Forum Discussion

swo0sh_gt_13163
Feb 25, 2015

Convert HTTP Class iRules for version 11.5.1 or later

Hello Folks,

I had a customer who is using the old version of iRules, which contains HTTP Class selected commands, and now they want to upgrade to 11.5.1. The command is no longer supported in that version, and I am not able to convert it in a compatible way so that the iRule is accepted in 11.5.1.

A sample iRule from the customer setup is as follows.

ltm rule /Common/Ems_staging_admins {
    when HTTP_REQUEST {
        # Clients in the data group get the admin HTTP class, all others the default one
        if { [class match [IP::client_addr] equals "disable_asm_ip_ranges"] } {
            HTTP::class select /Common/cls_EMS_staging_admin
        } else {
            HTTP::class select /Common/cls_EMS_staging
        }
    }
}
ltm rule /Common/efax_smtp_allow {
    when CLIENT_ACCEPTED {
        # Only clients in the data group may relay; all others are dropped
        if { [class match [IP::client_addr] equals "allowed_ip_efax"] } {
            log local0. "allowed to relay from [IP::client_addr]"
        } else {
            drop
            log local0. "Not allowed to relay from [IP::client_addr]"
        }
    }
}

These are 2 iRules, and there are many more which need to be edited. Can anyone shed some light on how I can modify the iRule so that it can be applied on 11.5.1?

I have tried to follow the article; however, I couldn't fix it.

Thank you, Darshan

  • JG
    What do those HTTP Class profiles do?
  • Hello Jie,

    Thanks for the reply. It was my bad.

    It is just for enabling ASM, which I can do through a traffic profile in 11.5.1. I will manage it.

    Cheers! Darshan

  • Hey Folks,

    I got stuck again with the same issue; this time the iRule is a little more complex than the one I asked about earlier.

    Following is the snippet for your reference.

    when HTTP_REQUEST {
        set FLAG_BLOCKED 0
        set Disabl_ASM_FLAG 0
        # GLOBAL_breakALL is not defined in this snippet
        if { $GLOBAL_breakALL == 0 } {
            if { [HTTP::uri] starts_with "/admin/content/" } {
                if { [class match [IP::client_addr] equals AB_Web_Folder_IP] } {
                    log local0. "Access to admin is allowed"
                    ASM::disable
                    set Disabl_ASM_FLAG 1
                } else {
                    log local0. "Someone trying to access /admin/content/ illegally from Source IP: [IP::client_addr] "
                    set FLAG_BLOCKED 1
                    set Disabl_ASM_FLAG 1
                }
            }
        }
    }
    when HTTP_CLASS_SELECTED {
        log local0. "inside class selection"
        if { $Disabl_ASM_FLAG == 1 } {
            # Disable ASM only when the selected HTTP class has ASM enabled
            if { [HTTP::class asm] == 1 } {
                ASM::disable
                log local0. "ASM is disabled now"
            }
        }
        # Reject requests flagged as blocked in HTTP_REQUEST
        if { $FLAG_BLOCKED == 1 } {
            reject
        }
    }
    

    How can I eliminate the use of when HTTP_CLASS_SELECTED and HTTP::class ASM? Any help?

    Thank you,

    Darshan

  • Hey Folks,

    I've managed to fix the iRule; the following is the updated copy.

    when HTTP_REQUEST {
        set FLAG_BLOCKED 0
        set Disabl_ASM_FLAG 0
        # GLOBAL_breakALL is not defined in this snippet
        if { $GLOBAL_breakALL == 0 } {
            if { [HTTP::uri] starts_with "/admin/content/" } {
                if { [class match [IP::client_addr] equals AB_Web_Folder_IP] } {
                    log local0. "Access to admin is allowed"
                    ASM::disable
                    set Disabl_ASM_FLAG 1
                } else {
                    log local0. "Someone trying to access /admin/content/ illegally from Source IP: [IP::client_addr] "
                    set FLAG_BLOCKED 1
                    set Disabl_ASM_FLAG 1
                }
            }
        }

        # Takes the place of the HTTP_CLASS_SELECTED event: runs when a policy matched
        if { [llength [POLICY::names matched]] > 0 } {
            log local0. "inside class selection"
            if { $Disabl_ASM_FLAG == 1 } {
                # Takes the place of [HTTP::class asm]
                if { [POLICY::controls asm] == 1 } {
                    ASM::disable
                    log local0. "ASM is disabled now"
                }
            }
            # Reject requests flagged as blocked above
            if { $FLAG_BLOCKED == 1 } {
                reject
            }
        }
    }
    

    I hope this would help someone.

    Cheers! Darshan
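
The first post mentions many more iRules that still need editing before the upgrade. As an added example (not code from the thread or from F5), this Python script inventories HTTP Class usage per ltm rule block in a configuration dump, so every affected rule, including the ones that toggle ASM, is found before 11.5.1 rejects it. The sample configuration, its rule and class names, and the function names are constructed; the suggested replacements are only the ones that appear in the final post.

```python
import re

# Deprecated construct -> replacement used in the thread's final iRule (None: not shown).
DEPRECATED = {
    r"\bHTTP_CLASS_SELECTED\b": "if {[llength [POLICY::names matched]] > 0} in HTTP_REQUEST",
    r"\bHTTP::class\s+asm\b": "[POLICY::controls asm]",
    r"\bHTTP::class\s+select\b": None,
}

def split_rules(conf):
    """Yield (rule_name, first_line_no, lines) per 'ltm rule NAME {' block."""
    name, depth, start, lines = None, 0, 0, []
    for no, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*ltm rule (\S+)\s*\{", line)
        if name is None and m:
            name, depth, start, lines = m.group(1), 0, no, []
        if name is not None:
            lines.append(line)
            depth += line.count("{") - line.count("}")  # naive: ignores quoting
            if depth <= 0:
                yield name, start, lines
                name = None
    if name is not None:  # rule cut off before its closing brace
        yield name, start, lines

def audit(conf):
    """Return [(rule, line_no, construct, suggestion)] for each HTTP Class use."""
    findings = []
    for name, start, lines in split_rules(conf):
        for no, line in enumerate(lines, start):
            if line.lstrip().startswith("#"):  # skip Tcl comment lines
                continue
            for pattern, suggestion in DEPRECATED.items():
                if hit := re.search(pattern, line):
                    findings.append((name, no, hit.group(0), suggestion))
    return findings

# Constructed sample configuration (rule and class names are made up).
SAMPLE = """\
ltm rule /Common/example_select {
    # old: HTTP::class select in a comment is ignored
    when HTTP_REQUEST { HTTP::class select /Common/example_class }
}
ltm rule /Common/example_event {
    when HTTP_CLASS_SELECTED {
        if { [HTTP::class asm] == 1 } { ASM::disable }
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding whose suggestion is None marks a rule that needs a manual decision, such as moving the class selection into a traffic policy as described earlier in the thread.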