Forum Discussion

markonans_11916
May 14, 2015

Forwarding VS - with selective irule for SRC to DST only allowed to access (using data groups) - syntax fail

Hello, this syntax looks logical to me, but it is rejected. Can someone please tell me what I am doing wrong?

    when CLIENT_ACCEPTED {
        if {([class match [IP::client_addr] equals L2L_SITEA_SUBNETS] && [class match [IP::local_addr] equals L2L_SITEB_SUBNETS])}
        {
            forward
            return
        }
        elseif {([class match [IP::client_addr] equals L2L_SITEB_SUBNETS] && [class match [IP::local_addr] equals L2L_SITEA_SUBNETS])}
        {
            forward
            return
        }
        else
        {
            drop
        }
    }

2 Replies

  • It seems okay here. You have created the data groups, haven't you?

    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when CLIENT_ACCEPTED {
      if { ([class match [IP::client_addr] equals L2L_SITEA_SUBNETS] && [class match [IP::local_addr] equals L2L_SITEB_SUBNETS]) } {
        forward
        return
      } elseif { ([class match [IP::client_addr] equals L2L_SITEB_SUBNETS] && [class match [IP::local_addr] equals L2L_SITEA_SUBNETS]) } {
        forward
        return
      } else {
        drop
      }
    }
    }
    
  • Yes, data groups have been defined (each contains multiple subnets). Removing the word "return" from the if and the elseif statements fixed the issue.
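The same site-to-site filter, as an added example that is not code from the thread above. It keeps each opening brace on the line of the `if`/`elseif`/`else` it belongs to (Tcl parses a brace on its own line as a separate command), collapses the two permitted pairs into one test, and logs the flows it drops so a blocked pair can be found in the LTM log. The data group names are the ones from the thread; the subnets shown in the comment are constructed placeholders, and the `log` line is an addition the original iRule does not have.

```tcl
# Added example, not the original poster's iRule.
# Assumes two address-type data groups already exist, for instance (tmsh):
#   ltm data-group internal L2L_SITEA_SUBNETS { type ip records { 10.1.0.0/16 { } } }
#   ltm data-group internal L2L_SITEB_SUBNETS { type ip records { 10.2.0.0/16 { } } }
# The subnet values above are constructed placeholders, not the poster's addresses.
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set dst [IP::local_addr]

    # Classify both endpoints once; class match returns 1 on a hit and 0 otherwise
    set src_a [class match $src equals L2L_SITEA_SUBNETS]
    set src_b [class match $src equals L2L_SITEB_SUBNETS]
    set dst_a [class match $dst equals L2L_SITEA_SUBNETS]
    set dst_b [class match $dst equals L2L_SITEB_SUBNETS]

    if { ($src_a && $dst_b) || ($src_b && $dst_a) } {
        # Permitted site-to-site pair: let the forwarding virtual route the flow
        forward
    } else {
        # Everything else is denied; record it so denied pairs show up in /var/log/ltm
        log local0.info "L2L policy drop: $src -> $dst"
        drop
    }
}
```

Because `CLIENT_ACCEPTED` fires once per connection, the `log` line costs one syslog entry per denied flow; on a busy forwarding virtual that can be noisy, so either keep it only while validating the data groups or point it at a dedicated log facility.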