iRule to restrict TCP and UDP to the same range of ports.

Question

Like the title says, I'm trying to make an iRule to restrict ports to a VS.&nbsp;
I was trying to use the following, but getting an error.
when CLIENT_ACCEPTED {
    if {([TCP::local_port] &gt;= 10514 ) &amp;&amp; ([TCP::local_port] &lt;= 10526) || 
([TCP::local_port] &gt;= 514 ) &amp;&amp; ([TCP::local_port] &lt;= 515) } {
      pool Pool_Name
    } 
    elseif {([UDP::local_port] &gt;= 10514 ) &amp;&amp; ([UDP::local_port] &lt;= 10526) || 
([UDP::local_port] &gt;= 514 ) &amp;&amp; ([UDP::local_port] &lt;= 515) } {
      pool Pool_Name
    } else reject
}&nbsp;
The error doesn't help me understand where my mistake is.
01070151:3: Rule [/Common/SPL-PRD-SYS-restricted] error: /Common/SPL-PRD-SYS-restricted:6: error: [undefined procedure: elseif][elseif {([UDP::local_port] &gt;= 10514 ) &amp;&amp; ([UDP::local_port] &lt;= 10526) || 
([UDP::local_port] &gt;= 514 ) &amp;&amp; ([UDP::local_port] &lt;= 515) } {
pool Pool_Name
} else reject]&nbsp;
Thanks&nbsp;

patrik_jonsson · Answer

You're missing some curly brackets. Try this:
when CLIENT_ACCEPTED {
    if {([TCP::local_port] &gt;= 10514 ) &amp;&amp; ([TCP::local_port] &lt;= 10526) || ([TCP::local_port] &gt;= 514 ) &amp;&amp; ([TCP::local_port] &lt;= 515) } {
        pool Pool_Name
    } elseif {([UDP::local_port] &gt;= 10514 ) &amp;&amp; ([UDP::local_port] &lt;= 10526) || ([UDP::local_port] &gt;= 514 ) &amp;&amp; ([UDP::local_port] &lt;= 515) } {
        pool Pool_Name
    } else {
        reject
    }
}

/Patrik

patrik_jonsson · Answer

I might do it like this instead as it's easier to read.
when CLIENT_ACCEPTED {

Check which protocol and set the port variable
    if { [IP::protocol] == 6 } {
        6 means TCP
        set port [TCP::local_port]
    } elseif { [IP::protocol] == 17 } {
        17 means UDP
        set port [UDP::local_port]
    } else {
        Unhandled protocol
        set port 0
    }

Make sure the ports are between 10514 and 10526 OR 514, the select the pool
    if { ($port &gt;= 10514 &amp;&amp; $port &lt;= 10526) || $port == 514 } {
        pool Pool_Name
    } else {
        reject
    }
}

/Patrik

Forum Discussion

iRule to restrict TCP and UDP to the same range of ports.

2 Replies

Recent Discussions

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Related Content

Office 365 Tenant Restrictions

F5 iRule Geolocation restriction

Irule for restricting access

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

Assistance with iRule using port ranges