass [IP::client_addr] equals $::allowed] } {
      log local0.  "Valid Packet: [IP::client_addr] - [HTTP::uri] forwarding traffic"
 } else  {
      log local0. "Invalid Packet: [IP::client_addr] - [HTTP::uri] discarding"
     discard
   }
  }
 }

it does not seem to be reading the entire rule, as I get log entries as follows:

: Valid Packet: 10.2.6.31 - /AeXHD/user/default.aspx forwarding traffic

where the "user" is defined in the uri_block class (what I am trying to block access to)

and 10.2.6.31 is defined in the allowed class (one of the allowed client IP's)

Any help much appreciated.

-L
application delivery
dev
devops
iRules

5 Replies

  • Leslie_South_55's avatar
    Leslie_South_55
    Icon for Nimbostratus rankNimbostratus
    Jan 31, 2008
    I can do this with 2 rules on the VS, and I guess that is OK, just was trying to get it all in one rule.

     

     

    -L
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 31, 2008
    Can you try wrapping the conditional test you're not'ing in parens?

    
when HTTP_REQUEST {
   log local0 "requested [HTTP::uri]"
   if {not ([matchclass [string tolower [HTTP::uri]] contains $::uri_block])} {
      if {[matchclass [IP::client_addr] equals $::allowed] } {
         log local0.  "Valid Packet: [IP::client_addr] - [HTTP::uri] forwarding traffic"
      } else  {
         log local0. "Invalid Packet: [IP::client_addr] - [HTTP::uri] discarding"
         discard
      }
   }
}

    Aaron
  • Leslie_South_55's avatar
    Leslie_South_55
    Icon for Nimbostratus rankNimbostratus
    Jan 31, 2008
    Aaron,

     

    I added the parens as per your suggestion, but still no go. Not sure if this is the app or not, but I get 4 HTTP_REQUESTs that include text I am tring to restrict before the valid packet log statement is getting generated, here is the log

     

     

     

    : requested /aexhd/user

     

    : requested /aexhd/user

     

    : requested /aexhd/user

     

    : requested /aexhd/user/

     

    : requested /AeXHD/css/styles.css

     

    : Valid Packet: 10.2.6.31 - /AeXHD/css/styles.css forwarding traffic

     

     

     

     

    my uri_block class file has "user" defined

     

     

    -L
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 31, 2008
    Actually, I think I missed part of what you're trying to do. Do you want to allow the request if the requested URI is not in the blocked URI class or if the client IP is in the allowed IP's class; and drop all other requests?

    If so, I think this should work and be slightly clearer:

    
when HTTP_REQUEST {
   log local0 "requested [HTTP::uri]"
   if {not ([matchclass [string tolower [HTTP::uri]] contains $::uri_block]) or [matchclass [IP::client_addr] equals $::allowed]} {
      log local0.  "Valid Packet: [IP::client_addr] - [HTTP::uri] forwarding traffic"
   } else  {
      log local0. "Invalid Packet: [IP::client_addr] - [HTTP::uri] discarding"
      discard
   }
}

    Aaron
  • Leslie_South_55's avatar
    Leslie_South_55
    Icon for Nimbostratus rankNimbostratus
    Jan 31, 2008
    I need to match on BOTH, so I changed the 'or' to 'and'...now I'm in buisness...funy thing is I tried the AND between the if statements on my first attempt and ketp getting all sorts of syntax errors, must have been the misplaced parens.

     

     

    Thanks Aaron for your assistance.

     

     

    -L