Citrix ADC

Compound advanced policy expressions

You can configure an Advanced policy expression with boolean or arithmetic operators and atomic operations. The following compound expression has a boolean AND:

http.req.hostname.eq("mycompany.com") && http.req.method.eq(post)

The following expression adds the value of two targets, and compares the result to a third value:

http.req.url.length + http.req.cookie.length \<= 500

A compound expression can have any number of logical and arithmetic operators.

The following expression evaluates the length of an HTTP request. This expression is based on the URL and cookie. This expression evaluates the text in the header. Also, does a Boolean AND on these two results:

http.req.url.length + http.req.cookie.length \<= 500 && http.req.header.contains("some text")

You can use parentheses to control the order of evaluation in a compound expression.

Booleans in compound expressions

You configure compound expressions with the following operators:

  • &&.

    This operator is a logical AND. For the expression to evaluate to TRUE, all components must evaluate to TRUE.

    Example:

    http.req.url.hostname.eq(“myHost”) && http.req.header(“myHeader”).exists

  • ||.

    This operator is a logical OR. If any component of the expression evaluates to TRUE, the entire expression is TRUE.

  • !.

    P Does a logical NOT on the expression.

Sometimes, the Citrix ADC configuration utility offers AND, NOT, and OR operators in the Add Expression dialog box. However, these compound expressions are of limited use. Citrix recommends that you use the operators &&, ||, and! To configure compound expressions that use Boolean logic.

Parentheses in compound expressions

You can use parentheses to control the order of evaluation of an expression. The following is an example:

http.req.url.contains("myCompany.com") || (http.req.url.hostname.eq("myHost") && http.req.header("myHeader").exists)

The following is another example:

(http.req.header("Content-Type").exists && http.req.header("Content-Type").eq("text/html")) || (http.req.header("Transfer-Encoding").exists || http.req.header("Content-Length").exists)

Compound operations for strings

The following table describes operators that you can use to configure compound operations on string data.

Operations that produce a string value Description
str + str Concatenates the value of the expression on the left of the operator with the value on the right. Example: http.req.hostname + http.req.url.protocol
str + num Concatenates the value of the expression on the left of the operator with a numeric value on the right. Example: http.req.hostname + http.req.url.content_length
num + str Concatenates the numeric value of the expression on the left side of the operator with a string value on the right. Example: http.req.url.content_length + http.req.url.hostname
str + ip Concatenates the string value of the expression on the left side of the operator with an IP address value on the right. Example: http.req.hostname + 10.00.000.00
IP + str Concatenates the IP address value of the expression on the left of the operator with a string value on the right. Example: client.ip.dst + http.req.url.hostname
str1 ALT str2 Uses string2 if the evaluation of string1 results in an undef exception or the result is a null string. Otherwise uses string1 and never evaluates string2. Example: http.req.hostname alt client.ip.src
Operations on strings that produce a result of TRUE or FALSE Description
str == str Evaluates whether the strings on either side of the operator are the same. Following is an example: http.req.header(“myheader”) == http.res.header(“myheader”)
str <= str Evaluates whether the string on the left side of the operator is the same as the string on the right, or precedes it alphabetically.
str >= str Evaluates whether the string on the left side of the operator is the same as the string on the right, or follows it alphabetically.
str < str Evaluates whether the string on the left side of the operator precedes the string on the right alphabetically.
str > str Evaluates whether the string on the left side of the operator follows the string on the right alphabetically.
str !!= str Evaluates whether the strings on either side of the operator are different.
Logical operations on strings Description
bool && bool This operator is a logical AND. When evaluating the components of the compound expression, all components that are joined by the AND must evaluate to TRUE. Following is an example: http.req.method.eq(GET) && http.req.url.query.contains(“viewReport && my_pagelabel”)
bool || bool This operator is a logical OR. When evaluating the components of the compound expression, if any component of the expression belonging to OR evaluates to TRUE, the entire expression is TRUE. Following is an example: http.req.url.contains(“.js”) || http.res.header.(“Content-Type”). Contains(“javascript”)
bool Performs a logical NOT on the expression.

Compound operations for numbers

You can configure compound numeric expressions. For example, the following expression returns a numeric value that is the sum of an HTTP header length and a URL length:

http.req.header.length + http.req.url.length

The following tables describe operators that you can use to configure compound expressions for numeric data.

