NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

Object Storage

StorageGrid Traffic Classification - AND matching rules instead of OR

benkorvemaker
6,015 Views

Is there an easy way to create a traffic classification policy that does AND instead of OR on the matching rules? I'd like to match if clients from a certain CIDR are hitting a sub-optimal endpoint.

 

 

10 REPLIES 10

elementx
5,982 Views

Have you tried? Is it not possible? Or not easy?

benkorvemaker
5,956 Views

As documented, it's an OR of all conditions, and I've confirmed that.  (https://docs.netapp.com/us-en/storagegrid-116/admin/creating-traffic-classification-policies.html -- "Traffic that matches any rule is included in the policy.")  It also has inverse matches, and thinking back to a logic course many years ago, I was hoping I could leverage that, but it looks like I need more levels of NOT than available. 

elementx
5,955 Views

Right, so if your "allow" IPs are all over the place and there are many, then it may not be possible.

 

In that case I'd try to keep rules in a flat file and commit them with Ansible with SG modules?

I haven't looked if the module that can set the rules is available. If not, just write a shell script loop with curl and process manually crafted request template, perhaps?

benkorvemaker
5,953 Views

Right now, I'm trying with even just one and no success.

elementx
5,944 Views

Just one rule or just one Ansible/curl script?

 

If you're in the mood to try Discord, there may be some folks online for available for real-time chat.

benkorvemaker
5,939 Views

Just one IP hitting one wrong endpoint.

elementx
5,931 Views

🤔

Maybe there's a bug? If you could share your rule, someone from the SG team could try on a real SG (or maybe even tell you if the rule's not correct).

benkorvemaker
5,928 Views

It doesn't look like a bug -- it's operating as designed. Just not designed the way we want to use it.

elementx
5,920 Views

I thought you used a NOT rule and tried to access from an allowed address.

benkorvemaker
5,911 Views

It's not the access rules, but the traffic classification.

IP + Endpoint A,  with IP accessing Endpoint A, matches (and also matches anything else hitting Endpoint A)

NOT IP + Endpoint A,  with IP accessing Endpoint A, matches (ditto)

IP + NOT Endpoint A,  with IP accessing Endpoint A, matches (and also matches anything else hitting any other endpoint)

NOT IP + NOT Endpoint A,  with IP accessing Endpoint A, does not match (ditto)

 

 

Public