Forum Discussion
PGI_28560
Nov 14, 2011 (Nimbostratus)
Drop Traffic based on HTTP Header
This is my first entry into the world of iRules; however, I don't have much programming experience, so I just wanted to run this by the community.
I am looking to make an iRule based...
hooleylist
Nov 16, 2011 (Cirrostratus)
I don't think drop or discard should cause TMM to send a TCP reset immediately--they just remove the connection table entry. TMM should send a reset in response to the next packet the client or server sends on the connection. That next packet could be a long way out. So intermediate hosts in the chain between the client and TMM might have the connection open unnecessarily long. Also, if you use drop, the client will generally time out after an idle timeout rather than knowing immediately that the connection is invalid. The only time I think it makes sense to drop a packet is if you're trying to avoid telling a malicious client that their connection is invalid. And like you say, George, if you've already had TMM accept the TCP connection, a malicious client already knows the service is answering.
tl;dr: just use reject if you're blocking an HTTP request or TCP connection on an LTM VS with a TCP profile.
Aaron
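As an added example of the approach Aaron recommends (this is not code from the thread, from George, or from F5's documentation), here is an iRule that blocks HTTP requests on a header value with reject rather than drop or discard. The header name "X-Forwarded-Host" and the blocked value "evil.example" are assumptions chosen for illustration; substitute whatever your policy actually keys on.

```tcl
# Added example, not from the original thread: block HTTP requests that carry
# a specific header value. "reject" is used instead of "drop"/"discard" so the
# client receives a TCP RST right away rather than waiting for an idle timeout.
# The header name and the blocked value below are assumptions for illustration.
when HTTP_REQUEST {
    # Check presence first: "HTTP::header value" on a missing header returns an
    # empty string, and an empty string should not be treated as a policy hit.
    if { [HTTP::header exists "X-Forwarded-Host"] } {
        # Normalise case so "Evil.Example" and "evil.example" compare equal.
        set hdr [string tolower [HTTP::header value "X-Forwarded-Host"]]
        if { $hdr equals "evil.example" } {
            # Record who was rejected and why before tearing the flow down.
            log local0. "Rejecting [IP::client_addr]:[TCP::client_port] X-Forwarded-Host=$hdr"
            # reject: TMM sends a TCP RST to the client (and to the server if
            # that side is already open) and removes the flow immediately.
            # drop/discard would silently remove the flow; the client would only
            # find out on its next packet, possibly after a long idle wait.
            reject
        }
    }
}
```

Because this runs in HTTP_REQUEST on a virtual server with a TCP profile, the three-way handshake has already completed by the time the header is inspected, which is exactly the situation where silently dropping buys nothing: the client already knows the service is listening, so an immediate reset costs no information and frees the connection state on every hop between the client and TMM.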