Forum Discussion

maximillean_953
May 27, 2014

I write it with "not", but it applies as true.

when HTTP_REQUEST { 
    if { ([lindex [split [HTTP::path] "/"] 2] contains "control" ) or ( [lindex [split [HTTP::path] "/"] 3] contains "control" ) or ( [lindex [split [HTTP::path] "/"] 1] contains "sql" ) and ![class match [IP::client_addr] eq ss_allowed_address] } { reject }
}

I am trying to write a rule that rejects if the IP is not in the ss_allowed_address data group list. But it does the opposite; it does not accept the not-equal sign with !

?

10 Replies

  • Isn't this correct?

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
      log local0. "uri: [HTTP::uri]"
      if { ([lindex [split [HTTP::path] "/"] 2] contains "control") or \
        ([lindex [split [HTTP::path] "/"] 3] contains "control") or \
        ([lindex [split [HTTP::path] "/"] 1] contains "sql" and \
        ![class match [IP::client_addr] eq ss_allowed_address]) } {
        reject
        log local0. "1: [lindex [split [HTTP::path] "/"] 1] \
          2: [lindex [split [HTTP::path] "/"] 2] \
          3: [lindex [split [HTTP::path] "/"] 3] \
          class: ![class match [IP::client_addr] eq ss_allowed_address] \
          reseult: reject"
      }
    }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal ss_allowed_address
    ltm data-group internal ss_allowed_address {
        type ip
    }
    
     test
    
    [root@ve11a:Active:In Sync] config  tail -f /var/log/ltm
    May 27 05:51:10 ve11a info tmm1[14715]: Rule /Common/qux : uri: /sql/controlA/controlB/something
    May 27 05:51:10 ve11a info tmm1[14715]: Rule /Common/qux : 1: sql  2: controlA  3: controlB  class: !0  reseult: reject
    
    
  • Hi again,

    There is a redirect rule right after this. The redirect rule redirects to https when /servlet/control is called. This redirect rule somehow disables the filter.

    When I send a request for example /1/control, it rejects, but when I send /servlet/control it does not apply the filter?

    When I remove the redirect rule after the filter rule, the filter starts working again.

    The redirect rule is like:

    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/servlet/control") } {
            HTTP::respond 301 noserver Location https://xyz.com[HTTP::uri]
        }
    }
    
  • I think it is because 'or' overrides 'and'. Place parentheses: if { ( (1 eq 1) or (2 eq 2) ) and !(2 eq 1) } { reject }

    Try:

    when HTTP_REQUEST {
      if { ( ([lindex [split [HTTP::path] "/"] 2] contains "control" ) or ( [lindex [split [HTTP::path] "/"] 3] contains "control" ) or ( [lindex [split [HTTP::path] "/"] 1] contains "sql" ) ) and ![class match [IP::client_addr] equals ss_allowed_address] } { reject }
    }
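    To see why the parentheses matter, here is an added example (not code from the thread) that models the two conditions in plain tclsh: iRule "or"/"and"/"!" are stood in for by expr's "||"/"&&"/"!", "contains" and the class match are modelled with small procs, and the allowed-address data group is a constructed list.

```tcl
# Constructed stand-in for the ss_allowed_address data group (type ip).
set ss_allowed_address {10.0.0.5 192.168.1.20}

# Models the iRule "contains" operator with a substring search.
proc contains {haystack needle} {
    expr {[string first $needle $haystack] >= 0}
}

# Models "class match [IP::client_addr] eq ss_allowed_address" on a plain list.
proc class_match {addr} {
    global ss_allowed_address
    expr {[lsearch -exact $ss_allowed_address $addr] >= 0}
}

# Original condition: "and" binds tighter than "or", so the "!" only guards
# the "sql" branch; the two "control" branches reject regardless of client IP.
proc original {path addr} {
    set p [split $path "/"]
    expr {[contains [lindex $p 2] "control"] ||
          [contains [lindex $p 3] "control"] ||
          ([contains [lindex $p 1] "sql"] && ![class_match $addr])}
}

# Parenthesised condition: the allow-list check applies to every branch.
proc fixed {path addr} {
    set p [split $path "/"]
    expr {([contains [lindex $p 2] "control"] ||
           [contains [lindex $p 3] "control"] ||
           [contains [lindex $p 1] "sql"]) && ![class_match $addr]}
}

# Constructed requests: an allowed IP hitting /servlet/control is rejected by
# the original rule but allowed by the fixed one; the rest agree.
foreach {path addr} {
    /servlet/control 10.0.0.5
    /servlet/control 203.0.113.9
    /sql/x           10.0.0.5
    /index.html      203.0.113.9
} {
    puts [format "%-18s %-12s original=%-6s fixed=%s" $path $addr \
        [expr {[original $path $addr] ? "reject" : "allow"}] \
        [expr {[fixed $path $addr] ? "reject" : "allow"}]]
}
```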
    
  • Please try this


    when HTTP_REQUEST { if { ([lindex [split [HTTP::path] "/"] 2] contains "control" ) or ( [lindex [split [HTTP::path] "/"] 3] contains "control" ) or ( [lindex [split [HTTP::path] "/"] 1] contains "sql" ) and (class match [IP::client_addr] eq ne ss_allowed_address) } { reject } }


  • "eq ne" is a wrong argument. By the way, friends, the rules that claudio and nitass posted are correct; I have a different problem now. I have a redirect rule after the filter rule that makes the filter pass and redirects.


  • It seems reject does not work with HTTP::respond in HTTP_REQUEST (when the request matches both reject and HTTP::respond). Not sure if it is a bug or not.

    Can you move reject to CLIENT_ACCEPTED instead?

    This is my testing in 11.5.1.

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 33
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
      reject
      HTTP::respond 301
    }
    }
    
     test
    
    [root@centos1 ~] curl -I http://172.28.24.10/
    HTTP/1.0 301 Moved Permanently
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
    
    
  • it seems reject does not work with HTTP::respond in HTTP_REQUEST (when request matches both reject and HTTP::respond). not sure if it is a bug or not.


    It happens in 10.2.4 HF7 and 11.5.1. Changing the command order (reject and HTTP::respond) does not help. If it is the same in your version, you may open a support case to verify whether it is a bug or not. :-)


  • Same behaviour when you use drop rather than reject; this must definitely be a bug. The same does not apply on NetScalers. I am migrating rules from one to the other. I write the same as on the NetScaler. The NetScaler has the same rules as the F5 iRule, but NS blocks while F5 passes the redirect even when drop or reject is used. I hope this will be fixed ASAP. It is meaningless for this to be normal behaviour. I am definitely going to open a case for this!


  • OK, it's fixed by a local F5 guy by adding "event disable all" and "return" right after reject. Then HTTP::respond does not pass the reject anymore.

    when HTTP_REQUEST {
        # Parentheses group the path tests so the allow-list check applies to all of them
        if { ( ([lindex [split [HTTP::path] "/"] 2] contains "control" ) or ( [lindex [split [HTTP::path] "/"] 3] contains "control" ) or ( [lindex [split [HTTP::path] "/"] 1] contains "sql" ) ) and ![class match [IP::client_addr] eq ss_allowed_address] } {
            reject
            # Stop later iRules (such as the HTTP::respond redirect) from running on this request
            event disable all
            return
        }
    }