Advanced policy expressions: IP and MAC addresses, throughput, VLAN IDs
You can use Advanced policy expression prefixes that return IPv4 and IPv6 addresses, MAC addresses, IP subnets, useful client and server data such as the throughput rates at the interface ports (Rx, Tx, and RxTx), and the IDs of the VLANs through which packets are received. You can then use various operators to evaluate the data that is returned by these expression prefixes.
Expressions for IP addresses and IP subnets
You can use Advanced policy expressions to evaluate addresses and subnets that are in Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) format. Expression prefixes for IPv6 addresses and subnets include IPv6 in the prefix. Expression prefixes for IPv4 addresses and subnets include IP in the prefix. Following is an example of an expression that identifies whether a request has originated from a particular IPv4 subnet.
client.ip.src.in_subnet(147.1.0.0/16)
Following are two examples of Rewrite policies that examine the subnet from which the packet is received and perform a rewrite action on the Host header. With these two policies configured, the rewrite action that is performed depends on the subnet in the request. These two policies evaluate IP addresses that are in the IPv4 address format.
- add rewrite action URL1-rewrite-action replace "http.req.header(\"Host\")" "\"www.mycompany1.com\""
- add rewrite policy URL1-rewrite-policy "http.req.header(\"Host\").contains(\"www.test1.com\") && client.ip.src.in_subnet(147.1.0.0/16)" URL1-rewrite-action
- add rewrite action URL2-rewrite-action replace "http.req.header(\"Host\")" "\"www.mycompany2.com\""
- add rewrite policy URL2-rewrite-policy "http.req.header(\"Host\").contains(\"www.test2.com\") && client.ip.src.in_subnet(10.202.0.0/16)" URL2-rewrite-action
Note
The preceding examples are commands that you type at the Citrix ADC command-line interface (CLI) and, therefore, each quotation mark inside the expression must be preceded by a backslash (\). For more information, see Configuring advanced policy expressions in a policy.
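The following Python model is added here to show what the two Rewrite policies above actually decide; it is not Citrix ADC code, and the names `Request`, `header_contains`, `client_ip_in_subnet` and `apply_rewrite` are illustrative. Each function's docstring names the Citrix expression it mirrors. First-match-wins evaluation order and the sample requests are assumptions made for this example.

```python
"""Added model of the two Rewrite policies above (not Citrix ADC code).

A policy is a predicate over the request plus a replacement for the Host
header. Request/apply_rewrite/header_contains are illustrative names; the
Citrix expression each function mirrors is named in its docstring.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    client_ip: str                                  # CLIENT.IP.SRC
    headers: dict = field(default_factory=dict)     # HTTP.REQ.HEADER(...)


def header_contains(req: Request, name: str, needle: str) -> bool:
    """HTTP.REQ.HEADER(name).CONTAINS(needle): a substring test, so it also
    matches Host values that merely embed the needle (third sample below)."""
    return needle in req.headers.get(name, "")


def client_ip_in_subnet(req: Request, cidr: str) -> bool:
    """CLIENT.IP.SRC.IN_SUBNET(cidr), IPv4 form."""
    return ip_address(req.client_ip) in ip_network(cidr, strict=False)


# The two policies from the page: (name, predicate, replacement Host value).
POLICIES = [
    ("URL1-rewrite-policy",
     lambda r: header_contains(r, "Host", "www.test1.com")
     and client_ip_in_subnet(r, "147.1.0.0/16"),
     "www.mycompany1.com"),
    ("URL2-rewrite-policy",
     lambda r: header_contains(r, "Host", "www.test2.com")
     and client_ip_in_subnet(r, "10.202.0.0/16"),
     "www.mycompany2.com"),
]


def apply_rewrite(req: Request) -> tuple:
    """Evaluate the policies in bind order and perform the first matching
    rewrite action (first-match-wins is an assumption of this model).
    Returns (matching policy name or None, resulting Host header)."""
    for name, predicate, new_host in POLICIES:
        if predicate(req):
            req.headers["Host"] = new_host
            return name, new_host
    return None, req.headers.get("Host")


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        Request("147.1.5.5", {"Host": "www.test1.com"}),              # URL1 matches
        Request("10.202.3.4", {"Host": "www.test1.com"}),             # wrong subnet: no match
        Request("147.1.5.5", {"Host": "www.test1.com.evil.example"}), # CONTAINS still matches
    ]
    for req in samples:
        print(req.client_ip, req.headers["Host"], "->", apply_rewrite(req))
```

The third sample is the check a practitioner wants before binding a policy like this: `CONTAINS` is a substring match, so any Host value that embeds `www.test1.com` satisfies it, and the subnet test is the only thing narrowing the match. Note also that `CLIENT.IP.SRC` is the address of the peer that opened the TCP connection; if an upstream proxy sits in front of the appliance, that is the proxy's address, not the end user's.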
Prefixes for IPv4 addresses and IP subnets
The following table describes prefixes that return IPv4 addresses and subnets, and segments of IPv4 addresses. You can use numeric operators and operators that are specific to IPv4 addresses with these prefixes. For more information about numeric operations, see "Basic Operations on Expression Prefixes" and "Compound Operations for Numbers."
Table 1. Prefixes That Evaluate IPv4 Addresses
Prefix | Description |
---|---|
CLIENT.IP.SRC | Returns the source IP of the current packet as an IP address or as a number. |
CLIENT.IP.DST | Returns the destination IP of the current packet as an IP address or as a number. |
SERVER.IP.SRC | Returns the source IP of the current packet as an IP address or as a number. |
SERVER.IP.DST | Returns the destination IP of the current packet as an IP address or as a number. |
Operations for IPv4 addresses
The IPv4 operations table describes the operators that can be used with prefixes that return an IPv4 address.
About IPv6 expressions
The IPv6 address format allows more flexibility than the older IPv4 format. IPv6 addresses are in the hexadecimal format (RFC 2373). In the following examples, Example 1 is an IPv6 address, Example 2 is a URL that includes the IPv6 address, and Example 3 includes the IPv6 address and a port number.
Example 1:
9901:0ab1:22a2:88a3:3333:4a4b:5555:6666
Example 2:
http://[9901:0ab1:22a2:88a3:3333:4a4b:5555:6666]/
Example 3:
https://[9901:0ab1:22a2:88a3:3333:4a4b:5555:6666]:8080/
In Example 3, the brackets separate the IP address from the port number (8080).
Note that you can only use the ‘+’ operator to combine IPv6 expressions with other expressions. The output is a concatenation of the string values that are returned from the individual expressions. You cannot use any other arithmetic operator with an IPv6 expression. The following syntax is an example:
client.ipv6.src + server.ip.dst
For example, if the client source IPv6 address is ABCD:1234::ABCD and the server destination IPv4 address is 10.100.10.100, the preceding expression returns "ABCD:1234::ABCD10.100.10.100".
Note that when the Citrix ADC appliance receives an IPv6 packet, it assigns a temporary IPv4 address from an unused IPv4 address range and changes the source address of the packet to this temporary address. At response time, the outgoing packet’s source address is replaced with the original IPv6 address.
Note
You can combine an IPv6 expression with any other expression except an expression that produces a Boolean result.
Expression prefixes for IPv6 addresses
The IPv6 addresses that are returned by the expression prefixes in the following table can be treated as text data. For example, the prefix client.ipv6.dst returns the destination IPv6 address as a string that can be evaluated as text.
The following table describes expression prefixes that return an IPv6 address.
Table 3. IPv6 Expression Prefixes That Return Text
Prefix | Description |
---|---|
CLIENT.IPV6 | Operates on the IPv6 address associated with the current packet. |
CLIENT.IPV6.DST | Returns the IPv6 address in the destination field of the IP header. |
CLIENT.IPV6.SRC | Returns the IPv6 address in the source field of the IP header. Examples: client.ipv6.src.in_subnet(2007::2008/64) and client.ipv6.src.get1.le(2008) |
SERVER.IPV6 | Operates on the IPv6 address associated with the current packet. |
SERVER.IPV6.DST | Returns the IPv6 address in the destination field of the IP header. |
SERVER.IPV6.SRC | Returns the IPv6 address in the source field of the IP header. Examples: server.ipv6.src.in_subnet(2007::2008/64) and server.ipv6.src.get1.le(2008) |
Operations for IPv6 prefixes
The following table describes the operators that can be used with prefixes that return an IPv6 address:
Table 4. Operations That Evaluate IPv6 Addresses
IPv6 Operation | Description |
---|---|
<ipv6>.EQ(<IPv6_address>) | Returns a Boolean TRUE if the IP address value is the same as the <IPv6_address> argument. Example: client.ipv6.dst.eq(ABCD:1234::ABCD) |
<ipv6>.GET1. . .GET8 | Returns one 16-bit segment of an IPv6 address as a number. For the IPv6 address 1000:1001:CD10:0000:0000:89AB:4567:CDEF: client.ipv6.dst.get5 extracts 0000, the fifth segment of the address; client.ipv6.dst.get6 extracts 89AB; client.ipv6.dst.get7 extracts 4567. You can perform numeric operations on these segments. You cannot perform numeric operations on an entire IPv6 address, because expressions that return an entire IPv6 address, such as CLIENT.IPV6.SRC, return the address in text format. |
<ipv6>.IN_SUBNET(<subnet>) | Returns a Boolean TRUE if the IPv6 address value is in the subnet specified by the <subnet> argument. Example: client.ipv6.dst.in_subnet(1000:1001:CD10:0000:0000:89AB:4567:CDEF/60) |
<ipv6>.IS_IPV4 | Returns a Boolean TRUE if this is an IPv4 client, and a Boolean FALSE if it is not. |
<ipv6>.SUBNET(<n>) | Returns the IPv6 address after applying the subnet mask specified as the argument. The mask length can be from 0 through 128. Example: CLIENT.IPV6.SRC.SUBNET(24) |
Expressions for MAC addresses
A MAC address consists of colon-delimited hexadecimal values in the format ##:##:##:##:##:##, where each "#" is a hexadecimal digit (0 through 9 or A through F). Advanced policy expression prefixes and operators are available for evaluating source and destination MAC addresses.
Prefixes for MAC addresses
The following table describes prefixes that return MAC addresses.
Table 5. Prefixes That Evaluate MAC Addresses
Prefix | Description |
---|---|
client.ether.dstmac | Returns the MAC address in the destination field of the Ethernet header. |
client.ether.srcmac | Returns the MAC address in the source field of the Ethernet header. |
Operations for MAC addresses
The following table describes the operators that can be used with prefixes that return a MAC address.
Table 6. Operations on MAC Addresses
Prefix | Description |
---|---|
<mac address>.EQ(<address>) | Returns a Boolean TRUE if the MAC address value is the same as the <address> argument. |
<mac address>.GET1. . .GET4 | Returns, as a number, the octet of the MAC address selected by the GET operation. For example, if the MAC address is 12:34:56:78:9a:bc, client.ether.dstmac.get2 returns the second octet, 34 (hexadecimal). |
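The Python model below is added to make the IPv6 operations table and the MAC operations table concrete; it is not Citrix ADC code, and the function names (`ipv6_get`, `ipv6_subnet`, `ipv6_in_subnet`, `ipv6_eq`, `is_ipv4`, `mac_get`) are illustrative. It goes slightly beyond the tables in one labelled place: `is_ipv4` also treats an IPv4-mapped IPv6 address as IPv4, which is an assumption, not something the page states. The sample addresses are the ones used in the tables above plus constructed ones.

```python
"""Added Python model (not Citrix ADC code) of the IPv6 and MAC operations
in the two tables above: GETn, SUBNET(n), IN_SUBNET, EQ and IS_IPV4 for
IPv6, and GETn for MAC addresses. Function names are illustrative."""
from ipaddress import IPv6Address, IPv6Network, ip_address


def ipv6_get(addr: str, n: int) -> int:
    """<ipv6>.GET1 ... GET8: the n-th 16-bit segment as a number.
    The address is expanded first, so '2007::2008' yields 0x2007 for GET1
    and 0 for GET2 through GET7."""
    if not 1 <= n <= 8:
        raise ValueError("IPv6 segment index must be 1..8")
    packed = IPv6Address(addr).packed            # 16 bytes, network order
    return int.from_bytes(packed[2 * (n - 1):2 * n], "big")


def ipv6_subnet(addr: str, bits: int) -> str:
    """<ipv6>.SUBNET(n): the address with its low (128 - n) bits cleared."""
    if not 0 <= bits <= 128:
        raise ValueError("IPv6 mask length must be 0..128")
    return str(IPv6Network((addr, bits), strict=False).network_address)


def ipv6_in_subnet(addr: str, cidr: str) -> bool:
    """<ipv6>.IN_SUBNET(subnet): host bits in the argument are ignored,
    so '2007::2008/64' means 2007::/64."""
    return IPv6Address(addr) in IPv6Network(cidr, strict=False)


def ipv6_eq(a: str, b: str) -> bool:
    """<ipv6>.EQ(addr): compares address values, so compressed and
    zero-padded spellings of the same address are equal."""
    return IPv6Address(a) == IPv6Address(b)


def is_ipv4(addr: str) -> bool:
    """<ipv6>.IS_IPV4: true for an IPv4 client. This model additionally
    treats an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as IPv4 (assumption)."""
    a = ip_address(addr)
    return a.version == 4 or a.ipv4_mapped is not None


def mac_get(mac: str, n: int) -> int:
    """<mac address>.GET1 ... GET4 (the range documented above): the n-th
    colon-delimited octet as a number, e.g. '34' -> 0x34 == 52."""
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("MAC must be ##:##:##:##:##:##")
    if not 1 <= n <= 4:
        raise ValueError("MAC segment index must be 1..4")
    return int(octets[n - 1], 16)


if __name__ == "__main__":
    addr = "1000:1001:CD10:0000:0000:89AB:4567:CDEF"   # address used in the table
    for n in (5, 6, 7):
        print(f"get{n} = {ipv6_get(addr, n):04X}")
    print(ipv6_subnet("2007:ABCD:1234::1", 24))        # constructed input
    print(ipv6_in_subnet("2007::1", "2007::2008/64"))
    print(ipv6_eq("ABCD:1234::ABCD", "abcd:1234:0:0:0:0:0:abcd"))
    print(mac_get("12:34:56:78:9a:bc", 2))
```

Two points the tables leave implicit show up when you run this: a GETn segment is a number, so `get2` on `12:34:56:78:9a:bc` compares as 52 (0x34) in any numeric operator, and `IN_SUBNET` with a /60 argument keeps only the first 60 bits of the supplied address, so `1000:1001:CD10:0000:0000:89AB:4567:CDEF/60` matches every address in 1000:1001:cd10::/60 and nothing else.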
Expressions for numeric client and server data
The following table describes prefixes for working with numeric client and server data, including throughput, port numbers, and VLAN IDs.
Table 7. Prefixes that evaluate numeric client and server data
Prefix | Description |
---|---|
client.interface.rxthroughput | Returns an integer representing the raw received traffic throughput in kilobytes per second (KBps) for the previous seven seconds. |
client.interface.txthroughput | Returns an integer representing the raw transmitted traffic throughput in KBps for the previous seven seconds. |
client.interface.rxtxthroughput | Returns an integer representing the raw received and transmitted traffic throughput in KBps for the previous seven seconds. |
server.interface.rxthroughput | Returns an integer representing the raw received traffic throughput in KBps for the previous seven seconds. |
server.interface.txthroughput | Returns an integer representing the raw transmitted traffic throughput in KBps for the previous seven seconds. |
server.interface.rxtxthroughput | Returns an integer representing the raw received and transmitted traffic throughput in KBps for the previous seven seconds. |
server.vlan.id | Returns a numeric ID of the VLAN through which the current packet entered the Citrix ADC. |
client.vlan.id | Returns a numeric ID for the VLAN through which the current packet entered the Citrix ADC. |