For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Vince_Beltz_959's avatar
Vince_Beltz_959
Icon for Nimbostratus rankNimbostratus
Oct 22, 2009

Drop Doesn't

I've implemented the following iRule to filter out certain user agents from connecting to our servers. Testing with Firefox and the Modify Headers add-on, it seems to work - I get a disconnected messa...
application delivery
dev
devops
iRules
Vince_Beltz_959's avatar
Vince_Beltz_959
Icon for Nimbostratus rankNimbostratus
Nov 13, 2009
Just an update (thanks for all your suggestions so far, Hoolio). I happen to be in an F5 iRule training this week, and rewrote the first part of the rule. In the process, I've pinned down the weirdness. The following rule *partially* works, when tested with the User-Agent value "Azureus" (note upper-case "A") - instead of the full target redirect page, a "connection reset" page is displayed on the client, the redirect URL is shown in the address bar, and client tcpdump shows a server connection being established.

 

 

when RULE_INIT {

 

set ::uablock [list torrent azureus windows-media-player microsoft-webdav-miniredir ""]

 

}

 

when HTTP_REQUEST {

 

if { [matchclass [HTTP::header value "User-Agent"] contains $::uablock] } {

 

TCP::close

 

}

 

else {

 

HTTP::redirect http://domainnotfound.optimum.net/cablevassist/dnsassist/main/?domain=[HTTP::host]

 

}

 

}

 

 

Since without a string tolower operation "Azureus" shouldn't match "azureus", I don't know why the full normal redirect isn't happening. Adding a string tolower function to the matchclass results in the exact same TCP::close doing what I want, dropping the connection immediately and completely.

 

 

when RULE_INIT {

 

set ::uablock [list torrent azureus windows-media-player microsoft-webdav-miniredir ""]

 

}

 

when HTTP_REQUEST {

 

if { [matchclass [string tolower [HTTP::header value "User-Agent"] ] contains $::uablock] } {

 

TCP::close

 

}

 

else {

 

HTTP::redirect http://domainnotfound.optimum.net/cablevassist/dnsassist/main/?domain=[HTTP::host]

 

}

 

}

 

 

The other issue is that in order to easily apply the User-Agent filtering function to multiple VIPs using different redirects, I'd like to split these items into two separate iRules attached to the same VIP. Unfortunately, even with string tolower, this also triggers the TCP::close partial redirect behavior.

 

 

Rule 1

 

when RULE_INIT {

 

set ::uablock [list torrent azureus windows-media-player microsoft-webdav-miniredir ""]

 

}

 

when HTTP_REQUEST priority 500 {

 

if { [matchclass [string tolower [HTTP::header value "User-Agent"] ] contains $::uablock] } {

 

TCP::close

 

}

 

}

 

 

And this:

 

 

Rule 2

 

when HTTP_REQUEST priority 1000 {

 

HTTP::redirect http://domainnotfound.optimum.net/cablevassist/dnsassist/main/?domain=[HTTP::host]

 

}