IRule to Allow Counries F5 13.0 Software

Problem this snippet solves: Allowing only certain countries How to use this snippet: It is used in the LTM Virtual server list Code : when CLIENT_ACCEPTED { if { ([whereis [IP::client_add...
Published Sep 28, 2017
Version 1.0
iRules
LTM
security

Was this article helpful?

Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Sep 29, 2017

your code is not optimized....

each time you use 

[whereis [IP::client_addr] country]
, there are 2 commands evaluated:

  • [IP::client_addr]
  • [whereis XX country]

it's better to insert it in a variable to prevent to evaluate the same commands multiple times 

when CLIENT_ACCEPTED {
    set client_country [whereis [IP::client_addr] country]
    if {  ($client_country ne "US") && ($client_country ne "GB") && ($client_country ne "IE") && ($client_country ne "DE") } {
        drop
   }
}

This section is to share generic code, so if someone what to filter 10 countries, use switch, list or datagroup

with switch :

when CLIENT_ACCEPTED {
    switch [whereis [IP::client_addr] country] {
        "US" -
        "GB" -
        "IE" -
        "DE" {
             do nothing
        }
        default {
            drop
        }
    }
}

with list :

 when CLIENT_ACCEPTED {
 set allowed_countries {"US" "GB" "IE" "DE"}
 if { [lsearch -exact $allowed_countries [whereis [IP::client_addr] country]] == -1 } {
        drop
   }
}

with datagroup :

create a data group 

allowed_countries
with values

  • US
  • GB
  • IE
  • DE

and use this code

 when CLIENT_ACCEPTED {
 if { ![class match [whereis [IP::client_addr] country]] equals allowed_countries]  } {
        drop
   }
}