For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

amolari's avatar
amolari
Icon for Cirrostratus rankCirrostratus
Jan 29, 2015

apm irule, unexpected result - variable scope not standard?

I have the following iRule

when RULE_INIT {
   set entrypoint "/Reports/Pages/ReportViewer.aspx?%2fWelcome&rs:Command=Render"
   set backend_host "aa.bbb.com"
}

when ACCESS_POLICY_COMPLETED {
   if { [ACCESS::policy result] eq "allow" }{
       set initialpath [ACCESS::session data get session.server.landinguri]
       log local0. "POLICY_COMPLETED - host=[ACCESS::session data get session.server.network.name] - path=$initialpath" 
       if { not ($initialpath equals $entrypoint) }{
            ACCESS::session data set session.custom.entrypoint.redirect "1"
            log local0. "setting session.custom.entrypoint.redirect var to 1"
        }
    }
    log local0. "Acces_policy_compl, entrypoint value= $entrypoint"
}

when ACCESS_ACL_ALLOWED {
    if { [ACCESS::session data get session.custom.entrypoint.redirect] eq "1" }{
        HTTP::uri $entrypoint
        log local0. "Reporting : rewrite initial URI to $entrypoint done"
        ACCESS::session data set session.custom.entrypoint.redirect "0"
    }
    set vs_host [HTTP::host]
    HTTP::header replace Host $backend_host 
}

in the logs I see

tmm1[8580]: Rule /Common/reporting_apm : POLICY_COMPLETED - host= - path=/
tmm1[8580]: Rule /Common/reporting_apm : setting session.custom.entrypoint.redirect var to 1
tmm1[8580]: Rule /Common/reporting_apm : Acces_policy_compl, entrypoint value= /Common/
tmm[8580]: 01220001:3: TCL error: /Common/reporting_apm  - can't read "entrypoint": no such variable     while executing "HTTP::uri $entrypoint"
tmm[8580]: 01220001:3: TCL error: /Common/reporting_apm  - can't read "entrypoint": no such variable     while executing "HTTP::uri $entrypoint"

  • variables are not passed from ACCESS_POLICY_COMPLETED to ACCESS_ACL_ALLOWED.. As a "workaround" I've set APM variables. Any reason why?

  • why the entrypoint variable cannot be read in th ACCESS_ACL_ALLOWED event and has a "corrupted" value in the ACCESS_POLICY_COMPLETED ?

Would be thankful for any tip

Alex

application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
security

1 Reply

  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    Jan 29, 2015

    Firstly, to get an understanding of the flow, you can check out this article describing the APM event flow. Because you won't have a single request that ends up hitting both 

    ACCESS_POLICY_COMPLETED
    and 
    ACCESS_ACL_ALLOWED
    , you can't share variables between them (since variables live and die with the request). Session variables are more persistent and can be accessed as throughout the session. I think that should help answer your first question.

    For your second question, RULE_INIT sets a variable when you save the iRule, so it's a global variable. Try changing your irule to use 

    set ::entrypoint
    and 
    set ::backend_host
    instead and then reference them the same way (e.g. 
    HTTP::uri $::entrypoint
    ). See if that helps.