For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

brad_anton_1025's avatar
brad_anton_1025
Icon for Nimbostratus rankNimbostratus
Feb 17, 2006

pool selection based on client ip

i am trying to do a basic pool selection i have this, but its just not working

 

 

 

userlista is datagroup

 

 

 

 

when CLIENT_ACCEPTED {

 

if { [ matchclass [IP::client_addr] equals $::UserListA ]} {

 

pool pool1

 

}

 

}
application delivery
dev
devops
iRules

6 Replies

  • brad_anton_1025's avatar
    brad_anton_1025
    Icon for Nimbostratus rankNimbostratus
    Feb 17, 2006
    this is so depressing, nothing is working: my latest attempt:

     

     

     

    when RULE_INIT {

     

    log local0. "qa-rule --BRAD"

     

    }

     

     

     

    when CLIENT_ACCEPTED {

     

    if { [ matchclass [IP::remote_addr] equals $::test ] } {

     

    pool qa-01-101-7200

     

    } else {

     

    [ drop ]

     

    }

     

    }

     

     

    its like nothing is loading, also i noticed some wierd thing in the ltm after the b load, (and the qa-rule --BRAD didnt show up in the ltm) it looks like all the audit logs are 3 hours begin the others... pretty strange..

     

     

    SOMEONE PLEASE HELP!@
  • unRuleY_95363's avatar
    unRuleY_95363
    Historic F5 Account
    Feb 20, 2006
    You clearly have something going wrong. You should contact support.

     

     

    BTW, you don't need the [] around the drop command (the [] mean evaluate the command and use the results, as opposed to simply evaluate the command).

     

     

  • brad_anton_1025's avatar
    brad_anton_1025
    Icon for Nimbostratus rankNimbostratus
    Feb 21, 2006
    funny, support told me to post here..

     

     

    can you confirm that the irule itself should work?
  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Feb 21, 2006
    I'd like to see the data group that's associated with your rule.

    I think your first attempt was closer, as you were using the client_addr variable.

    Try something like:

    
when RULE_INIT {
  log local0. "qa-rule --BRAD"
}
when CLIENT_ACCEPTED {
  if { [ matchclass [IP::client_addr] equals $::test ] > 0 } {
    pool qa-01-101-7200
  } else {
    drop
  }
}

    But yes, things look fine in general, and that rule should allow you to select a pool based on the IP.

    -Colin
  • brad_anton_1025's avatar
    brad_anton_1025
    Icon for Nimbostratus rankNimbostratus
    Feb 27, 2006
    ok so i finally figured it all out...my problems where as follows:

     

     

    1. the drop wasnt fully dropping, the connection was being passed on to the server, but the client-to-bigip was still being held..

     

     

    solution: use TCP::close

     

     

    2. data group names with hyphens dont work! i guess it sees it as a subtraction sign or something nonetheless i couldnt get anything to match because the it would reference the whole data group

     

     

    solution DONT use datagroup names with hyphens in them

     

     

    i think that pretty much does it [moderated]
  • unRuleY_95363's avatar
    unRuleY_95363
    Historic F5 Account
    Mar 02, 2006
    Two things regarding RULE_INIT:

     

    First, RULE_INIT is common to all rules. It is also only executed when rules are initially loaded or when anything in the entire rule has changed. The RULE_INIT event is evaluated regardless of whether the rule is associated to any virtuals.

     

     

    Second, the default namespace for RULE_INIT is the global namespace. So, a local variable is actually in the global namespace. EG, "set dirt hello" in RULE_INIT is equivalent to "set ::dirt hello".

     

     

    Hope that helps!