Forum Discussion
TJ_Vreugdenhil
Cirrus
Apr 13, 2014
TCL error for basic ACL iRule
Does someone know why this TCL error is happening? I'm running 11.4.1 HF2
Apr 13 11:28:49 F5-AS400-LB-ACTIVE err tmm3[12193]: 01220001:3: TCL error: /Common/source_filter - bad action "172.17.1.250": must be match, search, lookup, element, type, exists, size, names, get, startsearch, nextelement, anymore, or donesearch while executing "class [IP::client_addr] equals allowed_datagroup"
```tcl
when RULE_INIT {
    # v1.0 - basic ACL.
    # January, 2014
    # Purpose:
    # Bind this rule to a virtual server to simply allow or disallow traffic based on source IP.
    # This rule expects a datagroup that lists the addresses you wish to allow.
    # By default, traffic will be dropped.
}
when CLIENT_ACCEPTED {
    if { [class [IP::client_addr] equals allowed_datagroup] } {
        # Uncomment the line below to turn on logging.
        log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
        forward
    } else {
        # Uncomment the line below to turn on logging.
        log local0. "Invalid client IP: [IP::client_addr] - discarding"
        discard
    }
}
```
5 Replies
- Here is the datagroup:

```
ltm data-group internal /Common/allowed_datagroup {
    records {
        10.12.20.0/22 { }
        10.12.25.0/24 { }
        10.12.28.0/24 { }
        172.18.50.0/24 { }
    }
    type ip
}
```
- Cory_50405
Noctilucent
Try putting the word match after class in your if statement.
This was the fix. I removed 'forward' too.
```tcl
when RULE_INIT {
    # v1.0 - basic ACL.
    # January, 2014
    # Purpose:
    # Bind this rule to a virtual server to simply allow or disallow traffic based on source IP.
    # This rule expects a datagroup that lists the addresses you wish to allow.
    # By default, traffic will be dropped.
}
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals allowed_datagroup] } {
        # Uncomment the line below to turn on logging.
        log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
    } else {
        # Uncomment the line below to turn on logging.
        log local0. "Invalid client IP: [IP::client_addr] - discarding"
        discard
    }
}
```
- Cory_50405
Noctilucent
Can simplify it a bit:
```tcl
when RULE_INIT {
    # v1.0 - basic ACL.
    # January, 2014
    # Purpose:
    # Bind this rule to a virtual server to simply allow or disallow traffic based on source IP.
    # This rule expects a datagroup that lists the addresses you wish to allow.
    # By default, traffic will be dropped.
}
when CLIENT_ACCEPTED {
    if { ! [class match [IP::client_addr] equals allowed_datagroup] } {
        log local0. "Invalid client IP: [IP::client_addr] - discarding"
        discard
    }
}
```
- True that, thanks Cory
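Added example, not part of the original thread or F5's code: an offline Python check that parses the data group posted above and reports which client addresses the corrected iRule would let through. It assumes `class match ... equals` against an ip-type data group matches when the client falls inside any listed subnet; the function names and the sample clients (other than 172.17.1.250, taken from the error log) are constructed for illustration.

```python
import ipaddress
import re

# Data group copied from the thread (tmsh one-line form).
DATAGROUP = (
    "ltm data-group internal /Common/allowed_datagroup { records { "
    "10.12.20.0/22 { } 10.12.25.0/24 { } 10.12.28.0/24 { } "
    "172.18.50.0/24 { } } type ip }"
)

# One record: an IPv4 address with optional prefix length, followed by "{".
RECORD_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s*\{")


def parse_records(stanza):
    """Return the IPv4 networks listed in the records block of an ip data group."""
    body = re.search(r"records\s*\{(.*)\}\s*type\s+ip", stanza, re.S)
    if body is None:
        raise ValueError("no 'records { ... } type ip' block found")
    # strict=True rejects records with host bits set, e.g. 10.12.21.0/22,
    # which usually indicates a typo in the allow list.
    return [ipaddress.ip_network(rec, strict=True)
            for rec in RECORD_RE.findall(body.group(1))]


def verdict(client_ip, networks):
    """Mirror the iRule: a match passes, anything else is discarded."""
    addr = ipaddress.ip_address(client_ip)
    return "allow" if any(addr in net for net in networks) else "discard"


def audit(clients, stanza=DATAGROUP):
    """Map each client address to the action the ACL iRule would take."""
    networks = parse_records(stanza)
    return {ip: verdict(ip, networks) for ip in clients}


if __name__ == "__main__":
    # Constructed sample clients, plus 172.17.1.250 from the error log.
    sample = ["10.12.23.255", "10.12.24.1", "172.18.50.7", "172.17.1.250"]
    for ip, result in audit(sample).items():
        print(f"{ip:15} {result}")
```

The /22 record covers 10.12.20.0 through 10.12.23.255 only, so a client in 10.12.24.0/24 is dropped even though the neighbouring /24 records are allowed.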