gomebe_33353
May 11, 2016

TCL error

TCL error: /Common/v3CSR-IP-CHECK - invalid IP network mask specification (line 9)invalid IP match item 63.x.x.x 64.x.x.x for IP class /Common/v2whitelist_client (line 9) invoked from within "class match [HTTP::header values "X-Forwarded-For"] equals v2whitelist_client"

Public -> WAF -> F5. The F5 needs to read X-Forward

when HTTP_REQUEST {
    if { [class match [HTTP::path] starts_with protectedpaths ] } {
        if { [class match [HTTP::header values "X-Forwarded-For"] equals v2whitelist_client] } {
            log local0. "Allowed Request From: [IP::remote_addr]"
        } else {
            HTTP::redirect "http://www.domains/errors/error.html"
            log local0. "Denied Request From: [IP::remote_addr]"
        }
    }

    if { [class match [HTTP::path] starts_with kargopath ] } {
        if { [class match [HTTP::header values "X-Forwarded-For"] equals whitelist_kargo] } {
            log local0. "Allowed Request From: [IP::remote_addr]"
        } else {
            HTTP::redirect "http://www.domains/errors/error.html"
            log local0. "Denied Request From: [IP::remote_addr]"
        }
    }
}

1 Reply

  • Hello,

    When you have more than one IP address in the X-Forwarded-For header, your iRule generates this Tcl error.

    You should replace

    if { [class match [HTTP::header values "X-Forwarded-For"] equals v2whitelist_client] } {
        log local0. "Allowed Request From: [IP::remote_addr]"
    } else {
        HTTP::redirect "http://www.domains/errors/error.html"
        log local0. "Denied Request From: [IP::remote_addr]"
    }
    

    with:

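    # Check each X-Forwarded-For value on its own instead of passing the whole list to class match
    foreach ipaddress [HTTP::header values "X-Forwarded-For"] {
        if { [class match $ipaddress equals v2whitelist_client] } {
            log local0. "Allowed Request From: [IP::remote_addr]"
        } else {
            HTTP::redirect "http://www.domains/errors/error.html"
            log local0. "Denied Request From: [IP::remote_addr]"
            # Stop here: a second HTTP::redirect in the same request raises a Tcl error
            return
        }
    }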
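
A variant of the rule discussed above, as an added example that is not part of the original thread or F5's own code. It evaluates only the X-Forwarded-For entry written by the WAF and never issues more than one redirect per request. Assumptions: the WAF appends the address it saw as the last X-Forwarded-For entry (earlier entries arrive from the client unverified), and the first matching path list decides which data group applies; the variable names are hypothetical.

```tcl
when HTTP_REQUEST {
    # Pick the allowlist data group guarding this path (names from the thread).
    if { [class match [HTTP::path] starts_with protectedpaths] } {
        set allowlist v2whitelist_client
    } elseif { [class match [HTTP::path] starts_with kargopath] } {
        set allowlist whitelist_kargo
    } else {
        return
    }

    # Flatten every X-Forwarded-For header, and every comma-separated
    # entry inside each header, into one ordered list of hops.
    set hops [list]
    foreach value [HTTP::header values "X-Forwarded-For"] {
        foreach hop [split $value ","] {
            set hop [string trim $hop]
            if { $hop ne "" } { lappend hops $hop }
        }
    }

    # Assumption: only the last hop was written by the WAF, so it is the
    # only entry compared against the allowlist. Empty list gives "".
    set client [lindex $hops end]

    # catch turns a malformed address into a deny instead of the
    # "invalid IP match item" Tcl error from the question.
    set allowed 0
    if { $client ne "" } {
        catch { set allowed [class match $client equals $allowlist] }
    }

    if { $allowed } {
        log local0. "Allowed request from $client via [IP::remote_addr]"
    } else {
        # Exactly one redirect per request.
        HTTP::redirect "http://www.domains/errors/error.html"
        log local0. "Denied request from '$client' via [IP::remote_addr]"
    }
}
```

A request with no X-Forwarded-For header at all is denied here, because `$client` is empty and `allowed` stays 0.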