For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JBengtsson_1773's avatar
JBengtsson_1773
Icon for Nimbostratus rankNimbostratus
Sep 15, 2015

iRule "set table" doesn't get committed between sessions.

I have a iRule that gets triggered on every client packet, the theory is that the user if accessing the network on port 80/443 should be "virtually prompted" with a logon-page. The page itself is working fine and the user actually gets prompted, and this is the code that does it:

 

priority 10

when CLIENT_ACCEPTED {
    log local0.info "Route domain: [ROUTE::domain]"

    set status true

    log local0.info "Checking if IP has session: [IP::client_addr] -- Lookup: [table lookup -subtable "okinloggning" [IP::client_addr]]"

    if { [table lookup -subtable "okinloggning" [IP::client_addr]] eq "true" } {

        log local0. "[IP::remote_addr] in table([table lookup -notouch -subtable [IP::client_addr] publikt_pbr]): accepting request"
        set status false

    } else {

        log local0.info "[IP::client_addr] not in table -- [table lookup -notouch -subtable [IP::client_addr] publikt_pbr]"

        foreach ipObj $::publikt_exclusion_list {

            if { [IP::addr [IP::remote_addr] equals $ipObj] } {

                set status false
                log local0.info "[IP::remote_addr] in exclusion list( $ipObj ). Adding [IP::remote_addr] to table and bypassing APM portal"

                Set client ip in table, timeout in 20h
                table add -subtable "okinloggning" [IP::client_addr] 1 72000

                break
            }

        }

    }

    if {($status && [TCP::local_port] eq 80) || ($status && [TCP::local_port] eq 443)} {
        virtual vs-rsguest-apm-portal
    }

}

 

The above is only used to check the table data for a specific IP, if the IP isn't present the bottom if case is triggered and the portal is shown, and the code that handles the actual "setting table values" looks like this:

 

priority 1

when ACCESS_POLICY_AGENT_EVENT {

    if {[ACCESS::policy agent_id] == "rsguest-accept-agreement-event"} {

        log local0.info "Agreenment checked: [ACCESS::session data get "session.logon.last.agreement"]"

        set session_agreement [ACCESS::session data get "session.logon.last.agreement"]

        If input validated, go ahead and add the table reccord to allow the user Internet access
        if { $session_agreement eq 1 } {

            log local0.alert "Checking IP: [IP::client_addr]"

            ACCESS::session data set session.logon.last.username "[IP::client_addr]"

            table set -subtable "okinloggning" [IP::client_addr] "true" 72000

            log local0.info "Checking if IP has session: [IP::client_addr] -- Lookup: [table lookup -subtable "okinloggning" [IP::client_addr]]"

        }

    }

}

 

The odd thing is, that in the later code block the last log local0.info ... actually shows the value to be stored. But when doing a page refresh to access the internet the user is supplied with "webpage not available" and the log from the first code block [table lookup -subtable "okinloggning" [IP::client_addr]] gives me NULL, meaning the value isn't actually set in the table by my programming standards.

I have no real way of looking this up as it appears as if the table never actually gets created between sessions and the qkview file or log files for that matter doesn't say much, at least nothing obvious.

This is working in 11.6 test environment but not in 11.5.1 production, anyone seen anything similar? Thank you for any feedback what so ever, i'm in debt!

//Anton

application delivery
BIG-IP Access Policy Manager (APM)
design
devops
iRules
LTM
security
No RepliesBe the first to reply