Forum Discussion

rwendt_291390
Sep 22, 2016

How do I send an ICMP Dest port unreachable in an iRule?

I have an IP forwarding virtual server that is supposed to reject packets not in my defined datagroup server_pools destined for a subset of the virtual servers we have. This functionality is working. ...
    Vernon_97235
    Sep 24, 2016

    It appears (on 12.1.1, at least) that the behavior of the reject command differs based on whether address translation is enabled. When it is, as I say, an ICMP Port Unreachable message is returned (for UDP traffic). When it is disabled, the behavior you see occurs.

    There is no way to send a specific, explicit ICMP response from an iRule. However, a "Reject" type server will send an ICMP Port Unreachable in any case. So, you could create a "Reject" virtual server that is bound to no VLAN:

    ltm virtual vs-reject {
        destination 0.0.0.0:any
        mask any
        profiles {
            fastL4 { }
        }
        reject
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vlans-enabled
        vs-index 6
    }
    

    Then, in your iRule, instead of using reject, forward rejects to this VS:

    when CLIENT_ACCEPTED {
       if { ![class match [IP::client_addr] equals server_pools] }{
           virtual vs-reject
       }
    }
    

    (Notice that the explicit forward branch is unnecessary because the VS type is already Forwarding). For me, this produces an identical result for classic traceroute (using UDP segments bound for random high-numbered ports), which you appear to be testing here.