
iRule to Allow Countries F5 13.0 Software

Problem this snippet solves:

Allowing only certain countries

How to use this snippet:

It is used in the LTM Virtual server list

Code :

when CLIENT_ACCEPTED {
    if { ([whereis [IP::client_addr] country] ne "US") && ([whereis [IP::client_addr] country] ne "GB") && ([whereis [IP::client_addr] country] ne "IE") && ([whereis [IP::client_addr] country] ne "DE") } {
        drop
    }
}

Tested this on version:

13.0
Published Sep 28, 2017
Version 1.0

1 Comment

  • your code is not optimized....

    each time you use [whereis [IP::client_addr] country], there are 2 commands evaluated:

    • [IP::client_addr]
    • [whereis XX country]

    it's better to insert it in a variable to prevent evaluating the same commands multiple times

    when CLIENT_ACCEPTED {
        set client_country [whereis [IP::client_addr] country]
        if {  ($client_country ne "US") && ($client_country ne "GB") && ($client_country ne "IE") && ($client_country ne "DE") } {
            drop
       }
    }
    

    This section is to share generic code, so if someone wants to filter 10 countries, use switch, list or datagroup

    with switch :

    when CLIENT_ACCEPTED {
        switch [whereis [IP::client_addr] country] {
            "US" -
            "GB" -
            "IE" -
            "DE" {
                 # allowed country: do nothing
            }
            default {
                drop
            }
        }
    }
    

    with list :

    when CLIENT_ACCEPTED {
        set allowed_countries {"US" "GB" "IE" "DE"}
        if { [lsearch -exact $allowed_countries [whereis [IP::client_addr] country]] == -1 } {
            drop
        }
    }
    

    with datagroup :

    create a data group

    allowed_countries
    with values

    • US
    • GB
    • IE
    • DE

    and use this code

    when CLIENT_ACCEPTED {
        # class match takes the looked-up country, the operator, then the data group name
        if { ![class match [whereis [IP::client_addr] country] equals allowed_countries] } {
            drop
        }
    }
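
An added example, not part of the original post or the comment: the data-group variant extended to log each dropped connection and to handle clients for which the geolocation lookup returns no country. It assumes the `allowed_countries` data group described above, that `whereis` returns an empty string for addresses missing from the geolocation database (such as RFC 1918 ranges), and a hypothetical address-type data group `geo_exempt_nets` listing internal networks that bypass the check.

```tcl
when CLIENT_ACCEPTED {
    set client_ip [IP::client_addr]

    # Internal sources (health monitors, management hosts) have no useful
    # geolocation data; exempt them explicitly rather than by accident.
    # geo_exempt_nets is a hypothetical address-type data group.
    if { [class match $client_ip equals geo_exempt_nets] } {
        return
    }

    # Look the country up once and reuse the result.
    set client_country [whereis $client_ip country]

    # Assumption: an empty result means the address is not in the
    # geolocation database. Fail closed, but log it separately so gaps
    # in the database are visible instead of silently dropped.
    if { $client_country eq "" } {
        log local0.notice "geo-allow: no country for $client_ip, dropping"
        drop
        return
    }

    # Allowlist check against the string data group of country codes.
    if { ![class match $client_country equals allowed_countries] } {
        log local0.notice "geo-allow: dropped $client_ip country=$client_country"
        drop
        return
    }
}
```

Because the rule is an allowlist, any client whose country cannot be determined is dropped; the separate log line makes those cases distinguishable from ordinary out-of-region traffic.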