Forum Discussion

Svevak_211593
Feb 16, 2016

whitelist for IPs in iRule

Hello,


I would like to whitelist some IPs in an iRule. The IPs are defined in a datagroup.


Here is my code, but I'm not sure if this works...


when CLIENT_ACCEPTED {
    if { ([class match [IP::client_addr] equals datagroup-ntvSamsungSmartTVApp]) } {
         pool SmartTV-pool

    }
}
        else {
            reject
            }
}

The allowed IPs are in the datagroup "datagroup-ntvSamsungSmartTVApp".

Thank you! 🙂


3 Replies

  • when CLIENT_ACCEPTED {
        if { [matchclass [IP::client_addr] equals datagroup-ntvSamsungSmartTVApp] } {
             pool SmartTV-pool
        } else {
             reject
        }
    }
    
  • matchclass
    was deprecated starting in v10: https://devcentral.f5.com/wiki/iRules.matchclass.ashx. That first rule does have a couple of extra curly braces and unnecessary (though otherwise not harmful) parentheses, which I suspect is the thing ryan was primarily working to clean up. Taken together:

    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals datagroup-ntvSamsungSmartTVApp] } {
             pool SmartTV-pool
        }
        else {
             reject
        }
    }
    

    If this is the only logic, however, I believe it is more sensible to assign SmartTV-pool as the default pool to Virtual Server, then do the following:

    when CLIENT_ACCEPTED {
        if { ![class match [IP::client_addr] equals datagroup-ntvSamsungSmartTVApp] } {
            reject
        }
    }
    

    When the pool is assigned to the VS by configuration, the Virtual Server status is explicitly bound to this pool, rather than implicitly bound via the iRule.

    And, of course, if you have a device with a Better or Best license, AFM performs this function substantially faster.

  • Thank you guys! I think it works this way :)

    I got one more question. I would like to add Geoblocking to this iRule. But it doesn't work for me.

    So, whitelist for one IP + geoblocking:

    when CLIENT_ACCEPTED {
        # allowed = 1 when the client's country is on the list
        switch [whereis [IP::client_addr] country] {
            "DE" { set allowed 1 }
            "AT" { set allowed 1 }
            "CH" { set allowed 1 }
            "LI" { set allowed 1 }
            "LU" { set allowed 1 }
            default { set allowed 0 }
        }
        # whitelisted IPs pass regardless of country; the pool name is assumed
        # to be the SmartTV-pool used earlier in this thread
        if { $allowed || [class match [IP::client_addr] equals datagroup-whitelistIP] } {
            pool SmartTV-pool
        } else {
            reject
        }
    }
    

    Is this correct?
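Added example (written here for illustration, not posted by anyone in this thread): one iRule that does both things the thread asks for, an IP whitelist and a country allow-list, using `class match` rather than the deprecated `matchclass`. It goes a step beyond the question in two ways: the country codes live in a second string datagroup so the list can be changed without editing the rule, and every rejected connection is logged so blocked clients are visible in /var/log/ltm. The datagroup names `dg_whitelist_ips` and `dg_allowed_countries` are assumed; `SmartTV-pool` is the pool named earlier in the thread; the assumption that `whereis` returns an empty string for an address missing from the GeoIP database is mine, not something the thread states.

```tcl
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # 1. Explicit IP whitelist (address datagroup, assumed name dg_whitelist_ips).
    #    A whitelisted client is allowed regardless of its geolocation.
    if { [class match $client equals dg_whitelist_ips] } {
        pool SmartTV-pool
        return
    }

    # 2. Country allow-list (string datagroup of ISO codes such as DE, AT, CH,
    #    assumed name dg_allowed_countries). whereis needs the GeoIP database
    #    on the box; an unknown address is assumed to yield "" and so fails
    #    the check below instead of slipping through.
    set country [whereis $client country]
    if { $country ne "" && [class match $country equals dg_allowed_countries] } {
        pool SmartTV-pool
        return
    }

    # 3. Everything else is refused, and the decision is recorded for review.
    log local0. "Rejected $client (country '$country'): not whitelisted and not in an allowed country"
    reject
}
```

As the second reply suggests, if SmartTV-pool is set as the virtual server's default pool the two `pool SmartTV-pool` lines can be dropped and only the reject path kept, which keeps the virtual server's status bound to the pool by configuration rather than by the iRule.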