Forum Discussion

TJ_Vreugdenhil
Apr 04, 2013

matching two classes - iRule 10.2.4

I have the iRule working below with just CLASS-1. I am simply trying to say CLASS-1 OR CLASS-2, but having trouble getting F5 to take it. Do I need to set a variable or something like an elseif?

when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] > 0}{
        if { ! ( [class match [substr [X509:subject [SSL::cert 0]] 3 ","] equals CLASS-1 ] || {![class match [substr [X509:subject [SSL::cert 0]] 3 ","] equals CLASS-2 ] } ) } {
            log local0. "Client dropped :[substr [X509::subject [SSL::cert 0]] 3 ","]"
            drop
        }
    }
}

b class CLASS-1 '{
    {
        "11111"
        "CN=,OU=xxxxx"
        "Requestor1"
        "cert-subject-name" { "Details" }
    }
}'

b class CLASS-2 '{
    {
        "22222"
        "CN=,OU=yyyyy"
        "Requestor2"
        "cert-subject-name" { "Details" }
    }
}'

Thanks!

 

4 Replies

  • Replace || with &&. It looks like you want both conditions to be met for the connection to be dropped and logged. Therefore you need to AND instead of OR.

    Condition 1: ! [class match [substr [X509:subject [SSL::cert 0]] 3 ","] equals CLASS-1 ]
    Condition 2: ! [class match [substr [X509:subject [SSL::cert 0]] 3 ","] equals CLASS-2 ]

    Hope this helps.
  • No, I'm really looking for an OR condition. I tried && too, and it still throws a PARSE error.
  • Let me explain a bit more:

    b class CLASS-1 '{
        {
            "CN=XXXXXX,"
        }
    }'

    b class CLASS-2 '{
        {
            "CN=YYYYY,"
        }
    }'

    This works:

    when CLIENTSSL_CLIENTCERT {
        if {[SSL::cert count] > 0}{
            if { ! [class match [substr [X509::subject [SSL::cert 0]] 3 ","] equals CLASS-1 ] } {
                log local0. "Client dropped :[substr [X509::subject [SSL::cert 0]] 3 ","]"
                drop
            }
        }
    }

    However, when trying to add CLASS-2 as an OR condition I get a TCL error (iRule below):

    when CLIENTSSL_CLIENTCERT {
        if {[SSL::cert count] > 0}{
            set X509_subject [X509::subject [SSL::cert 0]]
            if { { ! [class match [substr $X509_subject 3 ","] equals CLASS-1] } || {!([class match [substr $X509_subject 3 ","] equals CLASS-2] } } {
                log local0. "Client dropped :[substr [X509::subject [SSL::cert 0]] 3 ","]"
                drop
            }
        }
    }

    Apr 5 15:07:55 local/tmm3 err tmm3[6610]: 01220001:3: TCL error: test-iRule - expected boolean value but got " ! [class match [substr $X509_subject 3 ","] equal" while executing "if { { ! [class match [substr $X509_subject 3 ","] equals CLASS-1 ] } || {!([class match [substr $X509_subject 3 ","] equals CLASS-2..."

  • I got this to work using the following:

    when CLIENTSSL_CLIENTCERT {
        if {[SSL::cert count] > 0}{
            # CN is taken from offset 3 ("CN=") up to the first comma
            set X509_subject [substr [X509::subject [SSL::cert 0]] 3 ","]
            log local0. "X509-subject-CN:$X509_subject"
            # both lookups are bracketed commands, so the expression sees 0/1 and || works
            if { ! ( [class match $X509_subject equals CLASS-1 ] || [class match $X509_subject equals CLASS-2] ) } {
                log local0. "Client dropped :$X509_subject"
                drop
            }
        }
    }
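
The TCL error in this thread comes from Tcl's expression parser: inside an `if { ... }` expression, a braced group such as `{ ! [class match ...] }` is a literal string, not a sub-expression, so `||` receives the text " ! [class match ..." instead of a boolean. The fix is to leave each `[class match ...]` as a bare command substitution, which evaluates to 0 or 1. The following iRule is an added example written for this page, not code posted in the thread. It goes slightly beyond the thread's rule in two ways: it extracts the CN by name with a regexp instead of `substr ... 3 ","` (which assumes CN is the first RDN in the subject), and it denies when no CN can be found. It assumes CLASS-1 and CLASS-2 exist as string data groups whose entries are bare CN values (for example "alice"), and that the clientssl profile already validates the certificate chain; the rule is only an allow-list on top of that validation.

```tcl
# Added example (not from the original thread): allow the client certificate
# only when its subject CN is listed in CLASS-1 OR CLASS-2, deny otherwise.
# Assumes CLASS-1 and CLASS-2 are string data groups of bare CN values and
# that the clientssl profile has already verified the chain.
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        # No certificate presented. Whether that is acceptable is decided by
        # the clientssl profile's client-auth setting, not by this rule.
        return
    }

    set subject [X509::subject [SSL::cert 0]]

    # Find the CN by name wherever it sits in the subject. The thread's
    # [substr $subject 3 ","] only works when CN is the first RDN.
    # A subject with no CN is treated as not allowed.
    if { ![regexp -nocase {(?:^|,)\s*CN=([^,]*)} $subject -> cn] } {
        log local0. "Client dropped, no CN in subject: $subject"
        drop
        return
    }
    set cn [string trim $cn]

    # Each [class match ...] is a command substitution that returns 0 or 1,
    # so the expression operates on booleans and || works as intended.
    # Wrapping a term in braces ({ ! [class match ...] }) turns it into a
    # literal string inside the expression, which is exactly what produced
    # "expected boolean value but got ' ! [class match ...'".
    # "--" ends option parsing so a CN beginning with "-" is not read as a flag.
    set allowed [expr {
        [class match -- $cn equals CLASS-1] || [class match -- $cn equals CLASS-2]
    }]

    if { !$allowed } {
        log local0. "Client dropped, CN not in CLASS-1 or CLASS-2: $cn"
        drop
        return
    }
    log local0. "Client allowed: $cn"
}
```

Two things worth checking when deploying a rule like this. First, `equals` is an exact, case-sensitive comparison against the data group entries, so the entries must hold the same bare CN string the rule extracts (no "CN=" prefix, no trailing comma), otherwise every client is dropped. Second, the rule only runs when a certificate is received; a client that presents no certificate is never evaluated by it, so the allow-list is only as strong as the client-auth setting on the clientssl profile that decides whether such connections are accepted at all.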