Arithmetic operations on numbers Description
num + num Add the left expression value of the operator to the right expression value. Example: http.req.content_length + http.req.url.length
num – num Subtract the right expression value of the operator from the left expression value.
num x num Multiply the left expression value of the operator with the right expression value. Example: client.interface.rxthroughput * 9
num / num Divide the left expression value of the operator by the right expression value.
num % num Calculate the modulo, or the numeric remainder on a division of the value of the expression on the left of the operator by the value of the expression on the right. For example, the values “15 mod 4” equal 3, and “12 mod 4” equals 0.
~number Returns a number after applying a bitwise logical negation of the number. The following example assumes that numeric.expression returns 12 (binary 1100): ~numeric.expression. The result of applying the ~ operator is -11 (a binary 1110011, 32 bits total with all ones to the left). All returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.
number ^ number Compares two bit patterns of equal length and performs an XOR operation on each pair of corresponding bits in each number argument, returning 1 if the bits are different, and 0 if they are the same. Returns a number after applying a bitwise XOR to the integer argument and the current number value. If the values in the bitwise comparison are the same, the returned value is a 0. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 10 (binary 1010): numeric.expression1 ^ numeric.expression2The result of applying the ^ operator to the entire expression is 6 (binary 0110). All returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.
number | number Returns a number after applying a bitwise OR to the number values. If either value in the bitwise comparison is a 1, the returned value is a 1. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 10 (binary 1010): numeric.expression1 | numeric.expression2 The result of applying the | operator to the entire expression is 14 (binary 1110). All returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.
number & number Compares two bit patterns of equal length and performs a bitwise AND operation on each pair of corresponding bits, returning 1 if both of the bits contain a value of 1, and 0 if either bits are 0. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 10 (binary 1010): numeric.expression1 & numeric.expression2 The whole expression evaluates to 8 (binary 1000). All returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.
num « num Returns a number after a bitwise left shift of the number value by the right-side number argument number of bits. The number of bits shifted is integer modulo 32. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 3: numeric.expression1 « numeric.expression2 The result of applying the LSHIFT operator is 96 (a binary 1100000). All returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.
num » num Returns a number after a bitwise right shift of the number value by the integer argument number of bits. The number of bits shifted is integer modulo 32. The following example assumes that numeric.expression1 returns 12 (binary 1100) and numeric.expression2 returns 3: numeric.expression1 » numeric.expression2 The result of applying the RSHIFT operator is 1 (a binary 0001). All returned values of less than 32 bits before applying the operator implicitly have zeros to the left to make them 32 bits wide.
Numeric operators that produce a result of TRUE or FALSE Description  
num == num Determine if the value of the expression on the left of the operator is equal to the value of the expression on the right.  
num!= num Determine if the value of the expression on the left of the operator is not equal to the value of the expression on the right.  
num > num Determine if the value of the expression on the left of the operator is greater than the value of the expression on the right.  
num < num Determine if the value of the expression on the left of the operator is less than the value of the expression on the right.  
num >= num Determine if the value of the expression on the left of the operator is greater than or equal to the value of the expression on the right.  
num <= num Determine if the value of the expression on the left of the operator is less than or equal to the value of the expression on the right  

Functions for data types in the policy infrastructure

The Citrix ADC policy infrastructure supports the following numeric data types:

  • Integer (32 bits)
  • Unsigned long (64 bits)
  • Double (64 bits)

Simple expressions can return all of these data types. Also, you can create compound expressions that use arithmetic operators and logical operators to evaluate or return the values of these data types. Also, you can use all of these values in policy expressions. Literal constants of type unsigned long can be specified by appending the string ul to the number. Literal constants of type double contain a period (.), an exponent, or both.

Arithmetic Operators, Logical Operators, and Type Promotion

In compound expressions, the following standard arithmetic and logical operators can be used for the double and unsigned long data types:

  • +, -, *, and /
  • %, ~, ^, &, , <<, and >> (do not apply to double)
  • ==,!=, >, <, >=, and <=

All of these operators have the same meaning as in the C programming language.

In all cases of mixed operations between operands of type integer, unsigned long, and double. Type promotion is done to do the operation on the operands of the same type. The operation promotes a lower precedence type to the operand with the highest precedence type. The order of precedence (higher to lower) is as follows:

  • Double
  • Unsigned long
  • Integer

So, an operation that returns a numeric result returns a result of the highest type involved in the operation.

For example, if the operands are of type integer and unsigned long, the integer operand is automatically converted to type unsigned long. This type conversion is done in simple expressions. The type of data identified by the expression prefix does not match the type of data that is passed as the argument to the function. In the operation HTTP.REQ.CONTENT_LENGTH.DIV(3ul), the prefix HTTP.REQ.CONTENT_LENGTH returns an integer that becomes an unsigned long. Unsigned long: the data type passed as the argument to the DIV() function, an unsigned long division is done. Similarly, the argument can be promoted in an expression. For example, HTTP.REQ.HEADER(“myHeader”).TYPECAST_DOUBLE_AT.DIV(5) promotes the integer 5 to type double and does double-precision division.

For information about expressions to cast data of one type to data of another type, see Typecasting data.

Compound advanced policy expressions