
Abhilash_37247
Aug 08, 2014

Need suggestion on how to resolve the issue with a TCL error happening due to a HTTP::respond in another irule attached to the same Virtual Server

Hi, We have a virtual server which has four irules configured on it. The irule(irule) with the highest priority has a logic which would perform a HTTP::respond during the HTTP_REQUEST event with a status of 503 back to the client if the IP address matches one that is part of a configured blacklist of IPs specified in a datagroup. There is another irule(irule2) that is of lower priority that has a logic to remove a header and add it with a different value.

    HTTP::header remove testHeader
    HTTP::header add testHeader testvalue

 

What we are observing is that there are errors during the irule execution with stack trace as follows.

    2014 Aug 8 11:48:54 server name local0 err err tmm1[4798]: 01220001:3: TCL error: irule2 - Operation not supported (line 1) invoked from within "HTTP::header remove "testHeader""

 

We have been looking at different threads in DevCentral and found the following links that were helpful.

 

https://devcentral.f5.com/questions/how-to-disable-irule-processing-on-keep-alive-per-request-when-using-httprespond

https://devcentral.f5.com/wiki/irules.drop.ashx

https://devcentral.f5.com/wiki/iRules.detect_prior_http_redirect_or_respond.ashx

 

We would like to know if performing drop after HTTP::respond in irule1 is a good practice. Additionally we would like to know what is the suggestion of a good practice for the solution in this scenario.

 

Thanks and Regards, Abhilash

 

3 Replies

  • Hi - You just need to issue "event HTTP_REQUEST disable" to prevent further iRule processing.

     

    I don't think issuing a 'drop' after HTTP::respond would help - pretty sure you'd still get a TCL error, and in addition it might not send the response

     

  • There is another irule(irule2) that is of lower priority that has a logic to remove a header and add it with a different value.

        HTTP::header remove testHeader
        HTTP::header add testHeader testvalue

     

    another approach is to move rule2 to HTTP_REQUEST_SEND event.

     

  • e.g.

     config
    
    root@(B6900-R69-S40)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 100.100.100.41:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            rule1
            rule2
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 5
    }
    root@(B6900-R69-S40)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(B6900-R69-S40)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm rule rule1
    ltm rule rule1 {
        when HTTP_REQUEST {
      if { [HTTP::uri] ne "/" } {
        HTTP::redirect "http://www.google.com/"
      }
    }
    }
    root@(B6900-R69-S40)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm rule rule2
    ltm rule rule2 {
        when HTTP_REQUEST_SEND {
      clientside {
        HTTP::header remove testHeader
        HTTP::header insert testHeader testvalue
      }
    }
    }
    
     trace
    
    [root@B6900-R69-S40:Active:Standalone] config  ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 100.100.100.3(34895) <-> 100.100.100.41(80)
    1407680420.8779 (0.0211)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 100.100.100.41
    Accept: */*
    testHeader: 1234
    
    ---------------------------------------------------------------
    
    New TCP connection 2: 200.200.200.40(34895) <-> 200.200.200.101(80)
    1407680421.0482 (0.1696)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 100.100.100.41
    Accept: */*
    testHeader: testvalue
    
    ---------------------------------------------------------------
    
    [root@B6900-R69-S40:Active:Standalone] config  ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 100.100.100.3(34896) <-> 100.100.100.41(80)
    1407680465.4821 (0.0006)  C>S
    ---------------------------------------------------------------
    HEAD /something HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 100.100.100.41
    Accept: */*
    testHeader: 1234
    
    ---------------------------------------------------------------
    
    1407680465.4822 (0.0000)  S>C
    ---------------------------------------------------------------
    HTTP/1.0 302 Found
    Location: http://www.google.com/
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
    
    ---------------------------------------------------------------
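
Added example, not part of any reply above: the first reply's suggestion (`event HTTP_REQUEST disable` after the `HTTP::respond`) written out as the two iRules from the question. The data group name `blacklist_dg` and the priority values are assumptions, and rule2 uses `HTTP::header insert` as in the last reply's config.

```tcl
# ---- rule1 (runs first): answer blacklisted clients directly ----
# "blacklist_dg" is a hypothetical address-type data group (assumption).
when HTTP_REQUEST priority 100 {
    if { [class match [IP::client_addr] equals blacklist_dg] } {
        # Send the 503 and ask the client to close the connection.
        # "event ... disable" stays in effect for the rest of the
        # connection, so on a kept-alive connection later requests
        # would also skip HTTP_REQUEST processing.
        HTTP::respond 503 content "Service Unavailable" Connection Close

        # Keep lower-priority HTTP_REQUEST handlers (rule2) from running
        # HTTP::header commands against a request that was already answered.
        event HTTP_REQUEST disable

        # Leave this handler; nothing after the response should execute.
        return
    }
}

# ---- rule2 (runs later): unchanged header rewrite ----
when HTTP_REQUEST priority 500 {
    HTTP::header remove testHeader
    HTTP::header insert testHeader testvalue
}
```

The two `when` blocks belong in their separate iRules; they are shown together only so the priority order is visible.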