how do I allow an IP range and a set of allowed IPs in one traffic script rule?


Hi, I'm trying to configure a TrafficScript rule on our SteelApp VTM.

I want to allow BOTH a specified IP address AND an IP range to reach blah.com, and for the following suffixes to be redirected to blah.com/RDWeb: /rpc, /remoteDesktopGateway.

Here is my rule:


$allowedIPs = [ "123.123.0.1","109.233.52.0/24"];
$ip = request.getremoteip();
$drop = false;
$arraylen = array.length($allowedIPs);
$url = http.getHeader("Host");
$path = http.getpath();

for ( $i = 0; $i < $arraylen; $i++ ) {
   log.info( "IP= " . $ip . "AllowedIP= " . $allowedIPs[$i] . "");
   if( string.startsWithI( $url, "blah.com")) {
      if(string.containsI( $path, "/RDWeb" ) || string.containsI ( $path, "/rpc" ) || string.containsI( $path, "/remoteDesktopGateway" )){
         if ( $ip == $allowedIPs[$i]) {
            pool.use( "Blah_RDS" );
            break;
         } else {
            $drop = true;
         }
      }
      else {
         http.redirect( "https://blah.com/rdweb" );
      }
   }

}
if ($drop == true) {
   connection.discard();
}

---

This rule compiles fine but doesn't work. Any ideas? 

1 REPLY
Contributor

Re: how do I allow an IP range and a set of allowed IPs in one traffic script rule?

You are testing for a string match:

  if ( $ip == $allowedIPs[$i])

This works for an IP but not for a subnet.


TrafficScript offers a function to test an IP's presence in a subnet:

string.ipmaskmatch($ip, $subnet)


And you can use a simple foreach to test the array until a match is found, like in this subroutine:


sub IPorSubnetMatch($networksAndIPs, $ip) {
   foreach ($subnetOrIP in $networksAndIPs) {
      if (string.ipmaskmatch($ip, $subnetOrIP)) {
         return (1==1);
      }
   }
   return(1!=1);
}

(I was not sure if boolean is a real type in TS)

Another problem - might not be relevant since you edited that part of the code - is that you redirect to https://blah.com/rdweb if Host: starts with "blah.com", which sounds like a redirect loop to me :)

To wrap it up, and because you don't want to test the requested path on each IP test, you should use the aforementioned function and reduce your code to something like:

if( string.startsWithI( http.getHostHeader(), "blah.com")) {
   $path = http.getPath();
   if(string.containsI( $path, "/RDWeb" ) || string.containsI( $path, "/rpc" ) || string.containsI( $path, "/remoteDesktopGateway" )) {
      $allowedIPs = [ "123.123.0.1","109.233.52.0/24"];
      $ip = request.getRemoteIP();
      if (IPorSubnetMatch($allowedIPs, $ip)) {
         pool.use( "Blah_RDS" );
      } else {
         connection.discard();
      }
   }
} else {
   http.redirect( "https://notblah.com/rdweb" );
}
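Since the difference between a string comparison and a subnet test is the whole point of the thread, here is an added Python example (not TrafficScript, and not code from the question, the reply or the vTM product) that models both the original rule's `==` test and the reply's `IPorSubnetMatch()` with the standard `ipaddress` module. The names `ALLOWED`, `RD_PATHS`, `string_match`, `ip_or_subnet_match` and `decide` are chosen for this example; `decide()` mirrors the reduced rule from the reply by returning the action it would take as a string instead of calling `pool.use()`, `connection.discard()` or `http.redirect()`.

```python
import ipaddress

# Allowlist exactly as posted in the thread: one host address and one /24 network.
ALLOWED = ["123.123.0.1", "109.233.52.0/24"]

# Path fragments the rule treats as Remote Desktop traffic (compared case-insensitively,
# as string.containsI() does).
RD_PATHS = ("/rdweb", "/rpc", "/remotedesktopgateway")


def string_match(ip, allowed):
    """The question's test: exact string equality against each entry.
    A CIDR entry such as "109.233.52.0/24" only ever equals that literal string,
    so no client inside the network can match."""
    return any(ip == entry for entry in allowed)


def ip_or_subnet_match(ip, allowed):
    """Equivalent of the reply's IPorSubnetMatch() built on string.ipmaskmatch():
    true if ip is one of the listed addresses or lies inside one of the listed
    networks. Unparseable client input is treated as "no match" (deny by default)
    instead of raising inside the rule."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for entry in allowed:
        try:
            # strict=False accepts "109.233.52.5/24" as well as "109.233.52.0/24";
            # a bare address becomes a single-host /32 (or /128) network.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a malformed allowlist entry must never grant access
        if addr in net:  # False when address and network families differ (v4 vs v6)
            return True
    return False


def decide(host, path, ip, allowed=ALLOWED):
    """Action the reply's reduced rule reaches for one request.
    Host and path tests are case-insensitive, like startsWithI()/containsI()."""
    if host.lower().startswith("blah.com"):
        lowered = path.lower()
        if any(fragment in lowered for fragment in RD_PATHS):
            if ip_or_subnet_match(ip, allowed):
                return "pool:Blah_RDS"
            return "discard"
        return "pass"  # blah.com request on another path: the rule does nothing
    return "redirect:https://notblah.com/rdweb"


if __name__ == "__main__":
    # Constructed sample clients: the listed host, one inside the /24, one just outside.
    for client in ("123.123.0.1", "109.233.52.77", "109.233.53.1"):
        print(client,
              "string_match:", string_match(client, ALLOWED),
              "ip_or_subnet_match:", ip_or_subnet_match(client, ALLOWED))
```

Running it shows why the original rule "compiles fine but doesn't work": `109.233.52.77` fails `string_match()` but passes `ip_or_subnet_match()`. Two details worth keeping when porting the idea back to TrafficScript: an address that cannot be parsed, or a malformed allowlist entry, should fall through to the discard branch rather than to the pool, and a prefix test on the Host header (`startsWithI(..., "blah.com")`) also accepts hostnames such as `blah.community`, so an exact comparison is the tighter check if only one hostname should reach the pool.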