For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

UniFirst1_22521's avatar
UniFirst1_22521
Icon for Nimbostratus rankNimbostratus
Dec 10, 2015

iRules Blocking Traffic

I have an iRule that is suppose to only change an idle timer on certain traffic. However, when I enable it is seems to only allow the traffic defined the the iRule and no other connections can be made. Any help would be appreciated. Here is the Irule:

 

when HTTP_REQUEST { if { [IP::addr [IP::client_addr] equals 172.17.101.60] or [IP::addr [IP::client_addr] equals 172.17.101.149] and ([HTTP::uri] equals "soaprod.corp.unifirst.com") } { log local0. "original timeout: [IP::idle_timeout]" IP::idle_timeout 10800 log local0. "updated timeout: [IP::idle_timeout]" set serverside_idle_timeout 1 } } when SERVER_CONNECTED { log local0. "original timeout: [IP::idle_timeout]" if {$serverside_idle_timeout} { IP::idle_timeout 10800 log local0. "updated timeout: [IP::idle_timeout]" } }

 

application delivery
iRules

4 Replies

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Dec 10, 2015

    Hi,

    the condition 

    ([HTTP::uri] equals "soaprod.corp.unifirst.com")
    is wrong...

    it must be 

    ([HTTP::host] equals "soaprod.corp.unifirst.com")

    do not create condition like : 

    a or b and c

    but 

    (a or b) and c
  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Dec 10, 2015

    Hi UniFirst,

     

    your iRule is almost identical with the provided example of: https://devcentral.f5.com/wiki/iRules.IP__idle_timeout.ashx

     

    Stanislav already told you how to combine AND & OR operators to chain multiple conditions in a single [if].

     

    The connection reset you're experiencing may occour because the variable $serverside_idle_timeout is not alway set and therefor may break your connection. The provided example contains an additional [info exist] error handle within SERVER_CONNECTED event to check if the variable $serverside_idle_timeout is set right before accessing it.

     

    Cheers, Kai

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Dec 10, 2015

    You did not set the serverside_idle_timeout to 0 as default value...

    so it raise a tcl error...

    2 solutions:

    when HTTP_REQUEST {
    set serverside_idle_timeout 0
    if { ([IP::addr [IP::client_addr] equals 172.17.101.60] or [IP::addr [IP::client_addr] equals 172.17.101.149]) and ([HTTP::host] equals "soaprod.corp.unifirst.com") }  { log local0. "original timeout: [IP::idle_timeout]"
        IP::idle_timeout 10800
        log local0. "updated timeout: [IP::idle_timeout]"
        set serverside_idle_timeout 1
    }
}
when SERVER_CONNECTED {
    log local0. "original timeout: [IP::idle_timeout]"
    if {$serverside_idle_timeout} {
        IP::idle_timeout 10800
        log local0. "updated timeout: [IP::idle_timeout]"
    }
}

    or

    when HTTP_REQUEST {
    if { ([IP::addr [IP::client_addr] equals 172.17.101.60] or [IP::addr [IP::client_addr] equals 172.17.101.149]) and ([HTTP::host] equals "soaprod.corp.unifirst.com") }  { log local0. "original timeout: [IP::idle_timeout]"
        IP::idle_timeout 10800
        log local0. "updated timeout: [IP::idle_timeout]"
        set serverside_idle_timeout 1
    }
}
when SERVER_CONNECTED {
    log local0. "original timeout: [IP::idle_timeout]"
    if {([info exists serverside_idle_timeout]) && ($serverside_idle_timeout)} {
        IP::idle_timeout 10800
        log local0. "updated timeout: [IP::idle_timeout]"
    }
}