Forum Discussion

yves_werniers_1
Oct 14, 2009

class and v9.1.2

Hello,

It seems like the class command was introduced in v10.0, whereas matchclass was introduced in v9.0.

I am running v9.1.2. How can I create something classlike and use classmatch?

I want to limit connections to certain URL/URI combinations based on the source IP address. I am using the X-Forwarded-For header because it is behind a reverse proxy.

This is the script I would like to use:

    class hrmstest_uris {
        "/hraccent/ess/client_prod"
        "/hraccent/ess/login.php?company=client_prod"
        "/hraccentops/ess/client_prod"
        "/hraccentops/ess/login.php?company=client_prod"
    }

    when HTTP_REQUEST {
        # Compare the URI in lower case against the class entries
        set my_uri [string tolower [HTTP::uri]]
        if { [HTTP::host] == "www.host.com" and [matchclass $my_uri starts_with $::hrmstest_uris] } {
            # Drop the request unless X-Forwarded-For is one of the three allowed addresses
            if { [HTTP::header X-Forwarded-For] != "ip1" and [HTTP::header X-Forwarded-For] != "ip2" and [HTTP::header X-Forwarded-For] != "ip3" } {
                log local0. "\[request blocked\] : [HTTP::header X-Forwarded-For]"
                drop
            }
        }
    }

4 Replies

  • You can use matchclass in 9.x or 10.x to evaluate an IP address or string against a class.

    You might also consider adding the three IP addresses to an address type datagroup (aka class) and then use matchclass again to check the XFF header value against the datagroup.

    Be aware that it's likely that attackers could bypass your logic though using obfuscation techniques:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=30900

    Aaron
  • But the big problem is that I cannot even save that iRule. I get an error on the class line:

    undefined procedure: class

    Any thoughts?
  • Ah, the class definition is separate from the iRule. You define the class (called a datagroup in the GUI) under Local Traffic | iRules | Datagroup List. Then define the iRule under the iRules tab.

    Aaron
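
The two suggestions in the replies above, combined into one iRule as an added example that is not part of the original thread: the URI list and the allowed addresses both live in datagroups defined outside the iRule, and matchclass is used for both checks. The datagroup name hrmstest_allowed_ips, the use of the last X-Forwarded-For entry, and the catch around matchclass are assumptions of this example.

```tcl
# Added example, not code from the thread.
# Assumes two datagroups created separately from the iRule
# (Local Traffic | iRules | Datagroup List):
#   hrmstest_uris         string type, the four lower-case URI prefixes from the question
#   hrmstest_allowed_ips  address type, the permitted source addresses (hypothetical name)
when HTTP_REQUEST {
    # Lower-case both values so the check does not depend on the case the client sent.
    set my_host [string tolower [HTTP::host]]
    set my_uri  [string tolower [HTTP::uri]]

    if { $my_host eq "www.host.com" and [matchclass $my_uri starts_with $::hrmstest_uris] } {
        # Assumption: the reverse proxy appends the address it saw as the last
        # comma-separated entry; any earlier entries were supplied by the client.
        set xff [HTTP::header X-Forwarded-For]
        set src [string trim [lindex [split $xff ","] end]]

        # Fail closed: a missing header, or a value matchclass cannot evaluate,
        # is treated as not allowed.
        set allowed 0
        if { $src ne "" } {
            catch { set allowed [matchclass $src equals $::hrmstest_allowed_ips] }
        }

        if { !$allowed } {
            log local0. "\[request blocked\] : $xff"
            drop
        }
    }
}
```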