iRule to Allow Countries F5 13.0 Software

Problem this snippet solves:

Allowing only certain countries

How to use this snippet:

It is used in the LTM Virtual server list

Code :

when CLIENT_ACCEPTED {
    if {  ([whereis [IP::client_addr] country] ne "US") && ([whereis [IP::client_addr] country] ne "GB") && ([whereis [IP::client_addr] country] ne "IE") && ([whereis [IP::client_addr] country] ne "DE") } {
        drop
    }
}

Tested this on version:

13.0
Published Sep 28, 2017
Version 1.0
  • your code is not optimized....

    each time you use [whereis [IP::client_addr] country], there are 2 commands evaluated:

    • [IP::client_addr]
    • [whereis XX country]

    it's better to store it in a variable to avoid evaluating the same commands multiple times

    when CLIENT_ACCEPTED {
        set client_country [whereis [IP::client_addr] country]
        if {  ($client_country ne "US") && ($client_country ne "GB") && ($client_country ne "IE") && ($client_country ne "DE") } {
            drop
        }
    }
    

    This section is to share generic code, so if someone wants to filter 10 countries, use switch, list or datagroup

    with switch :

    when CLIENT_ACCEPTED {
        switch [whereis [IP::client_addr] country] {
            "US" -
            "GB" -
            "IE" -
            "DE" {
                # do nothing
            }
            default {
                drop
            }
        }
    }
    

    with list :

    when CLIENT_ACCEPTED {
        set allowed_countries {"US" "GB" "IE" "DE"}
        if { [lsearch -exact $allowed_countries [whereis [IP::client_addr] country]] == -1 } {
            drop
        }
    }
    

    with datagroup :

    create a data group allowed_countries with values

    • US
    • GB
    • IE
    • DE

    and use this code

    when CLIENT_ACCEPTED {
        if { ![class match [whereis [IP::client_addr] country] equals allowed_countries] } {
            drop
        }
    }
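
Added example, not part of the original snippet or of the comment above: the data group variant with the lookup stored once and each drop logged with its reason. It assumes the allowed_countries data group described above and that whereis returns an empty country for addresses missing from the geolocation database (for example private ranges); in every version on this page such clients are dropped too, because an empty string is not in the allow-list.

```tcl
# Added example; assumes a string data group named allowed_countries
# containing US, GB, IE and DE, as described in the comment above.
when CLIENT_ACCEPTED {
    # Evaluate each command once and reuse the results.
    set client_ip [IP::client_addr]
    set client_country [whereis $client_ip country]

    if { $client_country eq "" } {
        # Assumption: no geolocation result yields an empty string.
        # Fail closed, but log it separately so that internal clients
        # or health monitors hit by the rule are easy to spot.
        log local0. "geo allow-list: no country for $client_ip, dropping"
        drop
        return
    }

    if { ![class match $client_country equals allowed_countries] } {
        # Country resolved but is not on the allow-list.
        log local0. "geo allow-list: $client_ip ($client_country) not allowed, dropping"
        drop
        return
    }
    # Allowed country: fall through and let the connection proceed.
}
```

On a busy virtual server, logging every dropped connection can produce a large volume of log entries, so the log lines may need to be removed or sampled after initial tuning.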