Hi Valentine,
With a little further hacking, this is what Colin and I came up with. It will allow you to blacklist an entire domain and its subdomains (www.sea.webcluster1.f5.com will always match f5.com). You'll want to create a datagroup containing the list of base domains (f5.com, example.com, etc.). Then add the datagroup name to the top of the iRule in the RULE_INIT section and you should be good to go. Here is the code:
ltm data-group internal /Common/domain_blacklist {
    records {
        anotherbaddomain.com { }
        somebaddomain.com { }
    }
    type string
}

ltm rule /Common/http_domain_blacklist {
    when RULE_INIT {
        # name of the string data group holding the base domains to block
        set static::domain_blacklist_dg "domain_blacklist"
        set static::debug 1
    }
    when HTTP_REQUEST {
        # strip any :port and fold case so the data-group lookup is an exact match
        set host [string tolower [lindex [split [HTTP::host] ":"] 0]]
        # grab the base domain (top-level domain plus the label before it) from the Host header
        set base_domain [join [lrange [split $host .] end-1 end] .]
        if { [class search $static::domain_blacklist_dg equals $base_domain] } {
            if { $static::debug > 0 } {
                log local0. "[IP::remote_addr] attempted to access a blacklisted domain: $base_domain"
            }
            # send a TCP reset
            reject
        }
    }
}
Now if someone resolves somebaddomain.com, www.somebaddomain.com, or www.web1.gtm.somedc.somebaddomain.com and it points at the virtual with this iRule, the browser will receive a TCP reset.
-George
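The following Python is an added example (not George's or Colin's iRule, and not F5 code) that emulates the "last two labels of HTTP::host" base-domain extraction and the data-group lookup described in the post so the matching logic can be exercised offline. The DOMAIN_BLACKLIST set stands in for the /Common/domain_blacklist data group and its entries are constructed. It also shows, beyond the post, where the two-label approach breaks (a blacklist entry such as badsite.co.uk yields a base domain of co.uk) and a suffix-based match that covers that case without matching unrelated hosts such as notsomebaddomain.com.

```python
# Added example: emulate the iRule's base-domain extraction and data-group lookup.
# Not from the original post; DOMAIN_BLACKLIST and all hostnames below are constructed.

# Stand-in for the /Common/domain_blacklist string data group (constructed entries).
DOMAIN_BLACKLIST = {"anotherbaddomain.com", "somebaddomain.com"}


def normalize_host(host: str) -> str:
    """Fold case, drop an optional :port and a trailing dot.

    HTTP::host may carry a port (example.com:8080), which would otherwise
    turn the last label into "com:8080" and defeat an exact data-group match.
    """
    host = host.strip().lower()
    if host.startswith("["):
        # IPv6 literal such as [::1]:8080; not a domain name, leave as a non-match
        return host
    host = host.split(":", 1)[0]
    return host.rstrip(".")


def base_domain_last_two_labels(host: str) -> str:
    """Mirror of the iRule: join [lrange [split $host .] end-1 end] ."""
    labels = normalize_host(host).split(".")
    return ".".join(labels[-2:])


def is_blacklisted_last_two(host: str, blacklist=DOMAIN_BLACKLIST) -> bool:
    """Equivalent of: class search <dg> equals $base_domain."""
    return base_domain_last_two_labels(host) in blacklist


def is_blacklisted_suffix(host: str, blacklist=DOMAIN_BLACKLIST) -> bool:
    """Suffix match: the host equals an entry or ends with "." + entry.

    This handles multi-label registries (co.uk, com.au) that the two-label
    approach misclassifies, and the leading "." prevents notsomebaddomain.com
    from matching an entry of somebaddomain.com.
    """
    h = normalize_host(host)
    return any(h == entry or h.endswith("." + entry) for entry in blacklist)


if __name__ == "__main__":
    for h in ("www.sea.webcluster1.f5.com", "WWW.SomeBadDomain.com:8080",
              "www.web1.gtm.somedc.somebaddomain.com", "notsomebaddomain.com"):
        print(f"{h:45} base={base_domain_last_two_labels(h):22} "
              f"last_two={is_blacklisted_last_two(h)} suffix={is_blacklisted_suffix(h)}")
```

The suffix form maps onto the iRule as a `class search ... ends_with` or a loop over the data group; the two-label form is what the posted iRule does, and is only correct for single-label public suffixes.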