ant77
Jul 01, 2020
Cirrostratus
Alternative to getfield to check XFF client IP using data group
Hi All,
We ran into a bug when upgrading to 13.1.3.3, in processing an iRule that checks the client IP address in an XFF header against what is defined in a data group "DG-ALLOWED-IP".
Is there an alternative way to rewrite this so that it does not use "getfield" but still uses the "DG-ALLOWED-IP" data group to see whether the client IP from the XFF header matches it or not? If it does not match, then reject?
Thanks!
ERROR:
01220001:3: TCL error: /Common/iRULE-WEB-REDIRECT <HTTP_REQUEST> - bad IP network address format (line 2)invalid IP match item for IP class /Common/DG-ALLOWED-IP (line 2) invoked from within "class match $CHECK_IP eq DG-ALLOWED-IP"
when HTTP_REQUEST {
    set CHECK_IP [getfield [HTTP::header values X-Forwarded-For] " " 1]
    if { !([class match $CHECK_IP eq DG-ALLOWED-IP]) } {
        if { [class match [HTTP::uri] eq DG-ALLOWED-URI-LIST] } {
            reject
        }
    }
}
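One way to write this check without getfield, as an added example that is not part of the original post and has not been run on 13.1.3.3. It assumes the TCL error arises because the value handed to class match is not a valid IP address (for example a missing header or an entry with a trailing comma), and it keeps the post's choice of trusting the first X-Forwarded-For entry.

```tcl
when HTTP_REQUEST {
    # Only URIs listed in DG-ALLOWED-URI-LIST are restricted to the allowed IPs
    # (same logic as the rule in the post); everything else passes through.
    if { !([class match -- [HTTP::uri] equals DG-ALLOWED-URI-LIST]) } {
        return
    }

    # Collect every X-Forwarded-For value (the header may occur more than once),
    # flatten to one comma-separated string, then split into individual entries.
    set xff_entries [split [join [HTTP::header values X-Forwarded-For] ","] ","]

    # First entry, as in the post. X-Forwarded-For is client-supplied unless a
    # proxy you control overwrites it, so which entry is trustworthy depends on
    # the proxy chain in front of this virtual server (assumption: the first).
    set check_ip [string trim [lindex $xff_entries 0]]

    # Fail closed: an empty or malformed value makes class match raise a TCL
    # error against an address-type data group; catch turns that into a reject
    # instead of an aborted rule.
    if { [catch { class match -- $check_ip equals DG-ALLOWED-IP } allowed] || !$allowed } {
        log local0. "XFF check failed for '$check_ip' on [HTTP::uri], client [IP::client_addr]"
        reject
    }
}
```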