Convert HTTP Class iRules for version 11.5.1 or later

Question

Hello Folks,
I had a customer who is using the old version of iRules, which contains HTTP Class selected commands, and now they want to upgrade to 11.5.1. The command is no longer supporting in that version and I am not able to convert it to compatible way to accept that iRule in 11.5.1
Sample iRule from the customer setup is as following.
ltm rule /Common/Ems_staging_admins {
    when HTTP_REQUEST {
if { [class match [IP::client_addr] equals "disable_asm_ip_ranges"] }{                      
                                HTTP::class select /Common/cls_EMS_staging_admin
   }
else {
         HTTP::class select /Common/cls_EMS_staging 
     }
                }
}
ltm rule /Common/efax_smtp_allow {
    when CLIENT_ACCEPTED {
if { [class match [IP::client_addr] equals "allowed_ip_efax"] }{                    
log local0. "allowed to relay from [IP::client_addr]"
   }
else {
drop
log local0. "Not allowed to relay from [IP::client_addr]"
     }
                }

There are 2 iRules, and many more which needs to get edited.
Can anyone shed some light on how can I modify the iRule in a way where it can be applied on 11.5.1
I have tried to follow the article, however I couldn't fix it.
Thank you,
Darshan

jg · Answer

What do those HTTP Class profiles do?

swo0sh_gt_13163 · Answer

Hello Jie,&nbsp;
Thanks for the reply.
It was my bad.&nbsp;
It is just for enabling ASM. Which I can do through traffic profile in 11.5.1
I will manage it.&nbsp;
Cheers!
Darshan&nbsp;

swo0sh_gt_13163 · Answer

Hey Folks,
I got stuck again with the same issue, this time the iRule is a little complex than the one I asked earlier.
Following is the snippet for your reference.
when HTTP_REQUEST {

set FLAG_BLOCKED 0
       set Disabl_ASM_FLAG 0   
        if {$GLOBAL_breakALL == 0}
    {   
       if {[HTTP::uri] starts_with "/admin/content/"} {
    if {[class match [IP::client_addr] equals AB_Web_Folder_IP]}  { 
     log local0. "Access to admin is allowed"
        ASM::disable    
         set Disabl_ASM_FLAG 1
    } else {
       log local0. "Someone trying to access /admin/content/ illegally from Source IP: [IP::client_addr] "
        set FLAG_BLOCKED 1
        set Disabl_ASM_FLAG 1
    }
    }
}
}
when HTTP_CLASS_SELECTED
{
log local0. "inside class selection"
    if {$Disabl_ASM_FLAG == 1}
    {
        if { [HTTP::class asm] == 1 }
        {
            ASM::disable
                       log local0. "ASM is disabled now"
        }
    }
    if {$FLAG_BLOCKED == 1}
    {
        reject
    }
}

How can I eliminate the use of when HTTP_CLASS_SELECTED and HTTP::class ASM ?
Any help?
Thank you,
Darshan

swo0sh_gt_13163 · Answer

Hey Folks,
I've managed to fix the iRule, following is the updated copy of the same.
when HTTP_REQUEST {

set FLAG_BLOCKED 0
                   set Disabl_ASM_FLAG 0   
                                if {$GLOBAL_breakALL == 0}
                {   
       if {[HTTP::uri] starts_with "/admin/content/"} {
                if {[class match [IP::client_addr] equals AB_Web_Folder_IP]}  { 
                 log local0. "Access to admin is allowed"
                                ASM::disable     
         set Disabl_ASM_FLAG 1
                } else {
                             log local0. "Someone trying to access /admin/content/ illegally from Source IP: [IP::client_addr] "
        set FLAG_BLOCKED 1
                                set Disabl_ASM_FLAG 1
                }
                }
}

if {[llength [POLICY::names matched]] &gt; 0} {
log local0. "inside class selection"
                if {$Disabl_ASM_FLAG == 1}
                {
                           if { [POLICY::controls asm] == 1 }
                                {
                                                ASM::disable
                       log local0. "ASM is disabled now"
                                }
                }
                if {$FLAG_BLOCKED == 1}
                {
                                reject
                }
}
}

I hope this would help someone.
Cheers!
Darshan

Forum Discussion

Convert HTTP Class iRules for version 11.5.1 or later

4 Replies

Recent Discussions

Reliable resources for identifying IP addresses

Maximum throughput of f5 ltm

Issue on license renewal

iRule cookie persistence and pool redirect

redirect not working

Related Content

Big IP version 12 API

F5OS Tenants TMOS version upgrade

Hey ChatGPT, can you write iRules?

Decrypting BIG-IP Packet Captures without iRules

Prism.js language definition for iRules