API Connect

APIC Gateway Script to get originating IPs and check if within CIDR of OCP cluster

By Amit Kumar Singh posted Tue November 05, 2024 07:18 AM


Requirements often arise where we need to know the originating IP address and make decisions based on it (e.g. allowing requests only from specific known IPs). In many deployments the call reaches the gateway through a load balancer, a proxy configuration or virtual hosting, so the actual source IP is the one prior to ingress and is carried in the X-Forwarded-For header.

In IBM APIC we can use a GatewayScript policy to write custom code that reads the source IP address from the context message headers and uses it as the requirement dictates.

Script to get the source IP address and check whether it is from the ingress layer or prior to ingress:

Below is a sample GatewayScript that gets the source IP and logs it with console.error.

// Get the source IP Address from the request context
   var sourceIp = context.get('message.headers')['X-Client-IP'];
// Log source IP to console.error
   console.error("Source IP is " + sourceIp);
// Check if sourceIp is from ingress layer
   var xForwardedFor = context.get('message.headers')['X-Forwarded-For'];
   if (xForwardedFor)
   {
      var ips = xForwardedFor.split(',');
      sourceIp = ips[0].trim();
      console.error("Source IP prior to Ingress Layer " + sourceIp);
   }
   else
   {
      console.error("Source IP Ingress Layer " + sourceIp);
   }


Script to check if the source IP is within the CIDR of the OCP cluster:

// You can use the command oc get network.config/cluster -o jsonpath='{.spec.clusterNetwork[0].cidr}'
// to get the CIDR range of the OCP cluster, which the script compares the source IP against

// Get the source IP Address from the request context
   var sourceIp = context.get('message.headers')['X-Client-IP'];
// Log source IP to console.error
   console.error("Source IP is " + sourceIp);
// Check if sourceIp is from ingress layer
   var xForwardedFor = context.get('message.headers')['X-Forwarded-For'];
   if (xForwardedFor)
   {
      var ips = xForwardedFor.split(',');
      sourceIp = ips[0].trim();
      console.error("Originating sourceIp " + sourceIp);
   }
   else
   {
      console.error("Originating sourceIp " + sourceIp);
   }

   // Convert a dotted-quad IPv4 string to an unsigned 32-bit integer
   function ipToLongConv(sourceIp)
   {
     return sourceIp.split('.').reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
   }

   // Return true when sourceIp falls inside clusterCIDR (e.g. '10.128.0.0/14')
   function issourceIpInsideOCP(sourceIp, clusterCIDR)
   {
      const [range, mask] = clusterCIDR.split('/');
      const prefix = parseInt(mask, 10);          // prefix length as a number, not the split string
      const ipLong = ipToLongConv(sourceIp);
      const rangeLong = ipToLongConv(range);
      const maskLong = ~(Math.pow(2, (32 - prefix)) - 1);
      return (ipLong & maskLong) === (rangeLong & maskLong);
   }

   var clusterCIDR = '10.128.0.0/14';

   if (issourceIpInsideOCP(sourceIp, clusterCIDR))
   {
     console.error("sourceIp is inside of OCP");
   }
   else
   {
     console.error("sourceIp is outside of OCP");
   }
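As an added example (not the post's own script), here is a stand-alone JavaScript version of both steps above, the X-Forwarded-For handling and the CIDR check, written from the defensive side: the X-Forwarded-For chain is walked from the right and hops that belong to trusted proxy ranges are skipped, so a client-supplied leftmost entry is never taken on faith; every hop is validated as IPv4 before use, and a malformed address or prefix makes the check fail closed. It takes a plain headers object instead of the DataPower context API so it can run outside the gateway; inside a GatewayScript policy you would pass context.get('message.headers') as headers. The sample header values, the trusted-proxy range and the cluster CIDR below are constructed placeholders, and the use of X-Client-IP as the address the gateway itself observed follows the post.

```javascript
// Added example, not the post's script. Runs stand-alone with a plain
// headers object; in GatewayScript pass context.get('message.headers').

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer, or null if invalid.
function parseIPv4(s) {
  if (typeof s !== 'string') return null;
  const parts = s.trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// Parse "a.b.c.d/len" into { base, prefix }, or null if malformed.
function parseCIDR(cidr) {
  if (typeof cidr !== 'string') return null;
  const m = /^([^/]+)\/(\d{1,2})$/.exec(cidr.trim());
  if (!m) return null;
  const base = parseIPv4(m[1]);
  const prefix = Number(m[2]);
  if (base === null || prefix > 32) return null;
  return { base, prefix };
}

// True if the IPv4 integer ip falls inside the parsed CIDR.
function ipInCIDR(ip, cidr) {
  if (cidr.prefix === 0) return true;          // /0 matches everything; avoids a 32-bit shift
  const mask = (0xFFFFFFFF << (32 - cidr.prefix)) >>> 0;
  return ((ip & mask) >>> 0) === ((cidr.base & mask) >>> 0);
}

// Walk the forwarding chain from the right, skipping hops that sit inside a
// trusted proxy range. The first untrusted address is the originating client.
// Leftmost X-Forwarded-For entries are writable by the client, so they are
// only reached after every hop to their right has been verified as a proxy.
function originatingIp(headers, trustedProxyCIDRs) {
  const trusted = trustedProxyCIDRs.map(parseCIDR).filter(c => c !== null);
  const isTrusted = ip => trusted.some(c => ipInCIDR(ip, c));
  const xff = headers['X-Forwarded-For'];
  const chain = xff ? xff.split(',').map(s => s.trim()) : [];
  // X-Client-IP is assumed (as in the post) to be the address the gateway saw
  // on the connection itself, so it is the rightmost, most trustworthy hop.
  chain.push(headers['X-Client-IP']);
  for (let i = chain.length - 1; i >= 0; i--) {
    const ip = parseIPv4(chain[i]);
    if (ip === null) return null;              // malformed hop: fail closed
    if (!isTrusted(ip)) return chain[i];
  }
  return chain[0];                             // every hop was a trusted proxy
}

// Resolve the originating IP and report whether it lies inside the cluster CIDR.
function classifySource(headers, trustedProxyCIDRs, clusterCIDR) {
  const ipStr = originatingIp(headers, trustedProxyCIDRs);
  if (ipStr === null) return { ip: null, insideOCP: false, reason: 'invalid address' };
  const cidr = parseCIDR(clusterCIDR);
  if (cidr === null) return { ip: ipStr, insideOCP: false, reason: 'invalid cluster CIDR' };
  return { ip: ipStr, insideOCP: ipInCIDR(parseIPv4(ipStr), cidr), reason: 'ok' };
}

// Constructed sample: the leftmost X-Forwarded-For entry claims a cluster
// address, the ingress at 10.128.2.5 appended the real client 203.0.113.7.
const SAMPLE_HEADERS = {
  'X-Client-IP': '10.128.2.5',
  'X-Forwarded-For': '10.128.0.1, 203.0.113.7',
};
const TRUSTED_PROXIES = ['10.128.0.0/14'];   // placeholder: your ingress / LB ranges
const CLUSTER_CIDR = '10.128.0.0/14';        // placeholder: value from oc get network.config/cluster

console.log(classifySource(SAMPLE_HEADERS, TRUSTED_PROXIES, CLUSTER_CIDR));
```

With the sample headers, taking ips[0] would report the spoofed 10.128.0.1 as inside the cluster; walking from the right through the trusted range yields 203.0.113.7 instead, which is outside. Tune TRUSTED_PROXIES to exactly the ranges your load balancers and ingress controllers use, since any address in that list is treated as a hop rather than a client.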
