For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ant77's avatar
ant77
Icon for Cirrostratus rankCirrostratus
Jul 01, 2020

Alternative to getfield to check XFF client IP using data group

Hi All, We ran into a bug when upgrading to 13.1.3.3 that process an iRule to check the client IP address in an XFF header against what is defined in a data group "DG-ALLOWED-IP". Is there an...
application delivery
BIG-IP
iRules
Jim_Deucker's avatar
Jim_Deucker
Icon for Employee rankEmployee
Jul 02, 2020

Here's an old proc for sorting this down

proc get_xff_ip {{xff_hdr {X-Forwarded-For}}} {
    foreach ip "[string map {- { } \{ { } \} { } , { } \[ { } \] { } \" { } \( { } \) { } ; { } \$ { } # { } \\ { }} [HTTP::header values $xff_hdr]] [IP::client_addr]" {
        if {![catch {IP::addr $ip mask ::}]} {
            if {![IP::addr $ip equals 127.0.0.0/8] && ![IP::addr $ip equals 0.0.0.0/32] && ![IP::addr $ip equals ::/127]} {
                return $ip
            }
        }
    }
}

This returns the first non-localhost, non bogon 0.0.0.0 valid IP address in either the specified header or the client's IP.