Forum Discussion

wsanders_233261's avatar
wsanders_233261
Icon for Nimbostratus rankNimbostratus
Jan 09, 2018

"event disable all" does not stop further ltm rule processing

I have been let to believe from documentation and community answers that "event disable all" i supposed to stop further ltm rule processing in a virtual. But have the following code that still results in a "err tmm[12160]: 01220001:3: TCL error: /Common/my-net-access-only-RULE - Operation not supported. Multiple redirect/respond invocations not allowed". Here:

 

ltm virtual /Common/some-virtual {
...
    rules {
        /Common/my-net-access-only-RULE
        /Common/some-other-RULE-that-might-redirect
        /Common/some-other-RULE-that-might-redirect
...
ltm rule my-net-access-only-RULE {
    when HTTP_REQUEST {
        if { not [class match [IP::client_addr] equals my-net-CLASS ] } {
        log local0. "===== D R O P P E D : ====================="
        log local0.debug "IP::client_addr: [IP::client_addr]"
        HTTP::respond 403 content {403 Forbidden}
        event disable all
            }
    }
}

Is there a reliable way to not process subsequent ltm rules after an "exception" is raised, other than consolidating all the rules of kludgily passing some global flag?

 

application delivery
iRules
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jan 09, 2018

    the error message "err tmm[12160]: 01220001:3: TCL error: /Common/my-net-access-only-RULE - Operation not supported. Multiple redirect/respond invocations not allowed" means there is some redirect executed before this irule.

     

    maybe there is a LTM policy assigned to the VS or one of other irules are defined with priority less than 500.

     

  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Jan 09, 2018

    Hello,

    "event disable all" stop the current iRule processing and all subsequent iRules from processing as well. You can use just "return", it Causes immediate exit from the currently executing event... So I advise you to use "return" in your case instead "event disable all". Then disable only other subsequent event if needed...

    You have to let process this irule

    if { not [class match [IP::client_addr] equals my-net-CLASS ] } {
log local0. "===== D R O P P E D : ====================="
log local0.debug "IP::client_addr: [IP::client_addr]"
HTTP::respond 403 content {403 Forbidden}
event disable all
    }

    For this modify "event disable all" by "return". I think if you use "event disable all" in this case you will have multiple redirect: First 

    HTTP::respond 403 content {403 Forbidden}
    Then server response because you disable event process... this as to impact HTTP::respond.

    Let me now if i can help you. regards