For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

David_Gonzalez1's avatar
David_Gonzalez1
Icon for Nimbostratus rankNimbostratus
May 06, 2013

Data group list

Hi,   Im new to F5 and im trying to read the string of a text file from an iRule (v10.2.4). That file is on the windows servers of the pool and im trying to do it with a data group list (not sure ...
application delivery
dev
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
May 06, 2013
I think your better bet is to create TWO data groups and a "PUSH" mechanism (vs. PULL😞

The first data group would be your IP list - the list of IPs or IP subnets that you want to allow access regardless of maintenance mode. In the BIG-IP management UI, under Local Traffic and iRules, click the Data Group List tab. This is where you create internal data groups and the references to external (file-based) data groups. We'll create a simple Address data group here and specify the IPs or IP subnets of your internal admin network. In this example I'll the data group "MAINTMODE_IP".

The second data group would be your maintenance "switch". There's a hundred ways to do this, but for now create a string data group with a string value of "maintenance" (arbitrary), and a value of 0 (zero). In this example I'll call the data group "MAINTMODE_SWITCH".

Then create an iRule that you'll apply to the virtual server: 


when HTTP_REQUEST {
    if { ( [class lookup "maintenance" MAINTMODE_SWITCH] eq 1 ) and not ( [class match [IP::client_addr] equals MAINTMODE_IP] ) } {
         initiate maintenance mode content
        HTTP::respond 200 content "maintenance mode"
    }
}

To enable maintenance mode, set the "maintenance" key in the MAINTMODE_SWITCH data group to a value of 1. When an HTTP_REQUEST event is triggered, the first condition will be true (maintenance == 1). Then if the client IP is NOT in the MAINTMODE_IP data group, the request will immediately trigger an HTTP::respond action. You can put any HTML/CSS/JS content that you can imagine inside the HTTP::respond command.

The next step then would be to determine WHEN to enable maintenance mode. I'm assuming that you're attempting to (manually) set a file on a server to some value to enable maintenance mode and expecting the BIG-IP to PULL this information on each client request. The above configuration allows you to PUSH the information instead, which will not suffer the same latency issues. There are also a ton of ways to do this too. If you have access to a Linux box or an SSH terminal, you can issue remote commands via SSH to change the value of the data group. Here's what that command would look like:

tmsh modify ltm data-group internal MAINTMODE_SWITCH records modify { maintenance { data 1 } }

Alternatively, you can issue an iControl call using your favorite language (Powershell, Perl, Python, .NET, Java, etc.). There are a lot of choices here too, so I won't get into the details of each.