Forum Discussion

smp_86112
Dec 14, 2010

Matching Client IP to Network List in Data Group

I have this requirement to decide if the client IP address is in a list of IP networks. The IP networks are in a Data Group. This is the IF statement:

if { not ([ class match [IP::remote_addr] equals address_group ]) } {
  log local0. "Client [IP::remote_addr] not in address_group"
}

This is a portion of the class definition:

class address_group {
   {
      network 10.0.0.0/8
      network 172.16.0.0/12
    }
}

To my surprise, the log statement triggers on a client whose address is in the 172.22.104.0/21 subnet. How could I modify the IF condition to handle this case, or does this seem like a bug?

3 Replies

  • Hi SMP,

    172.16.0.0/12 covers 172.16.0.0 - 172.31.255.255. 172.22.104.0/21 covers 172.22.104.0 - 172.22.111.255 and should match a check for 172.16/12. Are you using route domains? Can you log the value for [IP::remote_addr]?

    Aaron
  • Yeah, this seems to work in a simple test on 10.2.x without route domains:

    when RULE_INIT {
      log local0. "\[class get address_group\]: [class get address_group]"
      log local0. "\[class match 172.22.104.0 equals address_group\]: [class match 172.22.104.0 equals address_group]"
    }

    : [class get address_group]: 172.16.0.0/12 {}
    : [class match 172.22.104.0 equals address_group]: 1

    Aaron

  • Thanks for the sanity check hoolio, I thought it might be a little crazy if it didn't work the way I expected it to. No route domains. The customer who claimed they were affected by this issue provided me with the client IP, and I was not in a position to verify. So the info they provided to me must be bogus, and my rule must be working as I expected.

    Thanks again.
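An added example, not from the thread or from F5, that reproduces Aaron's range arithmetic and the containment test the `class match ... equals address_group` lookup performs, using Python's standard `ipaddress` module. It also strips an F5 route-domain suffix (`addr%id`) before matching, which is an assumption about the form `[IP::remote_addr]` takes when route domains are in play, so the reader can see why logging the raw value matters.

```python
import ipaddress

# Constructed to mirror the address_group class from the original post.
ADDRESS_GROUP = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def strip_route_domain(addr: str) -> str:
    """Drop a route-domain suffix, e.g. '172.22.104.5%3' -> '172.22.104.5'.

    Assumption: a client in a non-default route domain reports its address
    with a '%<id>' suffix, which a plain address parse would reject.
    """
    return addr.split("%", 1)[0]


def match_address_group(addr: str, networks=ADDRESS_GROUP):
    """Return the first network containing addr, or None if no network does.

    Mirrors the true/false result of 'class match <addr> equals address_group'.
    """
    ip = ipaddress.ip_address(strip_route_domain(addr))
    for net in networks:
        if ip in net:
            return net
    return None


def network_range(cidr: str):
    """First and last address of a CIDR block, as Aaron worked out by hand."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def client_subnet_covered(client_cidr: str, networks=ADDRESS_GROUP) -> bool:
    """True when every address in client_cidr lies inside one group network."""
    client = ipaddress.ip_network(client_cidr)
    return any(client.subnet_of(net) for net in networks)


if __name__ == "__main__":
    print("172.16.0.0/12  ->", network_range("172.16.0.0/12"))
    print("172.22.104.0/21 ->", network_range("172.22.104.0/21"))
    for probe in ("172.22.104.0", "172.22.104.5%3", "192.168.1.1"):
        print(probe, "->", match_address_group(probe))
```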