Forum Discussion

istockchris_390
Aug 18, 2010

Unsuccessful matching against "address" data group

I'm trying to block IPs that show up in the X-Forwarded-For header, and I'm quickly finding out that the "Address" data group is very picky as to what you try to compare against it.

The rule I tried:


when HTTP_REQUEST {
  if { not ([HTTP::header values "X-Forwarded-For"] equals "") } {
    if { [matchclass [HTTP::header values "X-Forwarded-For"] equals $::block_ip] } {
      log local0.info "Blocking: [IP::remote_addr]"
      HTTP::respond 410
    }
  }
}

My first problem was that "X-Forwarded-For" wasn't always set. When it wasn't, "[matchclass [HTTP::header values "X-Forwarded-For"] equals $::block_ip]" would throw errors. So that's when I put in the equals "" part. Now, that works fine until the X-Forwarded-For contains anything other than a single IP.

The error I get is:

TCL error: iRule_BlockIP - bad IP address formatInvalid class element for class block_ip invoked from within "matchclass [HTTP::header values "X-Forwarded-For"] equals $::block_ip"

So that's where I'm at. Should I give up on using the "Address" data group? Can anyone tell me of a better way to do this?

Many thanks
Colin_Walker_12
Historic F5 Account
If you're going to use the Address data group type, you'll need to clean the input a little bit to verify that you're using a valid address for a comparison, and only a single address, etc. If you're trying to compare single IPs, you could just as easily use the string type for the comparison, which is a little more forgiving. The Address type allows for subnet matching and the like, though, which can be very powerful.

Does that help?

Colin
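The input cleaning Colin describes, written out as an iRule. This is an added example, not code from the original thread or from F5. It assumes an Address-type data group named block_ip (as in the question), uses `class match` (the v10+ successor of `matchclass`), and relies on `IP::addr` raising a TCL error for a malformed address, which is caught and used as the validity check; that last point is an assumption about `IP::addr` behaviour. Because X-Forwarded-For is supplied by the client and any upstream proxy, only the entries appended by proxies you control are trustworthy; the example therefore treats the header as untrusted text and never passes an unvalidated string to the data group.

```tcl
when HTTP_REQUEST {
    # X-Forwarded-For may appear as several headers, and each header may hold a
    # comma-separated chain ("client, proxy1, proxy2"). Walk every entry so the
    # data group only ever sees one clean address at a time.
    foreach hdr [HTTP::header values "X-Forwarded-For"] {
        foreach entry [split $hdr ","] {
            set ip [string trim $entry]
            if { $ip equals "" } {
                continue
            }
            # Assumption: IP::addr throws on a malformed address. Matching a
            # malformed string against an Address data group is what produced
            # the "bad IP address format" error in the question, so reject it
            # here instead of letting class match see it.
            if { [catch { IP::addr $ip equals $ip }] } {
                log local0.info "Ignoring malformed X-Forwarded-For entry '$ip' from [IP::remote_addr]"
                continue
            }
            # Address data groups support subnet entries, so a single entry such
            # as 203.0.113.0/24 (constructed example) blocks the whole range.
            if { [class match $ip equals block_ip] } {
                log local0.info "Blocking: $ip (connection from [IP::remote_addr])"
                HTTP::respond 410
                # Stop processing the event; nothing else should run for a blocked request.
                return
            }
        }
    }
}
```

If the header is absent, `HTTP::header values` returns an empty list and the outer loop simply does not execute, which removes the need for the separate `equals ""` guard from the original rule.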