Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Matthew_McCleme's avatar
Matthew_McCleme
Icon for Nimbostratus rankNimbostratus
Oct 11, 2007

ClamAV iRule

ClamAV has an FTP'esque protocol in that initial connections are made via a control connection, which then requests a stream port to send the actual files to be scanned on. I've written and tested the...
application delivery
dev
devops
irules
Matthew_McCleme's avatar
Matthew_McCleme
Icon for Nimbostratus rankNimbostratus
Oct 16, 2007
Updated iRule to get around the fact that ::port is global and to avoid possible stomping of the variable. Although I'm guessing that no one is all that interested in load balancing ClamAV considering how quickly this topic started sinking to the bottom.


when RULE_INIT {
    array set ::clamp { }
}
when SERVER_CONNECTED {
    log "server connected"
    TCP::collect 1
}
when SERVER_DATA {
    log "server data"
    set sdata [TCP::payload]
    if { $sdata contains "PORT" } {
        set ::clamp([IP::client_addr][TCP::client_port]) [regexp -inline {[0-9]+} [TCP::payload]]
        log "I have $::clamp([IP::client_addr][TCP::client_port])"
        listen {
            proto 6
            timeout 10
            bind [LINK::vlan_id] [peer {IP::local_addr}] $::clamp([IP::client_addr][TCP::client_port])
            server [LB::server addr] $::clamp([IP::client_addr][TCP::client_port])
            allow [IP::client_addr]
        }
    array unset ::clamp([IP::client_addr][TCP::client_port])
    }
    TCP::release
    TCP::collect 1
}
MattB_MA_170307's avatar
MattB_MA_170307
Icon for Nimbostratus rankNimbostratus
Mar 17, 2017

FWIW: We're standing up a pool of ClamAV containers to check incoming SMTP services post-decryption, and this iRule worked flawlessly. Thanks very much for taking the time to write it out!