I have a customer whose commercial requirement is to ensure that only specific networks (clients) access a host or URL. Today they are using an iRule with a class-list to call out the networks that should be matched for a particular host. An example iRule of what they have is pasted below:
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "client-cms.pwidman.com" {
            # the host has already been lowercased, so the literal must be lowercase too
            if { [matchclass [IP::client_addr] equals $::CLIENT_allow_list] } {
                log local0. "[IP::client_addr] matched CLIENT_allow_list"
                pool pool_ivos_CLIENT-cms.pwidman_http
            } else {
                log local0. "[IP::client_addr] NOT matched CLIENT_allow_list"
                discard
            }
        }
        "someotherclient.pwidman.com" {
            pool pool_ivos_SomeOtherClient.pwidman_http
        }
        "yetanotherclient.int.pwidman.com" {
            pool pool_ivos_yetanotherclient.pwidman_http
        }
    }
}
Since class-lists are not available in the current release of code (2.6.1), do we have to call out each source (network client_addr) that is referenced in the class-list in order to get the same results?
Posted by ddesmidt

Hi,

Looking at the message:

1. You have an iRule. That iRule looks at the "host" and:
   - if host = CLIENT-cms.pwidman.com, you go to the pool "pool_ivos_CLIENT-cms.pwidman_http"
   - otherwise you drop the request
2. You have a Class-List. That's not in the config you displayed, but I understand you also have a Class List per client with their public IP addresses and:
   - if the source-IP belongs to that class list => you do the iRule

Today (2.6.1), as you noticed, we can do "step 1" but AX is missing "step 2".

Important Note: that piece will be part of 2.6.2, planned very soon (Q4'2011). And if required we can give you a beta code under NDA as soon as today.

While waiting for that 2.6.2 release, as you said, you have to do "step 2" in the aFleX. Here is an example on how to do it:

Code:
when HTTP_REQUEST {
    # Customer1
    if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } {
        if { [string tolower [HTTP::host]] equals "client-cms.pwidman.com" } {
            log local0. "[IP::client_addr] matched CLIENT_allow_list"
            pool pool_ivos_CLIENT-cms.pwidman_http
        } else {
            log local0. "[IP::client_addr] NOT matched CLIENT_allow_list"
            discard
        }
    }
    # Customer2
    if { [IP::addr [IP::client_addr] equals 20.20.20.0/24] } {
        if { [string tolower [HTTP::host]] equals "someotherclient.pwidman.com" } {
            log local0. "[IP::client_addr] matched XYZ_allow_list"
            pool pool_ivos_XYZ-cms.pwidman_http
        } else {
            log local0. "[IP::client_addr] NOT matched XYZ_allow_list"
            discard
        }
    }
}
etc.
Posted by mcyork

From the above I have built the below (might work?). I am not clear if the syntax of the condition is in fact grabbing all the IP addresses within this range or doing a string compare (and thus failing to ever go to a pool). Is it a string compare, and do I need some other syntax to hit true on an IP within the network range?

when HTTP_REQUEST {
    # 192.168.0.0
    if { [IP::addr [IP::client_addr] equals 192.168.0.0/16] } {
        if { [HTTP::uri] equals "/" } {
            HTTP::redirect "https://[HTTP::host]/login.html"
            return
        }
        pool sg_internal
        return   ;# stop here, otherwise the catch-all redirect below would also fire
    }
    # 10.0.0.0
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        if { [HTTP::uri] equals "/" } {
            HTTP::redirect "https://[HTTP::host]/login.html"
            return
        }
        pool sg_internal
        return
    }
    # everyone else is sent away (a redirect target needs its scheme)
    HTTP::redirect "http://www.google.com/"
}
The script "[IP::addr [IP::client_addr] equals 192.168.0.0/16]" is not a string compare, but really an IP address check. So this one above will get the IP address 192.168.10.15 but also 192.168.35.245, etc.
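To make the two points in the replies above concrete (the per-host allow-list that the class-list used to provide, and the difference between a network membership test and a string compare), here is an added Python model of the same decision. It is not A10 or F5 code and does not run on the box; it reuses the host, pool and network values quoted in the thread, and the host-to-allow-list mapping itself is constructed for the example. An unparsable client address is treated as not allowed, so the check fails closed.

```python
import ipaddress
from typing import Dict, List, Optional

# Per-host allow-lists, playing the role the class-list had on the F5 side.
# Networks are the placeholder ranges quoted in the thread; the mapping of
# hosts to networks is constructed for this example.
ALLOW_LISTS: Dict[str, List[str]] = {
    "client-cms.pwidman.com": ["10.10.10.0/24", "192.168.0.0/16"],
    "someotherclient.pwidman.com": ["20.20.20.0/24"],
}

# Host -> pool mapping, using the pool names from the thread.
POOLS: Dict[str, str] = {
    "client-cms.pwidman.com": "pool_ivos_CLIENT-cms.pwidman_http",
    "someotherclient.pwidman.com": "pool_ivos_SomeOtherClient.pwidman_http",
}


def in_allow_list(client_addr: str, networks: List[str]) -> bool:
    """Network membership test, the equivalent of
    [IP::addr [IP::client_addr] equals a.b.c.d/nn].

    An address that cannot be parsed is treated as not allowed (fail closed).
    """
    try:
        addr = ipaddress.ip_address(client_addr)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in networks)


def string_compare(client_addr: str, networks: List[str]) -> bool:
    """What a plain string compare would do: only the literal text
    '192.168.0.0/16' matches, never an address inside that range."""
    return client_addr in networks


def select_pool(host: str, client_addr: str) -> Optional[str]:
    """Return the pool name for an allowed request, or None when the
    request should be discarded.

    The Host header is lowercased before lookup, mirroring
    [string tolower [HTTP::host]]; an explicit ':port' suffix is dropped.
    """
    host = host.lower().split(":", 1)[0]
    networks = ALLOW_LISTS.get(host)
    if networks is None:
        return None  # unknown host: nothing to route to
    if not in_allow_list(client_addr, networks):
        return None  # known host, but the source is outside its allow-list
    return POOLS[host]


if __name__ == "__main__":
    # Constructed sample requests: (Host header, client address)
    samples = [
        ("CLIENT-cms.pwidman.com", "192.168.10.15"),
        ("client-cms.pwidman.com", "192.168.35.245"),
        ("client-cms.pwidman.com", "20.20.20.5"),
        ("someotherclient.pwidman.com", "20.20.20.5"),
        ("nosuchhost.pwidman.com", "10.10.10.7"),
    ]
    for h, a in samples:
        print(f"{a:>16} -> {h}: {select_pool(h, a) or 'discard'}")
```

The mixed-case "CLIENT-cms.pwidman.com" still routes correctly because the lookup key is lowercased, which is also why a literal written in upper case after a `string tolower` in the aFleX itself would never match.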
Thanks - it ended up there was an odd error in my larger version. The GUI accepted the code but it would not execute. Loading it into notepad++ helped me sort out the { } combinations.