Forum Discussion

sandy16
May 09, 2016

iRule for matching 2 x Data-groups

Hi experts, I have two data-groups. One is type 'string', which contains URIs, called Allowed-URIs, and the other is type 'ipaddress', which contains some internal subnets, called Allowed-IPs. Can you help me create an iRule which has the following logic: the URIs in the data-group Allowed-URIs are only accessible from the Allowed-IPs data-group. Else DROP!

4 Replies

  • Nothing too complex. A nested IF-condition will do.

    when HTTP_REQUEST {

      # Only requests for a URI listed in Allowed-URIs are restricted
      if { [class match [string tolower [HTTP::uri]] eq "Allowed-URIs" ] } {
        if { [class match [IP::client_addr] eq "Allowed-IPs" ] } {
          # Do not interfere (Allowed)
          return
        } else {
          # Not allowed
          drop
        }
      }

    }
    

    If you're going to use my solution, check to make sure that your Allowed-URIs definitions are all lower-case (or just remove the 'string tolower' function if you need case-sensitive matching).

    • JRahm
      I prefer the positive match as well for readability, but for efficiency, you could eliminate the else by reversing the match on the nested if (not [class match [IP::client_addr...)
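
The rule from this reply with the inner match reversed as suggested in the comment, written out as an added example that is not part of the original thread. It assumes the Allowed-URIs entries are lower-case path prefixes, so it matches on `HTTP::path` with `starts_with`; `HTTP::uri` includes the query string, so an exact match against it does not match a listed URI once any query string is appended.

```tcl
# Added example, not code from the thread. Data-group names are the ones
# given in the question; the prefix-matching behaviour is an assumption.
when HTTP_REQUEST {
    # HTTP::path is the request URI without the query string
    set path [string tolower [HTTP::path]]

    # starts_with restricts every path under an entry, not just the entry
    # itself. An entry "/admin" also covers "/administrator", so end entries
    # with "/" when only one directory is meant.
    if { [class match $path starts_with "Allowed-URIs"] } {
        # Reversed (negated) source check: no else branch is needed
        if { not [class match [IP::client_addr] equals "Allowed-IPs"] } {
            log local0. "Restricted path $path requested by [IP::client_addr], dropping"
            drop
            return
        }
    }
    # Everything else falls through and is handled normally
}
```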