how to write universal ACL iRule

Question

we have a F5 device,which is supporting a lot of VSs, and these VSs require the same ACL, which means these VSs only accept access from our Corp intranet. below is our iRule for certain pool: 
&nbsp;    when CLIENT_ACCEPTED { 
&nbsp;    if {[matchclass [IP::remote_addr] equals $::Client_Intranet]} { 
&nbsp;        pool Pool_DestinationPool 
&nbsp;        } else {drop 
&nbsp;        } 
&nbsp; } 
&nbsp;     Note: Client_Intranet is the data group.  
&nbsp;  
&nbsp;     the pain is that we have to write individual iRule for each pool. i'm wondering whether there is a way to write a universal iRule that works for all VSs which requires the same ACL. sth like below? 
&nbsp;     
&nbsp;      if {[matchclass [IP::remote_addr] not equals $::Client_Intranet]} { 
&nbsp;        drop 
&nbsp;        }  
&nbsp;       
&nbsp;    any advice will be highly appreciated~~ 
&nbsp;

hoolio · Answer

Your second rule should work fine to drop any requests which are made from clients not defined in the intranet datagroup.  Any other request will be sent to the default pool defined on the virtual server. 
&nbsp;  
&nbsp; If you did want to get the default pool of the VIP without hard coding it, you could use 'set default_pool [LB::server]' before modifying the pool with the pool command.  This doesn't look to be necessary in your scenario though. 
&nbsp;  
&nbsp; Aaron

yaoxu_11146 · Answer

thanks hoolio, finally i find out it should be this way 
&nbsp;  
&nbsp; if { not [matchclass [IP::remote_addr] equals $::Client_Intranet]} {  
&nbsp; drop  
&nbsp; }  
&nbsp;  
&nbsp;   while the sentence below has gram erros 
&nbsp;   if {[matchclass [IP::remote_addr] not equals $::Client_Intranet]} {  
&nbsp;   drop  
&nbsp;   }  &nbsp;

hoolio · Answer

Ah, sorry, I didn't notice the syntax error. 
&nbsp;  
&nbsp; Aaron

colin_walker_12 · Answer

That's correct. Since the iRules are only associated on a per-VIP basis, you'd have to apply this particular rule to every VIP you wanted to be governed by this ACL.  The nice part, at least, is that they would all be referencing the same iRule, so any changes would be globally applied. 
&nbsp;  
&nbsp; Colin

hoolio · Answer

If you want to enforce a global ACL across all VIPs (and even self IPs), you can use packet filters.  For more details, you can take a look at the LTM network and systems configuration guide for your version on AskF5.com.  Here's a link to the 9.4 section on packet filters (Click here). 
&nbsp;  
&nbsp; Aaron

Forum Discussion

how to write universal ACL iRule

5 Replies

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

SSL Forward Proxy, iRules and Client Hello

Errors with AS3 3.56.0 with F5 17.5.1.6

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Related Content

Hey DeepSeek, can you write iRules?

Hey Claude, can you write iRules?

Hey ChatGPT, can you write iRules?

XFF Universal Persistence iRule

iRule, Traffic Policy or Re-Write Policy