Forum Discussion

Vincent_95925
Aug 27, 2012

Irule to filter access to VIP -- F5 V.9.4.7

Hi Guys,

I am very new to implementing iRules and I need your expert advice. We're trying to implement an iRule that will filter access to Virtual Servers. We have a list of subnets (approx 5000 lines of subnets) to be used.

I am thinking of creating an external file (Drop_Subnet) that would list those networks in the below format:

network x.x.x.x mask x.x.x.x,
network x.x.x.x mask x.x.x.x,
...

and so on..

Then after creating the file, I will create the following class which will point to the file I just created:

 

class Drop_Subnet_Class extern {
    filename "/Config/Drop_Subnet"
    type ip
}

 

and a rule like:

rule Drop_AV_Subnets {
    when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals $::Drop_Subnet_Class] } {
            discard
        } else {
            forward
        }
    }
}

 

 

I believe I cannot use $:: as it will break CMP compatibility though. Please feel free to correct me if you find some other errors apart from it. Can someone perhaps show me how to implement it properly? TIA!!

BIG-IP 3600
BIG-IP Version 9.4.7 330.0

Thank you,
Vince

3 Replies

  • Hi Vince,

    That should work fine if you remove the $:: prefix from the data group name in the iRule.

    Aaron
  • Hamish
    If you're using v10 or later, I'd change the matchclass to use the (newer) [class ...] syntax. That'll get rid of your $:: namespace problems and enable CMP mode.

    The syntax would be something like

    when CLIENT_ACCEPTED {
        # class match returns a boolean; class lookup would return the element's
        # (empty) value instead, which is not usable as an if condition
        if { [class match [IP::client_addr] equals Drop_Subnet_Class] } {
            discard
        }
    }

    H