Forum Discussion
Retrieve Value from Data Group record
Hi all,
I am trying to write an iRule to drop client packets by source IP, but instead of calling the IP in the rule as a condition, I want to add a location as the data value in the data group and apply the condition on it. My data group looks like:
    ltm data-group internal Locations {
        records {
            10.1.1.0/24 {
                data paris/allow
            }
            10.1.2.0/24 {
                data ny/allow
            }
            10.10.1.100/32 {
                data my_self/drop
            }
            172.16.1.0/24 {
                data tokyo/allow
            }
            192.168.1.0/24 {
                data London/drop
            }
            192.168.100.0/24 {
                data moon/allow
            }
        }
        type ip
    }
The condition is stored in the data group.
My question is how to get the data from the records, and since we can have multiple matches, how can we get the data?
Hope my question is clear enough ...
3 Replies
- Vijay_E
Cirrus
Hello,
When using a data-group of type ip, the longest match wins. In the example data-group you provide, I don't see overlapping entries, so I'll provide an example that does have entries that overlap.

    ltm data-group internal Locations {
        records {
            10.1.1.0/24 {
                data "paris allow"
            }
            10.1.2.0/24 {
                data "ny allow"
            }
            10.1.2.96/29 {
                data "lab drop"
            }
            10.10.1.100/32 {
                data "my_self drop"
            }
            172.16.1.0/24 {
                data "tokyo allow"
            }
            192.168.1.0/24 {
                data "London drop"
            }
            192.168.100.0/24 {
                data "moon allow"
            }
        }
        type ip
    }

    ltm rule ALLOW_BY_IP {
    when RULE_INIT {
        # test Locations data-group
        if {[TMM::cmp_unit] == 0} {
            foreach IP {10.1.1.1 10.1.2.10 10.1.2.99 10.10.1.100 192.168.100.230 172.30.1.1} {
                # the "if" around the match test was missing in the posted text; the else branch needs it
                if {[class match $IP equals Locations]} {
                    log local0. "address ${IP}: matches entry \
                        \x22[class match -name $IP equals Locations]\x22 \
                        and has value of \x22[class lookup $IP Locations]\x22"
                } else {
                    log local0. "no match found for address $IP"
                }
            }
        }
    }
    when CLIENT_ACCEPTED {
        # data is "name action", so lindex 1 is the action and lindex 0 the location name
        set VAL [class lookup [IP::client_addr] Locations]
        switch -- [lindex $VAL 1] {
            allow {
                log local0. "allow connection from [lindex $VAL 0] \
                    w/IP [IP::client_addr]: entry [class match -name [IP::client_addr] equals Locations]"
            }
            drop {
                log local0. "reject connection from [lindex $VAL 0] \
                    w/IP [IP::client_addr]: entry [class match -name [IP::client_addr] equals Locations]"
                reject
            }
            default {
                # no match returns an empty value, so lindex 1 is empty and lands here
                log local0. "no match found or the match did not have allow/drop"
            }
        }
    }
    }

Notes
- Instead of the syntax name/action, I chose "name action". This skips the step of having to split them manually in the iRule.
- Added a RULE_INIT event with a foreach loop to test several addresses and hopefully demonstrate how longest match functions. Since RULE_INIT fires once for each TMM, I use TMM::cmp_unit to only execute on TMM 0 so the test doesn't cause redundant logging.
- In the CLIENT_ACCEPTED event, a switch statement is used to match allow/drop or log if neither matched.
Is this what you were looking for?
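The longest-match behaviour the reply relies on, worked through offline as an added example (a Python model written for this page, not BIG-IP's own class command or any F5 code): it copies the reply's overlapping data group into a constructed dict, resolves each of the reply's test addresses to the most specific prefix, and splits the "name action" value the way the CLIENT_ACCEPTED switch does, including the default branch for addresses with no match or with a value that has no allow/drop word. The function names class_match_name, class_lookup, longest_match and decide are assumptions chosen to mirror the iRule commands.

```python
import ipaddress

# Constructed copy of the data group from the reply, as prefix -> data pairs.
# The data value uses the "name action" form so it splits on whitespace.
LOCATIONS = {
    "10.1.1.0/24": "paris allow",
    "10.1.2.0/24": "ny allow",
    "10.1.2.96/29": "lab drop",
    "10.10.1.100/32": "my_self drop",
    "172.16.1.0/24": "tokyo allow",
    "192.168.1.0/24": "London drop",
    "192.168.100.0/24": "moon allow",
}


def build_table(records):
    """Parse the record keys into network objects once so lookups don't re-parse them."""
    return [(ipaddress.ip_network(key, strict=True), data) for key, data in records.items()]


def longest_match(addr, table):
    """Return the (network, data) entry with the longest prefix containing addr, or None.

    This is the rule a type-ip data group applies: every containing prefix is a match,
    but the most specific one wins.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net, data in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, data)
    return best


def class_match_name(addr, table):
    """Model of 'class match -name': the key of the winning entry, or None when nothing matches."""
    hit = longest_match(addr, table)
    return str(hit[0]) if hit else None


def class_lookup(addr, table):
    """Model of 'class lookup': the data of the winning entry, or '' when nothing matches."""
    hit = longest_match(addr, table)
    return hit[1] if hit else ""


def decide(addr, table):
    """Mirror the CLIENT_ACCEPTED switch: returns (location, action).

    action is 'allow' or 'drop' when the second word of the data says so, and 'none'
    for the default branch (no match, or a value without an allow/drop word).
    """
    words = class_lookup(addr, table).split()
    location = words[0] if words else ""
    action = words[1] if len(words) > 1 else ""
    if action in ("allow", "drop"):
        return location, action
    return location, "none"


if __name__ == "__main__":
    table = build_table(LOCATIONS)
    # same test addresses as the reply's RULE_INIT loop
    for ip in ["10.1.1.1", "10.1.2.10", "10.1.2.99", "10.10.1.100", "192.168.100.230", "172.30.1.1"]:
        print(ip, class_match_name(ip, table), decide(ip, table))
```

The address 10.1.2.99 is the interesting one: it sits inside both 10.1.2.0/24 (ny allow) and 10.1.2.96/29 (lab drop), and the /29 wins, so the connection is dropped even though the wider site entry allows it. Keep that in mind when adding narrow exception entries to a list of site-wide allows.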
- Azzeddine_S
Cirrus
Thanks a lot,
the answer is more than what I expected.
I really appreciate the effort and I will give you feedback about the result as soon as I deploy it.
Once again, thanks a lot.