Forum Discussion
unRuleY_95363
Dec 22, 2004
Historic F5 Account
Dynamic Pool Names
This post is about using dynamic pool names.
First, some background: A powerful new feature in v9.x is the ability to select pools using a dynamically created name (e.g., using a variable). This new feature will sometimes allow simplification of a complex rule that is choosing among many pools (for example, you could use a class and the findclass command to pick a pool name instead of using a whole lotta if statements).
However, there is a potential issue with the use of dynamic pool names that you must be aware of and careful not to implement. If the source of the pool name is derived from an external input (e.g., by directly taking the name from the URI, header, or cookie), then a user could exploit your iRule.
If you must derive the name from external input, then it is highly recommended that you use a class or if statements to map the external input to a pool name or use a class to at least validate the pool name. Additionally, if the pool command is given a pool name that does not exist, it will fail with a Tcl error, reject the connection and log the failure.
Basically, if you find yourself using a variable to select a pool, you should really question whether that is absolutely necessary and/or whether it buys you any simplification.
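The mapping approach recommended above, as an added example that is not part of the original post: the client-supplied value is only ever used as a lookup key into a class, and the pool name comes from the class entry. The class name `app_pools`, the pool names, and the choice of the first path segment as the key are assumptions made for illustration.

```tcl
# Assumed string class (data group) "app_pools", one "key pool_name" pair per entry:
#   "shop pool_shop"
#   "blog pool_blog"
# Assumed fallback pool: pool_default

when HTTP_REQUEST {
    # Pattern the post warns about (left commented out): the client picks
    # any pool name it likes by setting a cookie.
    #   pool [HTTP::cookie "app"]

    # Use the first path segment as a lookup key only, never as a pool name.
    # For "/shop/cart", field 2 of a split on "/" is "shop".
    set key [string tolower [getfield [HTTP::path] "/" 2]]

    # Accept only short alphanumeric keys before touching the class.
    set target ""
    if { [string is alnum -strict $key] && [string length $key] <= 32 } {
        # With a separator, findclass returns the part of the matching
        # entry after the separator, or an empty string on no match.
        set target [findclass $key $::app_pools " "]
    }

    if { $target eq "" } {
        # Unknown or malformed key: fixed default, no client influence.
        pool pool_default
        return
    }

    # The class entry could still name a pool that has since been deleted.
    # The pool command raises a Tcl error in that case; catch it so the
    # request falls back to the default instead of being rejected.
    if { [catch { pool $target } err] } {
        log local0. "class app_pools maps '$key' to missing pool '$target': $err"
        pool pool_default
    }
}
```

The log line fires only on a stale class entry, so its appearance is a signal that the class and the configured pools have drifted apart.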