For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Adam_1553's avatar
Adam_1553
Icon for Nimbostratus rankNimbostratus
Aug 22, 2013

Change fastL4 profile in iRule

Hi,

Is it possible to change which fastL4 profile you are using from within an iRule?

My situation is that I need to have an indefinite idle timeout on connections from certain ip addresses, ideally I would modify IP::idle_timeout in the iRule; but there is no valid IP::idle_timeout that will set indefinite. To check if it was possible to set indefinite from within an iRule I changed the fastL4 profile to have indefinite idle timeout then logged the value of IP::idle_timeout

when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.1.1.1] } {
      log local0. "original timeout: [IP::idle_timeout]"
    }
}

This resulted in log lines 

CLIENT_ACCEPTED: original timeout: -1

I tried to set this value from within my iRule


<pre class="prettyprint lang-tcl">`when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.1.1.1] } {
      log local0. "original timeout: [IP::idle_timeout]"
      IP::idle_timeout -1
      log local0. "modified timeout: [IP::idle_timeout]"
    }
}

However this produced the following output

 - invalid timeout value (line 1) invoked from within "IP::idle_timeout -1"

So my next thought was to create multiple fastL4 profiles and one of them can have indefinite timeouts, then I can switch to this profile from within my iRule for the connections that I need an indefinite timeout on. Problem being I cannot see a way to change profile from within an iRule.

Any ideas?

application delivery
devops
iRules

5 Replies

  • uni_87886's avatar
    uni_87886
    Icon for Cirrostratus rankCirrostratus
    Aug 22, 2013

    You can set it to 2147483647 instead. It is not indefinite, but 68 years should be enough. Hopefully the bug will be fixed before your first timeout.

     

    • Adam_1553's avatar
      Adam_1553
      Icon for Nimbostratus rankNimbostratus
      Aug 22, 2013
      Thanks, I'll go with this for now, it's close enough to indefinite that I won't have to worry about it.
  • uni's avatar
    uni
    Icon for Altocumulus rankAltocumulus
    Aug 22, 2013

    You can set it to 2147483647 instead. It is not indefinite, but 68 years should be enough. Hopefully the bug will be fixed before your first timeout.

     

    • Adam_1553's avatar
      Adam_1553
      Icon for Nimbostratus rankNimbostratus
      Aug 22, 2013
      Thanks, I'll go with this for now, it's close enough to indefinite that I won't have to worry about it.
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Aug 22, 2013

    no, you can't change the L4 profiles in stream. What you could do is set up three vips, one front-end vip and two back-end vips, setting the front-end and one back-end to indefinite, then the other back-end to a limited timeout, and use the front-end vip to switch the traffic. Still has the risk of port exhaustion if you get flood attacked on the front-end, but you could add policing logic into your front-end iRule for the connections not specifically allowed for indefinite timeouts.