Using matchclass to check Source IP with HTTP_REQUEST?

Question

F5 Posting 
&nbsp;  
&nbsp; Hi, 
&nbsp;  
&nbsp; With this iRule I am hoping to direct certain Source IP addresses to Pool-A while directing other HTTP Requests based on URIs to other pools. The syntax is valid, but the iRule doesn't work for any of the conditions. If I remove the first "matchclass" portion the rest of the iRule works. I suspect that using "matchclass" to inspect a client_addr doesn't work with the "HTTP_REQUEST" event. But when I tried to nest the HTTP_REQUEST as part of the original CLIENT_ACCEPTED (in order to use matchclass successfully) the syntax was marked invalid. Will I need two seperate IRules to accomplish this ? One with  
&nbsp; the "CLIENT_ACCEPTED" event then a second with the "HTTP_REQUEST" event ? 
&nbsp;  
&nbsp;  
&nbsp; Combined iRule that doesn't work: 
&nbsp;  
&nbsp; when HTTP_REQUEST {  
&nbsp;     if { [matchclass $::testips contains [IP::client_addr]]  } {  
&nbsp;        pool poolA   
&nbsp;     } else {  
&nbsp; if { [HTTP::uri] contains "/cf/" or [HTTP::uri] contains "/hf/"} { 
&nbsp; pool poolB 
&nbsp; } elseif { 
&nbsp; [HTTP::uri] contains "/asweb/"} { 
&nbsp; pool poolC 
&nbsp; }  elseif { 
&nbsp; [HTTP::uri] contains "/vh/"} { 
&nbsp; pool poolD 
&nbsp; } else {  
&nbsp; pool poolE } 
&nbsp; } 
&nbsp;  } 
&nbsp;  
&nbsp; Individual ones that work seperately: 
&nbsp;  
&nbsp; ******************************************************************************** 
&nbsp;  
&nbsp; when HTTP_REQUEST {  
&nbsp;      if { [HTTP::uri] contains "/cf/" or [HTTP::uri] contains "/hf/"} { 
&nbsp; pool poolB 
&nbsp; } elseif { 
&nbsp; [HTTP::uri] contains "/asweb/"} { 
&nbsp; pool poolC 
&nbsp; }  elseif { 
&nbsp; [HTTP::uri] contains "/vh/"} { 
&nbsp; pool poolD 
&nbsp; } else {  
&nbsp; pool poolE } 
&nbsp; } 
&nbsp;  } 
&nbsp;  
&nbsp; ******************************************************************************** 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED {  
&nbsp;     if { [matchclass $::testips contains [IP::client_addr]]  } {  
&nbsp;        pool poolA     
&nbsp;     } else {  
&nbsp;          pool poolE } 
&nbsp; } 
&nbsp;  
&nbsp;

hooleylist · Answer

Hi, 
  
 I think this might implement the logic you're looking for.  If not, try adding logging to the iRule and then modify it as you require.

when CLIENT_ACCEPTED { 
  
     Check if the client IP is in the testips datagroup 
    if { [matchclass [IP::client_addr] equals $::testips] } { 
  
        Select poolA and track that we've selected a pool 
       pool poolA 
       set pool_selected 1 
  
    } else { 
        Continue checking the URI to select a pool 
       set pool_selected 0 
    } 
 } 
 when HTTP_REQUEST { 
  
     Check if the pool has already been selected 
    if {$pool_selected}{ 
  
        Exit this event in this rule  
       return 
  
    } else { 
  
        Check the requested path 
       switch -glob [HTTP::path] { 
  
          "*/cf/*" - 
          "*/hf/*" { 
             pool poolB 
          } 
          "*/asweb/* { 
             pool poolC 
          } 
          "*/vh/* { 
             pool poolD 
          } 
          default { 
             pool poolE 
          } 
       } 
    } 
 }

Aaron

hooleylist · Answer

If you aren't and don't plan to add other iRules to this VIP, you could replace the pool_selected variable logic and just disable the HTTP_REQUEST event for clients who are in the datagroup.  This would apply to all iRules on the VIP though.

when CLIENT_ACCEPTED {  
    
      Check if the client IP is in the testips datagroup  
     if { [matchclass [IP::client_addr] equals $::testips] } {  
    
         Select poolA 
        pool poolA 
  
         Disable the HTTP_REQUEST event for this TCP connection as it isn't needed 
        event HTTP_REQUEST disable 
     }  
  }  
  when HTTP_REQUEST {  
    
      Check the requested path  
     switch -glob [HTTP::path] {  
    
        "*/cf/*" -  
        "*/hf/*" {  
           pool poolB  
        }  
        "*/asweb/* {  
           pool poolC  
        }  
        "*/vh/* {  
           pool poolD  
        }  
        default {  
           pool poolE  
        }  
     }  
  }

Aaron

Forum Discussion

Using matchclass to check Source IP with HTTP_REQUEST?

2 Replies

Recent Discussions

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

google-visualization-issues

google autenticator broken barcode

Related Content

How to ensure source address and source port are accepted and traversed properly via F5 SNAT automap

iControl Library For Java With Source

source address persistence maximum session timeout

No Source configuration available when upgrading from 15.1.9.1 to 15.1.10.2

Block destination IP by source IP