block client ip for existing connection via irule

Question

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals xx.xx.xx.xx/xx] } {
        reject
    }
}
it seems it doesn't work for existing connection&nbsp;
any workaround?&nbsp;

nitass · Answer

CLIENT_ACCEPTED is triggered when connection is established. if connection is already established, it won't work.&nbsp;
another method is to keep collecting/releasing payload (e.g. TCP::collect/TCP::release) and check client ip against data group and then drop/reject it when matching. data group is needed because you can add/modify/remove ip in data group without changing irule. as you may know, configuration change does not affect existing connection.&nbsp;
sol13253: Configuration changes to local traffic objects do not affect existing connections&nbsp;
https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13253.html&nbsp;

nitass_89166 · Answer

CLIENT_ACCEPTED is triggered when connection is established. if connection is already established, it won't work.&nbsp;
another method is to keep collecting/releasing payload (e.g. TCP::collect/TCP::release) and check client ip against data group and then drop/reject it when matching. data group is needed because you can add/modify/remove ip in data group without changing irule. as you may know, configuration change does not affect existing connection.&nbsp;
sol13253: Configuration changes to local traffic objects do not affect existing connections&nbsp;
https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13253.html&nbsp;

robert_47833 · Answer

yeah,I know configuration change doesn't affect existing connection,but datagroup in irule can work around this.

tcp:collect/tcp:release? does it affect perfermance?
I assume tcp::collect only collect payload in layer7 or in layer4(not sure),not ip address which locates in layer3

robert_47833 · Answer

yeah,I know configuration change doesn't affect existing connection,but datagroup in irule can work around this.

tcp:collect/tcp:release? does it affect perfermance?
I assume tcp::collect only collect payload in layer7 or in layer4(not sure),not ip address which locates in layer3

nitass_89166 · Answer

tcp:collect/tcp:release?

e.g.
 configuration

root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:22
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 5
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:22 {
            address 200.200.200.101
        }
    }
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal blacklist
ltm data-group internal blacklist {
    type ip
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
  log local0. "$$class get blacklist$$=[class get blacklist]"
}
when CLIENT_DATA {
  log local0. "$$class get blacklist$$=[class get blacklist]"
  if { [class match -- [IP::client_addr] equals blacklist] } {
    log local0. "reject"
    reject
    return
  }
  TCP::release
  TCP::collect
}
when SERVER_CONNECTED {
  log local0. ""
  clientside {
    TCP::collect
  }
}
}

/var/log/ltm

[root@ve11c:Active:In Sync] config  tail -f /var/log/ltm
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux :
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:20 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:21 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:21 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:22 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May  8 16:28:28 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=192.168.206.0/23 {}
May  8 16:28:28 ve11c info tmm[15145]: Rule /Common/qux : reject

does it affect perfermance?

nothing has no impact. 🙂

Forum Discussion

block client ip for existing connection via irule

8 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Software Downgrade from version 17.x.x to 15.x.x

Error diskmonitor

CPU utilization of F5OS on r2600

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Hardware replacement i2800 to r2600

Related Content

Log client to vip connections

Limit Connections From Client

Connect to the F5 VPN with BIG-IP Edge Client

F5 Distributed Cloud - Traffic Steering based on Client IP Address

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS