Forum Discussion

René_Posthumus_'s avatar
René_Posthumus_
Icon for Nimbostratus rankNimbostratus
May 03, 2019

Accept LTM traffic based on IP and variable datagroup

Hi, we are trying to do the following thing on our platform. I'll explain the flow first:

  1. Traffic enters the box using a single VS (EntryVS).
  2. An iRule triggers, looks at the host-header and directs the traffic to the correct VS for that site (ApplicationVS)
  3. A policy triggers there that rewrites the external received host-header to an internally used host-header.
  4. Traffic is forwarded to the backend pool members

So far so good and is working fine. But we need access-lists per ApplicationVS based on Client-IP.

I found an example to do that using in iRule, but we have hundreds of ApplicationVSses and many different access-lists and i don't want to create that many iRules. Many data-groups are acceptable but the iRule then must be aware of which data-group it has to use based on the host-header which, i think, is not available at the CLIENT_ACCEPTED stage.

This is the iRule i have so far:

    when RULE_INIT {

    Drop unknown source IP addresses?  0 = no, 1 = yes
   set static::drop_unknown_sources 1

    Log accepted requests?  0 = no, 1 = yes
   set static::log_accepted_requests 1

    Log accepted requests?  0 = no, 1 = yes
   set static::log_dropped_requests 1

}

 This event is triggered when a client - BIG-IP TCP connection is established
when CLIENT_ACCEPTED {

    Is client IP address defined in the admin_datagroup?   
   if { [class match [IP::client_addr] starts_with DATAGROUP_NAME] }{

       Log accepted admin request
      if {$static::log_accepted_requests==1}{

          Log the client IP address:port -> destination IP address:port 
         log local0. "request accepted from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      }

   }  else {

       Request didn't match the conditions for allowing the request
      if {$static::log_dropped_requests==1}{

          Log the client IP address:port -> destination IP address:port
         log local0. "unknown request rejected from client: \
                [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
      }

       Drop request if the option is enabled.  Could also send a reset using 'reject'
      if {$static::drop_unknown_sources==1}{
         drop

      }
   }
}

How can i make the dategroup variable so that on each request, a host-header is verified and a matching datagroup is used like FQDN_access_DG? Or is there a better solution to this issue ?

Regards, René

No RepliesBe the first to reply