Forum Discussion
Using 2 different Data Groups to control traffic to a Virtual Server in an iRule
I am trying to determine the best way to modify an iRule that I am using to control access to a specific Virtual Server. Currently the iRule is as follows:
    when HTTP_REQUEST {
        if { not [class match [IP::client_addr] equals trustedAddresses] } {
            HTTP::respond 403 content "403 - Forbidden"
            event HTTP_REQUEST disable
        }
    }
As you can see, this iRule is looking at the client's IP address and comparing it against a data group that I have set up. If the address is in that list then it allows the traffic to continue through. The problem that I am running into is that there are 2 IP addresses that I am wanting to blacklist, 159.140.254.82 & 159.140.254.83, but those 2 addresses are covered in the trustedAddresses under the following entry in the data group:
Address: 159.140.0.0
Mask: 255.255.0.0
So I created another data group called BlacklistedAddresses and have included the 2 specific IPs that I am wanting to block. I have come up with the following edit of the above iRule that I think will work but I'm not sure if using a 'then' or an 'else' would work better?
    when HTTP_REQUEST {
        if {class match [IP::addr] equals BlacklistedAddresses] }{
            HTTP::respond 403 content "403 - Forbidden"
        } then { not [class match [IP::client_addr] equals trustedAddresses] }{
            HTTP::respond 403 content "403 - Forbidden"
            event HTTP_REQUEST disable
        }
    }
1 Reply
- Kevin_Stewart
Employee
Try this:
    when HTTP_REQUEST {
        # Deny blacklisted clients first, even when a trusted subnet covers them
        if { [class match [IP::client_addr] equals BlacklistedAddresses] } {
            HTTP::respond 403 content "403 - Forbidden"
        } elseif { not ( [class match [IP::client_addr] equals trustedAddresses] ) } {
            # Deny everything that is not in the trusted data group
            HTTP::respond 403 content "403 - Forbidden"
            event HTTP_REQUEST disable
        }
    }
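Added example, not part of the original thread and not F5 code: a Python model of the two data groups that checks the blacklist-first ordering from the reply against the original single-group rule. The group contents come from the question; the function names, the /32 form of the blocked hosts and the test addresses are assumptions made for this sketch.

```python
import ipaddress

# Data group contents taken from the question. The address/mask record is
# written as a network; the two blocked hosts are assumed to be /32 entries.
TRUSTED = [ipaddress.ip_network("159.140.0.0/255.255.0.0")]
BLACKLISTED = [ipaddress.ip_network("159.140.254.82/32"),
               ipaddress.ip_network("159.140.254.83/32")]


def class_match(client_ip, data_group):
    """Model of `class match <ip> equals <group>` for an address-type group."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in data_group)


def decide(client_ip):
    """Blacklist first, then trusted list: the order used in the reply."""
    if class_match(client_ip, BLACKLISTED):
        return 403
    if not class_match(client_ip, TRUSTED):
        return 403
    return 200


def decide_trusted_only(client_ip):
    """The original single-group rule, kept for comparison."""
    return 200 if class_match(client_ip, TRUSTED) else 403


def audit(cases):
    """Return (ip, original_rule_status, two_group_status) per test address."""
    return [(ip, decide_trusted_only(ip), decide(ip)) for ip in cases]


# Constructed test addresses: the two blocked hosts, a neighbour inside the
# same trusted /16, and an address outside every group.
CASES = ["159.140.254.82", "159.140.254.83", "159.140.254.84", "203.0.113.10"]

if __name__ == "__main__":
    for ip, before, after in audit(CASES):
        print(f"{ip:16} original={before} two-group={after}")
```

Running the same address list against the live virtual server after the iRule change should give the same status codes as the two-group column.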