For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JP_42120's avatar
JP_42120
Icon for Nimbostratus rankNimbostratus
Dec 02, 2014

Trying to add more restrictions to exiting iRule with flags

Hi, we are trying to additional restrictions based on new IP and URL to existing rule... Below is an example of our current and also NEW iRule. does this look right? is there a better way to do th...
shaggy_121467's avatar
shaggy_121467
Icon for Cumulonimbus rankCumulonimbus
Dec 02, 2014

does the irule work as intended in its current state? unless i'm misreading, it looks like $show_flag is always set if $allow_flag was set earlier in the rule, regardless of whether the client-IP is in allow_address_data_group:

if { [class match [IP::client_addr] equals allow_address_data_group ] } {
    set show_flag 1
} else {
    if { $allow_flag } {
        set show_flag 1
    }
}

it seems overly complicated and not very flexible. Why not store your allowed-URIs in a data-group?

when HTTP_REQUEST {
  if { [HTTP::host] starts_with "foo.com" } {
       if { [ class match [IP::client_addr] equals allow_address_dg ] } {
        if { [ class match [HTTP::uri] starts_with allow_uri_dg ] } {
             pool secure_80_pool
        } else {
              client-IP matched allow_address_dg but uri didn't match allow_uri_dg
             HTTP::redirect "http://default.internal.com"
         }
       } else {
           client-IP did not match allow_address_data_group 
          HTTP::redirect "http://default.external.com"
        }
  } else {
     host did not match foo.com
  }
}
JP_42120's avatar
JP_42120
Icon for Nimbostratus rankNimbostratus
Dec 02, 2014
Hi Shaggy, I was thinking that too when I first saw it, but the app team says it's been working as expected for them. Storing URI's in a datagroup is a great idea. (me newbie :D) it would simplify the irule. thanks!