For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Macaron's avatar
Macaron
Icon for Nimbostratus rankNimbostratus
Jun 27, 2016

iRule - Source Port persistence for a specific subnet else only source addr persistence

Hi, I need an iRule help. I want to apply source port persistence on a specific subnet (10.1.1.0/24) and for all the other traffic coming to the same VIP, I just want to Source address persistence. I created a datagroup which contain a subnet for port persistence. The thing i am not sure is how to write the else part in iRule for Source address persistence for all the other traffic other then the specific subnet.

 when CLIENT_ACCEPTED {
   if {[class match [IP::client_addr] equals "datagroup_dg"]}{
     set client_ip_port "[IP::client_addr]:[TCP::client_port]"
     persist uie $client_ip_port
   }
   else {
          .........
   }
}
application delivery
iRules
LTM

4 Replies

  • Vijay_E's avatar
    Vijay_E
    Icon for Cirrus rankCirrus
    Jun 27, 2016

    I am assuming that you are using the iRule in an UIE persistence profile that is attached to the VS.

    In the iRule example that I have provided, persistence is based on "Client IP & Client Port" if the client IP matches the "datagroup_dg" and for client IP not matching the datagroup, persistence is based on just the "Client IP"

    In the else statement use 

    persist uie [IP::client_addr]

     when CLIENT_ACCEPTED {
   if {[class match [IP::client_addr] equals "datagroup_dg"]} {
     set client_ip_port "[IP::client_addr]:[TCP::client_port]"
     persist uie $client_ip_port
   }
   else {
     persist uie [IP::client_addr]
   }
}

    When you add information for the "value" field (seen in GUI) within the data group, you will be able to see the "data" keyword in the CLI within the datagroup like this:

    ltm data-group internal CLASS-IP-DATA {
    records {
        10.10.10.0/24 {
            data abcd
        }
    }
    type ip
}

    Datagroup format:

    ltm data-group internal CLASS-IP-DATA {
    records {
        1.1.1.1/32 { }
    }
    type ip
}
  • Macaron's avatar
    Macaron
    Icon for Nimbostratus rankNimbostratus
    Jun 27, 2016

    Thanks Odaah, I am not using persistence profile for this VIP. Do I have to ? and so the the complete iRule would looks like this. Please verify !!!

     when CLIENT_ACCEPTED {
   if {[class match [IP::client_addr] equals "datagroup_dg"]}{
     set client_ip_port "[IP::client_addr]:[TCP::client_port]"
     persist uie $client_ip_port
   }
   else {
          persist uie [IP::client_addr]
   }
}

    and also I wanted to know the datagroup format can you please verify the following:

    ltm data-group internal addr_testclass {
    records {
        10.1.1.0/24 { }
        {
            data "what is this part for ?"
        }
    }
    type ip
}
    • Vijay_E's avatar
      Vijay_E
      Icon for Cirrus rankCirrus
      Jun 27, 2016
      I recommend using the UIE persistence profile. If not, we would have to add "persist add uie [IP::client_addr]" or similar such function in order to add the persistence record to the F5. Using the UIE persistence profile helps us to keep the iRule simple. Also, my 1st reply has been edited to answer the data group question. Let me know if everything has been addressed.
  • Macaron's avatar
    Macaron
    Icon for Nimbostratus rankNimbostratus
    Jun 27, 2016

    Thanks Odaah, Sorry new to this datagroup formating. I saved the datagroup in a text file and import it from system>File management>data group file list > import but getting following error 0107169a:3: The data group external file (/config/filestore/.stage_d/179660_d/Common_d/data_group_d/:Common:ss_dg_57708_1) has an invalid format, line: 1.

             in value filed (GUI) there is already ":="