For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

IRule to Allow Counries F5 13.0 Software

Problem this snippet solves: Allowing only certain countries How to use this snippet: It is used in the LTM Virtual server list Code : when CLIENT_ACCEPTED { if { ([whereis [IP::client_add...
Published Sep 28, 2017
Version 1.0
iRules
LTM
security
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Sep 29, 2017

your code is not optimized....

each time you use 

[whereis [IP::client_addr] country]
, there are 2 commands evaluated:

  • [IP::client_addr]
  • [whereis XX country]

it's better to insert it in a variable to prevent to evaluate the same commands multiple times 

when CLIENT_ACCEPTED {
    set client_country [whereis [IP::client_addr] country]
    if {  ($client_country ne "US") && ($client_country ne "GB") && ($client_country ne "IE") && ($client_country ne "DE") } {
        drop
   }
}

This section is to share generic code, so if someone what to filter 10 countries, use switch, list or datagroup

with switch :

when CLIENT_ACCEPTED {
    switch [whereis [IP::client_addr] country] {
        "US" -
        "GB" -
        "IE" -
        "DE" {
             do nothing
        }
        default {
            drop
        }
    }
}

with list :

 when CLIENT_ACCEPTED {
 set allowed_countries {"US" "GB" "IE" "DE"}
 if { [lsearch -exact $allowed_countries [whereis [IP::client_addr] country]] == -1 } {
        drop
   }
}

with datagroup :

create a data group 

allowed_countries
with values

  • US
  • GB
  • IE
  • DE

and use this code

 when CLIENT_ACCEPTED {
 if { ![class match [whereis [IP::client_addr] country]] equals allowed_countries]  } {
        drop
   }
}