For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

KPS_149915's avatar
KPS_149915
Icon for Nimbostratus rankNimbostratus
Apr 06, 2017

IRule based on src IP LTM

Hi   My plan is to allow from 2 subnets and direct to a pool, below irule is not working, if any one knows why it is not working, please share,   when CLIENT_ACCEPTED { if { [IP::addr [IP::cl...
devops
iRules
LTM
security
Ed_Summers's avatar
Ed_Summers
Icon for Nimbostratus rankNimbostratus
Apr 06, 2017

This would be a good application for a data group. Not only would it make the rule easier to update and scale, it will make the tcl code much simpler.

Create a data group (give it a descriptive name...I'll just use 'allowed-subnets'):

create ltm data-group internal allowed-subnets type ip records add { 10.x.x.x/24 10.y.y.y/24 }

Now you can use this data group for matching in your iRule

 

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] eq allowed-subnets] } {
        pool my.pool
    }
}

 

In the future, allowing additional subnets (or even host addresses) is a matter of adding to the data group. No changes to the iRule would be required.