F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Mar 22, 2021

replacing irule with policy

Hello guys I'm trying to replace this iRule with policy:   when CLIENT_ACCEPTED { set allowed 0 if { [class match -- [whereis [IP::client_addr] country] equals country_list] or [class m...
application delivery
BIG-IP
iRules
policy
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Mar 30, 2021

Created in the GUI, I ended up with a test policy similar to what you are describing, with no option to set "is not" on a datagroup:

 

ltm policy dg_check {
    draft-copy Drafts/dg_check
    last-modified 2021-03-30:02:07:31
    requires { http }
    rules {
        dg_check {
            actions {
                0 {
                    shutdown
                    client-accepted
                    connection
                }
            }
            conditions {
                0 {
                    geoip
                    client-accepted
                    country-code
                    datagroup accepted_country_codes
                }
            }
        }
    }
    status published
    strategy first-match
}

 

However, if you go into the command line and modify this in tmsh, it appears to work:

 

root@(ltm3)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify ltm policy dg_check legacy rules modify { dg_check { conditions replace-all-with { 0 { geoip client-accepted country-code not datagroup accepted_country_codes } } } }
root@(ltm3)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm policy dg_check
ltm policy dg_check {
    draft-copy Drafts/dg_check
    last-modified 2021-03-30:02:09:04
    requires { http }
    rules {
        dg_check {
            actions {
                0 {
                    shutdown
                    client-accepted
                    connection
                }
            }
            conditions {
                0 {
                    geoip
                    client-accepted
                    country-code
                    not
                    datagroup accepted_country_codes
                }
            }
        }
    }
    status published
    strategy first-match
}

 

And then it appears in the GUI as expected (until you mess with it, then it is not recoverable there)

 I was not able to create a draft and then publish in tmsh (likely an error on my part). Using the legacy keyword I was able to work around that, but be advised my example makes immediate changes to the published policy.

I have NOT confirmed that the not keyword in the condition will function properly in this policy. If it does (please test and let me know) then this is very likely a UI bug and not a problem with functionality.

  • Abed_AL-R's avatar
    Abed_AL-R
    Icon for Cirrostratus rankCirrostratus
    Mar 31, 2021

    Thanks

    Seems to be risky a little bit since you need to change in CLI because it is not even an option in v15.1 GUI. So I'm not sure if this will be an upgrade obstacle in the future if did it this way when we upgrade from 13 to 15.

    I'll try to find a lab for this and do the tests.

    Thanks again, I appreciate your answer :)