franl_104847
Jul 22, 2007

drop connection on stream match

Hi,

Following the recent thread entitled "Log IMAP user name", I found the code needed to extract the user name from an imaps session terminated on the ltm. Thanks! That was really handy.

I have been asked to drop the connection if the user is not in an allowed list. After setting up a class of valid users called ok_users, the iRule below seems to accomplish this, though I am not sure if it is the best way.


when CLIENT_ACCEPTED {
   # Inspect the client data for the IMAP LOGIN command
   STREAM::enable
   STREAM::expression @LOGIN\ .*@
}
when STREAM_MATCHED {
   # "LOGIN <user> <password>": field 2 is the user name
   set loguser [getfield [STREAM::match] " " 2]
   set baduser 0
   if { [matchclass $loguser equals $::ok_users] } {
      log local0.info "valid user $loguser"
   } else {
      log local0.info "illegal user $loguser"
      set baduser 1
   }
   # Stop inspecting once the first LOGIN has been seen
   STREAM::disable
   if { $baduser == 1 } {
      log local0.info "dropping connection for $loguser"
      drop
   }
}


I was figuring it would be better to remove setting and checking the baduser variable and just call drop when checking the class, but am not sure if having STREAM::disable after the drop is ok.


I was also hoping someone may help in my basic understanding of an iRule event's context? The wiki entry for the drop command says, "Causes the current packet or connection (depending on the context of the event) to be discarded." Is there a means by which one determines the context of an event?

Thanks,

Fran
  • This seems to work ok too...

    
    when CLIENT_ACCEPTED {
       # Inspect the client data for the IMAP LOGIN command
       STREAM::enable
       STREAM::expression @LOGIN\ .*@
    }
    when STREAM_MATCHED {
       # "LOGIN <user> <password>": field 2 is the user name
       set loguser [getfield [STREAM::match] " " 2]
       # Stop inspecting before deciding; nothing runs after drop
       STREAM::disable
       if { [matchclass $loguser equals $::ok_users] } {
          log local0.info "allow valid user $loguser"
       } else {
          log local0.info "drop illegal user $loguser"
          drop
       }
    }

    Thanks,

    Fran
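
The following is an added example, not Fran's code or anything from the thread, showing the same allowlist check with two edge cases handled that the posted iRule does not: an IMAP client may send the user name as a quoted string (`a1 LOGIN "alice" secret`), and a LOGIN line with no user name would otherwise be compared against the class as an empty string. It assumes an LTM release that supports `class match`, a string data group named ok_users holding lowercase user names, and that the virtual server only carries client-to-server IMAP traffic.

```tcl
# Added example (not from the original post). Assumes a string data group
# "ok_users" with lowercase user names and an LTM version with "class match".
when CLIENT_ACCEPTED {
   # Watch the client data for the IMAP LOGIN command; braces keep Tcl
   # from touching the expression, the "@" characters delimit it.
   STREAM::enable
   STREAM::expression {@LOGIN .*@}
}
when STREAM_MATCHED {
   # IMAP LOGIN is "<tag> LOGIN <user> <password>"; the match starts at
   # LOGIN, so field 2 is the user name. Strip surrounding double quotes
   # (quoted-string form) and normalise case before the class lookup.
   set loguser [string tolower [string trim [getfield [STREAM::match] " " 2] {"}]]

   # One decision per connection: stop inspecting before acting on it.
   STREAM::disable

   if { $loguser eq "" } {
      # Malformed LOGIN (no user name): treat as not allowed.
      log local0.info "[IP::client_addr]: LOGIN without user name, dropping"
      drop
      return
   }
   if { [class match $loguser equals ok_users] } {
      log local0.info "[IP::client_addr]: allow valid user $loguser"
   } else {
      log local0.info "[IP::client_addr]: drop illegal user $loguser"
      drop
   }
}
```

Logging the client address alongside the user name gives the rejected-login log lines something to correlate on, and the explicit empty-name branch means a client that sends `LOGIN` with nothing after it is dropped rather than silently compared against the data group as an empty string.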