Help with iRule - Access Control Based on IP

Jose_Cruz · ‎17-Mar-2023

I am trying to use Access Control Based on IP irule to restrict access to a virtual server.

However when i apply the iRule the connection gets rejected and i see this in the logs (this is all in my lab):

TCL error: /jeclab/allowed_clients_2 <CLIENT_ACCEPTED> - can't read "::trustedAddresses": no such variable while executing "matchclass [IP::client_addr] equals $::trustedAddresses"

iRule, datagroup and virtual config attached.

Paulius · ‎17-Mar-2023

@Jose_Cruz The reason for this error is because your variable is entered in incorrectly and should be $trustedAddresses but you have $::trustedAddresses with the two : between the $ and the data-group name.

JRahm · ‎20-Mar-2023

Hi @Jose_Cruz,

matchclass was deprecated in v10, and that iRule should look like instead:

when CLIENT_ACCEPTED priority 500 {
    if { [class match -- [IP::client_addr] equals trustedAddresses] } {
        #Uncomment the line below to turn on logging.
        log local0. "Valid client IP: [IP::client_addr] - forwarding traffic"
        forward
    } else {
        #Uncomment the line below to turn on logging.
        log local0. "Invalid client IP: [IP::client_addr] - discarding"
        discard
    }
}

Your data-group has the same value as the key, is this intended? Not sure what use that is, if you are not using values, you do not need to set them.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

DevCentral

Help with iRule - Access Control Based on IP

Register For AppWorld 2024

DevCentral Podcasts