F5BigFwRulelist

Overview

The F5BigFwRulelist Custom Resource (CR) consists of an array of ACL rules. A rule list supports the same features as standard ACL rules.

This document guides you through understanding, configuring and installing a simple F5BigFwRulelist CR.

CR parameters

The tables below describe the F5BigFwRulelist CR parameters.

metadata

Parameter Description
name The name of the F5BigFwRulelist CR.
namespace The Kubernetes namespace the firewall rule list will be installed in.

spec

Parameter Description
rule.name The name of the firewall rule.
rule.ipProtocol Specifies the IP protocol against which the packet will be compared. The default value is "any". The F5BigFwRulelist IP Protocols document contains the full list of supported protocols.
rule.source.addresses Specifies a list of IPv4 or IPv6 source addresses against which the packet will be compared. Each entry is a host (2002::10:10:10:1), a subnet (2002::10:10:0:0/96), or a range (2002::10:10:10:1-2002::10:10:10:20).
rule.source.addressLists Specifies one or more F5BigCneAddressList CRs, referenced by metadata.name, against which the packet will be compared. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold:
- This attribute specifies one or more addressLists, and
- All of these addressLists are empty or do not exist (soft-reference case), and
- The rule does not specify any direct source address.
rule.source.ports Specifies a list of source service ports or port ranges against which the packet will be compared. Port 0 is a valid value that functions as a service port, not as a wildcard.
rule.source.portLists Specifies one or more F5BigCnePortList CRs, referenced by metadata.name, against which the packet will be compared. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold:
- This attribute specifies one or more portLists, and
- All of these portLists are empty or do not exist (soft-reference case), and
- The rule does not specify any direct source port.
rule.source.vlans Specifies an array of F5BigNetVlan names.
rule.source.zones Specifies an array of VLAN zone names (strings); the default is an empty array. For more information, refer to the F5BigCneZone guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute specifies one or more zones, and
- All of these zones are empty, do not exist (soft-reference case), or refer only to non-existent VLANs.
rule.destination.addresses Specifies a list of IPv4 or IPv6 destination addresses against which the packet will be compared. Each entry is a host (2002::10:10:10:1), a subnet (2002::10:10:0:0/96), or a range (2002::10:10:10:1-2002::10:10:10:20).
rule.destination.ports Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is a valid value that functions as a service port, not as a wildcard.
rule.destination.zones Specifies an array of VLAN zone names (strings); the default is an empty array. For more information, refer to the F5BigCneZone guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute specifies one or more zones, and
- All of these zones are empty, do not exist (soft-reference case), or refer only to non-existent VLANs.
rule.destination.addressLists Specifies one or more F5BigCneAddressList CRs, referenced by metadata.name, against which the packet will be compared. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold:
- This attribute specifies one or more addressLists, and
- All of these addressLists are empty or do not exist (soft-reference case), and
- The rule does not specify any direct destination address.
rule.destination.portLists Specifies one or more F5BigCnePortList CRs, referenced by metadata.name, against which the packet will be compared. The ACL/NAT rule is disabled internally and is not used for matching traffic while all of the following hold:
- This attribute specifies one or more portLists, and
- All of these portLists are empty or do not exist (soft-reference case), and
- The rule does not specify any direct destination port.
rule.action Specifies the action applied to a packet that matches the ACL rule: "accept-decisively", "accept", "drop", or "reject".
rule.logging Enables logging of ACL rule matches: true or false (default).
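
As an added example (not F5's code), the following Python linter applies the spec rules above to F5BigFwRulelist rules: it parses the three address forms, accepts port 0 as a real service port, and reports a rule as disabled internally under the documented soft-reference conditions. The inventory of address lists, port lists and zones, and the sample rules, are constructed assumptions standing in for what a cluster query would return.

```python
import ipaddress
# Constructed inventory (assumption, not from the page): name -> usable members (VLANs for zones).
ADDRESS_LISTS = {"partners": 3, "empty-list": 0}
PORT_LISTS = {"web": 2}
ZONES = {"zone1": 2, "stale-zone": 0}

def parse_address(text):
    """Accept the three forms the CR allows: host, subnet (CIDR) or low-high range."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("range ends must be the same family, low first")
        return ("range", lo, hi)
    if "/" in text:
        return ("subnet", ipaddress.ip_network(text, strict=False))
    return ("host", ipaddress.ip_address(text))

def valid_port(spec):
    """Port or port range; 0 is a legitimate service port here, not a wildcard."""
    lo, _, hi = str(spec).partition("-")
    return lo.isdigit() and (hi == "" or hi.isdigit()) and int(lo) <= int(hi or lo) <= 65535

def soft_ref_disabled(refs, inventory, direct):
    """Documented rule: lists are named, all are empty or missing, and no direct value is given."""
    return bool(refs) and all(inventory.get(r, 0) == 0 for r in refs) and not direct

def check_rule(rule):
    """Findings for one rule; an empty list means it is well-formed and will be used for matching."""
    name, findings = rule["name"], []
    for side in ("source", "destination"):
        s = rule.get(side, {})
        for a in s.get("addresses", []):
            try:
                parse_address(a)
            except ValueError as exc:
                findings.append(f"{name}: invalid {side} address {a!r} ({exc})")
        findings += [f"{name}: invalid {side} port {p!r}" for p in s.get("ports", []) if not valid_port(p)]
        for lists, inv, direct in (("addressLists", ADDRESS_LISTS, "addresses"), ("portLists", PORT_LISTS, "ports")):
            if soft_ref_disabled(s.get(lists), inv, s.get(direct)):
                findings.append(f"{name}: disabled, {side} {lists} unresolved and no direct {direct}")
        if soft_ref_disabled(s.get("zones"), ZONES, None):  # zones have no direct fallback
            findings.append(f"{name}: disabled, {side} zones empty, missing or without VLANs")
    return findings

SAMPLE_RULES = [  # constructed: one sound rule, one five-octet address typo, one with dangling references
    {"name": "ok", "source": {"addresses": ["2002::10:10:10:1-2002::10:10:10:20"], "zones": ["zone1"]},
     "destination": {"ports": ["0", "80-443"], "addressLists": ["partners"]}},
    {"name": "typo", "source": {"addresses": ["11.45.43.22.102"]}},
    {"name": "dangling", "source": {"addressLists": ["empty-list", "missing"]}, "destination": {"zones": ["stale-zone"]}},
]
```

Run check_rule over every entry of spec.rule before applying a CR; a rule reported as disabled is accepted by Kubernetes but never matches traffic.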

CR Example

apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwRulelist
metadata:
  name: "rulelist2"
  namespace: "cnf-gateway"
spec:
  rule:
    - name: rule1
      ipProtocol: tcp
      source:
        addresses:
          - "11.45.43.102"
        zones:
          - "zone1"
          - "zone2"
      destination:
        ports:
          - "80"
        zones:
          - "zone3"
          - "zone4"
        addresses:
          - "22.55.44.102"
      action: "accept"
      logging: true

    - name: rule2
      ipProtocol: tcp
      source:
        addresses:
          - "11.45.43.103"
        zones:
          - "zone1"
          - "zone2"
      destination:
        ports:
          - "80"
        zones:
          - "zone3"
          - "zone4"
        addresses:
          - "22.55.44.103"
      action: "accept"
      logging: true

Maximum rule size

When F5BigFwRulelist CRs are installed into the cluster, the firewall rule list set is declared in the metadata.annotations section of the installed CR. It is important to note that Kubernetes does not allow the metadata.annotations section to exceed 262144 bytes of data, and will log an error message stating this size limitation.

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigFwRulelist CR shortName is fwrl.

View CR instance:

kubectl get fwrl -n <namespace>

View CR configuration:

kubectl get fwrl -n <namespace> -o yaml

Creating Firewall Rule List

To create a firewall rule list using the F5BigFwRulelist CR, you must also specify the firewall rule list name within the F5BigFwPolicy CR. For additional details, refer to the F5BigFwPolicy CR.

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigFwRulelist CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. The example F5BigFwPolicy CR defines two firewall ACL rules: ACL-rule-1 references the rule list rulelist1, and ACL-rule-2 is defined inline. Copy and paste the example into a YAML file:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigFwPolicy
    metadata:
      name: "cnf-fw-policy"
      namespace: "cnf-gateway"
    spec:
      rule:
        - name: ACL-rule-1
          rulelist: rulelist1
        - name: ACL-rule-2
          ipProtocol: tcp
          source:
            addresses:
              - "55.45.42.100"
            zones:
              - "zone1"
              - "zone2"
          destination:
            addresses:
              - "58.48.48.100"
            zones:
              - "zone3"
              - "zone4"
          action: "accept"
          logging: true
    
  2. Install the F5BigFwPolicy CR:

    kubectl apply -f cnf-fw-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated:

    I0202 12:00:00.12346   1 event.go:282] Event(v1.ObjectReference{Kind:"F5FirewallPolicy",
    FirewallPolicy cnf-gateway/cnf-fw-policy was added/updated
    
  3. The example F5BigFwRulelist CR defines the rule list rulelist1 referenced by the F5BigFwPolicy CR, containing a single TCP rule. Copy and paste the example into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigFwRulelist
    metadata:
      name: "rulelist1"
      namespace: "cnf-gateway"
    spec:
      rule:
        - name: rule1
          ipProtocol: tcp
          source:
            addresses:
              - "11.45.43.102"
          destination:
            ports:
              - "80"
          action: "accept"
          logging: true
    
  4. Install the F5BigFwRulelist CR:

    kubectl apply -f f5-cnf-rulelist.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigFwRulelist CR was added/updated:

    I0202 12:00:00.12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5Rulelist",
    Rulelist cnf-gateway/cnf-rulelist was added/updated
    
  5. Continue to the Firewall Rule List statistics section.

Firewall Rule List statistics

If the TMM Debug sidecar is enabled (the default), use the steps below to verify the firewall rule list statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the F5BigFwRulelist statistics:

    tmctl -d blade fw_rule_stat
    
    context_type context_name
    ------------ ------------------------------------------
    virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs
    
    rule_name                            micro_rules counter last_hit_time action
    ------------------------------------ ----------- ------- ------------- ------
    ACL-rule-2-firewallpolicyrule                  1       0             0      2
    rulelist1-firewallrulelist1                    1       1    16904491000     2
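
As an added example (not part of F5's tooling), this Python snippet parses fw_rule_stat output in the layout shown above and lists the rules whose counter is still 0, a quick way to spot rule-list entries that never match traffic. The embedded tmctl output is constructed from the table above rather than captured from a live system.

```python
# Constructed tmctl output (assumption, not captured from a live system) in the fw_rule_stat layout.
TMCTL_OUTPUT = """\
context_type context_name
------------ ------------------------------------------
virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs

rule_name                            micro_rules counter last_hit_time action
------------------------------------ ----------- ------- ------------- ------
ACL-rule-2-firewallpolicyrule                  1       0             0      2
rulelist1-firewallrulelist1                    1       1    16904491000     2
"""

def parse_tmctl_tables(text):
    """Split tmctl's whitespace-aligned output into tables; each table is a list of row dicts."""
    tables, header = [], None
    for line in text.splitlines():
        if not line.strip():
            header = None                 # a blank line ends the current table
        elif header is None:
            header = line.split()         # first non-blank line of a table is its column header
            tables.append([])
        elif set(line.strip()) <= {"-", " "}:
            continue                      # dashed underline row
        else:
            tables[-1].append(dict(zip(header, line.split())))
    return tables

def never_hit_rules(text):
    """Rule names whose fw_rule_stat counter is still 0: candidates for review or cleanup."""
    rules = next((t for t in parse_tmctl_tables(text) if t and "rule_name" in t[0]), [])
    return [r["rule_name"] for r in rules if int(r["counter"]) == 0]
```

Feed it the real output with `tmctl -d blade fw_rule_stat` piped to a file from the debug container; column values containing spaces would need a fixed-width split instead of whitespace splitting.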
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.