Forum Discussion
Robert_47833
Altostratus
Altostratusblock client ip for existing connection via irule
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals xx.xx.xx.xx/xx] } {
reject
}
}
it seems it doesn't work for existing connection
any workaround?
nitass_89166
Noctilucent
NoctilucentCLIENT_ACCEPTED is triggered when connection is established. if connection is already established, it won't work.
another method is to keep collecting/releasing payload (e.g. TCP::collect/TCP::release) and check client ip against data group and then drop/reject it when matching. data group is needed because you can add/modify/remove ip in data group without changing irule. as you may know, configuration change does not affect existing connection.
sol13253: Configuration changes to local traffic objects do not affect existing connections
https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13253.html
Robert_47833yeah,I know configuration change doesn't affect existing connection,but datagroup in irule can work around this. tcp:collect/tcp:release? does it affect perfermance? I assume tcp::collect only collect payload in layer7 or in layer4(not sure),not ip address which locates in layer3
