Fearghus
Feb 06, 2025
Solved

Possible to combine multiple DataGroupLists for IP-Check?

Hello F5 Community,

I am working on an iRule to check against two data group lists and the country, but I am not sure if this is possible the way I want to implement it. It should check whether the IP is in list1 or list2, or whether it is part of FR or US; if true it should allow the traffic, otherwise the traffic should be dropped.

My question would be: is it possible to check against two data group lists, like I did in my iRule example? Or should I avoid this?

when HTTP_REQUEST {
    set client_ip [getfield [IP::client_addr] "%" 1]
    set from_country [whereis $client_ip country]
    # Allow if the client is in either address data group or comes from FR/US; otherwise drop
    if { not (([class match $client_ip equals /Common/list1]) ||
              ([class match $client_ip equals /Common/list2]) ||
              ($from_country eq "FR") ||
              ($from_country eq "US")) } {
        drop
        # drop does not end the event; return so no later command runs
        return
    }
    switch -glob -- [string tolower [HTTP::path]] {
        default { pool /Common/pool1 }
    }
}

Thank you.

  • From experience there are no issues with using multiple data groups, as most customers I have worked with have one global data group that holds the list of globally allowed or blocked objects, and it is in the iRule for every virtual server, and some virtual servers have an iRule referencing one more that is specific to that virtual server.

    Before, the limit was 100K entries in a data group, and I suggest that the combined number of entries in the two data groups just not go over that, even if nowadays it could be bigger, but I couldn't find in the newer versions what it is.

  • Hello,

    I see your question has been up for some time with no response and would like to offer two possible paths to get assistance if you are still interested. Both will depend on having appropriate support for your device. The first would be our professional services team, as they are the experts in new setup and iRules. Second, if you are making changes to an existing configuration, I would direct you to create a support case through myf5.

    If outside of DevCentral you have already been able to obtain an answer, please let us know.

    Thank you for posting your question!

  • f51

    Yes, it's definitely possible to check against two datagroup lists within an iRule. The logic you've written seems to be on the right track for what you're trying to accomplish. Your iRule checks if the client's IP address is in either list1 or list2, or if the IP originates from France (FR) or the United States (US). If none of these conditions are met, the traffic is dropped.

    Try this iRule and please let me know.

    when HTTP_REQUEST {
        # Get the client's IP address
        set client_ip [getfield [IP::client_addr] "%" 1]
        
        # Determine the country of origin for the client's IP address
        set from_country [whereis $client_ip country]
        
        # Check if the IP is in either datagroup list or if it originates from FR or US
    if { not (([class match $client_ip equals /Common/list1]) ||
              ([class match $client_ip equals /Common/list2]) ||
              ($from_country eq "FR") ||
              ($from_country eq "US")) } {
        drop
        # drop does not end the event; return so the pool command below is not run
        return
    }
        
        # Forward traffic to the default pool if none of the paths matched
        switch -glob -- [string tolower [HTTP::path]] {
            default { pool /Common/pool1 }
        }
    }

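The check the thread settles on, written out as an added example rather than code from the original posts. It restructures the same allow logic so that the data-group checks run first (a client already on an allow list never needs a geolocation lookup), the decision is logged, and the connection is dropped once in CLIENT_ACCEPTED instead of on every HTTP request; `return` after `drop` is needed because `drop` by itself does not end the event. The names `/Common/list1`, `/Common/list2` and `/Common/pool1` are taken from the thread; the tmsh command in the comment, the log facility and the requirement that the data groups be address (`ip`) type are assumptions of this example.

```tcl
# Added example, not from the original thread.
# Assumes list1/list2 are address-type data groups so that "class match ...
# equals" matches both host and CIDR entries, e.g. created with
#   tmsh create ltm data-group internal list1 type ip records add { 192.0.2.0/24 { } 198.51.100.7 { } }
# and that the BIG-IP geolocation database is installed for [whereis].
when CLIENT_ACCEPTED {
    # Strip any route-domain suffix (10.1.1.1%2 -> 10.1.1.1)
    set client_ip [getfield [IP::client_addr] "%" 1]

    # Allow-list data groups first; no geo lookup needed if either matches
    if { [class match $client_ip equals /Common/list1] ||
         [class match $client_ip equals /Common/list2] } {
        set allowed 1
        set reason "data-group"
    } else {
        # whereis returns an empty string for addresses not in the database
        # (private ranges, unmapped space); an empty country is neither FR
        # nor US, so such clients are dropped unless a data group lists them.
        set from_country [whereis $client_ip country]
        if { $from_country eq "FR" || $from_country eq "US" } {
            set allowed 1
            set reason "country $from_country"
        } else {
            set allowed 0
            set reason "country '$from_country'"
        }
    }

    if { !$allowed } {
        log local0.info "Dropping $client_ip ($reason)"
        drop
        # drop does not end the event; return so nothing below runs
        return
    }
    log local0.debug "Allowing $client_ip ($reason)"
}

when HTTP_REQUEST {
    # Only reached for connections that passed the check above
    switch -glob -- [string tolower [HTTP::path]] {
        default { pool /Common/pool1 }
    }
}
```

Two caveats for anyone reusing this: `IP::client_addr` is the address of whatever opened the TCP connection, so if the virtual server sits behind another proxy or load balancer the data-group and country checks are evaluated against that device, not the end user; and if either data group is created as a string type instead of `ip`, `class match ... equals` will only match exact literal entries and CIDR ranges will silently never match.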
  • Thanks everyone for the feedback.

    I implemented it and it worked without issues.