Forum Discussion

Cirrostratus

Nov 09, 2023

Solved

iRule operator evaluation order OR/AND

Hi all, This must be some simple syntax problem but I have been bashing my head for a while. Here is the irule: when HTTP_REQUEST { if {(![class match [getfield [IP::client_addr] "%" 1]...

application delivery

irule

Enes_Afsin_Al

Nov 09, 2023

Hi alex100,

It might be better to think in parts.

when HTTP_REQUEST {
    #if uri matches with uripath_a:
    if { [class match [string tolower [HTTP::uri]] contains /Common/uripath_a] } {
        #log local0. "Log1 - Uri matched [HTTP::host][HTTP::uri]"
        
        #if Client IP doesn't match with tcp_whitelist
        if { !([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) }
            #log local0. "Log2 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr]"
            
            #if XFF doesn't match with xff_whitelist
            if { !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) }
                #log local0. "Log3 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr] | XFF did not match [HTTP::header X-Forwarded-For]"
            }
            #if Client IP doesn't match with tcp_whitelist and XFF matches with xff_whitelist
            else {
                #log local0. "Log4 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr] | XFF matched [HTTP::header X-Forwarded-For]"
            }
        #if Client IP matches with tcp_whitelist
        else {
            #log local0. "Log5 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr]"
            
            #if XFF doesn't match with xff_whitelist
            if { !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) }
                #log local0. "Log6 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr] | XFF did not match [HTTP::header X-Forwarded-For]"
            }
            #if Client IP matches with tcp_whitelist and XFF matches with xff_whitelist
            else {
                #log local0. "Log7 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr] | XFF matched [HTTP::header X-Forwarded-For]"
            }
        }
    }
    #if uri doesn't match with uripath_a
    else {
        #log local0. "Log8 - Uri did not match [HTTP::host][HTTP::uri]"
    }
}

I think you want this condition:

when HTTP_REQUEST {
    if { !([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) and !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) and ([class match [string tolower [HTTP::uri]] contains /Common/uripath_a]) }
        # log local0. "Batman Client IP [IP::client_addr], Client XXF IP [HTTP::header X-Forwarded-For], [HTTP::method], URL: [HTTP::host][HTTP::uri]"
    }
    else {
        pool pl-something-WEB-443
    }
}

some function with different operators:

when HTTP_REQUEST {
    if { !(([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) or ([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist])) and ([class match [string tolower [HTTP::uri]] contains /Common/uripath_a]) }
        # log local0. "Batman Client IP [IP::client_addr], Client XXF IP [HTTP::header X-Forwarded-For], [HTTP::method], URL: [HTTP::host][HTTP::uri]"
    }
    else {
        pool pl-something-WEB-443
    }
}

Enes_Afsin_Al

MVP

Nov 09, 2023

Hi alex100,

It might be better to think in parts.

when HTTP_REQUEST {
    #if uri matches with uripath_a:
    if { [class match [string tolower [HTTP::uri]] contains /Common/uripath_a] } {
        #log local0. "Log1 - Uri matched [HTTP::host][HTTP::uri]"
        
        #if Client IP doesn't match with tcp_whitelist
        if { !([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) }
            #log local0. "Log2 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr]"
            
            #if XFF doesn't match with xff_whitelist
            if { !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) }
                #log local0. "Log3 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr] | XFF did not match [HTTP::header X-Forwarded-For]"
            }
            #if Client IP doesn't match with tcp_whitelist and XFF matches with xff_whitelist
            else {
                #log local0. "Log4 - Uri matched [HTTP::host][HTTP::uri] | Client IP did not match [IP::client_addr] | XFF matched [HTTP::header X-Forwarded-For]"
            }
        #if Client IP matches with tcp_whitelist
        else {
            #log local0. "Log5 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr]"
            
            #if XFF doesn't match with xff_whitelist
            if { !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) }
                #log local0. "Log6 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr] | XFF did not match [HTTP::header X-Forwarded-For]"
            }
            #if Client IP matches with tcp_whitelist and XFF matches with xff_whitelist
            else {
                #log local0. "Log7 - Uri matched [HTTP::host][HTTP::uri] | Client IP matched [IP::client_addr] | XFF matched [HTTP::header X-Forwarded-For]"
            }
        }
    }
    #if uri doesn't match with uripath_a
    else {
        #log local0. "Log8 - Uri did not match [HTTP::host][HTTP::uri]"
    }
}

I think you want this condition:

when HTTP_REQUEST {
    if { !([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) and !([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist]) and ([class match [string tolower [HTTP::uri]] contains /Common/uripath_a]) }
        # log local0. "Batman Client IP [IP::client_addr], Client XXF IP [HTTP::header X-Forwarded-For], [HTTP::method], URL: [HTTP::host][HTTP::uri]"
    }
    else {
        pool pl-something-WEB-443
    }
}

some function with different operators:

when HTTP_REQUEST {
    if { !(([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) or ([class match [getfield [HTTP::header X-Forwarded-For] "%" 1] eq /Common/xff_whitelist])) and ([class match [string tolower [HTTP::uri]] contains /Common/uripath_a]) }
        # log local0. "Batman Client IP [IP::client_addr], Client XXF IP [HTTP::header X-Forwarded-For], [HTTP::method], URL: [HTTP::host][HTTP::uri]"
    }
    else {
        pool pl-something-WEB-443
    }
}

alex100

Cirrostratus

Nov 10, 2023

Thank you for your feedback, time and refactored rule. Looks like I was on the right path but the culprit turned out to be about negation sign ["!"] placement.

Original if statement

{((![class match [getfield [IP::client_addr] "%" 1] eq tcp_whitelist]) or (![class match [getfield [HTTP::header X-Forwarded-For] "%" 1] equals xff_whitelist])) and ([class match [string tolower [HTTP::uri]] contains uripath_a])}

Re-factored if statement

{ ([class match [string tolower [HTTP::uri]] starts_with uripath_a]) and !(([class match [getfield [IP::client_addr] "%" 1] eq /Common/tcp_whitelist]) or ([class match [HTTP::header X-Forwarded-For] contains /Common/xff_whitelist])) }

Looks like with multiple class mach commands , "!" has to be moved outside of ().

Forum Discussion

iRule operator evaluation order OR/AND

Recent Discussions

redirect not working

Reliable resources for identifying IP addresses

Could not connect to SMTP host.

Viprion files on blades.

The best load balance method on this scenario?

Related Content

2. SYN Cookie: Operation

Security Operations Center - Helpers Behind the Scenes

Insights of F5 Distributed Cloud WAAP Events Export, New Operators and Trends features

Intermediate iRules: Evaluating Performance

Understanding GTM Wide IP Operations