
paul_79097
Sep 14, 2009

Unable to add a rule

Hello there,

I am trying to add a rule to go to a specific node in a pool when a specific IP address is connected.

     when HTTP_REQUEST {
        if {[IP::addr [IP::remote_addr] equals 216.254.x.x]} {
           pool poolname member 10.1.0.101
        }
     }

For some reason it doesn't work :-/

26 Replies

  • which should prove the point that the IF statement should work also - but it doesn't :-S

    makes 0 sense ...
  • Hi Scott,

    Now expand the iRule to include the IF statement:

     when HTTP_REQUEST {
        if { [HTTP::uri] eq "/myinfo" } {
           if {[IP::client_addr] eq "219.254.86.x" } {
              HTTP::respond 200 Content "
     client info
     Client IP: [IP::client_addr] again
     "
           }
        }
     }

    If this fails then this tells me that IF evaluation is not behaving as expected. At that point I would contact F5 support or perhaps perform a reload or failover to see if the condition is more related to the state of the F5.

    CB
  • skips the second if and goes to url requested... this is mind blowing!
  • hoolio

    Posted By cmbhatt on 09/14/2009 12:18 PM

    Looking at your logic, the condition is if the client IP matches then go to a specific pool member, but then if the client's URI matches go to the other pool members. Is it possible that you are meeting 2 conditions that are forcing it to another pool?

    CB

    CB, I'd guess you found the problem here. If the client check was done in CLIENT_ACCEPTED but then another condition in HTTP_REQUEST was met, the pool selection in CLIENT_ACCEPTED would be overridden.

    Could you try something like this? You'll need to change 219.254.86.100 to the actual client IP you want. Also, it would be more efficient to use IP::addr to compare the IP address than a string comparison.


     when CLIENT_ACCEPTED {

        # Select the pool member if the client IP is 219.254.86.100
        if {[IP::addr [IP::client_addr] equals 219.254.86.100]} {
           pool apache_webtier member 10.0.1.101:8080
           set skip_event 1
        }
     }
     when HTTP_REQUEST {

        # If the client IP check in CLIENT_ACCEPTED matched, then exit this event
        if {[info exists skip_event]} {
           return
        }

        # Else, check the requested URI to select the pool
        switch -glob [HTTP::uri] {

           "*awstats/awstats.pl*" -
           "*web01*" {
              pool apache_webtier member 10.0.1.101:8080
           }
           "*web02*" {
              pool apache_webtier member 10.0.1.100:8080
           }
           "*web03*" {
              pool apache_webtier member 10.0.1.102:8080
           }
           default {

              # Take some default action like select the VIP's default pool?
           }
        }
     }


    Aaron
  • I've tried all the previous stuff completely without " when HTTP_REQUEST { "

    so I think it shouldn't even matter
  • As I said before, I think you might need to contact F5 support to see if there is something else beyond the iRule that is influencing your iRule.

    CB
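
Added example, not part of the original thread or F5's own code: a logging variant of the rule in hoolio's reply that records the client address the BIG-IP actually sees, the result of the `IP::addr` comparison, and the pool member finally selected. The pool name, member and client address are the ones used in that reply; the variable name `pinned` is an assumption made for this example.

```tcl
# Added diagnostic example. Pool, member and client IP are taken from
# hoolio's reply; "pinned" is a name chosen for this example only.
when CLIENT_ACCEPTED {
    # Evaluate the comparison once per connection and log the observed
    # source address next to the result (1 = match, 0 = no match).
    set pinned [IP::addr [IP::client_addr] equals 219.254.86.100]
    log local0. "conn from [IP::client_addr]:[TCP::client_port] match=$pinned"

    if { $pinned } {
        pool apache_webtier member 10.0.1.101:8080
    }
}

when HTTP_REQUEST {
    # Shows whether a later URI-based rule runs for a connection that was
    # already pinned in CLIENT_ACCEPTED.
    log local0. "[IP::client_addr] uri=[HTTP::uri] pinned=$pinned"
}

when LB_SELECTED {
    # Fires after the load-balancing decision, so it reports the member
    # actually chosen, whichever event or rule selected it.
    log local0. "[IP::client_addr] -> pool [LB::server pool] member [LB::server addr]:[LB::server port]"
}
```

The messages are written to /var/log/ltm. Comparing the logged client address and `match` value with the `LB_SELECTED` line shows whether the comparison failed or a later pool selection replaced the earlier one.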