Forum Discussion

Scott_Larson
Jul 03, 2007

Block until NAME::lookup returns?

For my iRule, I need to perform a reverse DNS lookup, and determine if a client IP is from a domain ending in .mil or .gov. This determines whether or not they need to authenticate. The authentication works fine; even the NAME::lookup works fine (through much trial and tribulation due to lacking documentation!!!). The problem is that since NAME::lookup is an asynchronous function, I need to block (wait) all HTTP requests until the lookup returns and I can determine whether the client is or isn't from .mil/.gov. The lookup is quick - nearly immediate - but it's not synchronous.

 

 

How does one block until the NAME_RESOLVED event fires?

 

Or, is there a synchronous version of the NAME::lookup function? or a TCL version of the function that might work?

 

Or does anyone have any other ideas?

 

11 Replies

  • I know this is a bit off topic, but isn't using the reverse lookup to bypass authentication inherently insecure? If the person making the attempt controls their own reverse lookup then they can respond with anything they'd like to.

    I don't know if there is a whois capability in iRules, but that would be the only way I would "trust" who truly owns the source IP. Even there, there would be some challenges. Reverse lookups by themselves though... hmm. My security feelers are tingling.
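
The concern raised in the reply above, as an added example that is not part of the original thread and is not iRule code: it compares the PTR-only check from the question with a forward-confirmed reverse DNS check, which goes beyond what the thread itself proposes. The lookup tables, hostnames and function names are constructed for illustration and stand in for real resolver calls.

```python
# Constructed DNS data standing in for real lookups (runs offline).
# PTR records are published by whoever controls the reverse zone of the IP.
PTR = {
    "192.0.2.10": "gw.example.gov.",     # client whose forward zone agrees
    "203.0.113.66": "vpn.example.gov.",  # PTR chosen by the holder of this IP block
    "198.51.100.7": "host.example.com.",
}
# A records are published by whoever controls the forward zone of the name.
A = {
    "gw.example.gov.": {"192.0.2.10"},
    "vpn.example.gov.": {"192.0.2.20"},  # the forward zone does not list 203.0.113.66
    "host.example.com.": {"198.51.100.7"},
}

TRUSTED_SUFFIXES = (".mil", ".gov")


def in_trusted_domain(name):
    """True if the hostname's final label is mil or gov (case-insensitive)."""
    host = name.rstrip(".").lower()
    return host.endswith(TRUSTED_SUFFIXES)


def ptr_only(ip, ptr=PTR):
    """The check described in the question: believe whatever the PTR says."""
    name = ptr.get(ip)
    return name is not None and in_trusted_domain(name)


def forward_confirmed(ip, ptr=PTR, a=A):
    """Accept only if the PTR name also resolves forward to the same IP."""
    name = ptr.get(ip)
    if name is None or not in_trusted_domain(name):
        return False
    # Missing or mismatching A record: the reverse zone's claim is unconfirmed.
    return ip in a.get(name, set())


if __name__ == "__main__":
    for ip in PTR:
        print(ip, "ptr_only:", ptr_only(ip),
              "forward_confirmed:", forward_confirmed(ip))
```

Forward confirmation moves the trust from the holder of the IP block to the operator of the forward zone; it is still a network-origin check rather than authentication of the user.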