Forum Discussion

Akshay_SK's avatar
Akshay_SK
Icon for Nimbostratus rankNimbostratus
Jan 16, 2020

Catch an error in iRule execution

I would like some help in handling errors in an iRule. Below is the code snippet upto which I have been able to achieve, but haven't been able to get the desired results.

 

when HTTP_REQUEST {

   #If XFF exists then change Source IP to the first IP that you find in XFF which is the origin. Check this at the very start.
   if { [HTTP::header values "X-Forwarded-For"] ne "" } {
       set remoteip [getfield [HTTP::header X-Forwarded-For] "," 1]
   }

   if { [catch {

           if { [class match $remoteip equals MY_BLACKLIST_IPS] && not [class match $remoteip equals MY_PROXY_IPS] } {
               # reject the request here.
            log local0. "Request is rejected here."
            reject
            return
           }
       } err] } {
       log local0. "Error found in the iRule process ${err}"

   }   

   return
}

 

I want to log the error as well due to which the iRule encountered. The error currently is being logged as empty.

BIG-IP
error
iRules
security
  • Philippe_CLOUP's avatar
    Philippe_CLOUP
    Icon for Employee rankEmployee
    Jan 16, 2020

    Hi Akshay,

    i would have created the iRule differently, as more or less, is the remoteip is not found (meaning that there is no X-Forwarded-For in your headers), you can avoid doing the "catch" and this part of the code.

    Anyhow, the way i modified your code a bit is as follow:

    when HTTP_REQUEST {
 
   #If XFF exists then change Source IP to the first IP that you find in XFF which is the origin. Check this at the very start.
   if { [HTTP::header values "X-Forwarded-For"] ne "" } {
       set remoteip [getfield [HTTP::header X-Forwarded-For] "," 1]
   }
 
   catch {
 
           if { [class match $remoteip equals MY_BLACKLIST_IPS] && not [class match $remoteip equals MY_PROXY_IPS] } {
               # reject the request here.
            log local0. "Request is rejected here."
            reject
            return
           }
       } my_error
    if { $my_error ne ""} then {
       log local0. "Error found in the iRule process ${my_error}"
    }
 
}

    the following test provides the following logs:

    curl http://MY_VS_IP:80
 
ltm log :
Rule /Common/myirule <HTTP_REQUEST>: Error found in the iRule process can't read "remoteip": no such variable
 '
-----------
 
curl -H "X-Forwarded-For: 2.3.4.5" http://MY_VS_IP:80
 
nothing in the ltm log (as expected)