For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Lisa_Boyd_53788's avatar
Lisa_Boyd_53788
Icon for Nimbostratus rankNimbostratus
Dec 07, 2005

New to matchclass+IP::remote_addr & Data Group List

Goal: To restrict access to webservers via ip address

 

 

Three Data Groups were created: My-Nets, Cus-Health & Thomson-ExternalNets. If remote ip addresses are in Data Group List My-Nets or Cus-Health they are directed to the correct pool of webservers, otherwise if the remote ip addresses belong to the Thomson-ExternalNets group they are re-directed to MSN's or CNN's website.

 

 

Problem:

 

 

My ip address is part of the Thomson-ExternalNets Data Group, yet when I enter in/login with CustomerX creditenials, I am not re-directed to MSN's or CNN's website.

 

 

Current iRule in place:

 

 

elseif {[HTTP::uri] starts_with "/CustomerX/"} {

 

if { [matchclass [IP::remote_addr] equals $::My-Nets] } {

 

pool Test-Cus-Bambi

 

}

 

elseif { [matchclass [IP::remote_addr] equals $::Cus-Health] } {

 

pool Test-Cus-Bambi

 

}

 

elseif { [matchclass [IP::remote_addr] equals $::Thomson-ExternalNets] } {

 

HTTP::redirect "http://www.msn.com/"

 

}

 

else {

 

HTTP::redirect "http://www.cnn.com/"

 

}

 

}

 

 

 

Can someone offer some suggestions on what the issue maybe?

 

 

-Lisa

 

application delivery
dev
devops
iRules

1 Reply

  • Joe_Pruitt's avatar
    Joe_Pruitt
    Dec 07, 2005
    What you are looking at doing should be possible. Since you haven't posted a complete iRule, we can't tell if there is a problem elsewhere in the code. I would recommend you add logging statements at each path in your code so that you can diagnose for yourself where the control flow is failing you.

     

     

    ie.

     

     

    if { [matchclass [IP::remote_addr] equals $::My-Nets] } {
  log local0. "address [IP::remote_addr] found in class My-Nets"
  pool Test-Cus-Bambi
} elseif { [matchclass [IP::remote_addr] equals $::Cus-Health] } {
  log local0. "address [IP::remote_addr] found in class Cus-Health"
  pool Test-Cus-Bambi
}...

     

     

    Then look in the /var/log/ltm file for the output. This should help you figure out what's going on.

     

     

    Another thing I might mention is that if your data groups are quite large, you can compare IP addresses with subnet masks. That way you can just enter a subnet into your data group. Search the Forums for "IP::addr" and "matchclass". If you need to specify single addresses, then this option probably won't help.

     

     

    -Joe