Mike_Lowell_456
Historic F5 Account
Nov 03, 2004

how do I get "one of" functionality in version 9?

The manual suggests this rule:

 iRule my_iRule 
 when CLIENT_ACCEPTED { 
   if { [IP::remote_addr] eq matchclass aol } { 
     pool aol_pool 
   } else { 
     pool all_pool 
   } 
 } 

And besides the fact that the parentheses are wrong (whoops!), the rule doesn't seem to work. I get a syntax error when trying to load this in my rule:

 rule routing_rule1 { 
   when HTTP_REQUEST { 
     if { matchclass [IP::remote_addr] blacklisted_clients } { 
        use pool pool_dummy 
     } 
   } 
 } 

Where “blacklisted_clients” is a valid class list of client IPs, of course.

I heard from an F5 person that the “one of” operator was supposed to work in v9, but I can't find any reference to it in the manual, and I can't make it work for the life of me. Could someone post an example of a simple:

if ( http_uri contains one of myclass ) { use pool blah }

In BIG-IP v9 syntax?

Thanks!

a1l0s2k9

5 Replies

  • Give this a try:

    when HTTP_REQUEST {
      if { [matchclass [IP::remote_addr] equals $::blacklisted_clients] } {
        pool pool_dummy
        log local0. "Blacklisted client found - [IP::remote_addr]"
      } else {
        # Tcl requires "else" on the same line as the closing brace of the "if" body
        log local0. "Non-Blacklisted client found - [IP::remote_addr]"
      }
    }
  • unRuleY_95363
    Historic F5 Account

    Also note that there is a big difference between which argument is on the left-hand side and which is on the right-hand side of the operator. This most notably has an effect on the starts_with, ends_with and contains operators.

    In v4.x, the one of class operator always assumed the class was on the right-hand side and checked whether the left-hand side variable existed in the class.

    With v9, you can flip the class and object around if you want. In other words, there is a big difference between the following two command implementations:

    [matchclass [HTTP::uri] ends_with $::image_ext] - checks whether the uri ends with one of the extensions in the image_ext class.

    [matchclass $::bad_uris ends_with [HTTP::path]] - checks whether any of the strings in bad_uris end with the http path.

    This difference may seem subtle, but is potentially important to understand.

    Also, in this example, it would most likely be best to use the “equals” operator instead of the “contains” operator, since it is IP addresses you are comparing (does an IP address contain another IP address?). It's also good to point out that IP addresses are compared in this case as strings.

  • What if the blacklisted_clients list is a data group consisting of network addresses (example: 1.1.0.0/16) instead of a host address?

  • unRuleY_95363
    Historic F5 Account
    There is a known issue (CR42434) in 9.0.2 where IP classes containing network addresses are not compared using the network's mask. This has been corrected in the forthcoming 9.0.3.
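
Added example, not part of the thread and not F5 code: a small Python model of the behaviours described in the replies above (operand order in matchclass, and string comparison of IP addresses versus mask-aware comparison). The function names, the rule that "whichever side is a list is the class", and the sample classes are all constructed for illustration.

```python
import ipaddress

# String operators, applied as test(subject, pattern).
OPS = {
    "equals": lambda a, b: a == b,
    "starts_with": lambda a, b: a.startswith(b),
    "ends_with": lambda a, b: a.endswith(b),
    "contains": lambda a, b: b in a,
}

def matchclass(left, op, right):
    """Model of operand order: the list argument plays the role of the class."""
    test = OPS[op]
    if isinstance(right, list):
        # value <op> class: does the value match any class member?
        return any(test(left, member) for member in right)
    # class <op> value: does any class member match the value?
    return any(test(member, right) for member in left)

def ip_in_class(addr, ip_class):
    """Mask-aware membership: host entries are /32, CIDR entries use their mask."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in ip_class)

# Constructed sample classes (assumptions, not from the thread).
image_ext = [".gif", ".jpg", ".png"]
bad_uris = ["/admin/cmd.exe", "/scripts/root.exe"]
blacklisted_clients = ["10.9.8.7", "1.1.0.0/16"]

def demo():
    return {
        # Same operator, operands flipped: different question, different answer.
        "uri_ends_with_ext": matchclass("/img/logo.gif", "ends_with", image_ext),
        "ext_ends_with_uri": matchclass(image_ext, "ends_with", "/img/logo.gif"),
        "bad_uri_ends_with_path": matchclass(bad_uris, "ends_with", "/cmd.exe"),
        # String "equals" misses a client inside a listed network.
        "string_equals_cidr": matchclass("1.1.2.3", "equals", blacklisted_clients),
        "mask_aware_cidr": ip_in_class("1.1.2.3", blacklisted_clients),
        # String "contains" matches an unrelated address by substring.
        "string_contains_fp": matchclass("110.9.8.70", "contains", blacklisted_clients),
        "mask_aware_fp": ip_in_class("110.9.8.70", blacklisted_clients),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When an address class is used as a blocklist, both a network entry and a neighbouring host address belong in the test set, since a string comparison fails in opposite directions for the two.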