Forum Discussion
genseek_32178
Nimbostratus
Jul 11, 2012
matchclass
Hi,
We've an external src 10.10.10.52..trying to access dst 10.210.0.10 ( vlan - X )
dst has its gwy as bigip and bigip has following iRule associated with wild card CS WVS1.
Vlan X is enabled on the wild card WVS1
virtual WVS1
pool WSpool
destn any:any
mask 0.0.0.0
rule R1
profiles PF1
vlan X
iRule is attached.
Question is - If the src 120.10.10.52 wants to access (ICMP) dst 10.210.0.10...
does the src network 120.x need to be part of the match class or not?
thnx-gensk
6 Replies
- nitass
Employee
[ Question is - If the src 120.10.10.52 wants to access (ICMP) dst 10.210.0.10... ]
icmp request is coming from vlan X, isn't it?
IP::local_addr in client-side context means destination address. so, i do not think 120.x needs to be in the class.
IP::local_addr wiki
https://devcentral.f5.com/wiki/iRules.ip__local_addr.ashx
- genseek_32178
Nimbostratus
NO........icmp request is coming from the external client 10.10.10.52...to dst 10.210.0.10
[ IP::local_addr in client-side context means destination address...]
here the destination address means....dst IP in the incoming packet from client 10.10.10.52 towards dst 10.210.0.10
OR
does it mean....dst IP in the outgoing IP packet..outgoing from..Vlan X.( 10.210.0.x) ..which is part of the match class.
- nitass
Employee
[ does it mean....dst IP in the outgoing IP packet..outgoing from..Vlan X.( 10.210.0.x) ..which is part of the match class. ]
i think it could be this one since virtual WVS1 is enabled on vlan X.
[ here the destination address means....dst IP in the incoming packet from client 10.10.10.52 towards dst 10.210.0.10 ]
this should not be handled by virtual WVS1 because incoming vlan is not vlan X, is it?
- genseek_32178
Nimbostratus
i'm trying to understand...when the iRule gets triggered..here..for outbound traffic srced from match class nwks or for inbound traffic?
Is it that the iRule gets triggered...
when..there is traffic going OUT from LTM..srced from ANY of the networks that are part of match class
OR
for traffic coming from ANY ext client..trying to access nodes belonging to any nwks in the match class?
- nitass
Employee
i think you had better forget matchclass/irule first.
starting at virtual WVS1 setting. since the virtual is enabled on vlan X, only packets which are coming from vlan X will be handled by the virtual. as you said, icmp request from 10.10.10.52 is not coming from vlan X, so it won't be accepted by the virtual.
for icmp reply from 10.210.0.10, it is coming from vlan X, so it will hit the virtual and irule will be triggered.
in the irule, since client_accepted event is client-side context, ip::local_addr is destination address of icmp reply packet.
hope this helps.
- genseek_32178
Nimbostratus
but destination address of icmp reply is NOT part of the iRule matchclass, rather it is some remote client.
