Forum Discussion
Zuke_254875
Altostratus
Apr 03, 2019
Port range iRule
We have a requirement for a wildcard virtual server and to allow access to the application servers on port range between 30000 and 32768.
When I apply the below iRule, I'm unable to reach the servers.
when CLIENT_ACCEPTED {
if { {expr [TCP::client_port] < 30000] or [expr [TCP::client_port] > 32768} } {
reject
}
}
I'm getting client resets on the pool members when the iRule is applied.
192.168.20.142.53464 > 10.18.142.64.31090: Flags [S], cksum 0xe5ad (incorrect -> 0x12c3), seq 371331784, win 4380, options [mss 1460,nop,nop,TS val 3830442533 ecr 0,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/applicationname-any-vs
17:47:16.391284 IP (tos 0x0, ttl 62, id 26705, offset 0, flags [DF], proto TCP (6), length 40)
10.18.142.64.31090 > 192.168.20.142.53464: Flags [R.], cksum 0x571b (correct), seq 0, ack 371331785, win 0, length 0 in slot1/tmm0 lis=/Common/applicationname-any-vs
As soon as the iRule is removed, traffic connects successfully.
Hi Zuke,
the if command has a built-in implicit expression. No need for the explicit [expr] command.

when CLIENT_ACCEPTED {
    if { ( [TCP::client_port] < 30000 ) or ( [TCP::client_port] > 32768 ) } then {
        reject
    }
}

Just for learning purposes the iRules below will work too. But they are more complex and also slower, since you basically pipe the output of the explicit [expr] command (0 or 1) to the implicit expression of the if command...

when CLIENT_ACCEPTED {
    if { [expr { [TCP::client_port] < 30000 }] or [expr { [TCP::client_port] > 32768 }]} then {
        reject
    }
}

when CLIENT_ACCEPTED {
    if { [expr { ( [TCP::client_port] < 30000 ) or ( [TCP::client_port] > 32768 ) }] } then {
        reject
    }
}
Cheers, Kai
- CharlesCS
Cirrus
In this context, TCP::client_port refers to the ephemeral port that the client system uses to connect to the virtual server. To specify the virtual server's port range, use TCP::local_port instead. Also, "then" is redundant and may cause an error.

when CLIENT_ACCEPTED {
    if { ( [TCP::local_port] < 30000 ) or ( [TCP::local_port] > 32768 ) } {
        reject
    }
}
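Added example, not part of any post in this thread: a Python sketch that applies the range check from the replies to tcpdump-style SYN lines, once against the source port (what TCP::client_port returns on the client side) and once against the destination port (TCP::local_port), to show where the two decisions differ. The sample lines and addresses are constructed, and the function names are hypothetical; the assumption is that the first address.port on each line is the client and the second is the virtual server.

```python
import re

# Port range the thread wants to allow on the wildcard virtual server.
LOW, HIGH = 30000, 32768

# Matches the "src.port > dst.port: Flags [..]" part of a tcpdump line.
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def parse_syn(line):
    """Return (client_port, local_port) for an initial SYN, else None."""
    m = LINE_RE.search(line)
    if m is None or m.group("flags") != "S":
        return None  # skip SYN-ACK, RST, data and non-TCP lines
    return int(m.group("sport")), int(m.group("dport"))

def out_of_range(port):
    """Same test as the iRule: True means the connection is rejected."""
    return port < LOW or port > HIGH

def evaluate(lines):
    """For each SYN, report what each variant of the check would decide."""
    results = []
    for line in lines:
        ports = parse_syn(line)
        if ports is None:
            continue
        client_port, local_port = ports
        results.append({
            "client_port": client_port,
            "local_port": local_port,
            "reject_by_client_port": out_of_range(client_port),
            "reject_by_local_port": out_of_range(local_port),
        })
    return results

# Constructed sample lines in tcpdump format (documentation addresses).
SAMPLE = [
    "192.0.2.10.53464 > 198.51.100.5.31090: Flags [S], seq 1, win 4380, length 0",
    "198.51.100.5.31090 > 192.0.2.10.53464: Flags [R.], seq 0, ack 2, win 0, length 0",
    "192.0.2.11.31000 > 198.51.100.5.443: Flags [S], seq 9, win 4380, length 0",
    "192.0.2.12.40000 > 198.51.100.5.32768: Flags [S], seq 5, win 4380, length 0",
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE):
        print(r)
```

The third sample line is the case to watch: a check on the source port would admit a connection to port 443 whenever the client's ephemeral port happens to fall inside the range, so only the destination-port check enforces the intended restriction.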