For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Matthew_McCleme's avatar
Matthew_McCleme
Icon for Nimbostratus rankNimbostratus
Oct 11, 2007

ClamAV iRule

ClamAV has an FTP'esque protocol in that initial connections are made via a control connection, which then requests a stream port to send the actual files to be scanned on. I've written and tested the...
application delivery
dev
devops
iRules
Matthew_McCleme's avatar
Matthew_McCleme
Icon for Nimbostratus rankNimbostratus
Oct 16, 2007
Updated iRule to get around the fact that ::port is global and to avoid possible stomping of the variable. Although I'm guessing that no one is all that interested in load balancing ClamAV considering how quickly this topic started sinking to the bottom.


when RULE_INIT {
    array set ::clamp { }
}
when SERVER_CONNECTED {
    log "server connected"
    TCP::collect 1
}
when SERVER_DATA {
    log "server data"
    set sdata [TCP::payload]
    if { $sdata contains "PORT" } {
        set ::clamp([IP::client_addr][TCP::client_port]) [regexp -inline {[0-9]+} [TCP::payload]]
        log "I have $::clamp([IP::client_addr][TCP::client_port])"
        listen {
            proto 6
            timeout 10
            bind [LINK::vlan_id] [peer {IP::local_addr}] $::clamp([IP::client_addr][TCP::client_port])
            server [LB::server addr] $::clamp([IP::client_addr][TCP::client_port])
            allow [IP::client_addr]
        }
    array unset ::clamp([IP::client_addr][TCP::client_port])
    }
    TCP::release
    TCP::collect 1
}
  • MattB_MA_170307's avatar
    MattB_MA_170307
    Icon for Nimbostratus rankNimbostratus
    Mar 17, 2017

    FWIW: We're standing up a pool of ClamAV containers to check incoming SMTP services post-decryption, and this iRule worked flawlessly. Thanks very much for taking the time to write it out!