For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Vince_Beltz_959's avatar
Vince_Beltz_959
Icon for Nimbostratus rankNimbostratus
Oct 22, 2009

Drop Doesn't

I've implemented the following iRule to filter out certain user agents from connecting to our servers. Testing with Firefox and the Modify Headers add-on, it seems to work - I get a disconnected messa...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Oct 22, 2009
Hi Vince,

 

 

I was just testing the drop command with HTTP responses. What F5 came back with was that the command would prevent the response body from being sent to the client, but the HTTP headers which had already been parsed would be sent back to the client. I didn't test calling drop from HTTP_REQUEST, but I'd guess that a similar behavior would be expected where the HTTP headers would be sent to the server, but any body from the request would be dropped. That's just a guess though.

 

 

 

From C574762:

 

 

1. If I check a status code in HTTP_RESPONSE, see it's one I don't like, and call 'drop' or 'discard', does it just prevent the current payload from being sent to the client?

 

 

Calling "drop" or "discard" in the HTTP_RESPONSE event prevents LTM from accepting (ACKing) the TCP packet which contains the HTTP body (packet is processed); additionally, only the HTTP headers will be forwarded to the client and the client side of the connection will abort (RST).

 

 

 

 

In the tcpdumps on the server side (or on the server itself), do you see a connection attempt being made, or a connection attempt being made and HTTP headers being sent?

 

 

Maybe it would be better to close the clientside TCP connection using TCP::close rather than using drop? Could you try this and check the client and serverside behavior?

 

 

Thanks,

 

Aaron