Forum Discussion

yaoxu_11146's avatar
yaoxu_11146
Icon for Nimbostratus rankNimbostratus
May 29, 2008

how to write universal ACL iRule

we have a F5 device,which is supporting a lot of VSs, and these VSs require the same ACL, which means these VSs only accept access from our Corp intranet. below is our iRule for certain pool:

 

when CLIENT_ACCEPTED {

 

if {[matchclass [IP::remote_addr] equals $::Client_Intranet]} {

 

pool Pool_DestinationPool

 

} else {drop

 

}

 

}

 

Note: Client_Intranet is the data group.

 

 

the pain is that we have to write individual iRule for each pool. i'm wondering whether there is a way to write a universal iRule that works for all VSs which requires the same ACL. sth like below?

 

 

if {[matchclass [IP::remote_addr] not equals $::Client_Intranet]} {

 

drop

 

}

 

 

any advice will be highly appreciated~~

 

application delivery
dev
devops
iRules
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 29, 2008
    Your second rule should work fine to drop any requests which are made from clients not defined in the intranet datagroup. Any other request will be sent to the default pool defined on the virtual server.

     

     

    If you did want to get the default pool of the VIP without hard coding it, you could use 'set default_pool [LB::server]' before modifying the pool with the pool command. This doesn't look to be necessary in your scenario though.

     

     

    Aaron
  • yaoxu_11146's avatar
    yaoxu_11146
    Icon for Nimbostratus rankNimbostratus
    May 29, 2008
    thanks hoolio, finally i find out it should be this way

     

     

    if { not [matchclass [IP::remote_addr] equals $::Client_Intranet]} {

     

    drop

     

    }

     

     

    while the sentence below has gram erros

     

    if {[matchclass [IP::remote_addr] not equals $::Client_Intranet]} {

     

    drop

     

    }

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 29, 2008
    Ah, sorry, I didn't notice the syntax error.

     

     

    Aaron
  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    May 29, 2008
    That's correct. Since the iRules are only associated on a per-VIP basis, you'd have to apply this particular rule to every VIP you wanted to be governed by this ACL. The nice part, at least, is that they would all be referencing the same iRule, so any changes would be globally applied.

     

     

    Colin
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 30, 2008
    If you want to enforce a global ACL across all VIPs (and even self IPs), you can use packet filters. For more details, you can take a look at the LTM network and systems configuration guide for your version on AskF5.com. Here's a link to the 9.4 section on packet filters (Click here).

     

     

    Aaron