I figured out that the only event that can trigger this kind of behaviour is the "CLIENT_DATA" event, which I need to trigger using TCP::collect.
Then I tried to match a specific protocol pattern (COTP), but it seems that "table timeout" and "table set" are not working in this event. Does anyone have any idea or suggestion about that? Thanks.
Below is the iRule used:
when CLIENT_ACCEPTED {
    # Gate each new connection on the entry stored for its source address
    # in subtable XXX. The key is the client IP alone, so every host that
    # arrives from the same address shares one authorization entry.
    set clientip [IP::client_addr]

    # Ask for 10 bytes of client payload so that CLIENT_DATA is raised.
    TCP::collect 10
    log local0. "DEMO L4 iRule triggered"

    if { [table lookup -subtable XXX $clientip] ne "" } {
        # Known address: renew the idle timeout of its entry (14400 seconds).
        table timeout -subtable XXX $clientip 14400
        log local0. "DEMO Client IP $clientip AUTHORIZED"
    } else {
        # No entry for this address: refuse the connection.
        # NOTE(review): a rejected connection presumably never reaches
        # CLIENT_DATA, so the first entry for an address has to be created
        # by something not shown in this rule - confirm where that happens.
        log local0. "DEMO Client IP $clientip NOT Authorized"
        reject
    }
}
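when CLIENT_DATA {
    # Inspect the collected client bytes, log them as a hexdump, and renew
    # the sender's entry in subtable XXX when the byte sequence 02 f0 80
    # (the COTP pattern this rule looks for) is present in the payload.
    # Relies on $clientip set in CLIENT_ACCEPTED for the same connection.

    # NOTE(review): collection is already active when this event fires, so
    # this call looks redundant - confirm before removing it.
    TCP::collect 10
    set payload [TCP::payload]

    # The hexbinary code we want to decode is stored in $payload
    # format string for hexdump output
    set p 0 ;# buf ptr
    set sl [string length $payload]
    set inPkt "\n\n"
    while { $p < $sl } {
        # string range is inclusive at both ends, so one 16-byte row is
        # $p .. $p+15 (the original upper bound of $p+16 read 17 bytes).
        set s [string range $payload $p [expr {$p + 15}]]
        binary scan $s H*@0a* hex ascii
        # Anything that is not a printable character or a space becomes a
        # dot, which also keeps control characters out of the log line.
        regsub -all -- {[^[:graph:] ]} $ascii {.} ascii
        set hex1 [string range $hex 0 15]
        set hex2 [string range $hex 16 31]
        set ascii1 [string range $ascii 0 7]
        set ascii2 [string range $ascii 8 15]
        # Convert the hex to pairs of hex digits
        regsub -all -- {..} $hex1 {& } hex1
        regsub -all -- {..} $hex2 {& } hex2
        append inPkt "[format {%08x %-24s %-24s %-8s %-8s} $p $hex1 $hex2 $ascii1 $ascii2]\n"
        set p [expr {$p + 16}]
    }

    # NOTE(review): this writes a full dump of client-supplied bytes to two
    # logs for every collected segment. Outside of debugging, consider
    # limiting or disabling it: it adds log volume and may record sensitive
    # protocol data.
    puts "Input PKT: $inPkt" ;# print the output to /var/log/tmm
    log local0. "DEMO PAYLOAD $inPkt"
    TCP::release

    # Match on the payload bytes themselves, not on the formatted dump.
    # The dump breaks the hex into 8-byte columns and 16-byte rows, so a
    # sequence crossing one of those boundaries was missed, and it carries
    # an ASCII column, so the test could be satisfied by text in the
    # payload instead of by the bytes 02 f0 80.
    # Each byte becomes two hex digits followed by a space, which keeps the
    # comparison aligned on byte boundaries.
    set payloadHex ""
    binary scan $payload H* payloadHex
    regsub -all -- {..} $payloadHex {& } payloadHex

    # NOTE(review): the sequence is accepted anywhere in the payload. If
    # only a COTP data header is meant, checking it at its fixed offset
    # after the TPKT header would be stricter - confirm against the
    # protocol in use.
    if { $payloadHex contains "02 f0 80" } {
        # table set takes key, value, then timeout. The original call passed
        # 14400 as the value and 0 as the timeout, which replaced the
        # 14400-second timeout applied by the table timeout call on the line
        # before it. One call now stores the entry with that timeout; the
        # stored value stays 14400 in case other rules read it.
        table set -subtable XXX $clientip 14400 14400
        log local0. "DEMO MATCH!"
    }

    # Resume collection so the next client segment raises CLIENT_DATA again.
    TCP::collect
}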