Forum Discussion

Basil_Parsley_1
Mar 01, 2017

class match with OR - irule not capturing traffic as expected

Guys, can someone help with the below – I have a funny feeling I could be heading for a “plant face on desk” moment …

Requirement to selectively block an HSL logging irule from logging to my SIEM by IP or by xff.

Initial irule has

    if { not [class match [IP::client_addr] equals ip_external_scan_addresses] } {
        # Log some stuff
    }

This works fine: with my src IP in “ip_external_scan_addresses”, no log. Src IP removed from datagroup = log.

(Works also for xff in the same code snippet)

I then moved to add an OR against xff:

    if { not ([class match [IP::client_addr] equals ip_external_scan_addresses]) or ([class match [HTTP::header "X-Forwarded-For"] equals ip_external_scan_addresses]) } {
        # Log some stuff
    }

Which compiles fine and doesn’t break website access, BUT now whatever IP I put in the datagroup nothing gets logged – the line does not capture ANY traffic – noting in my test case xff and client_addr are the same IP.

Any ideas? Thanks!!

1 Reply

JG

    when HTTP_REQUEST {
        # Client address is not in the data group: log it.
        if { not ([class match [IP::client_addr] equals ip_external_scan_addresses]) } {
            log local0. "[IP::client_addr] is not in acl ip_external_scan_addresses"
        } elseif { [HTTP::header values "X-Forwarded-For"] ne "" } {
            # Client address is in the data group; check each X-Forwarded-For entry as well.
            set found 0
            # Strip spaces, split on commas, stop at the first entry found in the data group.
            foreach xff_item [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
                if { [class match $xff_item equals ip_external_scan_addresses] } {
                    set found 1
                    break
                }
            }
            if { $found == 0 } {
                log local0. "[IP::client_addr] is not on acl ip_external_scan_addresses."
            }
        }
    }
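As an added example (not code from the original question or from JG's reply), here is the "neither address is a scanner" condition written with the parentheses around the whole OR, combined with the X-Forwarded-For splitting from the reply and HSL logging as in the question. Assumed names: the data group ip_external_scan_addresses is from the post; the data group trusted_proxies and the HSL pool siem_pool are hypothetical.

```tcl
# Added example, not from the original thread. Assumptions: data group
# trusted_proxies and HSL pool siem_pool are hypothetical names.
when HTTP_REQUEST {
    set client_ip [IP::client_addr]
    set xff [HTTP::header "X-Forwarded-For"]
    set client_is_scanner [class match $client_ip equals ip_external_scan_addresses]

    # X-Forwarded-For is written by whoever sent the request, so only honour it
    # when the request arrived from a proxy we operate; otherwise any client could
    # opt itself out of SIEM logging by setting the header.
    set xff_is_scanner 0
    if { $xff ne "" && [class match $client_ip equals trusted_proxies] } {
        # Left-most entry is the originating client; later entries are added per hop.
        set xff_first [lindex [split [string map [list " " ""] $xff] ","] 0]
        # Only look up well-formed IPv4 values (assumption: data group holds IPv4 entries).
        if { [regexp {^\d{1,3}(\.\d{1,3}){3}$} $xff_first] } {
            set xff_is_scanner [class match $xff_first equals ip_external_scan_addresses]
        }
    }

    # In the question the test is written "not (A) or (B)". In Tcl expressions "not"
    # is a unary operator and binds tighter than "or", so that reads "(not A) or B".
    # The intended test is "not (A or B)": log unless either address is a scanner.
    if { not ($client_is_scanner or $xff_is_scanner) } {
        set hsl [HSL::open -proto UDP -pool siem_pool]
        HSL::send $hsl "src=$client_ip xff=$xff uri=[HTTP::uri]\n"
    }
}
```

To verify the condition on a BIG-IP, send one request from an address in the data group and one from an address that is not, and compare what reaches the SIEM against the two rows of the truth table in the comment.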