IRule not working - sytnax error or something else?

Question

I have tried writing my first iRule to check the url of my site and then depending on which site the user is attempting to access, I then check a list of approved IP addresses.&nbsp;&nbsp;

&nbsp;If the clients IP address is not found in the list, I redirect them to an unauthorised page, otherwise I let them through.&nbsp;&nbsp;&nbsp;&nbsp;
This is my code:&nbsp;&nbsp;
when HTTP_REQUEST {
&nbsp;    switch -glob [string tolower [HTTP::uri]] {
&nbsp;        "*XXX*" {
&nbsp;            if not { matchclass [IP::client_addr] equals $::XXX_access_list } {
&nbsp;                HTTP::redirect https://MyXXXUnauthPage.com
&nbsp;            }
&nbsp;        }
&nbsp;        "*YYY*" {
&nbsp;            if not { matchclass [IP::client_addr] equals $::YYY_access_list } {
&nbsp;                HTTP::redirect https://MyYYYUnauthPage.com
&nbsp;            }
&nbsp;        }
&nbsp;        "*ZZZ*" {
&nbsp;            if not { matchclass [IP::client_addr] equals $::ZZZ_access_list } {
&nbsp;                HTTP::redirect https://MyZZZUnauthPage.com
&nbsp;            }
&nbsp;        }
&nbsp;    }
&nbsp;}&nbsp;&nbsp;
Is there a syntax error here or have I just gor my logic wrong.&nbsp;&nbsp;&nbsp;
Any help would be GREATLY appreciated.&nbsp;&nbsp;

&nbsp;

&nbsp;
&nbsp;
&nbsp;

&nbsp; 
&nbsp;
 &nbsp;

michael_yates · Answer

Try this:

when HTTP_REQUEST {
switch -glob [string tolower [HTTP::uri]] {
"*XXX*" {
if { !([matchclass [IP::client_addr] equals $::XXX_access_list]) } {
                HTTP::redirect https://MyXXXUnauthPage.com
            }
        }
        "*YYY*" {
            if { !([matchclass [IP::client_addr] equals $::YYY_access_list]) } {
                HTTP::redirect https://MyYYYUnauthPage.com
            }
        }
        "*ZZZ*" {
            if { !([matchclass [IP::client_addr] equals $::ZZZ_access_list]) } {
                HTTP::redirect https://MyZZZUnauthPage.com
            }
        }
    }
}

Your not comparison (can also be expressed by "!"), needs to be inside of your if statement and needs to be applied to the entire comparison. 
  
 Comparison:  [matchclass [IP::client_addr] equals $::ZZZ_access_list] 
 Comparison: !(results of first comparison) 
 Result:  if false, do this....

supahoopsa_8892 · Answer

Hi Michael, thanks for your quick feedback. 
&nbsp;  
&nbsp; I've just applied the changes with your recommendations, but it appears we're still having problems with the matchclass aspects.  I wanted to state that I created "site_access_list" as a Data Group in the BIGIP UI.  It contains multiple Host and Network addresses.  Anything I should be considering on that? 
&nbsp;  
&nbsp; Code looks like: 
&nbsp;  
&nbsp; 
when HTTP_REQUEST { 
    switch -glob [string tolower [HTTP::uri]] { 
        "*client*" { 
            if { !([matchclass [IP::client_addr] equals $::site_access_list]) } { 
HTTP::redirect https://site
            } 
        } 
    } 
}

hooleylist · Answer

If you're on 9.4.4 or higher you should remove the $:: prefix from the datagroup name.  It will demote the iRule from CMP in any version, but won't work at all to access the datagroup in v10+: 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/CMPCompatibility.html 
&nbsp;  
&nbsp; For 10.x you should also change from matchclass to the class match command for better efficiency: 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/class 
&nbsp;  
&nbsp; Aaron

Forum Discussion

IRule not working - sytnax error or something else?

3 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

APM RDP Access not working - I'm sure I'm missing something!

Working with MasterKeys

F5 iRUule not working

iRule TCL: if 'something' in 'list' then, syntax/parser error

BIG-IP connection mirroring in public cloud doesn't work, but why?