Forum Discussion

Jure_Simsic_106
Feb 16, 2007

Admin access check

I have a fairly basic iRule that's giving me trouble. The idea is that when a client requests a certain URL, he gets allowed access (use another pool) in case his IP is from a valid subnet, otherwise we don't let him through. I have tried this, but I must have some error somewhere:

    when HTTP_REQUEST {
       if { [HTTP::uri] starts_with "/admin" and
          { if { [IP::addr[IP::client_addr] starts_with "10.10.10" ] or
          [IP::addr[IP::client_addr] starts_with "10.10.11" ] }
             use pool admin-pool
          } else { drop }
       }
    }

Can anyone tell me what is wrong here?

5 Replies

  • Your logic looks sound...what error are you getting? You probably need "discard" instead of "drop" though.

    Denny

    EDIT: Is it a syntax error or just not working as expected? You might try a log statement to see what [IP::client_addr] is evaluating to...
  • So it appears you are trying to validate that a client's IP address matches a specific IP class then right?

    You could do the following (note: untested, check the syntax and make sure I haven't gummed something up):

    # datagroup (class) as it is listed in bigip.conf; it is a separate object from the rule
    class networks_class  {
       network 10.10.10.0 mask 255.255.255.0
       network 10.10.11.0 mask 255.255.255.0
    }
    when HTTP_REQUEST {
       set my_uri [HTTP::uri]
       set my_client [IP::client_addr]
       if { $my_uri starts_with "/admin" } {
          # matchclass checks the client address against each network/mask in the datagroup
          if { [matchclass $my_client equals $::networks_class] } {
             pool admin-pool
          } else {
             # admin URI from an address outside the datagroup: don't let it through
             discard
          }
       }
    }

    It's a bit cleaner, plus you are using some v4x syntax as well; "use pool" is now just "pool".

    I haven't tested this, but the config was accepted, I don't see why it wouldn't work. Best of all, you are using a datagroup which contains the network masks you want to validate against, all you have to do is update the datagroup each time you want to add a new network class, or remove one.
  • This looks neat, but I keep getting syntax errors. I've left just the class definition in:

    class networks_class {
    network 10.10.10.0 mask 255.255.255.0
    network 10.10.11.0 mask 255.255.255.0
    }

    .. but this is what I get:

    01070151:3: Rule [xxx] error:
    line 1: [undefined procedure: class] [class networks_class {
    network 10.10.10.0 mask 255.255.255.0
    network 10.10.11.0 mask 255.255.255.0
    }]

    I'm running BIG-IP 9.1.1 Build 54.6, is this a firmware issue?
  • The class is a separate object from the rule. In the GUI it's called a datagroup. What you have there is how it's listed in the bigip.conf.

    To create a class in the GUI, go to Local Traffic | iRules and click on the Datagroup tab along the top. You can then define a datagroup for the networks.

    Aaron
  • Yeah, should have mentioned that before. The bigip.conf lists the class as what appears to be an iRule, but in reality it's really just a classification of an object within TCL. Think of it as really just an array; you can loop through it, which is what the matchclass does.

    The best part of this setup is that your iRule should stay fairly static, whereas the datagroup will always be dynamic as you add and/or remove content from it. It's far easier to maintain a datagroup than an iRule...IMHO. :-)

    -wn
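Pulling the thread together, here is the shape of the finished rule as an added example; it is not code from any of the posters. The datagroup is created in the GUI as the fourth reply describes, appears in bigip.conf in the class form the second reply showed, and the iRule only references it through matchclass. The datagroup name admin_networks, the pool name admin-pool and the log message are assumptions. The check uses the datagroup's network masks rather than a string prefix, which matters for the original rule's approach: starts_with "10.10.10" would also accept addresses such as 10.10.100.5, while a mask comparison against 10.10.10.0/255.255.255.0 does not.

```tcl
# Added example, not from the thread. Assumed names: datagroup admin_networks,
# pool admin-pool. BIG-IP v9 syntax, to match the poster's 9.1.1 system.
#
# The datagroup is created in the GUI (Local Traffic | iRules | Datagroup tab).
# It is listed in bigip.conf like this and is NOT pasted into the iRule:
#
#   class admin_networks {
#      network 10.10.10.0 mask 255.255.255.0
#      network 10.10.11.0 mask 255.255.255.0
#   }

when HTTP_REQUEST {
   # Only the admin area is restricted; every other request falls through to
   # the virtual server's default pool.
   if { [HTTP::uri] starts_with "/admin" } {
      # matchclass tests the client address against each network/mask entry,
      # so 10.10.100.5 is outside 10.10.10.0/24 here, whereas a string test
      # such as starts_with "10.10.10" would accept it.
      if { [matchclass [IP::client_addr] equals $::admin_networks] } {
         pool admin-pool
      } else {
         # Record the denied attempt (local0 goes to /var/log/ltm), then drop
         # the connection instead of letting it reach the default pool.
         log local0. "admin access denied: [IP::client_addr] requested [HTTP::uri]"
         discard
      }
   }
}
```

Adding a network to the allow list is then a datagroup edit with no change to the iRule, which is the maintenance point the last reply makes; the log line gives a trail of denied admin requests to review.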