For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ukitsysadmin_95's avatar
ukitsysadmin_95
Icon for Nimbostratus rankNimbostratus
Aug 18, 2009

Redirect accourding to source IP ranges

Referring to the previous post: http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=34863     I'm looking to create an iRule whereby visitors to a specific website are redirect...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Aug 20, 2009
Hi,

 

 

Can you use the second format, trim out all but a handful of entries, reload your configuration using 'b load', and then test the iRule further? I believe that if you modify the external class file, the change isn't read into memory until the config is reloaded.

 

 

Try adding a log statement of the client IP address, the datagroup contents and the value of the matchclass command. This should give you a good indication of all the relevant data.

 

 

log local0. "[IP::client_addr]:[TCP::client_port]: class contents: $::UK_Allowed_IP, matchclass result: [matchclass [IP::client_addr] equals $::UK_Allowed_IP]"

 

 

Also, once you have the class check working, you could move it to CLLIENT_ACCEPTED and set a variable if the client needs to be redirected. That way you do the check once per TCP connection instead of for every HTTP request. You could also forcibly close the TCP connection with TCP::close after the HTTP redirect to ensure the client doesn't retry the request on the same TCP connection if they'll never be allowed to reach the pool.

 

 

Aaron