Data Group Lists for iRules

Hi everyone,

We need to create an iRule to allow access to a VIP from only a certain list of IP addresses. I can see how to do this by creating an iRule that references an IP Address Data Group. The problem lies in that we have a 20,000 user network and need to restrict the access to 600 individual IP addresses. We can do some summarization but we're still looking at 500 entries into the Data Group.

Does anyone know if you can import a text file or copy and paste somehow into the IP Address Data Group to save entering 500 IP addresses?

Thanks very much in advance.
-Tim
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
You could either use an external class which requires you to create a file and paste it in there...otherwise, you could simply edit the config file and paste into there.
0
Another option is to look at iControl to handle the Data Group

Using the LocalLBAddress class:

getStringClassInfo();
getAddressClassInfo();
setStringClassInfo();
setAddressClassInfo();
deleteClassInfo();
0
Your best options are:

- Uploading a text file in the appropriate format
- Using an iControl script that's on the forums somewhere (I KNOW Joe has one for this, just gotta find it, I'll look in a minute...)
- TMSH? I'll have to check but I bet TMSH could whip this out too.

#Colin
0
Hi guys,
Thanks a bunch for your quick replies. This sounds promising. I'll do some research on using iControl. I'm not too sure what TMSH is.
Thanks again
Tim
0
TMSH is the built in scripting language on the BIG-IP platform. Take a look: Click Here

#Colin
0

I'm new here and am trying to create the ip list to be imported as a data-group.

This is my file:

6.6.16.197/32 := "host1",

6.1.17.133/32 := "host 2",


Trying to import it with the GUI, I get error:

01070626:3: The IP data group external file (/config/filestore/.stage_d/502_d/Common_d/data_group_d/:Common:banned-ip-list.file_1) has an invalid format, line: 1.


Then I tried to load it from the command line and I get:

[chris@LTM-51:Active] ~ # tmsh create /sys file data-group banned-ip-list.file separator ":=" source-path /var/class/banned-ip-list.dg type address
Syntax Error: invalid property value "type":"address"

[chris@LTM-51:Active] ~ # tmsh create /sys file data-group banned-ip-list.file separator ":=" source-path /var/class/banned-ip-list.dg type ip
curl: (3) malformed
Unexpected Error: Failed! exit_code (3).
[chris@LTM-51:Active] ~ #



What am I doing wrong?

Rgds, Chris.

0
You need to precede the name of the file with file:

file:/var/class/banned-ip-list.dg

0
01070626:3: The IP data group external file (/config/filestore/.stage_d/502_d/Common_d/data_group_d/:Common:banned-ip-list.file_1) has an invalid format, line: 1.
Have you seen the "Handling Line Terminator Discrepencies" section in the following article? Can you try?

v11: iRules Data Group Updates by Jason
https://devcentral.f5.com/tech-tips/articles/v11-irules-data-group-updates
0
OK I'm now getting to the invalid format error :-(

I've tried
6.6.16.197/32 := "host1",
6.1.17.133/32 := "host 2",


"6.6.16.197/32" := "host1",
"6.1.17.133/32" := "host 2",


6.6.16.197 := "host1",
6.1.17.133 := "host 2",

and
"6.6.16.197" := "host1",
"6.1.17.133" := "host 2",


None of them work, same error:
tmsh create /sys file data-group banned-ip-list.file separator ":=" source-path file:/var/class/banned-ip-list.dg type ip
01070626:3: The IP data group external file (/config/filestore/.stage_d/524_d/Common_d/data_group_d/:Common:banned-ip-list.file_1) has an invalid format, line: 1.


And I only have a \n as line separator...

What am I missing?
0
e.g.
[root@ve11a:Active:Changes Pending] config # cat /var/tmp/test.txt
host 6.6.16.197 := "host1",
network 6.6.17.0/24 := "host2",

[root@ve11a:Active:Changes Pending] config # tmsh create sys file data-group banned-ip-list separator := source-path file:/var/tmp/test.txt type ip

[root@ve11a:Active:Changes Pending] config # tmsh list sys file data-group banned-ip-list
sys file data-group banned-ip-list {
    checksum SHA1:60:37aa2406b8368adf69e80ce408890d9efcbc9b3c
    create-time 2013-03-14:21:12:28
    created-by root
    last-update-time 2013-03-14:21:12:28
    mode 33152
    revision 1
    size 60
    source-path file:/var/tmp/test.txt
    type ip
    updated-by root
}
0
Hi Chris,

Reading over this may help: Writing iRules. Look in the sub-topic "Creating, managing, and using data groups".

Location:
An external data group must reside in either the /config or the /var/class directory. The default location for storing external data groups is the /config directory.


As far as your formatting issue I think you must specify what it is in the External Class. If it's a host it automatically appends 255.255.255.255 in the background (you will only see this if you use iControl to pull the class members) and if it's a network it appends the assigned netmask:

host 6.6.16.197 := "host1",
host 6.1.17.133 := "host2",
network 192.168.1.1/24 := "network1",

0
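
Added example, not part of the original thread and not F5 code: one way to generate the external data group file in the `host` / `network` format shown in the answers above from a plain list of allowed addresses, with LF-only line endings. The function names, labels and sample addresses are constructed for illustration, and the sketch handles IPv4 only.

```python
import ipaddress

# Constructed sample input: (address or CIDR, label) pairs.
SAMPLE = [
    ("192.0.2.10", "app-server"),
    ("192.0.2.11/32", "app-server-2"),
    ("198.51.100.0/25", "branch-a"),
    ("198.51.100.128/25", "branch-b"),
    ("203.0.113.7/24", "partner"),      # host bits set, normalised below
    ("192.0.2.10", "duplicate"),        # duplicate, first label is kept
]


def build_ip_data_group(entries, collapse=True):
    """Render (address_or_cidr, label) pairs as external IP data group text."""
    labelled = {}
    for raw, label in entries:
        # A quote or line break in the value would corrupt the record.
        if any(c in label for c in '"\r\n'):
            raise ValueError(f"label not safe to quote: {label!r}")
        # strict=False turns 203.0.113.7/24 into 203.0.113.0/24 instead of failing.
        net = ipaddress.IPv4Network(raw.strip(), strict=False)
        labelled.setdefault(net, label)

    nets = sorted(labelled)
    # collapse_addresses merges only exact unions, so the allowlist is
    # summarised without covering any address that was not listed.
    merged = list(ipaddress.collapse_addresses(nets)) if collapse else nets

    lines = []
    for net in merged:
        # A merged range takes the label of the first source entry it covers.
        label = next(labelled[n] for n in nets if n.subnet_of(net))
        if net.prefixlen == 32:
            lines.append(f'host {net.network_address} := "{label}",')
        else:
            lines.append(f'network {net} := "{label}",')
    return "\n".join(lines) + "\n"


def write_ip_data_group(path, entries, collapse=True):
    """Write the file with LF terminators regardless of the local platform."""
    text = build_ip_data_group(entries, collapse)
    with open(path, "w", newline="\n") as fh:
        fh.write(text)
    return text
```

The resulting file can then be imported with the `tmsh create sys file data-group ... source-path file:... type ip` command shown earlier in the thread.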

Thanks everyone.
My issues have been solved with your help! yes

0