on 28-Sep-2017 11:50
Problem this snippet solves:
Allowing only certain countries
How to use this snippet:
It is used in the LTM Virtual server list
Code :
when CLIENT_ACCEPTED {
    if { ([whereis [IP::client_addr] country] ne "US") && ([whereis [IP::client_addr] country] ne "GB") && ([whereis [IP::client_addr] country] ne "IE") && ([whereis [IP::client_addr] country] ne "DE") } {
        drop
    }
}
Tested this on version:
13.0

Your code is not optimized....
Each time you use [whereis [IP::client_addr] country], there are 2 commands evaluated:
It's better to insert it in a variable to avoid evaluating the same commands multiple times
when CLIENT_ACCEPTED {
    set client_country [whereis [IP::client_addr] country]
    if { ($client_country ne "US") && ($client_country ne "GB") && ($client_country ne "IE") && ($client_country ne "DE") } {
        drop
    }
}
This section is to share generic code, so if someone wants to filter 10 countries, use switch, list or datagroup
with switch :
when CLIENT_ACCEPTED {
    switch [whereis [IP::client_addr] country] {
        "US" -
        "GB" -
        "IE" -
        "DE" {
            # allowed country: do nothing
        }
        default {
            drop
        }
    }
}
with list :
when CLIENT_ACCEPTED {
    set allowed_countries {"US" "GB" "IE" "DE"}
    if { [lsearch -exact $allowed_countries [whereis [IP::client_addr] country]] == -1 } {
        drop
    }
}
with datagroup :
create a data group allowed_countries
with values
and use this code
when CLIENT_ACCEPTED {
    # Drop the connection unless the client's country code is in the data group
    if { ![class match [whereis [IP::client_addr] country] equals allowed_countries] } {
        drop
    }
}
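
Added example, not part of the original snippet or the reply above: the data group variant with the lookup cached in a variable, the "no country returned" case handled explicitly, and each drop logged so blocked sources can be reviewed. It assumes a string data group named allowed_countries holding US, GB, IE and DE, and that whereis returns an empty string for addresses the geolocation database cannot resolve; the log prefix geo-allowlist is made up for this example.

```tcl
when CLIENT_ACCEPTED {
    # Evaluate the address and the geolocation lookup once, then reuse them.
    set client_ip [IP::client_addr]
    set client_country [whereis $client_ip country]

    # Assumption: an empty result means the geolocation database has no
    # entry for this source (for example a private address range).
    # Every variant above drops such clients silently because "" is not
    # in the allowlist; here the same fail-closed decision is made
    # explicit and logged.
    if { $client_country eq "" } {
        log local0.notice "geo-allowlist: no country for $client_ip, dropping"
        drop
        return
    }

    # Assumption: allowed_countries is a string data group whose records
    # are the two-letter country codes that may connect.
    if { ![class match $client_country equals allowed_countries] } {
        log local0.notice "geo-allowlist: dropped $client_ip country=$client_country"
        drop
        return
    }
}
```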