Forum Discussion

GeoffSweet_3221
Jun 16, 2009

Need to permit a list of hosts

So I am sure that I can create an iRule that simply blocks a single host via

 when CLIENT_ACCEPTED {
   if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
     pool my_pool
   } else {
     drop
   }
 }


right? But what if I have a list of, say, 10 or 12 hosts? I kinda need to improvise an ACL for a site by the seat of my pants here. I tried the forum search, but no matter what I put in, it returns zero results.

Thanks everyone!

6 Replies

  • Hi,

    You can use a datagroup and the matchclass command (Click here):

     when CLIENT_ACCEPTED {

         # Check if client IP is not defined in the allowed_clients datagroup
         if { not ([matchclass [IP::client_addr] equals $::allowed_clients]) } {

             # Drop further packets from the client
             drop
         }
     }


    If a client doesn't get dropped the VS's default pool will be used.

    Aaron
  • I am getting an unknown option error using the allowed_clients datagroup. Is this the same syntax for LTM 10.2.3?

     

    Cheers SP

     

  • I am getting an unknown option error using the allowed_clients datagroup. Is this the same syntax for LTM 10.2.3?

    can you try this?

    when CLIENT_ACCEPTED { 
      if { not ([class match -- [IP::client_addr] equals allowed_clients]) } { 
        drop 
      } 
    }
    
    • nitass
      class wiki https://clouddocs.f5.com/api/irules/class.html
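As an added example, not posted by anyone in this thread, here is the class match form extended into a default-deny ACL that logs each dropped connection (so hits are visible in /var/log/ltm) and lets a data-group record's value select a pool. It assumes an address-type data group named allowed_clients, a TCP virtual server, and that any record value, where present, is a valid pool name.

```tcl
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Default deny: a client address that matches no host or network entry in the
    # assumed address-type data group "allowed_clients" is dropped. Log it first so
    # ACL hits can be reviewed or alerted on.
    if { not [class match -- $client equals allowed_clients] } {
        log local0. "ACL drop: ${client}:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
        drop
        return
    }

    # Allowed. -value returns the matching record's value, or "" when the record
    # carries none. A value (assumed to be a pool name) overrides the default pool;
    # otherwise the virtual server's default pool handles the connection.
    set target [class match -value -- $client equals allowed_clients]
    if { $target ne "" } {
        pool $target
    }
}
```

Because drop is silent, the log line is the only trace a blocked client leaves; keep it, or replace drop with reject if you prefer the client to see the refusal.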