Forum Discussion
Piotr_Lewandows
Altostratus
AltostratusLocal Traffic Policy and iRule events
Hi,
I was reading some post about order of execution, in other words if Local Traffic Policy (LTP) executes before or after iRule.
Seems that answer is both 🙂
Scenario:
- VS with all ports allowed
- LTP with TCP port is not equal to any of 80; 443 and action Reset traffic
- iRule with CLIENT_ACCEPTED, HTTP_REQUEST, ACCESS_SESSION_STARTED events (actually few more are in iRule)
Without any mods to iRule effect is like that:
- All commands in CLIENT_ACCEPTED are executed
- LTP is triggered to reset traffic (log action is performed, so I can see it triggers)
- All commands in HTTP_REQUEST are performed
- No command in ACCESS_SESSION_STARTED is executed
- RST-ACK is send to client
- CLIENT_CLOSED event is triggered
So LTP is not preventing CLIENT_ACCEPTED and HTTP_REQUEST events to be triggered but disables other events and resets connection.
I can understand why CLIENT_ACCEPTED is triggered but why HTTP_REQUEST? And why using only matching at TCP connection in LTP causes LTP parameter $1 have http included?
I am as well setting variable via LTP. From logging it is obvious that this variable is not yet created when CLIENT_CONNECTED event is executed but it is when HTTP_REQUEST triggers.
So for some events iRule is executed first for other LTP. Main question is why LTP allows HTTP_REQUEST to be triggered at all? Matching and actions in LTP are only for TCP protocol not HTTP.
Reason I am asking is that I planned to use LTP to limit traffic to specified ports but seems it is not a good solution. Seems that it has to be performed in iRule at least when there is some code to be executed in CLIENT_ACCEPTED as there is no way to disable this event anyhow - or maybe there is?
Implementation of Reset traffic is a bit weird. It is using TCP RST for that even if it is still allowing HTTP request to be processed. I understand that LTP is targeting HTTP traffic handling but then instead of TCP RST we should be able to use HTTP respond to more gracefully end client connection.
I am able to disable HTTP_REQUEST by setting variable in LTP and checking it in HTTP_REQUEST but not in CLIENT_ACCEPTED.
That could be avoided if LTP would not allow HTTP_REQUEST to be triggered.
I guess that limiting traffic for all port VS is then possible in two ways:
- AFM policy
- iRule
Or there is some other way?
Piotr
Stanislas_Piro2Cumulonimbus
LTP events trigger before same Irule event, but LTP action doesn't prevent Irule event.
I already shared a workaround to prevent Irule execution when LTP action is redirect.
You can try if LTP reset action return a different value in command [POLICY::targets]
- Stanislas_Piro2
I can understand why CLIENT_ACCEPTED is triggered but why HTTP_REQUEST? And why using only matching at TCP connection in LTP causes LTP parameter requires { http tcp } have http included?
I had the same strange behavior... LTP is a feature to replace HTTP-CLASS in versions before 13.0.
In version 11.X, we could select manually policy requirements, since version 12.0, this is done automatically and some requirements are wrong:
- http is always enabled
- when we want to add a condition on SSL sever name, it requires ssl-persistence and not clientssl...