Forum Discussion
Restrict access to VS by ip & time
Hi Ashu Aggarwal,
Create a datagroup for always allowed IPs.
Try this iRule:
    when RULE_INIT {
        # Time window per weekday as {start end}; change the times as needed.
        # An empty list means no window on that day. Keep comments outside the
        # braces below: inside a list literal "#" does not start a comment.
        array set static::timerange {
            Monday    {"08:30" "20:00"}
            Tuesday   {"08:30" "20:00"}
            Wednesday {"08:30" "20:00"}
            Thursday  {"08:30" "20:00"}
            Friday    {"08:30" "20:00"}
            Saturday  {}
            Sunday    {}
        }
    }
    when HTTP_REQUEST {
        # Change the data group name to your own.
        if { not [class match [IP::client_addr] equals dg-allowed-ip-list-name] } {
            set now [clock seconds]
            set current_day [clock format $now -format {%A}]
            set start [lindex $static::timerange($current_day) 0]
            set end [lindex $static::timerange($current_day) 1]
            # Inside today's window: allow. Outside it, or no window today: deny.
            if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
                set denied 0
            } else {
                set denied 1
            }
            unset start end
        } else {
            # Client address is in the always-allowed data group.
            set denied 0
        }
        if { $denied } {
            drop
        }
    }
I got the permission to try this i-rule tonight. Just a quick question: from where will this i-rule pick the clock/time? Would it pick the time from the system clock?
Thanks
- Oct 14, 2020
Hi,
I tested it with this iRule.
when HTTP_REQUEST { log local0. [clock seconds] }
Current time log:
Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688267
Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688270
...
After changing the F5 system time:
May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062278
May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062298
...
The iRule uses the system time.
- Ashu_Aggarwal Oct 14, 2020 Cirrus
I hope I am not eating a lot of your time. But how do I read '1526062298'?
Thanks
- Oct 14, 2020
clock seconds
Returns the current time as an integer number of seconds.
An integer value passed to the clock command that represents an absolute time as a number of seconds from the epoch time of 1 January 1970, 00:00 UTC. Note that the count of seconds does not include any leap seconds; seconds are counted as if each UTC day has exactly 86400 seconds. Tcl responds to leap seconds by speeding or slowing its clock by a tiny fraction for some minutes until it is back in sync with UTC; its data model does not represent minutes that have 59 or 61 seconds.
REF: https://www.tcl.tk/man/tcl8.6/TclCmd/clock.htm#M11
- Ashu_Aggarwal Oct 15, 2020 Cirrus
I tried the rule but it didn't work. It didn't block anything. Below is the rule.
    when RULE_INIT {
        array set static::timerange { #change time
            Monday {}
            Tuesday {}
            Wednesday {}
            Thursday {"03:15" "03:30"}
            Friday {}
            Saturday {}
            Sunday {}
        }
    }
    when HTTP_REQUEST {
        if { not [class match [IP::client_addr] equals dg_allow_ip_during_deployment] } { #change dg name
            set now [clock seconds]
            set current_day [clock format $now -format {%A}]
            set start [lindex $static::timerange($current_day) 0]
            set end [lindex $static::timerange($current_day) 1]
            if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
                set denied 0
            } else {
                set denied 1
            }
            unset start end
        } else {
            set denied 0
        }
        if { $denied } {
            drop
        }
    }
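Added example, not part of any post in this thread: a plain Tcl script (tclsh 8.5 or later, not an iRule) that runs the same window comparison as the iRule above against constructed timestamps and decodes two of the epoch values from the logs. The `denied_at` proc and the sample times are assumptions made for illustration; `-base` is used so the check can be evaluated for a chosen moment instead of the current time.

```tcl
# Same weekday table as the last iRule in the thread (Thursday 03:15-03:30).
array set timerange {
    Monday    {}
    Tuesday   {}
    Wednesday {}
    Thursday  {"03:15" "03:30"}
    Friday    {}
    Saturday  {}
    Sunday    {}
}

# Hypothetical helper: returns 1 if a client that is NOT in the allow-list
# data group would be dropped at epoch time $now, 0 if it would be let through.
proc denied_at {now} {
    global timerange
    set day   [clock format $now -format {%A}]
    set start [lindex $timerange($day) 0]
    set end   [lindex $timerange($day) 1]
    # No window configured for this weekday: the iRule sets denied to 1.
    if {$start eq "" || $end eq ""} { return 1 }
    # "HH:MM" is resolved on the calendar day of $now in the system time zone.
    # The iRule gets the same effect from the default base (the current time).
    set from [clock scan $start -base $now]
    set to   [clock scan $end -base $now]
    # Inside [from, to) the iRule sets denied to 0, everywhere else to 1.
    return [expr {!($now >= $from && $now < $to)}]
}

# Constructed sample moments: before, inside and at the end of the Thursday
# window, plus the same clock time on a day with no window.
foreach t {"2020-10-15 03:10:00" "2020-10-15 03:20:00"
           "2020-10-15 03:30:00" "2020-10-16 03:20:00"} {
    set now [clock scan $t -format {%Y-%m-%d %H:%M:%S}]
    set verdict [expr {[denied_at $now] ? "drop" : "allow"}]
    puts [format "%s %-9s -> %s" $t [clock format $now -format {%A}] $verdict]
}

# Reading the integers that [clock seconds] wrote to the log: they are seconds
# since 1970-01-01 00:00 UTC, so the same value prints differently per zone.
foreach epoch {1602688267 1526062298} {
    set local [clock format $epoch -format {%Y-%m-%d %H:%M:%S %Z}]
    set utc   [clock format $epoch -format {%Y-%m-%d %H:%M:%S} -timezone :UTC]
    puts "$epoch = $local (system zone) = $utc UTC"
}
```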