Forum Discussion

squeezebox_2829's avatar
squeezebox_2829
Icon for Nimbostratus rankNimbostratus
Aug 10, 2016

Multiple Switch statements in a single iRule

Hi there,

 

I have several ranges of addresses which I want to see if traffic is coming from and deny traffic. Say the ranges are as follows as an example:

 

10.11.0.0/16 10.12.0.0/16 10.13.13.0/22 10.14.14.0/22 10.23.23.0/24 10.24.24.0/24

 

I am wondering if I can have multiple switch statements in the CLIENT_ACCEPTED section of code such as (obviously some default statement would need to be added somewhere along the line or an overarching check to bypass this lookup if it is not required):

 

when CLIENT_ACCEPTED {
    switch -glob [IP::addr [IP::client_addr]/16] {
        "10.11.0.0" { 
             some action
        }
        "10.12.0.0" { 
             some action
        }
    }

    switch -glob [IP::addr [IP::client_addr]/22] {                                                                                                                                                                                                            switch -glob [IP::addr [IP::client_addr]/22] {
        "10.13.13.0" { 
             some action
        }
        "10.14.14.0" { 
             some action
        }
    }

    switch -glob [IP::addr [IP::client_addr]/24] {                                                                                                                                                                                                            switch -glob [IP::addr [IP::client_addr]/22] {
        "10.23.23.0" { 
             some action
        }
        "10.24.24.0" { 
             some action
        }
    }
}
  • Yes, but what you really want to do is use a Data Group. Let's say you have a Data Group that looks like this:

    create ltm data-group internal dg-address-matchers type ip \
      records add { 10.11.0.0/16 { data "action1" } \
                    10.12.0.0/16 { data "action2" } \
                    10.13.13.0/22 { data "action3" } ... }
    

    You would then use it thusly:

    when CLIENT_ACCEPTED {
        set indicator [class lookup [IP::client_addr] dg-address-matchers]
            
        switch [class lookup [IP::client_addr] dg-address-matchers] {
            action1 {
                 ... do something ...
            }
                    
            action2 {
                 ... do something else ...
            }
            
             ... etc ... 
            
            "" {
                 this means the IP matches no netblocks in the data-group
            }
        }
    }
    
  • Vernon_97235's avatar
    Vernon_97235
    Historic F5 Account

    Yes, but what you really want to do is use a Data Group. Let's say you have a Data Group that looks like this:

    create ltm data-group internal dg-address-matchers type ip \
      records add { 10.11.0.0/16 { data "action1" } \
                    10.12.0.0/16 { data "action2" } \
                    10.13.13.0/22 { data "action3" } ... }
    

    You would then use it thusly:

    when CLIENT_ACCEPTED {
        set indicator [class lookup [IP::client_addr] dg-address-matchers]
            
        switch [class lookup [IP::client_addr] dg-address-matchers] {
            action1 {
                 ... do something ...
            }
                    
            action2 {
                 ... do something else ...
            }
            
             ... etc ... 
            
            "" {
                 this means the IP matches no netblocks in the data-group
            }
        }
    }
    
    • squeezebox_2829's avatar
      squeezebox_2829
      Icon for Nimbostratus rankNimbostratus

      Thanks for this information, I have two questions:

       

      1) I am currently operating on Firmware version 10.2.4, is this the correct format for this version? 2) Second, I am trying to get some more information on how this comparison is going to work. I was under the impression I would need to provide a netmask for [IP::client_addr] to convert it to its given class IP address (network IP) ie. 192.168.1.45/24 == 192.168.1.0 for comparison purposes. Is the provided data-group performing that operation natively due to the data-group type ip? I am searching for more information on this.

       

      Thanks,

       

  • Yes, but what you really want to do is use a Data Group. Let's say you have a Data Group that looks like this:

    create ltm data-group internal dg-address-matchers type ip \
      records add { 10.11.0.0/16 { data "action1" } \
                    10.12.0.0/16 { data "action2" } \
                    10.13.13.0/22 { data "action3" } ... }
    

    You would then use it thusly:

    when CLIENT_ACCEPTED {
        set indicator [class lookup [IP::client_addr] dg-address-matchers]
            
        switch [class lookup [IP::client_addr] dg-address-matchers] {
            action1 {
                 ... do something ...
            }
                    
            action2 {
                 ... do something else ...
            }
            
             ... etc ... 
            
            "" {
                 this means the IP matches no netblocks in the data-group
            }
        }
    }
    
    • squeezebox_2829's avatar
      squeezebox_2829
      Icon for Nimbostratus rankNimbostratus

      Thanks for this information, I have two questions:

       

      1) I am currently operating on Firmware version 10.2.4, is this the correct format for this version? 2) Second, I am trying to get some more information on how this comparison is going to work. I was under the impression I would need to provide a netmask for [IP::client_addr] to convert it to its given class IP address (network IP) ie. 192.168.1.45/24 == 192.168.1.0 for comparison purposes. Is the provided data-group performing that operation natively due to the data-group type ip? I am searching for more information on this.

       

      Thanks,

       

  • The data group format is somewhat different in v10:

    but as long as the entries are declared as network, it should work.

    If a Data Group is declared to be type ip then the

    equals
    operator will perform network-wise comparisons against IP addresses.

    • squeezebox_2829's avatar
      squeezebox_2829
      Icon for Nimbostratus rankNimbostratus

      I see, yes it seems to be working. When working with an external file to be used for a datagroup is there a way to program-atically trigger the BIGIP to re-read the file after a change has been made? It seems that changes to the file are not picked up until I go in via the GUI and update the data-group linked to the external file. Is there an API call I can issue to cause an updated file to be used? Thanks,

       

  • Vernon_97235's avatar
    Vernon_97235
    Historic F5 Account

    The data group format is somewhat different in v10:

    but as long as the entries are declared as network, it should work.

    If a Data Group is declared to be type ip then the

    equals
    operator will perform network-wise comparisons against IP addresses.

    • squeezebox_2829's avatar
      squeezebox_2829
      Icon for Nimbostratus rankNimbostratus

      I see, yes it seems to be working. When working with an external file to be used for a datagroup is there a way to program-atically trigger the BIGIP to re-read the file after a change has been made? It seems that changes to the file are not picked up until I go in via the GUI and update the data-group linked to the external file. Is there an API call I can issue to cause an updated file to be used? Thanks,

       

  • As you observe, loading an external data-group file really just loads its contents into an internal data store. It is a one-time activity. Changes to the original source file do not change the internal store. You can use

    tmsh
    to update the file, as well. You could create an iCall periodic script to check for changes to a source file that is local to the BIG-IP, then invoke the appropriate
    tmsh
    command if it has changed. Alternatively, you could use iControl to load the file from an off-box source. Testing whether the file changed would be the domain of some external script. Since 10.x is about to go end-of-life, you presumably will be upgrading to 11.x (at least 11.4) or 12.x soon. If so, then both mechanisms should be available.