Forum Discussion

Dave_Mehlberg
Mar 11, 2016

iRule with two data groups both using external files one working (addr) and one not (str)

I have an iRule in place that checks the IP address of an off-site host, then it checks the IP address of the client with a class match to see if it is contained in an external file (type addr). If it is, the node is selected as the off-site host; if not, it checks the name of the client with a class match to see if it is contained in an external file (type str). If it is, the node is selected as the off-site host; if not, the connection is dropped.

The iRule works as far as checking the off-site host and checking the client IP address against the external address list but when the IP of the client is not in the IP list but the name of the client is, the class match is not matching.

My iRule:

    when CLIENT_ACCEPTED {
        # Resolve the off-site relay (A record) and the client's address
        set ips [RESOLV::lookup @x.x.x.x -a "smtp-relay.gmail.com"]
        set nps [RESOLV::lookup @x.x.x.x [IP::client_addr]]
        log local0. "Looked up smtp-relay.gmail.com and found $ips, parsed first element: [lindex $ips 0]"
        log local0. "Looked up client IP and found $nps, parsed first element: [lindex $nps 0]"

        # Accept if either the client IP is in the addr data group or the
        # resolved client name matches the str data group; otherwise drop
        if { [class match [IP::client_addr] equals whitelist-smtps] or
             [class match [lindex $nps 0] ends_with whitelist-smtp-names] } {
            log local0. "accepted client IP = [IP::client_addr]"
            log local0. "accepted client name = [lindex $nps 0]"
            node [lindex $ips 0]
        } else {
            log local0. "smtp client dropped [IP::client_addr]"
            drop
        }
    }

The two data groups have external files that were imported into the ifiles area while creating the data groups.

The whitelist-smtps file looks like this:

    host 10.32.8.92 := "host1",
    host 10.41.69.188 := "host2",
    host 10.44.4.158 := "host3",
    host 10.63.253.164 := "host4",
    host 10.65.11.144 := "host5",
    host 10.65.14.220 := "host6",
    host 10.66.1.43 := "host7",

and the whitelist-smtp-names file looks like this:

    "str1" := "pims.cc.nd.edu",
    "str2" := "controls.ame.nd.edu",
    "str3" := "maul.chem.nd.edu",
    "str4" := "grumpy.cse.nd.edu",
    "str5" := "wizard.cse.nd.edu",
    "str6" := "ariel.ee.nd.edu",
    "str7" := "services.ee.nd.edu",
    "str8" := "nomex.eeit.nd.edu",

What am I doing wrong?

5 Replies

  • EDIT - the second class match is incorrect... it should be: [class match [lindex $nps 0] equals whitelist-smtp-names] (equals, not ends_with)
  • Hi Dave,

    a datagroup entry is always a key_name=key_value combination (where the value can be empty) and the search is always performed on the key_names. The [class match -value] or simply [class lookup] syntax will then return the key_value instead of the boolean 0 or 1 of the native [class match] syntax.

    I guess your iRule isn't working correctly since you compare the reverse-DNS-lookup results with the key_names str1, str2, str3, etc. This wouldn't work unless your reverse DNS query would resolve to those strings (which I don't believe). So, my best bet would be that you have to flip the order of the whitelist-smtp-names datagroup, so that the FQDNs would become the key_name.

    Additional Note: Also check the format of your key_name=key_value entries. When using external datagroups, you don't have to specify prefixes in front of each key/value pair.

    Cheers, Kai
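To make the key_name/key_value point concrete, the following is an added example (not F5 code and not part of this thread): a small Python model of how a data-group lookup reads the two external files from the question. It parses the `host <ip> := "<value>",` and `"<key>" := "<value>",` line formats shown above, searches only the key_names the way the thread describes `class match` doing, and compares the original orientation of whitelist-smtp-names with the flipped one Kai suggests. The names `parse_data_group`, `class_match`, `class_lookup` and `relay_decision` are this example's own; the file contents are constructed copies of a few rows from the post, and the address model is simplified to exact host matches (real address data groups also match network entries, which this model leaves out).

```python
"""Model of the key_name=key_value lookup behaviour described in the thread.

Added teaching example, not F5 code: it imitates 'class match' (searches
key_names only, returns a boolean) and 'class lookup' (returns the key_value)
so the failing and the corrected orientation of whitelist-smtp-names can be
compared side by side.
"""
import re
from typing import Dict, Optional

# Constructed subset of the addr-type file posted in the question.
WHITELIST_SMTPS = """
host 10.32.8.92 := "host1",
host 10.41.69.188 := "host2",
host 10.44.4.158 := "host3",
"""

# The str-type file as originally built: the FQDN sits in the value slot.
WHITELIST_SMTP_NAMES_ORIGINAL = """
"str1" := "pims.cc.nd.edu",
"str2" := "controls.ame.nd.edu",
"str3" := "maul.chem.nd.edu",
"""

# The same data after Kai's advice: the FQDN becomes the key_name.
WHITELIST_SMTP_NAMES_FLIPPED = """
"pims.cc.nd.edu" := "str1",
"controls.ame.nd.edu" := "str2",
"maul.chem.nd.edu" := "str3",
"""

# One entry per line, separator ":=", optional trailing comma.  The "host"
# prefix and the quotes are accepted but optional (assumption drawn from
# Kai's note that external files need no prefix in front of each pair).
_ENTRY = re.compile(
    r'^\s*(?:host\s+)?"?(?P<key>[^"\s]+)"?\s*'
    r'(?::=\s*"?(?P<value>[^",]*?)"?\s*)?,?\s*$'
)


def parse_data_group(text: str) -> Dict[str, str]:
    """Return {key_name: key_value}; an entry without a value stores ''."""
    group: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError(f"unparseable data-group line: {line!r}")
        group[m.group("key")] = m.group("value") or ""
    return group


def class_match(needle: str, operator: str, group: Dict[str, str]) -> bool:
    """Model of [class match <needle> <operator> <group>]: key_names only."""
    if operator == "equals":
        return needle in group
    if operator == "ends_with":
        return any(needle.endswith(key) for key in group)
    if operator == "starts_with":
        return any(needle.startswith(key) for key in group)
    if operator == "contains":
        return any(key in needle for key in group)
    raise ValueError(f"unsupported operator {operator!r}")


def class_lookup(needle: str, group: Dict[str, str]) -> Optional[str]:
    """Model of [class lookup <needle> <group>]: the key_value, or None."""
    return group.get(needle)


def relay_decision(client_ip: str, client_name: str,
                   addr_group: Dict[str, str],
                   name_group: Dict[str, str]) -> str:
    """Mirror the accept/drop branch of the posted iRule, using 'equals'
    for the name check as in Dave's own correction."""
    if (class_match(client_ip, "equals", addr_group)
            or class_match(client_name, "equals", name_group)):
        return "accept"
    return "drop"


if __name__ == "__main__":
    addr = parse_data_group(WHITELIST_SMTPS)
    for label, text in (("original", WHITELIST_SMTP_NAMES_ORIGINAL),
                        ("flipped", WHITELIST_SMTP_NAMES_FLIPPED)):
        names = parse_data_group(text)
        print(f"{label:8s} unknown IP, name pims.cc.nd.edu ->",
              relay_decision("10.99.0.1", "pims.cc.nd.edu", addr, names),
              "| lookup ->", class_lookup("pims.cc.nd.edu", names))
```

Running it shows the failure mode from the question: with the original file the name lookup never matches because `pims.cc.nd.edu` is a key_value, not a key_name, so the client is dropped; with the flipped file the same client is accepted and `class_lookup` returns `str1`.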

  • I was basing my original string file on the following link:

    https://devcentral.f5.com/articles/irules-data-group-formatting-rules

    which shows:

    String Classes

    With string classes, quotes are necessary on the types and values:

        [internal class]
        class str_testclass {
            {
                "str1" { "value 1" }
                "str2" { "value 2" }
            }
        }

        [external class]
        class str_testclass_ext {
            type string
            filename "/var/class/str_testclass.class"
            separator ":="
        }

        [/var/class/str_class.class]
        "str1" := "value 1",
        "str2" := "value 2",

    so I built my file as I saw at the bottom of the link for string classes

        "str1" := "value 1",

    and so forth

    • Kai_Wilke
      Yeah, sometimes those manuals are somewhat confusing... ;-) Cheers, Kai