NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

Object Storage

StorageGrid Traffic Classification - AND matching rules instead of OR

benkorvemaker
6,017 Views

Is there an easy way to create a traffic classification policy that does AND instead of OR on the matching rules? I'd like to match if clients from a certain CIDR are hitting a sub-optimal endpoint.

 

 

10 REPLIES 10

elementx
5,984 Views

Have you tried? Is it not possible? Or not easy?

benkorvemaker
5,958 Views

As documented, it's an OR of all conditions, and I've confirmed that.  (https://docs.netapp.com/us-en/storagegrid-116/admin/creating-traffic-classification-policies.html -- "Traffic that matches any rule is included in the policy.")  It also has inverse matches, and thinking back to a logic course many years ago, I was hoping I could leverage that, but it looks like I need more levels of NOT than available. 

elementx
5,957 Views

Right, so if your "allow" IPs are all over the place and there are many, then it may not be possible.

 

In that case I'd try to keep rules in a flat file and commit them with Ansible with SG modules?

I haven't looked if the module that can set the rules is available. If not, just write a shell script loop with curl and process manually crafted request template, perhaps?

benkorvemaker
5,955 Views

Right now, I'm trying with even just one and no success.

elementx
5,946 Views

Just one rule or just one Ansible/curl script?

 

If you're in the mood to try Discord, there may be some folks online for available for real-time chat.

benkorvemaker
5,941 Views

Just one IP hitting one wrong endpoint.

elementx
5,933 Views

🤔

Maybe there's a bug? If you could share your rule, someone from the SG team could try on a real SG (or maybe even tell you if the rule's not correct).

benkorvemaker
5,930 Views

It doesn't look like a bug -- it's operating as designed. Just not designed the way we want to use it.

elementx
5,922 Views

I thought you used a NOT rule and tried to access from an allowed address.

benkorvemaker
5,913 Views

It's not the access rules, but the traffic classification.

IP + Endpoint A,  with IP accessing Endpoint A, matches (and also matches anything else hitting Endpoint A)

NOT IP + Endpoint A,  with IP accessing Endpoint A, matches (ditto)

IP + NOT Endpoint A,  with IP accessing Endpoint A, matches (and also matches anything else hitting any other endpoint)

NOT IP + NOT Endpoint A,  with IP accessing Endpoint A, does not match (ditto)

 

 

Public