Forum Discussion

Ashish_Gupta_15
Nimbostratus
Dec 23, 2016

iControl - Datagrouplist - address type with country

I need to detect if the incoming IP in the request is in the subnets listed and fetch the corresponding country. For this I created an address type list with subnets and the corresponding country (see Sample 1) and you can see the list created (Sample 2). Then I created an iRule to check if the incoming IP falls in the subnet and get the corresponding country (Sample 3). All good till now.

However, the list is getting longer and I will have to use iControl to automate the addition.

How do I add/delete/retrieve the mask/country members (same format as I added them using "tmsh create ltm data-group") via iControl? As you can see in Sample 4, I am trying to retrieve the country value and all I am getting is the address and network mask, although the list has the country name (see Sample 5). How can I then add a new one in the same format using iControl?

Sample 1

create ltm data-group internal OFAC_BLOCKED_CIDR_LIST records add { 5.100.192.0/19 { data "Belarus" } 41.66.0.0/18 {data "IvoryCoast"} 152.206.0.0/15 {data "Cuba"}  41.75.64.0/20 {data "Congo"} 91.186.192.0/19 { data "Iran" } 91.243.160.0/20 { data "Iran" } 5.42.192.0/19 {data "Iraq"} 41.57.80.0/20 {data "Liberia"} 115.84.64.0/18 {data "NorthKorea"} 41.67.0.0/18 {data "Sudan"} 5.0.0.0/16 {data "Syria"} 41.57.64.0/20 {data "Zimbabwe"}} type ip

Sample 2

(/Common)(tmos) ltm data-group internal OFAC_BLOCKED_CIDR { 5.42.192.0/19 { data Iraq } 5.100.192.0/19 { data Belarus } 41.57.64.0/20 { data Zimbabwe } 41.57.80.0/20 { data Liberia } 41.66.0.0/18 { data IvoryCoast } 41.67.0.0/18 { data Sudan } 41.75.64.0/20 { data Congo } 91.186.192.0/19 { data Iran } 91.243.160.0/20 { data Iran } 115.84.64.0/18 { data NorthKorea } 152.206.0.0/15 { data Cuba } } type ip }

Sample 3

when HTTP_REQUEST {
    # Strip any route-domain suffix (e.g. 10.1.1.1%2) before the lookup
    set client_ip [getfield [IP::client_addr] "%" 1]
    # For an address-type data group, "equals" matches the IP against the
    # listed subnets and -value returns the record's data field (the country)
    set origin_country [class match -value $client_ip equals OFAC_BLOCKED_CIDR]

    log local0. "Country - ${origin_country} IP address - ${client_ip}"
    # Tcl needs the opening brace on the same line as the if/else keyword
    if { ${origin_country} ne "" } {
        log local0. "Client Source IP: ${client_ip} from country ${origin_country} has been denied access to: [IP::local_addr]:[TCP::local_port]"
        HTTP::respond 200 content [ifile get noaccessimage] "Content-Type" "image/png"
    } else {
        log local0. "Client Source IP: ${client_ip} has been allowed access to: [IP::local_addr]:[TCP::local_port]"
    }
}

Sample 4

$DataGroup = "OFAC_BLOCKED_CIDR"
# get_address_class takes a string[] of class names and returns AddressClass[]
$ClassInfo = $ic.LocalLBClass.get_address_class(@($DataGroup))
$name = $ClassInfo[0].name
Write-Host "Class: $name"
$members = $ClassInfo[0].members
# Each member is an AddressEntry with only address and netmask; there is no
# value field on it, so this prints nothing
Write-Host $members[0].value
foreach ($member in $members) {
    $a = $member.address
    $b = $member.netmask
    Write-Host "$a $b"
}

Sample 5

Class: OFAC_BLOCKED_CIDR
5.0.0.0 255.255.0.0
5.42.192.0 255.255.224.0
5.100.192.0 255.255.224.0
41.57.64.0 255.255.240.0
41.57.80.0 255.255.240.0
41.66.0.0 255.255.192.0
41.67.0.0 255.255.192.0
41.75.64.0 255.255.240.0

1 Reply

  • I made some headway into this and wanted to post my progress here in case it helps someone. Will come back in case I face any issue, or better, will post the complete solution if and when I am done. Please feel free to opine on this.

    Basically each data group list member can be associated with a value. You associate this list of values with the data group class in the same sequence in which you associate the members with the data group list. If you want to retrieve the value, you retrieve all the values from the data group class at once and can access them in the same sequence in which you put them in earlier.

    There are GET and SET functions in iControl.

    Get the data member value: https://devcentral.f5.com/wiki/iControl.LocalLB__Class__get_address_class_member_data_value.ashx

    $DataGroup = "OFAC_BLOCKED_CIDR"
    $ClassInfo = $ic.LocalLBClass.get_address_class(@($DataGroup))
    # Returns string[][]: one string[] of data values per class passed in
    $c = $ic.LocalLBClass.get_address_class_member_data_value($ClassInfo)
    Write-Host $c[0][0]

    $c will return the data values associated with each class member, organized in the same manner as the class member IP addresses.

    Set the data member value: https://devcentral.f5.com/wiki/iControl.LocalLB__Class__set_address_class_member_data_value.ashx
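The question asks how to add, delete and retrieve members together with their country value through iControl, and the reply shows that the data values travel in a parallel array to the members. The script below is an added example, not code from the thread or from F5: it ties the get/add/set/delete calls of the LocalLB.Class interface together from the iControl PowerShell snap-in, converting the tmsh-style "a.b.c.d/len" notation into the address plus dotted netmask that the AddressEntry struct expects. The host name, credentials and the data-group name are assumptions taken as placeholders.

```powershell
# Added example, not from the original thread. Manages an address-type data group
# and its per-member data values through the iControl SOAP LocalLB.Class interface,
# using the F5 iControl PowerShell snap-in. Host name and credentials below are
# placeholders (assumptions); the data-group name is the one used in the thread.

Add-PSSnapin iControlSnapIn -ErrorAction SilentlyContinue
Initialize-F5.iControl -HostName "bigip.example.com" -Username "admin" -Password "admin" | Out-Null
$ic = Get-F5.iControl

$DataGroup = "OFAC_BLOCKED_CIDR"

# AddressEntry carries a dotted netmask rather than a prefix length, so a
# "/19" from tmsh has to become "255.255.224.0" before it is sent.
function ConvertTo-Netmask([int]$PrefixLength) {
    if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) {
        throw "Invalid prefix length: $PrefixLength"
    }
    $bits = ("1" * $PrefixLength).PadRight(32, "0")
    $octets = 0..3 | ForEach-Object { [Convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }
    return ($octets -join ".")
}

# Build one AddressEntry from "a.b.c.d/len"; a bare address is treated as a /32 host.
function New-AddressEntry([string]$Cidr) {
    $address, $length = $Cidr -split "/", 2
    if (-not $length) { $length = 32 }
    $entry = New-Object iControl.LocalLBClassAddressEntry
    $entry.address = $address
    $entry.netmask = ConvertTo-Netmask ([int]$length)
    return $entry
}

# Wrap a list of CIDRs in the AddressClass struct every LocalLB.Class call expects.
function New-AddressClass([string]$Name, [string[]]$Cidrs) {
    $class = New-Object iControl.LocalLBClassAddressClass
    $class.name = $Name
    $class.members = [iControl.LocalLBClassAddressEntry[]]@($Cidrs | ForEach-Object { New-AddressEntry $_ })
    return $class
}

# Retrieve members and their data values. The two arrays are parallel, so
# index i of the values belongs to member i of the class.
function Get-DataGroupRecords([string]$Name) {
    $classes = $ic.LocalLBClass.get_address_class([string[]]@($Name))
    $values  = $ic.LocalLBClass.get_address_class_member_data_value($classes)
    $members = $classes[0].members
    for ($i = 0; $i -lt $members.Count; $i++) {
        [pscustomobject]@{
            Address = $members[$i].address
            Netmask = $members[$i].netmask
            Data    = $values[0][$i]
        }
    }
}

# Add a subnet and attach its data value. The value is set in a second call
# over the same struct, so the positions in $values line up with $class.members.
function Add-DataGroupRecord([string]$Name, [string]$Cidr, [string]$Data) {
    $class = New-AddressClass $Name @($Cidr)
    $ic.LocalLBClass.add_address_class_member([iControl.LocalLBClassAddressClass[]]@($class))
    $values = New-Object 'string[][]' 1
    $values[0] = [string[]]@($Data)
    $ic.LocalLBClass.set_address_class_member_data_value([iControl.LocalLBClassAddressClass[]]@($class), $values)
}

# Remove a subnet; its data value is removed with it.
function Remove-DataGroupRecord([string]$Name, [string]$Cidr) {
    $class = New-AddressClass $Name @($Cidr)
    $ic.LocalLBClass.delete_address_class_member([iControl.LocalLBClassAddressClass[]]@($class))
}

# Usage: add one record the way tmsh would ("5.100.192.0/19 { data Belarus }"),
# list the group with its values, then remove the record again.
Add-DataGroupRecord $DataGroup "5.100.192.0/19" "Belarus"
Get-DataGroupRecords $DataGroup | Format-Table -AutoSize
Remove-DataGroupRecord $DataGroup "5.100.192.0/19"
```

Because the add and the value assignment are two separate calls, a failure between them leaves a member with an empty data value; the iRule in Sample 3 would then treat that subnet as not blocked, since it tests for a non-empty country string. Re-running set_address_class_member_data_value for that member repairs it. The struct passed to set_address_class_member_data_value only needs to contain the members whose values are being set, so existing entries and their positions are not disturbed.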