Forum Discussion
DM_5174
Nimbostratus
Feb 13, 2012
POSSIBLE BUG WITH MATCHCLASS ON LTM??
Hi All,
I have an issue that does not make any sense, since the same code works for another iRule when applied to a different virtual server.
Below is a maintenance redirect iRule, and below are the objectives.
OBJECTIVE: Allow IP not defined in the data-group to get maintenance page, and if your IP matches what is in the data group, you do NOT get sent to the maintenance page.
1. If your source IP address DOES match either "199.200.99.150" or "199.200.99.151", then skip the redirect to maintenance page and go to WEB_POOL1 if your URI matches "/app.." if not then you go to the default WEB_POOL2.
2. If, however your IP address DOES NOT match what is in the "CORPORATE-ISP" datagroup, you will get redirected to "http://www.mysite.com/maintenance/maintenance.htm"
PROBLEM:
The problem here is if your source IP address matches what is in the Corporate-ISP data group, you still get redirected to the "http://www.mysite.com/maintenance/maintenance.htm" Page.
Can anyone please let me know what I am doing wrong, or if there is a better way of doing this?
LOGS FROM LTM
Feb 11 15:53:06 tmm tmm[933]: Rule MAINTENANCE-IRULE : 200.22.196.190 matched an allowed host.
Feb 11 15:53:06 tmm tmm[933]: Rule MAINTENANCE-IRULE : 163.152.231.212 matched an allowed host.
Feb 11 15:53:11 tmm tmm[933]: Rule MAINTENANCE-IRULE : 68.12.196.178 matched an allowed host.
```tcl
class CORPORATE-ISP {
    host 199.200.99.150
    host 199.200.99.151
}
```

```tcl
when HTTP_REQUEST {
    # Check if client host IP is in the datagroup or not, if not then redirect
    # (this branch runs for clients that did NOT match the data group)
    if {!([matchclass [IP::client_addr] equals $::CORPORATE-ISP])}{
        log local0. "[IP::client_addr] matched an allowed host."
        HTTP::redirect "http://www.mysite.com/maintenance/maintenance.htm"
    } else {
        set stime 10
        switch -glob [string tolower [HTTP::uri]] {
            "/app1*" -
            "/app2*" -
            "/app3*" -
            "/app4*" -
            "/app5*" -
            "/app6*" -
            "/app7*" -
            "/app8*" -
            "/app9*" { pool WEB_POOL1 }
            default { pool WEB_POOL2 }
        }
    }
}
```
10 Replies
- hoolio
Cirrostratus
Hi DM,
If you're on 9.4.4 or higher, remove the $:: prefix from the CORPORATE-ISP data group reference in the iRule. In 9.4.4 - 9.4.8 it will just break CMP but work. In 10.x using the $:: prefix will not work at all.
Aaron
- DM_5174
Nimbostratus
Hi Aaron,
The version of LTM we are running is 9.3.1 (37.1)...
Does the code look correct to you?
Thanks,
DM
- hoolio
Cirrostratus
For 9.3.x, I think you'll have an issue with the hyphen in the data group name. You can either escape it with curly braces:
```tcl
if {!([matchclass [IP::client_addr] equals ${::CORPORATE-ISP}])}{
```
Or replace the hyphen with an underscore in both the data group name and the iRule reference:
```tcl
if {!([matchclass [IP::client_addr] equals $::CORPORATE_ISP])}{
```
And there are a thousand reasons (bug fixes, security fixes, feature enhancements) to upgrade from 9.3.1. 10.2.3 would be a good option for a stable version.
Aaron
- DM_5174
Nimbostratus
Thanks so much Aaron! We will try this and see if that works. I agree with you on the upgrade, but unfortunately we will need to get new hardware since the one we have does not support 10.x and up.
-DM
- DM_5174
Nimbostratus
Hi Aaron,
I tried changing the data group name to just "ISP" and still it is not working. It is redirecting all users, even if the user is coming from a host that matches the IP address listed in the data group, to the maintenance page. Is there another way of doing this without using the data group and just the two IP addresses (199.200.99.150 and 199.200.99.151) in the code?
```tcl
if {!([matchclass [IP::client_addr] equals $::ISP])}{
```
BTW: I have the same code in an iRule named differently used with another VS and it works. So this is where I don't know if it is a bug where the LTM does not parse this one.
Thanks again,
-DM
- DM_5174
Nimbostratus
Hi Aaron or anyone -
I tried changing the data group name to just "ISP" and still it is not working. It is redirecting all users, even if the user is coming from a host that matches the IP address listed in the data group, to the maintenance page. Is there another way of doing this without using the data group and just the two IP addresses (199.200.99.150 and 199.200.99.151) in the code?
Thanks for the help.
-DM
- nitass
Employee
> Is there another way of doing this without using the data group and just the two IP address (199.200.99.150 and 199.200.99.151) in the code?
can you try something like this?
```tcl
when HTTP_REQUEST {
    if {not ([IP::addr [IP::client_addr] equals 199.200.99.150]) and \
        not ([IP::addr [IP::client_addr] equals 199.200.99.151])} {
        log local0. "do"
    } else {
        log local0. "do something else"
    }
}
```
- DM_5174
Nimbostratus
Hi Nitass,
Here is my code... Does this look good?
```tcl
when HTTP_REQUEST {
    # Check if client host IP is in the datagroup or not, if not then redirect
    if {not ([IP::addr [IP::client_addr] equals 199.200.99.150]) and \
        not ([IP::addr [IP::client_addr] equals 199.200.99.151])} {
        HTTP::redirect "http://www.mysite.com/maintenance/maintenance.htm"
    } else {
        set stime 10
        switch -glob [string tolower [HTTP::uri]] {
            "/app1*" -
            "/app2*" -
            "/app3*" -
            "/app4*" -
            "/app5*" -
            "/app6*" -
            "/app7*" -
            "/app8*" -
            "/app9*" { pool WEB_POOL1 }
            default { pool WEB_POOL2 }
        }
    }
}
```
-DM
- nitass
Employee
yes, it looks fine for me. :-)
- hoolio
Cirrostratus
> It is redirecting all users, even if the user is coming from a host that matches the IP address listed in the data group to the maintenance page.
That's really odd. It might be worth opening a case with F5 Support as this should "just work".
Aaron
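Aaron's point above about the hyphen in the data group name can be checked in plain tclsh, without an LTM. The block below is an added example, not code from the thread or from F5: a Tcl list stands in for the data group and lsearch stands in for matchclass, so it only shows how Tcl parses the three ways of writing the reference, not how a given LTM version validates an iRule. The practical lesson for any allow-list check is the same: test it with one listed client and one unlisted client, because a reference that resolves to the wrong value fails for both alike.

```tcl
# Added example (not from the thread): plain tclsh, no LTM needed.
# A Tcl list stands in for the LTM data group, lsearch for matchclass.
set {::CORPORATE-ISP} {199.200.99.150 199.200.99.151}

# Returns "allowed", "redirect" or "error: ..." for one client address and
# one way of writing the data group reference. ref is passed as text so the
# $ substitution happens here, exactly as it would when the iRule runs.
proc decide {client ref} {
    if {[catch {subst $ref} members]} {
        return "error: $members"
    }
    if {[lsearch -exact $members $client] >= 0} {
        return "allowed"
    }
    return "redirect"
}

# One listed client and one unlisted client (the unlisted one is taken from
# the log lines in the original post).
foreach client {199.200.99.150 200.22.196.190} {
    # 1. Bare reference: Tcl ends the variable name at the hyphen, so this
    #    reads $::CORPORATE followed by the literal text "-ISP". No variable
    #    named ::CORPORATE exists, so the check never consults the list.
    puts "$client bare   -> [decide $client {$::CORPORATE-ISP}]"
    # 2. Braced reference: the whole name, hyphen included, is looked up.
    puts "$client braced -> [decide $client {${::CORPORATE-ISP}}]"
}

# 3. Renaming with an underscore sidesteps the parsing question entirely.
set ::CORPORATE_ISP ${::CORPORATE-ISP}
puts "199.200.99.151 underscore -> [decide 199.200.99.151 {$::CORPORATE_ISP}]"
```

The bare form prints an error for both clients, while the braced and underscore forms print "allowed" for the listed addresses and "redirect" for the unlisted one.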