Irule to filter access to VIP -- F5 V.9.4.7
Hi Guys,
I am very new to implementing iRules and I need your expert advice. We're trying to implement an iRule that will filter access to Virtual Servers. We have a list of subnets (approx. 5000 lines of subnets) to be used.
I am thinking of creating an external file (Drop_Subnet) that would list those networks in the format below:
network x.x.x.x mask x.x.x.x,
network x.x.x.x mask x.x.x.x,
...
and so on..
Then, after creating the file, I will create the following class, which will point to the file I just created:
    Class Drop_Subnet_Class extern {
        filename "/Config/Drop_Subnet"
        type ip
    }
and a rule like:
    rule Drop_AV_Subnets {
        when CLIENT_ACCEPTED {
            # Drop the connection when the client address falls inside any listed subnet
            if { [matchclass [IP::client_addr] equals $::Drop_Subnet_Class] }{
                discard
            } else {
                forward
            }
        }
    }
I believe I cannot use $:: as it will break CMP compatibility, though. Please feel free to correct it if you find any other errors apart from that. Can someone perhaps show me how to implement it properly? TIA!!
BIG-IP 3600
BIG-IP Version 9.4.7 330.0
Thank you,
Vince
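A way to generate the Drop_Subnet file described in the question from a raw subnet list, as an added example that is not from any poster in this thread. The function name and the sample entries (constructed) are assumptions, and the trailing comma on every line simply follows the format shown in the question.

```python
import ipaddress

def build_drop_subnet_lines(entries):
    """Return (lines, rejected) for a Drop_Subnet-style external class file.

    entries: strings in CIDR form ("10.1.0.0/16") or "address netmask" form
    ("10.1.0.0 255.255.0.0"). Blank lines and '#' comments are skipped.
    """
    nets, rejected = [], []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            # strict=True refuses entries with host bits set (10.1.2.3/16),
            # which are usually typos in a hand-maintained list.
            nets.append(ipaddress.IPv4Network("/".join(text.split()), strict=True))
        except ValueError as exc:
            rejected.append((raw.strip(), str(exc)))
    # Merge duplicates, nested subnets and adjacent halves so the class the
    # rule searches on every connection stays as small as possible.
    merged = ipaddress.collapse_addresses(nets)
    lines = [f"network {n.network_address} mask {n.netmask}," for n in merged]
    return lines, rejected

# Constructed sample input (documentation and private ranges only).
SAMPLE = [
    "10.20.0.0/16",
    "10.20.30.0/24",              # nested inside the /16 above
    "192.0.2.0 255.255.255.128",  # netmask form
    "192.0.2.128/25",             # adjacent half, merges into 192.0.2.0/24
    "198.51.100.7/24",            # host bits set: rejected
    "203.0.113.0/33",             # impossible prefix length: rejected
    "10.20.0.0/16",               # duplicate
]

if __name__ == "__main__":
    lines, rejected = build_drop_subnet_lines(SAMPLE)
    print("\n".join(lines))
    for entry, reason in rejected:
        print(f"# rejected {entry!r}: {reason}")
```

Review the rejected entries by hand before loading the file: a mistyped subnet that is silently skipped leaves a gap in the block list.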
- hoolio
Cirrostratus
Hi Vince,
- Hamish
Cirrocumulus
If you're using v10 or later, I'd change the matchclass to use the (newer) [class ...] syntax. That'll get rid of your $:: namespace problems and enable CMP mode.
    when CLIENT_ACCEPTED {
        # class match returns a boolean; class lookup returns the matched element's value
        if { [class match [IP::client_addr] equals Drop_Subnet_Class] } {
            discard
        }
    }
- Vincent_95925
Nimbostratus
@ Aaron and Hamish, Thank you both so much :D Appreciate it a lot!! :D