Forum Discussion

avnishvyas_1974
May 28, 2015

Datalist Group iRule function

    # Allow only clients whose address is in the data group; drop everyone else.
    when CLIENT_ACCEPTED {
        if { not [matchclass [IP::client_addr] equals $::Pool_Test_Allowed_List] } {
            # Comment the line below to turn off logging.
            log local0. "Invalid client IP: [IP::client_addr] - discarding traffic"
            discard
        } else {
            # Uncomment the line below to turn on logging.
            log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
        }
    }


I have created a new VIP on our F5 and the client requested that only a certain network can access the services. I created a whitelist datalist group with the above rule. As this was used for a different service, I only changed the destination of the Pool.


From reading this iRule, am I right in saying that when the client is accepted and its IP matches an entry in the datalist group it will be allowed, and anything else will get dropped?

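To make the decision the rule takes concrete, here is an added Python model of it. This is not F5 code and not the poster's iRule; it reproduces the same check offline so the allow/discard outcomes can be tested. The data group contents, the client addresses and the name POOL_TEST_ALLOWED_LIST are constructed for illustration, and the address data group is modelled the way BIG-IP address data groups match, by network containment, so a /24 record matches every host inside it while a bare host record matches only that host.

```python
"""Model of the CLIENT_ACCEPTED allow-list iRule discussed above.

Added example, not F5 code and not the original poster's rule. It mirrors
the decision the iRule makes: client address found in the address data
group -> forward, anything else (including an unparsable address) -> discard.
The data-group records and client addresses are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_data_group(entries: Iterable[str]) -> List[Network]:
    """Parse the records of an address data group.

    A record is either a host ("198.51.100.10") or a network ("192.0.2.0/24").
    A bare host becomes a /32 (or /128) so the matching logic is uniform.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def in_data_group(group: List[Network], client: str) -> bool:
    """Equivalent of `class match [IP::client_addr] equals <data group>`.

    Returns True only when the client address falls inside some record.
    An address that cannot be parsed never matches, so the rule fails closed.
    """
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    # A v4 client can only match a v4 record and vice versa.
    return any(addr.version == net.version and addr in net for net in group)


def client_accepted(group: List[Network], client: str) -> Tuple[str, str]:
    """Mirror the iRule body: returns (action, log line).

    action is "discard" when the client is not on the list, else "forward".
    """
    if not in_data_group(group, client):
        return "discard", f"Invalid client IP: {client} - discarding traffic"
    return "forward", f"Valid client IP: {client} - forwarding traffic"


# Constructed stand-in for the data group named in the post (hypothetical contents).
POOL_TEST_ALLOWED_LIST = build_data_group(["192.0.2.0/24", "198.51.100.10"])

if __name__ == "__main__":
    sample_clients = ["192.0.2.77", "198.51.100.10", "198.51.100.11",
                      "203.0.113.5", "2001:db8::1", "not-an-ip"]
    for client in sample_clients:
        action, line = client_accepted(POOL_TEST_ALLOWED_LIST, client)
        print(f"{client:>16} -> {action:8} {line}")
```

Two points worth checking when deploying the real rule: the data group must be of type address (an IP data group) for network records such as 192.0.2.0/24 to be matched by containment, and `discard` drops the connection silently, so a blocked client sees a hang rather than a reset; use `reject` instead if you want the client to receive a TCP RST.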

3 Replies

  • I think your code looks good. Depending on what version you're running, you could use class instead of matchclass.


    # Same logic with the class command: match -> forward, no match -> discard.
    when CLIENT_ACCEPTED {
        if {[class match [IP::client_addr] equals Pool_Test_Allowed_List]} {
            # Uncomment the line below to turn on logging.
            log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
        } else {
            # Comment the line below to turn off logging.
            log local0. "Invalid client IP: [IP::client_addr] - discarding traffic"
            discard
        }
    }
  • Hi Michael J,

    Thanks for your response. The code I'm running is on BIG-IP 10.2.2 Build 930.0 Hotfix HF3. The reason I selected matchclass is that I have another rule performing the same function for a different whitelist. I will have to try both out to see if this code allows me to use class instead of matchclass.

    Cheers, AV


    • Michael_Jenkins
      Gotcha. We're on v11.x, so part of the matchclass syntax fails (you can check out the matchclass wiki page for details). According to that wiki page, matchclass is 'deprecated' in v10 in favor of the class command, too.