For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Stan_Hurton_111's avatar
Stan_Hurton_111
Icon for Nimbostratus rankNimbostratus
Oct 06, 2009

Irule broken after upgrade from v9.x to v10.0.1

We had an Irule validating a group with a list of approved IP addresses, but the rule stopped working after upgrading to v10.0.1

 

 

The 10.0.1 version doesn't complain about the syntax, the rule just stopped working and blocks every IP.

 

 

Here is the rule as it worked in v9.x:

 

 

when CLIENT_ACCEPTED {

 

if {$::WSAnonAddresses contains [IP::client_addr]} {

 

pool WSAnon}

 

else {

 

discard}

 

}

 

 

 

Does anyone know what the problem may be?

 

application delivery
dev
devops
iRules

1 Reply

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Oct 06, 2009
    Hi,

     

     

    Sorry to hear that the rule took down the VIP. I wonder if your iRule would have been converted automatically if you'd been using 'matchclass [IP::client_addr] equals $::WSAnonAddresses' to evaluate the client IP address against the datagroup. What you have would have done a less efficient string comparison in 9.x. I haven't tested this in an upgrade before. In general, it's a good idea to do full regression testing of your iRules in a dev environment when upgrading to a new feature release.

     

     

    To fix this, try replacing the contains expression with the new class command (Click here):

     

     

    Replace this:

     

     

    if {$::WSAnonAddresses contains [IP::client_addr]} {

     

     

    with this:

     

     

    if {[class match [IP::client_addr] equals WSAnonAddresses]}{

     

     

    where WSAnonAddresses is an address type datagroup.

     

     

    Aaron
Related Content