Object Storage

StorageGrid Traffic Classification - AND matching rules instead of OR

benkorvemaker

Is there an easy way to create a traffic classification policy that does AND instead of OR on the matching rules? I'd like to match if clients from a certain CIDR are hitting a sub-optimal endpoint.

elementx

Have you tried? Is it not possible? Or not easy?

benkorvemaker

As documented, it's an OR of all conditions, and I've confirmed that (https://docs.netapp.com/us-en/storagegrid-116/admin/creating-traffic-classification-policies.html -- "Traffic that matches any rule is included in the policy."). It also has inverse matches, and thinking back to a logic course many years ago, I was hoping I could leverage that, but it looks like I need more levels of NOT than available.

elementx

Right, so if your "allow" IPs are all over the place and there are many, then it may not be possible.

In that case I'd try to keep the rules in a flat file and commit them with Ansible using the SG modules?

I haven't looked at whether the module that can set the rules is available. If not, just write a shell script loop with curl and process a manually crafted request template, perhaps?

benkorvemaker

Right now, I'm trying with even just one and no success.

elementx

Just one rule or just one Ansible/curl script?

If you're in the mood to try Discord, there may be some folks online and available for real-time chat.

benkorvemaker

Just one IP hitting one wrong endpoint.

elementx

🤔

Maybe there's a bug? If you could share your rule, someone from the SG team could try on a real SG (or maybe even tell you if the rule's not correct).

benkorvemaker

It doesn't look like a bug -- it's operating as designed. Just not designed the way we want to use it.

elementx

I thought you used a NOT rule and tried to access from an allowed address.

benkorvemaker

It's not the access rules, but the traffic classification.

IP + Endpoint A, with IP accessing Endpoint A, matches (and also matches anything else hitting Endpoint A)

NOT IP + Endpoint A, with IP accessing Endpoint A, matches (ditto)

IP + NOT Endpoint A, with IP accessing Endpoint A, matches (and also matches anything else hitting any other endpoint)

NOT IP + NOT Endpoint A, with IP accessing Endpoint A, does not match (ditto)

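A small model of the OR-of-rules semantics described in the last post, added here as an example; it is not StorageGRID code and was not posted in the thread. The `Rule` and `policy_matches` names, the CIDR 10.1.2.0/24, the two client addresses and the two endpoint hostnames are all constructed for illustration. The only behaviour taken from the page is that a policy matches when any one of its rules matches and that each rule can be inverted. Running it reproduces the four outcomes listed above and shows why none of the four policies equals the wanted "CIDR AND endpoint" condition: by De Morgan, NOT IP OR NOT Endpoint A is exactly the complement of IP AND Endpoint A, which is the extra level of NOT the thread says is missing.

```python
"""Model of StorageGRID-style OR-of-rules traffic classification.

Added example, not StorageGRID code. Rule kinds, CIDR, client IPs and
endpoint names below are constructed; only the OR semantics and the
per-rule inverse flag come from the thread.
"""
import ipaddress
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    """One matching rule: kind is 'cidr' or 'endpoint'; inverse flips the result."""
    kind: str
    value: str
    inverse: bool = False

    def matches(self, client_ip: str, endpoint: str) -> bool:
        if self.kind == "cidr":
            hit = ipaddress.ip_address(client_ip) in ipaddress.ip_network(
                self.value, strict=False)
        elif self.kind == "endpoint":
            hit = endpoint == self.value
        else:
            raise ValueError(f"unknown rule kind {self.kind!r}")
        return hit != self.inverse  # XOR with the inverse flag


def policy_matches(rules, client_ip: str, endpoint: str) -> bool:
    """Documented semantics: traffic that matches ANY rule is included."""
    return any(r.matches(client_ip, endpoint) for r in rules)


def wanted(cidr: str, bad_endpoint: str, client_ip: str, endpoint: str) -> bool:
    """What the original poster wants: client in CIDR AND hitting the bad endpoint."""
    in_cidr = ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr, strict=False)
    return in_cidr and endpoint == bad_endpoint


# Constructed sample data (hypothetical, not from the thread).
CIDR = "10.1.2.0/24"
ENDPOINT_A = "s3-slow.example.net"        # the "sub-optimal" endpoint
CLIENTS = ["10.1.2.3", "192.0.2.7"]       # one inside the CIDR, one outside
ENDPOINTS = [ENDPOINT_A, "s3-fast.example.net"]

# The four two-rule policies tried in the thread.
POLICIES = {
    "IP + Endpoint A": [Rule("cidr", CIDR), Rule("endpoint", ENDPOINT_A)],
    "NOT IP + Endpoint A": [Rule("cidr", CIDR, True), Rule("endpoint", ENDPOINT_A)],
    "IP + NOT Endpoint A": [Rule("cidr", CIDR), Rule("endpoint", ENDPOINT_A, True)],
    "NOT IP + NOT Endpoint A": [Rule("cidr", CIDR, True),
                                Rule("endpoint", ENDPOINT_A, True)],
}


def truth_table():
    """Evaluate every policy against every (client, endpoint) request."""
    return {
        name: {(c, e): policy_matches(rules, c, e)
               for c, e in product(CLIENTS, ENDPOINTS)}
        for name, rules in POLICIES.items()
    }


def and_expressible():
    """Return (policies equal to the wanted AND on all requests,
    whether the double-NOT policy is the exact complement of the wanted AND)."""
    table = truth_table()
    want = {(c, e): wanted(CIDR, ENDPOINT_A, c, e)
            for c, e in product(CLIENTS, ENDPOINTS)}
    exact = [name for name, result in table.items() if result == want]
    complement = all(table["NOT IP + NOT Endpoint A"][k] == (not v)
                     for k, v in want.items())
    return exact, complement


if __name__ == "__main__":
    for name, result in truth_table().items():
        print(name)
        for (client, endpoint), matched in result.items():
            print(f"  {client:12} -> {endpoint:22} {'match' if matched else 'no match'}")
    print("policies equal to CIDR AND endpoint:", and_expressible()[0])
    print("double-NOT policy is the exact complement:", and_expressible()[1])
```

Because the inverse flag lives on each rule and the rules are joined by OR, the only way to express the conjunction is to negate the whole policy's result, which the rule editor described in the thread does not offer; the model makes that visible without touching a real grid.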