iControl - Datagrouplist - address type with country
I need to detect if the incoming IP in the request is in the subnets listed and fetch the corresponding country. For this I created an address type list with subnets and the corresponding country (see Sample 1) and you can see the list created (Sample 2). Then I created an iRule to check if the incoming IP falls in the subnet and get the corresponding country (Sample 3). All good till now.
However, the list is getting longer and I will have to use iControl to automate the addition.
How do I add/delete/retrieve the mask/country members (same format as I added them using "tmsh create ltm data-group") via iControl? As you can see in Sample 4, I am trying to retrieve the country value and all I am getting is the address and network mask, although the list has the country name (see Sample 5). How can I then add a new one in the same format using iControl?
Sample 1
create ltm data-group internal OFAC_BLOCKED_CIDR_LIST records add { 5.100.192.0/19 { data "Belarus" } 41.66.0.0/18 {data "IvoryCoast"} 152.206.0.0/15 {data "Cuba"} 41.75.64.0/20 {data "Congo"} 91.186.192.0/19 { data "Iran" } 91.243.160.0/20 { data "Iran" } 5.42.192.0/19 {data "Iraq"} 41.57.80.0/20 {data "Liberia"} 115.84.64.0/18 {data "NorthKorea"} 41.67.0.0/18 {data "Sudan"} 5.0.0.0/16 {data "Syria"} 41.57.64.0/20 {data "Zimbabwe"}} type ip
Sample 2
(/Common)(tmos) ltm data-group internal OFAC_BLOCKED_CIDR { 5.42.192.0/19 { data Iraq } 5.100.192.0/19 { data Belarus } 41.57.64.0/20 { data Zimbabwe } 41.57.80.0/20 { data Liberia } 41.66.0.0/18 { data IvoryCoast } 41.67.0.0/18 { data Sudan } 41.75.64.0/20 { data Congo } 91.186.192.0/19 { data Iran } 91.243.160.0/20 { data Iran } 115.84.64.0/18 { data NorthKorea } 152.206.0.0/15 { data Cuba } } type ip }
Sample 3
when HTTP_REQUEST {
    # Strip any route-domain suffix (e.g. 10.0.0.1%2) so the bare address is matched
    set client_ip [getfield [IP::client_addr] "%" 1]
    # Look up the client address in the address-type data group; -value returns the stored country
    set origin_country [class match -value ${client_ip} equals OFAC_BLOCKED_CIDR]
    log local0. "Country - ${origin_country} IP address - ${client_ip}"
    # Tcl requires the body brace on the same line as the if condition
    if { ${origin_country} ne "" } {
        log local0. "Client Source IP: ${client_ip} from country ${origin_country} has been denied access to: [IP::local_addr]:[TCP::local_port]"
        HTTP::respond 200 content [ifile get noaccessimage] "Content-Type" "image/png"
    } else {
        log local0. "Client Source IP: ${client_ip} has been allowed access to: [IP::local_addr]:[TCP::local_port]"
    }
}
Sample 4
$DataGroup = "OFAC_BLOCKED_CIDR"
# get_address_class takes a list of data-group names and returns one AddressClass per name
$ClassInfo = $ic.LocalLBClass.get_address_class($DataGroup)
$name = $ClassInfo[0].name
Write-Host "Class: $name"
$members = $ClassInfo[0].members
# Each member is an AddressEntry carrying only address and netmask; there is no value property here
Write-Host $members[0].value
foreach ($member in $members) {
    Write-Host "$member "
    $a = $member.address
    Write-Host " $a"
    $b = $member.netmask
}
Sample 5
Class: OFAC_BLOCKED_CIDR
5.0.0.0 255.255.0.0
5.42.192.0 255.255.224.0
5.100.192.0 255.255.224.0
41.57.64.0 255.255.240.0
41.57.80.0 255.255.240.0
41.66.0.0 255.255.192.0
41.67.0.0 255.255.192.0
41.75.64.0 255.255.240.0
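The country string lives in the member's data value, which is a separate iControl call from the address/netmask list. The script below is an added example, not the poster's code: it assumes `$ic` is a session already opened with `Initialize-F5.iControl` (iControlSnapIn types `iControl.LocalLBClassAddressClass` / `iControl.LocalLBClassAddressEntry`), that the data group already exists, and uses a constructed RFC 5737 subnet and a made-up country name as the sample member.

```powershell
# Added example, not the poster's code. Assumes $ic was opened with
# Initialize-F5.iControl (iControlSnapIn) and the data group already exists.
$DataGroup = "OFAC_BLOCKED_CIDR"

# Convert a prefix length (e.g. 19) to the dotted netmask iControl expects (255.255.224.0).
function ConvertTo-Netmask([int]$bits) {
    $octets = foreach ($i in 0..3) {
        $n = [Math]::Min(8, [Math]::Max(0, $bits - 8 * $i))   # masked bits in this octet
        [int](256 - [Math]::Pow(2, 8 - $n))
    }
    return ($octets -join '.')
}

# Build the AddressClass structure that the add/delete/data-value calls take:
# one class name plus a list of address/netmask members.
function New-AddressClass([string]$name, [string[]]$cidrs) {
    $class = New-Object iControl.LocalLBClassAddressClass
    $class.name = $name
    $class.members = @(foreach ($cidr in $cidrs) {
        $addr, $bits = $cidr -split '/'
        $entry = New-Object iControl.LocalLBClassAddressEntry
        $entry.address = $addr
        $entry.netmask = ConvertTo-Netmask ([int]$bits)
        $entry
    })
    return $class
}

# Add: create the member first, then attach the country as its data value.
# Values are a jagged array: one inner array per class, one string per member.
# 192.0.2.0/24 and "SampleCountry" are constructed sample data, not real entries.
$new = New-AddressClass $DataGroup @("192.0.2.0/24")
$ic.LocalLBClass.add_address_class_member(@($new))
$ic.LocalLBClass.set_address_class_member_data_value(@($new), @(, @("SampleCountry")))

# Retrieve: members come from get_address_class, the country from
# get_address_class_member_data_value; the two arrays line up by index.
$class  = $ic.LocalLBClass.get_address_class(@($DataGroup))[0]
$values = $ic.LocalLBClass.get_address_class_member_data_value(@($class))[0]
for ($i = 0; $i -lt $class.members.Count; $i++) {
    $m = $class.members[$i]
    Write-Host ("{0}/{1} -> {2}" -f $m.address, $m.netmask, $values[$i])
}

# Delete: the same structure identifies the member to remove; its data value goes with it.
$ic.LocalLBClass.delete_address_class_member(@($new))
```

The string written with set_address_class_member_data_value is exactly what the iRule's `class match -value` returns, so members added this way behave like the ones created with tmsh.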