AlgebraicMirror
May 27, 2014

Can datagroups be accessed from APM Advanced Access Policy Rules? If so how?

Hi. I've been trying, without success, to access a datagroup from within a custom branch rule (aka "empty" object) in the APM. I'm writing what the APM manual calls "Advanced Access Policy Rules" within the custom branch object. These rules are based on TCL but there seem to be a lot of differences in how they work vs how iRules work, and I'm struggling.

My goal is pretty simple: I want to take one branch if a user is on our network, and take another action if they aren't. "Our network" is actually a number of different subnets, all stored in a datagroup. In iRules I do this sort of thing all the time, but APM is throwing me a curve. (I know this can be done by hardcoding the subnets in the custom branch rule and checking each of them, but there are quite a few and they change from time to time, so I want to reference my existing datagroup so that I only have to make these changes in one place).

Here is what I put in the custom branch object:

expr { [class match [mcget {session.user.clientip}] equals our_net] && ![class match [mcget {session.user.clientip}] equals our_guest_net] }

I've tried a variety of other permutations, but they've all been equally ineffective for various reasons. This particular one results in the following error in the APM log:

err apd[10936]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "evaluateExpression()" line: 441 Msg: failed to eval rule: invalid command name "class"

Are APMs not allowed to use the class command? If so, does anyone know if there is any way to do what I am trying to accomplish? Thanks in advance for any help!