Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

JRahm's avatar
JRahm
Icon for Admin rankAdmin
Jan 22, 2026

AppWorld DC Booth Kiosk Generator

Welcome to AppWorld, community! You may or may not be with us in person, but you can watch this thread for iRules that are either generated or described by the Distributed Cloud AI Assistant.
application delivery
dc kiosk
irules
JimmyPackets's avatar
JimmyPackets
Icon for Cirrus rankCirrus
Mar 12, 2026

iRule Explanation - from the iRules Toolbox

Source: vip_to_vip_redirection.txt

# Create an F5 iRule that redirects client connections based on the source port. The iRule should check if the client is connecting on port 80, and if so, internally redirect the connection to a specific virtual server named "HTTP_virtual" while maintaining transparency to the client.

when CLIENT_ACCEPTED priority 500 {
    # This event triggers as soon as a client connection is accepted by the virtual server
    
    # Check if the client is connecting on port 80 (standard HTTP port)
    # This allows selective processing based on the client's source port
    if {[TCP::remote_port] == 80} {
        # If the client is connecting on port 80, redirect the connection internally
        # to another virtual server named "HTTP_virtual"
        # This is a VIP-to-VIP redirection that happens transparently to the client
        # The client remains unaware that their traffic is being handled by a different virtual server
        virtual HTTP_virtual
    }
    # If the client is connecting on any other port, the connection continues
    # to be processed by the current virtual server (implicit else case)
}

Explanation (generated by F5 Distributed Cloud AI Assistant):


Objective
• This iRule triggers when a client connection is accepted and examines the TCP port used by the client.
• If that port equals 80, it internally redirects the session to the virtual server named “HTTP_virtual.”
• The redirection is performed transparently (VIP-to-VIP), so the client sees no change in endpoint.

Execution Flow
• The CLIENT_ACCEPTED event with priority 500 fires as soon as the BIG-IP accepts a new client connection (iRule code line 1).
• [TCP::remote_port] is evaluated in the clientside context to obtain the client’s source port (Docs: TCP::remote_port Description).
• The rule compares that port to 80; if true, it invokes virtual HTTP_virtual to route the connection to that virtual server (Docs: virtual for VIP-to-VIP redirection).
• If the port is not 80, no action is taken and processing continues on the original virtual server (implicit else).

Potential Logic Concerns
• The rule checks [TCP::remote_port] == 80, but in a clientside context this returns the client’s ephemeral source port, not the listening port; the condition will almost never be true, so the intended redirect won’t occur. (high confidence)


Overall Summary
• The iRule correctly implements a VIP-to-VIP redirect based on a port check, but it uses the wrong port qualifier.
• Updating the condition to [TCP::local_port] == 80 will ensure HTTP traffic is properly redirected to “HTTP_virtual.”
F5, Inc. ("F5") disclaims all liability in connection with any output generated by the AI Assistant ("Output") or use thereof, including without limitation any negative business impact caused by your use of Output to administer, direct, configure or control the operation and functioning of any F5 products. Output is provided "as is" without any warranties of any kind.