
Forum Discussion

VictorC (Nimbostratus)
Jun 21, 2011

HTTP VS: Only allow specific client IP but open specific /uri for all.

Hi,

Currently I have an iRule on an HTTP VS that discards requests if the client IP is not in the allow class. Now I have to add an extra requirement to allow 'all' if a specific /uri is given. Here's my current iRule (thanks to previous posts found in the forum).

    class myallowedclients {
        host 111.22.33.1
        host 111.22.33.2
    }

    rule restrict-rule {
        when CLIENT_ACCEPTED {
            if { [matchclass [IP::client_addr] equals $::myallowedclients] } {
                # Do nothing... the iRule will complete and the request will be sent
                # to the pool based on the virtual server definition
            } else {
                discard
            }
        }
    }

I may have to use this requirement for multiple HTTP VS with the same client allow list, but different pools, so it'd be great if I can use one rule for all.

Thanks in advance.

Victor

 

25 Replies

  • Thanks guys, it works great now. Appreciate your time.

    Victor
  • I had to keep the "Set allowed_ip 0" because otherwise I get this error in the log:

    Jun 22 07:25:26 tmm tmm[1085]: 01220001:3: TCL error: Rule restrict-rule - can't read "allowed_ip": no such variable while executing "if {$allowed_ip}{ Exit this event in this rule return }"

    All else is working great. Thanks again.
  • If you use "info exists allowed_ip" you can remove the set statement.
  • Colin_Walker_12
    Historic F5 Account
    Yeah, it would end up looking like

        when HTTP_REQUEST {
            # Skip the URI checking if the client IP is allowed
            if {[info exists allowed_ip]} {
                # Exit this event in this rule
                return
            }
            ...

    This performs the same check but uses a function to do so (the info command) rather than just innately evaluating the variable which, if it doesn't exist, will throw an error like the one you're seeing.

    Colin
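Putting the pieces of this thread together, here is an added example iRule (it is not code posted by anyone in the thread) that makes the allow decision per request in HTTP_REQUEST, since the URI is not known yet in CLIENT_ACCEPTED. It assumes an address data group named myallowedclients, an open path prefix of /public, and the v10-or-later `class match` syntax (older versions use `matchclass ... $::myallowedclients` as in the question).

```tcl
# Added example, not from the thread. Assumptions: an address-type data group
# "myallowedclients" holds the allowed client IPs; everything under "/public"
# is open to all clients. Both names are placeholders for the real ones.
when CLIENT_ACCEPTED {
    # Check the allow list once per TCP connection and remember the result.
    # Only set the variable when the client is allowed; HTTP_REQUEST tests
    # for its existence with [info exists], so no "set allowed_ip 0" is needed.
    if { [class match [IP::client_addr] equals myallowedclients] } {
        set allowed_ip 1
    }
}

when HTTP_REQUEST {
    # Allowed clients may request any URI: exit this event for this rule.
    if { [info exists allowed_ip] } {
        return
    }

    # Everyone else: decide per request, not per connection. A keep-alive
    # connection can carry requests for both open and restricted URIs, so a
    # flag set from the first request must not be reused for later ones.
    # Compare the lower-cased path only (no query string), and match the
    # prefix exactly so "/publicadmin" is not treated as part of "/public".
    set path [string tolower [HTTP::path]]
    if { $path equals "/public" || $path starts_with "/public/" } {
        return
    }

    # Everything else from a non-allowed client is denied. Log enough to
    # audit who was refused; HTTP::respond gives a clean 403 without
    # contacting the pool (reject or drop would also work here).
    log local0. "Denied [IP::client_addr] -> [HTTP::host][HTTP::uri]"
    HTTP::respond 403 content "Forbidden" noserver Connection close
}
```

Because the decision is per request, this single rule can be attached to several HTTP virtual servers with different pools, as the question asked; only the data group is shared.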