Forum Discussion
sidiov
Nimbostratus
NimbostratusTrouble with a irule using a data group
I am attempting to drop several user agent headers that hit a website consistantly with bad traffic, I wanted to use a data group for a list of agents, but when i use it, it drops all connections.
Here is the data group irule:
when HTTP_REQUEST { if {[matchclass [string tolower [HTTP::header "User-Agent"]] contains $::danger-user-agents] } { drop } }
danger-user-agents group contains 2 strings:
zmeu
black hole
If I manually specify the names it works:
when HTTP_REQUEST { if { [string tolower [HTTP::header "User-Agent"]] contains "zmeu" } {drop} elseif { [string tolower [HTTP::header User-Agent]] contains "black hole" } {drop} }
What am I doing wrong in the data group version?
I do have a similar data group working for another site's irule that drops based on uri strings, and that works fine:
3 Replies
hoolioCirrostratus
If you're on 9.4.4 or higher, you should remove the $:: prefix from the datagroup name. If you're on 10.0+ you should use class match instead of matchclass:when HTTP_REQUEST { if {[class match [string tolower [HTTP::header "User-Agent"]] contains danger-user-agents] } { drop } }
If you run into issues with drop, try reject instead.
Aaron- hoolioActually, the issue is with the hyphens in the datagroup name. Can you change them to underscores or wrap the datagroup name inthe iRule in curly braces:
when HTTP_REQUEST { if {[class match [string tolower [HTTP::header "User-Agent"]] contains {danger-user-agents}] } { drop } }
Or if you change the datagroup name:when HTTP_REQUEST { if {[class match [string tolower [HTTP::header "User-Agent"]] contains danger_user_agents}] } { drop } }
Without the curly braces, the hyphen in TCL (and iRules) breaks up the variable (or class) name.
Aaron 
sidiovThanks!
I changed the name and removed the $:: and everything worked. I update to class match as well and everything is good. Thanks.
