vADC Forum

Occasional Visitor
Posts: 1
Registered: 02-01-2016

how do I allow an IP range and a set of allowed IPs in one traffic script rule?

Hi, I'm trying to configure a TrafficScript rule on our SteelApp VTM.

I want to allow BOTH a specified IP address AND an IP range to reach blah.com, and for the following suffixes to be redirected to blah.com/RDWeb: /rpc, /remoteDesktopGateway.

Here is my rule:


$allowedIPs = [ "123.123.0.1", "109.233.52.0/24" ];
$ip = request.getRemoteIP();
$drop = false;
$arraylen = array.length( $allowedIPs );
$url = http.getHeader( "Host" );
$path = http.getPath();

for ( $i = 0; $i < $arraylen; $i++ ) {
   log.info( "IP= " . $ip . " AllowedIP= " . $allowedIPs[$i] );
   if ( string.startsWithI( $url, "blah.com" ) ) {
      if ( string.containsI( $path, "/RDWeb" ) || string.containsI( $path, "/rpc" ) || string.containsI( $path, "/remoteDesktopGateway" ) ) {
         # compare the client IP with the current list entry
         if ( $ip == $allowedIPs[$i] ) {
            pool.use( "Blah_RDS" );
            break;
         } else {
            $drop = true;
         }
      } else {
         http.redirect( "https://blah.com/rdweb" );
      }
   }
}
if ( $drop == true ) {
   connection.discard();
}

---

This rule compiles fine but doesn't work. Any ideas?

Contributor
Posts: 40
Registered: 03-26-2013

Re: how do I allow an IP range and a set of allowed IPs in one traffic script rule?

You are testing for a string match:

  if ( $ip == $allowedIPs[$i])

This works for an IP but not for a subnet.

TrafficScript offers a function to test whether an IP is in a subnet:

string.ipmaskmatch($ip, $subnet)

And you can use a simple foreach to test the array until a match is found, like in this subroutine:

sub IPorSubnetMatch($networksAndIPs, $ip) {
   # Walk the list; each entry may be a single address or a CIDR range
   foreach ($subnetOrIP in $networksAndIPs) {
      if (string.ipmaskmatch($ip, $subnetOrIP)) {
         return (1==1);   # true on the first match
      }
   }
   return(1!=1);   # false: no entry matched
}

(I was not sure if boolean is a real type in TS)

Another problem - might not be relevant since you edited that part of the code - is that you redirect to https://blah.com/rdweb if Host: starts with "blah.com", which sounds like a redirect loop to me :)

To wrap it up, and because you don't want to test the requested path on each IP test, you should use the aforementioned function and reduce your code to something like:

if ( string.startsWithI( http.getHostHeader(), "blah.com" ) ) {
  $path = http.getPath();
  if ( string.containsI( $path, "/RDWeb" ) || string.containsI( $path, "/rpc" ) || string.containsI( $path, "/remoteDesktopGateway" ) ) {
    $allowedIPs = [ "123.123.0.1", "109.233.52.0/24" ];
    $ip = request.getRemoteIP();
    # IPorSubnetMatch is the subroutine defined above
    if ( IPorSubnetMatch( $allowedIPs, $ip ) ) {
      pool.use( "Blah_RDS" );
    } else {
      connection.discard();
    }
  }
} else {
  http.redirect( "https://notblah.com/rdweb" );
}
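The answer's IPorSubnetMatch and the host/path rule around it, modelled in Python as an added example (this is not TrafficScript and not code from either post): the asker's plain string comparison and the mask-based match are run side by side over constructed client addresses, so the reason the CIDR entry never matched is visible. The host, paths, pool name and addresses are the thread's placeholders; `decide` is a hypothetical helper that returns the action the rewritten rule would take instead of calling pool.use, connection.discard or http.redirect, and the mask matcher also accepts IPv6 entries, which the thread does not discuss.

```python
import ipaddress

# Same placeholder allowlist as the thread: one single address and one /24.
ALLOWED = ["123.123.0.1", "109.233.52.0/24"]
# Path fragments the rule routes to the RDS pool (compared case-insensitively).
GATEWAY_PATHS = ("/rdweb", "/rpc", "/remotedesktopgateway")


def naive_match(ip: str, allowed=ALLOWED) -> bool:
    """The original rule's test: string equality against every entry.

    A client inside 109.233.52.0/24 is never literally equal to the string
    "109.233.52.0/24", so the range entry can never match.
    """
    return any(ip == entry for entry in allowed)


def ip_or_subnet_match(ip: str, allowed=ALLOWED) -> bool:
    """Python equivalent of IPorSubnetMatch: string.ipmaskmatch over each entry.

    Bare addresses become /32 (or /128) networks, so a single IP and a CIDR
    range are handled by the same containment test. Anything unparsable is
    treated as a non-match (fail closed) rather than raising.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for entry in allowed:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a malformed list entry must not accidentally allow anyone
        if addr.version == net.version and addr in net:
            return True
    return False


def decide(host: str, path: str, ip: str, allowed=ALLOWED) -> str:
    """Action the rewritten rule takes: 'pool', 'discard', 'redirect' or 'pass'.

    Hypothetical helper standing in for pool.use / connection.discard /
    http.redirect so the control flow can be checked offline.
    """
    if not host.lower().startswith("blah.com"):
        return "redirect"          # http.redirect( "https://notblah.com/rdweb" )
    if not any(fragment in path.lower() for fragment in GATEWAY_PATHS):
        return "pass"              # no gateway path: the rule falls through
    if ip_or_subnet_match(ip, allowed):
        return "pool"              # pool.use( "Blah_RDS" )
    return "discard"               # connection.discard()


if __name__ == "__main__":
    # Constructed client addresses: the exact entry, one inside the /24, one outside.
    for client in ("123.123.0.1", "109.233.52.17", "109.233.53.1"):
        print(client, "naive:", naive_match(client), "mask:", ip_or_subnet_match(client))
    print(decide("blah.com", "/RDWeb/", "109.233.52.17"))
```

One caveat that applies to both the TrafficScript rule and this model: request.getRemoteIP() is the address of the TCP peer, so if another proxy or load balancer sits in front of the traffic manager the allowlist is being applied to that device, not to the end client.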

 

 
