Forum Discussion

MW1
Jul 01, 2014

Can anyone explain the behaviour of this iRule

All, I am trying to understand the behaviour of the below iRule. It was meant to block access to the down.php URI, except from the two src IP ranges stated; however, it blocks access from any location and I can't see why.

    when HTTP_REQUEST {
        log local0. " Request in [IP::client_addr] [HTTP::host][HTTP::uri]"
        if { [HTTP::uri] contains "/down.php" && ( ![IP::addr [IP::remote_addr] equals 75.66.12.0/255.255.255.0] ) or \
             [HTTP::uri] contains "/down.php" && ( ![IP::addr [IP::remote_addr] equals 15.150.0.0/255.255.0.0] ) } {
            log local0. " Blocked access [IP::client_addr] [HTTP::host][HTTP::uri]"
            # drop the request
            discard
        }
    }

4 Replies

  • It looks like it's discarding those 2 subnets if the URI contains that string in lower case.


  • Can you try this?

    when HTTP_REQUEST {
        log local0. " Request in [IP::client_addr] [HTTP::host][HTTP::uri]"
        if { [HTTP::uri] contains "/down.php" } {
            if { ![IP::addr [IP::remote_addr] equals 75.66.12.0/255.255.255.0] and \
                 ![IP::addr [IP::remote_addr] equals 15.150.0.0/255.255.0.0] } {
                log local0. " Blocked access [IP::client_addr] [HTTP::host][HTTP::uri]"
                # drop the request
                discard
            }
        }
    }

  • I thought the ! in front of the IP match statement is a NOT/inverse statement


  • A slightly different placement of the logic is in order:

    when HTTP_REQUEST {
        log local0. " Request in [IP::client_addr] [HTTP::host][HTTP::uri]"
        if { ( [HTTP::uri] contains "/down.php" ) and not ( ( [IP::addr [IP::client_addr] equals 75.66.12.0/255.255.255.0] ) or ( [IP::addr [IP::client_addr] equals 15.150.0.0/255.255.0.0] ) ) } {
            log local0. " Blocked access [IP::client_addr] [HTTP::host][HTTP::uri]"
            # drop the request
            reject
        }
    }


    If you're ever curious about what a logic statement is returning, you can do something like this:

    log local0. [expr { ( ( [IP::addr [IP::client_addr] equals 10.80.0.0/255.255.255.0] ) or ( [IP::addr [IP::client_addr] equals 15.150.0.0/255.255.0.0] ) ) }]
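To see why the original rule in the question blocks everyone while the rewrite in the last reply does not, the two conditions can be evaluated side by side over sample client addresses. The block below is an added Python model of the boolean logic (it is not iRule/Tcl code and not from this thread): `in_net` stands in for `[IP::addr ... equals <net>/<mask>]`, `original_blocks` has the shape `(hit and not A) or (hit and not B)` and `corrected_blocks` has the shape `hit and not (A or B)`. The function and constant names and the sample addresses (including 203.0.113.9 from the documentation range) are constructed for the example. Because one address can never sit in both ranges, at least one of the two `not` clauses in the original is always true, so every request for /down.php is dropped; the `log local0. [expr {...}]` tip above would have shown the same thing on the box.

```python
import ipaddress

# Constructed from the thread: the two source ranges the rule was meant to exempt.
ALLOWED_NETS = [
    ipaddress.ip_network("75.66.12.0/255.255.255.0"),
    ipaddress.ip_network("15.150.0.0/255.255.0.0"),
]
PROTECTED_URI = "/down.php"


def in_net(addr, net):
    """Model of [IP::addr $addr equals <network>/<mask>]: True if addr is inside net."""
    return ipaddress.ip_address(addr) in net


def original_blocks(client_ip, uri):
    """Boolean shape of the original rule:
    (uri contains X and not A) or (uri contains X and not B).
    For any single address, not A or not B is always true, so this is
    equivalent to 'uri contains X' and exempts nobody."""
    hit = PROTECTED_URI in uri
    not_a = not in_net(client_ip, ALLOWED_NETS[0])
    not_b = not in_net(client_ip, ALLOWED_NETS[1])
    return (hit and not_a) or (hit and not_b)


def corrected_blocks(client_ip, uri):
    """Shape of the last reply: uri contains X and not (A or B).
    Blocks only when the client is outside every exempted range."""
    hit = PROTECTED_URI in uri
    allowed = any(in_net(client_ip, net) for net in ALLOWED_NETS)
    return hit and not allowed


def truth_table(uri=PROTECTED_URI):
    """Evaluate both rules for one address in each range and one outside both.
    Returns {label: (original_blocks, corrected_blocks)}."""
    cases = {
        "inside first range": "75.66.12.10",   # constructed sample address
        "inside second range": "15.150.3.4",   # constructed sample address
        "outside both": "203.0.113.9",         # constructed, documentation range
    }
    return {label: (original_blocks(ip, uri), corrected_blocks(ip, uri))
            for label, ip in cases.items()}


if __name__ == "__main__":
    for label, (orig, fixed) in truth_table().items():
        print(f"{label:22s} original blocks={orig!s:5} corrected blocks={fixed}")
```

Running it prints `original blocks=True` for all three addresses and `corrected blocks=True` only for the address outside both ranges, which is the behaviour the question describes and the last reply fixes. The general point for any allow-list written as a denial rule: negate the whole union of exemptions once, rather than negating each exemption in its own OR branch.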