Kevin_Nail
Mar 08, 2011 Nimbostratus
Need some help with an iRule
I have an iRule that appears to be processing correctly but does not drop my connection when it should. Please help!!
I have created 2 external data classes and to make this work, I added the US into the blocked_country data class.
when HTTP_REQUEST {
    # Check if country code is a part of the embargoed list
    log local0.debug "IRule has been triggered"
    log local0.debug "Connection attempt from country [whereis [IP::client_addr] country]"
    if { ([class match [whereis [IP::client_addr] country] equals blocked_country]) } {
        log local0.debug "The [whereis [IP::client_addr] country] is a part of the embargoed list"
        # Country code matched the embargoed list. Check the IP exception list
        if { ([class match [IP::client_addr] equals ip_exception]) } {
            log local0.debug "[IP::client_addr] Your IP was approved via the exception list"
            # Client IP matched the class, so allow it
        } else {
            drop
            log local0.debug "[IP::client_addr] was NOT approved via the exception list"
            log local0.debug "Dropping connection"
        }
    } else {
        log local0.debug "[whereis [IP::client_addr] country] Country approved"
    }
}
This is what it logs:
Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : IRule has been triggered
Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : Connection attempt from country US
Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : The US is a part of the embargoed country list
Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : x.x.x.x was NOT approved via the exception list
Mar 8 15:50:36 local/tmm debug tmm[4948]: Rule GEOIP_Final : Dropping connection
And yet, I still get the page that I should not be seeing. What have I got out of place? Should the "drop" be the very last thing?