Object Storage

StorageGrid Traffic Classification - AND matching rules instead of OR

benkorvemaker
3,797 Views

Is there an easy way to create a traffic classification policy that does AND instead of OR on the matching rules? I'd like to match if clients from a certain CIDR are hitting a sub-optimal endpoint.

 

 

10 REPLIES 10

elementx
3,764 Views

Have you tried? Is it not possible? Or not easy?

benkorvemaker
3,738 Views

As documented, it's an OR of all conditions, and I've confirmed that.  (https://docs.netapp.com/us-en/storagegrid-116/admin/creating-traffic-classification-policies.html -- "Traffic that matches any rule is included in the policy.")  It also has inverse matches, and thinking back to a logic course many years ago, I was hoping I could leverage that, but it looks like I need more levels of NOT than available. 

elementx
3,737 Views

Right, so if your "allow" IPs are all over the place and there are many, then it may not be possible.

 

In that case I'd try to keep rules in a flat file and commit them with Ansible with SG modules?

I haven't looked if the module that can set the rules is available. If not, just write a shell script loop with curl and process manually crafted request template, perhaps?

benkorvemaker
3,735 Views

Right now, I'm trying with even just one and no success.

elementx
3,726 Views

Just one rule or just one Ansible/curl script?

 

If you're in the mood to try Discord, there may be some folks online for available for real-time chat.

benkorvemaker
3,721 Views

Just one IP hitting one wrong endpoint.

elementx
3,713 Views

🤔

Maybe there's a bug? If you could share your rule, someone from the SG team could try on a real SG (or maybe even tell you if the rule's not correct).

benkorvemaker
3,710 Views

It doesn't look like a bug -- it's operating as designed. Just not designed the way we want to use it.

elementx
3,702 Views

I thought you used a NOT rule and tried to access from an allowed address.

benkorvemaker
3,693 Views

It's not the access rules, but the traffic classification.

IP + Endpoint A,  with IP accessing Endpoint A, matches (and also matches anything else hitting Endpoint A)

NOT IP + Endpoint A,  with IP accessing Endpoint A, matches (ditto)

IP + NOT Endpoint A,  with IP accessing Endpoint A, matches (and also matches anything else hitting any other endpoint)

NOT IP + NOT Endpoint A,  with IP accessing Endpoint A, does not match (ditto)

 

 

Public