Forum Discussion

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Mar 22, 2021

replacing irule with policy

Hello guys

I'm trying to replace this iRule with policy:

 

when CLIENT_ACCEPTED {
  set allowed 0
  if { [class match -- [whereis [IP::client_addr] country] equals country_list] or 
  [class match [IP::client_addr] equals internal_addresses] } {
   set allowed 1
  }
}
when HTTP_REQUEST {
 if { $allowed } {
    #log local0. "Valid client IP: [whereis [IP::client_addr] country]"
  } else {
   HTTP::respond 403 content {Country Not Allowed}
    #log local0. "Blocked client IP: [IP::client_addr] [whereis [IP::client_addr] country]"
  }
}

 

I already have a policy with implicit rule to forward all traffic to ASM

So I'm trying to add a rule above it to reset all traffic that does not match those two datagroups:

country_list

internal_addresses

But as you can see, when using "is not", the "in datagroup" disabled and cannot be checked

 This only happens in "Geo. IP" condition

I have 13.1.3.4 by the way

What can be does to solve this?

  • I have seen this before with IP list datagroups. As a work around try selecting "any of" from the drop down and specifying a single value (can be anything), save it. Then open this rule again to edit and you should be able to switch it to datagroup in the drop down.

  • This looks more like an error in the UI than a missing/feature. In my lab (15.1.2.1) I could select in datagroup from the dropdown.

     

    I'd check the usual stuff. Different browser. If you have a BIG-IP cluster, check if the same behaviour exists on the second cluster node.

    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus

      It is not a browser issue, since i checked with ff and chrome, same results

       

      I have another F5-VE 15.1.2 and there I can select 'in datagroup' only if I select 'is'

      When I choose 'is not' the option for 'in datagroup' is gone

       

       

      • Daniel_Wolf's avatar
        Daniel_Wolf
        Icon for MVP rankMVP

        Uh, my bad. I didn't pay attention the very important is and is not. You are right, this doesn't seem to be possible - datagroup is not available any longer.

        So your datagroup is actually sort of an allow list. If my country code is in the datagroup my connection won't be reset.

         

        I don't have an idea to solve this one.

  • Created in the GUI, I ended up with a test policy similar to what you are describing, with no option to set "is not" on a datagroup:

     

    ltm policy dg_check {
        draft-copy Drafts/dg_check
        last-modified 2021-03-30:02:07:31
        requires { http }
        rules {
            dg_check {
                actions {
                    0 {
                        shutdown
                        client-accepted
                        connection
                    }
                }
                conditions {
                    0 {
                        geoip
                        client-accepted
                        country-code
                        datagroup accepted_country_codes
                    }
                }
            }
        }
        status published
        strategy first-match
    }

     

    However, if you go into the command line and modify this in tmsh, it appears to work:

     

    root@(ltm3)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify ltm policy dg_check legacy rules modify { dg_check { conditions replace-all-with { 0 { geoip client-accepted country-code not datagroup accepted_country_codes } } } }
    root@(ltm3)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm policy dg_check
    ltm policy dg_check {
        draft-copy Drafts/dg_check
        last-modified 2021-03-30:02:09:04
        requires { http }
        rules {
            dg_check {
                actions {
                    0 {
                        shutdown
                        client-accepted
                        connection
                    }
                }
                conditions {
                    0 {
                        geoip
                        client-accepted
                        country-code
                        not
                        datagroup accepted_country_codes
                    }
                }
            }
        }
        status published
        strategy first-match
    }

     

    And then it appears in the GUI as expected (until you mess with it, then it is not recoverable there)

     I was not able to create a draft and then publish in tmsh (likely an error on my part). Using the legacy keyword I was able to work around that, but be advised my example makes immediate changes to the published policy.

    I have NOT confirmed that the not keyword in the condition will function properly in this policy. If it does (please test and let me know) then this is very likely a UI bug and not a problem with functionality.

    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus

      Thanks

      Seems to be risky a little bit since you need to change in CLI because it is not even an option in v15.1 GUI. So I'm not sure if this will be an upgrade obstacle in the future if did it this way when we upgrade from 13 to 15.

      I'll try to find a lab for this and do the tests.

      Thanks again, I appreciate your answer :)