Forum Discussion

TJ_Vreugdenhil
Apr 13, 2014

TCL error for basic ACL iRule

Does someone know why this TCL error is happening? I'm running 11.4.1 HF2

Apr 13 11:28:49 F5-AS400-LB-ACTIVE err tmm3[12193]: 01220001:3: TCL error: /Common/source_filter  - bad action "172.17.1.250": must be match, search, lookup, element, type, exists, size, names, get, startsearch, nextelement, anymore, or donesearch     while executing "class [IP::client_addr] equals allowed_datagroup"

    when RULE_INIT {
     # v1.0 - basic ACL.
     # January, 2014
    
     # Purpose: 
     #   Bind this rule to a virtual server to simply allow or disallow traffic based on source IP. 
     #   This rule expects a datagroup that lists the addresses you wish to allow. 
     #   By default, traffic will be dropped.
    }
    when CLIENT_ACCEPTED  {

            # This is the line the TCL error points at: the client address is substituted
            # into the position where the class action (match, search, ...) is expected.
            if { [class [IP::client_addr] equals allowed_datagroup] }{

                    # Uncomment the line below to turn on logging.
                    #log local0.  "Valid client IP: [IP::client_addr] - forwarding traffic"
                    forward
            } else {

                    # Uncomment the line below to turn on logging.
                    #log local0. "Invalid client IP: [IP::client_addr] - discarding"
                    discard
            }

    }

5 Replies

  • Here is the datagroup:

        ltm data-group internal /Common/allowed_datagroup {
            records {
                10.12.20.0/22 { }
                10.12.25.0/24 { }
                10.12.28.0/24 { }
                172.18.50.0/24 { }
            }
            type ip
        }
  • This was the fix. I removed 'forward' too.

    when RULE_INIT {
         # v1.0 - basic ACL.
         # January, 2014
        
         # Purpose: 
         #   Bind this rule to a virtual server to simply allow or disallow traffic based on source IP. 
         #   This rule expects a datagroup that lists the addresses you wish to allow. 
         #   By default, traffic will be dropped.
        }
        when CLIENT_ACCEPTED  {
    
                # 'class match' takes the action first, then the address to test.
                if { [class match [IP::client_addr] equals allowed_datagroup] }{
    
                        # Uncomment the line below to turn on logging.
                        #log local0.  "Valid client IP: [IP::client_addr] - forwarding traffic"
                } else {
    
                        # Uncomment the line below to turn on logging.
                        #log local0. "Invalid client IP: [IP::client_addr] - discarding"
                        discard
                }
    
        }
    
  • Can simplify it a bit:

    when RULE_INIT {
         # v1.0 - basic ACL.
         # January, 2014
        
         # Purpose: 
         #   Bind this rule to a virtual server to simply allow or disallow traffic based on source IP. 
         #   This rule expects a datagroup that lists the addresses you wish to allow. 
         #   By default, traffic will be dropped.
        }
        when CLIENT_ACCEPTED  {
                # Only the deny branch needs code: anything not in the data group is discarded,
                # everything else falls through and is handled by the virtual server.
                if { ! [class match [IP::client_addr] equals allowed_datagroup] }{
                        log local0. "Invalid client IP: [IP::client_addr] - discarding"
                        discard
                }
        }
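The thread's final iRule is a default-deny source-IP filter whose behaviour depends entirely on the contents of the `allowed_datagroup`. The script below is an added example (not code from the thread, and not F5 code) that models `class match [IP::client_addr] equals allowed_datagroup` for an address-type data group in Python's standard `ipaddress` module, so the record list can be checked against sample client addresses before it is pushed to the BIG-IP. The record list is copied from the data group posted in the replies; the function names `build_datagroup`, `class_match` and `client_accepted` are this example's own.

```python
import ipaddress

# Records copied from the data group posted in the thread (type ip).
ALLOWED_DATAGROUP = [
    "10.12.20.0/22",
    "10.12.25.0/24",
    "10.12.28.0/24",
    "172.18.50.0/24",
]


def build_datagroup(records):
    """Parse data-group records into network objects.

    A bare address such as "10.0.0.5" becomes a /32 (or /128), which is how a
    single-host record in an address data group behaves.
    """
    return [ipaddress.ip_network(r, strict=False) for r in records]


def class_match(client_addr, networks):
    """Model of 'class match <addr> equals <datagroup>' for an address data group.

    True when the address falls inside any listed network. An address that
    cannot be parsed never matches, so it ends up on the deny path.
    """
    try:
        addr = ipaddress.ip_address(client_addr)
    except ValueError:
        return False
    # Mixed address families (IPv4 address vs IPv6 network) never match in
    # ipaddress, so an IPv6 client is denied unless an IPv6 record is listed.
    return any(addr in net for net in networks)


def client_accepted(client_addr, networks, log=None):
    """Mirror the simplified iRule: discard unless the source matches, default deny."""
    if not class_match(client_addr, networks):
        if log is not None:
            log.append(f"Invalid client IP: {client_addr} - discarding")
        return "discard"
    return "allow"


if __name__ == "__main__":
    nets = build_datagroup(ALLOWED_DATAGROUP)
    log = []
    # 172.17.1.250 is the address shown in the original TCL error; it is not in
    # any listed record, so the corrected rule discards it.
    for ip in ("10.12.23.7", "10.12.24.1", "172.18.50.9", "172.17.1.250"):
        print(ip, client_accepted(ip, nets, log))
    print("\n".join(log))
```

Because the data group uses `/22` and `/24` records, the test cases are chosen at the edges: `10.12.23.7` is the last /24 inside `10.12.20.0/22` and is allowed, while `10.12.24.1` sits just outside it and is discarded, which is the kind of boundary mistake that is easy to miss when reading tmsh output by eye.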