For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Azzeddine_S's avatar
Azzeddine_S
Icon for Cirrus rankCirrus
Mar 24, 2017

Retrieve Value from Data Group record

Hi all i am trying to write an irule to drop client paket by source IP, but instead of calling the IP in the rule as a condition , i want to add a location as a data value in the data group and app...
application delivery
LTM
Jeremy_Church_3's avatar
Jeremy_Church_3
Icon for Cirrus rankCirrus
Mar 25, 2017

Hello,

When using a data-group of 

type ip
, the longest match wins.

In the example data-group you provide, I don't see overlapping entries so I'll provide an example that does have entries that overlap.

ltm data-group internal Locations {
    records {
        10.1.1.0/24 {
            data "paris allow"
        }
        10.1.2.0/24 {
            data "ny allow"
        }
        10.1.2.96/29 {
            data "lab drop"
        }
        10.10.1.100/32 {
            data "my_self drop"
        }
        172.16.1.0/24 {
            data "tokyo allow"
        }
        192.168.1.0/24 {
            data "London drop"
        }
        192.168.100.0/24 {
            data "moon allow"
        }
    }
    type ip
}
ltm rule ALLOW_BY_IP {
    when RULE_INIT {
     test Locations data-group
    if {[TMM::cmp_unit] == 0} {
        foreach IP {10.1.1.1 10.1.2.10 10.1.2.99 10.10.1.100 192.168.100.230 172.30.1.1} {
            log local0. "address ${IP}: matches entry \
            \x22[class match -name $IP equals Locations]\x22 \
            and has value of \x22[class lookup $IP Locations]\x22"
        } else {
            log local0. "no match found for address $IP"
        }
    }
}
when CLIENT_ACCEPTED {
    set VAL [class lookup [IP::client_addr] Locations]
    switch -- [lindex $VAL 1] {
        allow   {
            log local0. "allow  connection from [lindex $VAL 0] \
            w/IP [IP::client_addr]: entry [class match -name [IP::client_addr] equals Locations]"
        }
        drop    {
            log local0. "reject connection from [lindex $VAL 0] \
            w/IP [IP::client_addr]: entry [class match -name [IP::client_addr] equals Locations]"
            reject
        }
        default { log locla0. "no match found or the match did not have allow/drop" }
    }
}
}
Notes
  1. Instead of the syntax name/action, I chose "name action". This skips the step of having to split them manually in the iRule.
  2. Added a 
    RULE_INIT
    event with a foreach loop to test several addresses and hopefully demonstrate how longest match functions. Since 
    RULE_INIT
    fires once for each TMM, I use 
    TMM::cmp_unit
    to only execute on TMM 0 so the test doesn't cause redundant logging.
  3. In the 
    CLIENT_ACCEPTED
    event, switch statement is used to match 
    allow
    /
    drop
    or log if neither matched.

Is this what you were looking for?

Azzeddine_S's avatar
Azzeddine_S
Icon for Cirrus rankCirrus
Mar 26, 2017

thanks a lot

 

the answer is more than what i expected

 

i really apriciate the effort and i will give you a feed back about the result as soon i deploy it

 

once again thanks a lot