Vince_Beltz_959
Aug 02, 2010

iRule Bypass?

We have a GTM passing traffic down to a pair of LTMs, both of which host a VIP with this very simple rule applied:

when HTTP_REQUEST priority 500 {
    if { ( [HTTP::uri] contains "stringa" or [HTTP::uri] contains "stringb" ) } {
        TCP::close
        event disable all
    }
}

If we tcpdump incoming traffic to the pool servers behind the VIP, we still see a trickle of HTTP requests containing the blocked strings. If we *remove* the iRule, we see a surge in the requests, so we know that it is having an effect, just not 100% blocking. What threshold, if any, does an LTM have where it stops trying to apply an iRule and just passes traffic through? There are no other VIPs pointed at the server pools in question, and trying to figure out why this simple block is "leaking" is driving us nuts. Whenever we test by sending a request to the VIP with the blocked strings, our connection is properly dropped, but we're still seeing *something* get through. Reluctant to turn on logging, as this is Prod traffic and hardware.
  • Addendum:

    Doing a tcpdump on the LTM filtered for the external interface and a public IP we've seen in our pool server captures, I've seen 20-40 hits in 60 sec. Doing the same tcpdump against the internal interface, consistently much less, twice none at all.

    How can we see when/why traffic is being allowed past the filter iRule without logging *every* packet that comes through?
  • HTTP::uri includes HTTP::query, yes? That seems to have been the case in our testing, but we're grasping at straws for an explanation.
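As an added example (not from the original post and not F5 code), a small Python triage helper that mirrors the rule's test: HTTP::uri is the request-line path plus query string, and Tcl `contains` is a case-sensitive substring match, so a blocked string sitting in a request header or a POST body is visible to a tcpdump payload grep on the pool side but is never examined by this rule. Replaying captured requests through it shows which hits the rule was ever meant to catch; the sample requests are constructed.

```python
"""Triage helper: replay captured HTTP requests through the same predicate the
iRule uses and report *where* in the request the blocked string appears."""

BLOCKED = ("stringa", "stringb")   # the two substrings tested by the iRule


def irule_would_block(request_uri):
    """Mirror the iRule condition: Tcl `contains` is a case-sensitive substring
    test on HTTP::uri, which is path plus query string (no headers, no body)."""
    return any(s in request_uri for s in BLOCKED)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (uri, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return uri, headers, body


def triage(raw):
    """Return (blocked_by_irule, locations); locations lists the parts of the
    request that contain a blocked string: 'uri', 'header:<name>', 'body'."""
    uri, headers, body = parse_request(raw)
    where = []
    if any(s in uri for s in BLOCKED):
        where.append("uri")
    for name, value in headers.items():
        if any(s in value for s in BLOCKED):
            where.append("header:" + name)
    if any(s in body for s in BLOCKED):
        where.append("body")
    return irule_would_block(uri), where


# Constructed sample requests, not taken from a real capture.
SAMPLES = {
    "path":    "GET /app/stringa/index HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "query":   "GET /search?q=stringb HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "referer": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nReferer: http://www.example.com/stringa\r\n\r\n",
    "body":    "POST /form HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 12\r\n\r\nfield=stringb",
    "clean":   "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        blocked, where = triage(raw)
        print(f"{label:8} iRule blocks: {str(blocked):5} blocked string found in: {where or ['nowhere']}")
```

A pool-side capture filtered with a plain payload match will flag the "referer" and "body" cases even though the rule never inspects those parts of the request, so comparing the capture against this output separates genuine rule leakage from hits the rule was not written to catch.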