Forum Discussion
Jason_40769
Nimbostratus
Aug 09, 2010
Subwebsite ACL
We have a subsite that we would like to have an ACL for, and I'm trying to figure out how to do it. The site would be www.mysitename.com/admin, and I only want a certain host IP and network to access it. Here is what I found on DevCentral, but I get errors.
12 Replies
- Jason_40769
Nimbostratus
# Data group (class) definitions: the protected path and the permitted sources
class subsite {
    "/admin"
}
class allow {
    host 215.45.65.25
    network 192.168.0.1 255.255.255.0
}

# Drop the connection when the lower-cased URI contains a protected path
# and the client address is not in the allow list
when HTTP_REQUEST {
    if { not [matchclass [IP::client_addr] equals $::allow] && [matchclass [string tolower [HTTP::uri]] contains $::subsite] } {
        discard
    } else {
        # allowed: nothing to do
    }
}
The errors are:
01070151:3: Rule [subsite_ACL] error: line 1: [command is not valid in the current scope] [class subsite { "/admin" } ]
line 5: [command is not valid in the current scope] [class allow { host 216.81.150.194 network 192.168.0.1 255.255.255.0 } ]
Please help!
- Chris_Miller
Altostratus
when HTTP_REQUEST {
    if { [matchclass [string tolower [HTTP::uri]] contains $::subsite] and [matchclass [IP::client_addr] ne $::allow] } {
        discard
    }
}
What version are you using? You could optimize this quite a bit if you're on 10.x.
- Jason_40769
Nimbostratus
10.1.0
- Chris_Miller
Altostratus
Posted By Jason@musl.com on 08/09/2010 05:41 PM: 10.1.0
Let's go with this then:
when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::uri]] contains subsite] and [class match [IP::client_addr] ne allow] } {
        discard
    }
}
Let me know if you have any issues with that.
- Jason_40769
Nimbostratus
Still the same problem with line 1 and 5. Must not be defining something or it isn't written correctly. - Jason_40769
Nimbostratus
Also, the most recent code you wrote returns several new errors as well.
01070151:3: Rule [subsite_ACL] error: line 1: [command is not valid in the current scope] [class subsite { "/admin" } ]
line 5: [command is not valid in the current scope] [class allow { host 216.81.150.194 network 192.168.0.1 255.255.255.0 } ]
line 11: [can't find value_list] [class match [string tolower [HTTP::uri]] contains subsite]
line 11: [invalid operator "ne" must be: contains ends_with equals starts_with] [class match [IP::client_addr] ne allow]
- Chris_Miller
Altostratus
Posted By Jason@musl.com on 08/09/2010 07:06 PM:
Also, the most recent code you wrote returns several new errors as well.
01070151:3: Rule [subsite_ACL] error: line 1: [command is not valid in the current scope] [class subsite { "/admin" } ]
line 5: [command is not valid in the current scope] [class allow { host 216.81.150.194 network 192.168.0.1 255.255.255.0 } ]
line 11: [can't find value_list] [class match [string tolower [HTTP::uri]] contains subsite]
line 11: [invalid operator "ne" must be: contains ends_with equals starts_with] [class match [IP::client_addr] ne allow]
This compiles for me:
when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::uri]] contains subsite] and ![class match [IP::client_addr] eq allow] } {
        discard
    }
}
- L4L7_53191
Nimbostratus
Jason: Use the GUI to add these. I replicated your issue on 10.2, but I am able to use the rule (without class definitions at the top) fine if I define the classes in the admin interface. To do this, go to iRules -> Data Group List -> +, then add a string type for your subsite definition for /admin (leave the value blank), then choose network for your network class. Then you should be able to start using your rule and tuning it from there. Chris is correct that we can optimize a bit, by the way.
-Matt
- Jason_40769
Nimbostratus
OK, if I type:
# Data group (class) definitions inside the iRule
class subsite {
    "/admin"
}
class allow {
    host 215.45.65.25
    network 192.168.0.1 255.255.255.0
}

# Drop the connection when the lower-cased URI contains a protected path
# and the client address is not in the allow data group
when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::uri]] contains subsite] and ![class match [IP::client_addr] eq allow] } {
        discard
    }
}
I get:
01070151:3: Rule [subsite_ACL] error: line 1: [command is not valid in the current scope] [class subsite { "/admin" } ]
line 5: [command is not valid in the current scope] [class allow { host 215.45.65.25 network 192.168.0.1 255.255.255.0 } ]
line 11: [can't find value_list] [class match [string tolower [HTTP::uri]] contains subsite]
line 11: [can't find value_list] [class match [IP::client_addr] eq allow]
- Jason_40769
Nimbostratus
Ahh, Thanks L4L7. I was missing that step. The rule works now, thank you both!!
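The final iRule in this thread denies a request when the lower-cased HTTP::uri contains an entry of the "subsite" string data group and IP::client_addr is not covered by the "allow" address data group. The Python below is an added, offline model of that decision, not code from the thread or from F5 (iRules are Tcl and only run on a BIG-IP). The data group contents are the values posted in the thread, the client addresses and request URIs are constructed for the example, and the "normalized prefix" matcher is an alternative check added here to show two properties of the thread's rule: "contains" also fires on paths such as /images/administrator.png and on query strings that mention /admin, and because HTTP::uri is the URI as sent by the client, a percent-encoded request such as /%41dmin/ is not caught at all. Canonicalizing the path first (percent-decode, collapse slashes, resolve dot segments, lower-case) and then matching on the prefix closes that gap.

```python
"""Offline model of the /admin ACL iRule discussed in this thread (constructed
example; not F5 code and not an iRule).  It reproduces the decision the final
rule makes and contrasts it with a check on a normalized path."""
import ipaddress
from urllib.parse import unquote

# Data groups with the values posted in the thread.
SUBSITE = ["/admin"]                                                    # string data group "subsite"
ALLOW = [ipaddress.ip_network("215.45.65.25/32"),                       # "host 215.45.65.25"
         ipaddress.ip_network("192.168.0.1/255.255.255.0", strict=False)]  # "network 192.168.0.1 255.255.255.0"


def client_allowed(client_ip: str) -> bool:
    """Model of [class match [IP::client_addr] eq allow]: host or network containment."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOW)


def uri_matches_contains(uri: str) -> bool:
    """Model of [class match [string tolower [HTTP::uri]] contains subsite]."""
    low = uri.lower()
    return any(entry in low for entry in SUBSITE)


def normalize_path(uri: str) -> str:
    """Canonical path: drop query/fragment, percent-decode, collapse '/',
    resolve '.' and '..', lower-case.  Decoding before splitting means an
    encoded slash (%2F) also acts as a separator, which is the conservative
    choice when the goal is to protect a path prefix."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments).lower()


def uri_matches_prefix(uri: str) -> bool:
    """Protected when the normalized path is an entry of SUBSITE or below it."""
    path = normalize_path(uri)
    return any(path == entry or path.startswith(entry + "/") for entry in SUBSITE)


def decide(uri: str, client_ip: str, matcher=uri_matches_contains) -> str:
    """Return 'discard' or 'allow', mirroring the iRule's if/discard."""
    if matcher(uri) and not client_allowed(client_ip):
        return "discard"
    return "allow"


if __name__ == "__main__":
    # Constructed requests from an address that is not in the allow list.
    samples = ["/admin/users", "/ADMIN", "/%41dmin/users",
               "/images/administrator.png", "/static/app.js?next=/admin",
               "/public/../admin"]
    print(f"{'uri':32} {'contains (thread rule)':24} normalized prefix")
    for uri in samples:
        print(f"{uri:32} {decide(uri, '10.0.0.5'):24} "
              f"{decide(uri, '10.0.0.5', uri_matches_prefix)}")
```

On the BIG-IP itself the equivalent of the normalized check is to decode the path (URI::decode on HTTP::path) before comparing it with starts_with against the data group; note that "discard" silently drops the connection, so a blocked client sees a timeout rather than a 403.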