Class match does not appear to work how I expected with contains
All,
I am trying to write an iRule that essentially matches an HTTP header value and checks the allowed IPs which can send it. I have created a datagroup called headers (string type as address type does not allow multiple rows with the same IP address), where I hoped to be able to put multiple header values with a separator as the string and the IP address/range as the value (e.g. header values are dave and matt) - below is an example record in the headers datagroup:
SSSdaveSSSmattSSS:= 10.10.10.5
I was expecting I could do a "class match -value SSSdaveSSS contains headers"; however, this fails to find a match. However, if I change the string in the datagroup to be just "SSSdaveSSS" it matches, and appears to act the same as equals.
Can anyone advise how "contains" works when checking a string in datagroup and/or if there is a way to do a partial match on the string value in the datagroup?
Hi
Then you can:
- Create a data group "string" with header name as key, and IP / IP range as values:
  header1 := 10.10.10.0/24|10.10.20.0/24|10.50.1.1
- Get the header.
- Check if the header is in the datagroup, and if not, allow (header not filtered).
- If the header is in the datagroup, get the allowed IPs and ranges as a list.
- Loop through each IP / range and check if the source is included there.
- And make a decision.
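# $hdrtocheck (header to look up) and $srcip (client address) must already be set;
# "ttt" is the name of the string data group.
set allowedips [split [class match -value $hdrtocheck equals ttt] "|"]
log local0. "$allowedips"
set allowed 0
if { ! ($allowedips equals "") } {
    # Header is listed: compare the source against each allowed IP / range
    foreach ip $allowedips {
        if { [IP::addr $srcip equals $ip] } {
            incr allowed
        }
    }
    if { $allowed > 0 } {
        log local0. "$srcip allowed"
    } else {
        log local0. "$srcip denied"
    }
} else {
    # Header has no record in the data group
    log local0. "not checked"
}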
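
An added example, not part of the original posts and not iRule code: a small Python model of why the question's `contains` lookup returns nothing, and of the per-header allow-list decision the answer describes. In `class match <item> <operator> <class>` the item is the left operand, so `contains` asks whether the item contains a data-group key. The function names and the iteration order over records are assumptions of the model; the records are the ones shown on the page.

```python
import ipaddress

# Record from the question (key := value), as a string data group.
ORIGINAL_DG = {"SSSdaveSSSmattSSS": "10.10.10.5"}
# Record from the answer: one key per header, values joined with "|".
PER_HEADER_DG = {"header1": "10.10.10.0/24|10.10.20.0/24|10.50.1.1"}


def class_match_value(item, operator, datagroup):
    """Model of `class match -value <item> <operator> <class>`.

    The ITEM is tested against each KEY, never the other way round.
    Returns the value of a matching record, or "" when nothing matches.
    (Iteration order is an assumption of this model.)
    """
    tests = {
        "equals": lambda key: item == key,
        "starts_with": lambda key: item.startswith(key),
        "ends_with": lambda key: item.endswith(key),
        "contains": lambda key: key in item,  # item contains key
    }
    test = tests[operator]
    for key, value in datagroup.items():
        if test(key):
            return value
    return ""


def decide(header, src_ip, datagroup):
    """Return 'not checked', 'allowed' or 'denied', following the answer's steps."""
    allowed = class_match_value(header, "equals", datagroup)
    if allowed == "":
        return "not checked"  # header has no record: not filtered
    src = ipaddress.ip_address(src_ip)
    for entry in allowed.split("|"):
        # A bare address parses as a /32; strict=False tolerates host bits.
        if src in ipaddress.ip_network(entry.strip(), strict=False):
            return "allowed"
    return "denied"


if __name__ == "__main__":
    print(repr(class_match_value("SSSdaveSSS", "contains", ORIGINAL_DG)))
    print(decide("header1", "10.10.20.7", PER_HEADER_DG))
    print(decide("header1", "10.50.1.2", PER_HEADER_DG))
```

Note that a header with no record falls through to "not checked", which the answer treats as allowed, so any header that must be restricted needs its own record in the data group.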