Forum Discussion
CirrusRestrict access to VS by ip & time
Hi Ashu Aggarwal,
Create a datagroup for always allowed IPs.
Try this iRule:
when RULE_INIT {
array set static::timerange { #change time
Monday {"08:30" "20:00"}
Tuesday {"08:30" "20:00"}
Wednesday {"08:30" "20:00"}
Thursday {"08:30" "20:00"}
Friday {"08:30" "20:00"}
Saturday {}
Sunday {}
}
}
when HTTP_REQUEST {
if { not [class match [IP::client_addr] equals dg-allowed-ip-list-name] } { #change dg name
set now [clock seconds]
set current_day [clock format $now -format {%A}]
set start [lindex $static::timerange($current_day) 0]
set end [lindex $static::timerange($current_day) 1]
if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
set denied 0
} else {
set denied 1
}
unset start end
} else {
set denied 0
}
if { $denied } {
drop
}
}
Cirrus: I got the permission to try this i-rule tonight. Just quick question, from where this i-rule will pick the clock/time? Would it pick the time from system clock?
Thanks
Hi,
I test it with this iRule.
when HTTP_REQUEST { log local0. [clock seconds] }Current time log:
Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688267 Oct 14 18:11:10 f5 info tmm[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1602688270 ...after change F5 System Time:
May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062278 May 11 21:11:18 f5 info tmm2[18620]: Rule /Common/test_seconds <HTTP_REQUEST>: 1526062298 ...iRule uses system time.
- Ashu_Aggarwal
I hope i am not eating a lot of your time. But how to read it '1526062298'?
Thanks
clock seconds
Returns the current time as an integer number of seconds.
An integer value passed to the clock command that represents an absolute time as a number of seconds from the epoch time of 1 January 1970, 00:00 UTC. Note that the count of seconds does not include any leap seconds; seconds are counted as if each UTC day has exactly 86400 seconds. Tcl responds to leap seconds by speeding or slowing its clock by a tiny fraction for some minutes until it is back in sync with UTC; its data model does not represent minutes that have 59 or 61 seconds.
REF: https://www.tcl.tk/man/tcl8.6/TclCmd/clock.htm#M11
- Ashu_Aggarwal
I tried the rule but it didn't work. it didn't block anything. Below is the rule.
when RULE_INIT {
array set static::timerange { #change time
Monday {}
Tuesday {}
Wednesday {}
Thursday {"03:15" "03:30"}
Friday {}
Saturday {}
Sunday {}
}
}
when HTTP_REQUEST {
if { not [class match [IP::client_addr] equals dg_allow_ip_during_deployment] } { #change dg name
set now [clock seconds]
set current_day [clock format $now -format {%A}]
set start [lindex $static::timerange($current_day) 0]
set end [lindex $static::timerange($current_day) 1]
if { ($start ne "") && ($end ne "") && ($now >= [clock scan $start]) && ($now < [clock scan $end]) } {
set denied 0
} else {
set denied 1
}
unset start end
} else {
set denied 0
}
if { $denied } {
drop
}
}
