Forum Discussion

Thiyagu
Oct 07, 2024

Need help to understand the flow logic of the irule

Hi Team, 

Below is the iRule I have worked on. Could you please help me with the following:

1 - What is the difference in using reject and return in an iRule?

2 - Why do we need to set debug 0 in an iRule?

3 - Will the same logic work without the debug?

4 - What is the use of array set in an iRule?

when CLIENTSSL_CLIENTCERT {
    # Set to 1 to turn on the extra log lines below
    set debug 0
    # Check if the client presented a cert after it was requested
    if { [SSL::cert 0] eq "" } {
        reject
    } else {
        set ssl_cert [SSL::cert 0]
        if { $debug } { log local0. "cert is $ssl_cert" }
        set subject [X509::subject $ssl_cert]
        # Turn "CN=foo,OU=bar,O=baz" into an array keyed by attribute name.
        # array set needs an even-length list, so a subject value that itself
        # contains "," or "=" makes this line fail at runtime.
        array set subject_fields [split $subject ",="]
        if { $debug } { log local0. "subject is $subject" }
    }
}

when HTTP_REQUEST {
    if { [info exists subject_fields(CN)] } {
        if { $debug } { log local0. "The X-common-name-to-server <---> $subject" }
        # replace (not insert) so a client-supplied X-Common-Name header cannot
        # ride through next to the one taken from the certificate
        HTTP::header replace X-Common-Name $subject_fields(CN)
        HTTP::header replace X-Source-Ip [IP::remote_addr]
    } else {
        # If there is no CN then respond with a 403
        HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
    }
}

  • 1 - What is the difference in using reject and return in an iRule?

    "return" returns back from a proc(edure), if used there.

    https://clouddocs.f5.com/api/irules/Procs.html

    "return" also returns back from a fired event, if used in an event

    https://clouddocs.f5.com/api/irules/Events.html

    "reject" is slightly more complicated: All iRule events run based on events that "fire" upon certain checkpoints inside a network flow. When the iRule event fires, the flow is temporarily paused and the iRule code runs. When "reject" is called, the flow is marked for removal. Once the code is done and processing resumes on the flow, BIG-IP sends a RST to any TCP-connected endpoints so they stop sending traffic, and the flow is removed from the flow table.

    Flows:

    https://my.f5.com/manage/s/article/K9077

    Reject:

    https://clouddocs.f5.com/api/irules/reject.html

    2 - Why do we need to set debug 0 in an iRule? 3 - Will the same logic work without the debug?

    The "set" command is used to set a variable to a specific value:

    Getting Started with iRules: Variables | DevCentral

    "debug" doesn't have any special meaning in iRules or TCL, but that variable name is commonly used to "turn off and on" extra logging by iRule authors. If the author wrote the code to operate differently depending on the value of that variable, then it will do whatever the author wrote it to do.

    4 - What is the use of array set in an iRule?

    Arrays are a type of variable used in TCL/iRules to hold lists of values:

    Arrays | DevCentral

    Hope it helps. If you've further questions about the behavior of your rule, feel free to ask.
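As an added example that is not part of the thread above (plain Tcl that runs in tclsh, with no BIG-IP commands): it shows what the posted line array set subject_fields [split $subject ",="] actually does to a subject string, the case where it fails, a safer way to build the same array, how a debug variable gates logging, and return leaving a proc. The dlog proc stands in for log local0., and the subject strings are constructed for the example, not taken from real certificates.

```tcl
# Added example, not from the thread: plain Tcl for tclsh, no BIG-IP commands.
# "dlog" stands in for "log local0." and is gated by $debug the way iRule
# authors typically use a debug variable. Subject strings below are constructed.

set debug 1

proc dlog {msg} {
    # Only log when the debug flag is non-zero
    global debug
    if { $debug } { puts "debug: $msg" }
}

proc parse_subject_naive {subject} {
    # Mirrors the posted iRule: split on both "," and "=" and hand the flat
    # list to array set. array set requires an even number of elements, so a
    # value containing "," or "=" makes this raise an error.
    array set fields [split $subject ",="]
    return [array get fields]
}

proc parse_subject {subject} {
    # Split on "," only, then split each RDN at its first "=", so a value
    # that contains "=" survives. A literal "," inside a value is still not
    # handled (that needs RFC 4514 escape-aware parsing); such a fragment is
    # logged and skipped instead of breaking the whole parse.
    array set fields {}
    foreach rdn [split $subject ","] {
        set rdn [string trim $rdn]
        if { $rdn eq "" } { continue }
        set eq [string first "=" $rdn]
        if { $eq < 0 } {
            dlog "skipping fragment without '=': $rdn"
            continue
        }
        set key [string trim [string range $rdn 0 [expr {$eq - 1}]]]
        set val [string trim [string range $rdn [expr {$eq + 1}] end]]
        set fields($key) $val
    }
    # "return" leaves the proc and hands the flat key/value list back
    return [array get fields]
}

# Constructed sample subjects (not from real certificates)
set subjects [list \
    "CN=client01.example.test,OU=Ops,O=Example,C=US" \
    "CN=client01.example.test,OU=role=admin,O=Example,C=US" \
    "O=Example,C=US"]

foreach subj $subjects {
    dlog "subject is $subj"
    if { [catch {parse_subject_naive $subj} result] } {
        puts "naive parser failed: $result"
    } else {
        puts "naive parser ok: $result"
    }
    array unset f
    array set f [parse_subject $subj]
    if { [info exists f(CN)] } {
        puts "safe parser CN: $f(CN)"
    } else {
        puts "safe parser: no CN, the iRule would respond 403"
    }
}
```

Run it with tclsh. The second subject has a value containing "=", so the naive split hands array set an odd-length list and it errors, which in an iRule would abort the event for that connection; the safer parser keeps "role=admin" intact. The third subject has no CN, which is the path where the posted iRule answers 403. Setting debug to 0 at the top silences every dlog line without touching the rest of the logic.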