Forum Discussion
reject not rejecting?
I have to be missing something simple here... setting up a new irule to do a simple whitelist. Here's the whole thing (stolen shamelessly from somewhere else on DevCentral):
when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals trusted_ips] } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is in data group so do not redirect. DG: [class get trusted_ips]"
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in data group bail"
        reject
    }
}
The "trusted_ips" datagroup has a single dummy entry, 1.2.3.4, not my requesting IP. When I try to hit the vip this irule is attached to, I get the destination page (a simple static page on an apache server), and the log entry:
Sun Dec 29 13:09:26 PST 2013 info slot1/DCA2400VPRA tmm1[9649] Rule /Common/trusted_ips_only : 162.195.xxx.xxx:53465: Client is not in data group bail
So - the irule is executing, but the "reject" isn't seemingly rejecting. I tried "discard" and "drop", same behavior. (and HTTP::respond gave me back an error about HTTP or ICAP profiles that I can't seem to find any docs on). What I'd really like is a 404 error, frankly.
I've been using irules in 10.2.4 for years - but this is on new iron, a Viprion running 11.4, and either something changed or I'm missing something simple somewhere, not for the first time.
Any tips? Thanks in advance for your time.
12 Replies
- Thomas_Gobet
Nimbostratus
Hi,
Did you check your cache on your browser ?
Are you using any proxy between your client and your BIG-IP? And last thing, maybe you can try this iRule to send a 404 response:
when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals trusted_ips] } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is in data group so do not redirect. DG: [class get trusted_ips]"
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port]: Client is not in data group bail"
        HTTP::respond 404
    }
}
- Tom_Bortels_112
Nimbostratus
No, no cache, no proxies - I can reproduce this with curl on the command line. Changing "reject" to "HTTP::respond 404" causes this error on trying to save the iRule: 01070394:3: HTTP::respond in rule (/Common/trusted_ips_only) requires an associated HTTP or ICAP profile on the virtual server (/Common/test). Interestingly - this is the error I've seen before, I thought at runtime. The profile associated with this VIP is the default you get when you select http and port 80 - "Performance (HTTP)" with "fasthttp" listed as the profile (the only choice there).
- nitass_89166
Noctilucent
the irule is executing, but the "reject" isn't seemingly rejecting. I tried "discard" and "drop", same behavior.
can you try CLIENT_ACCEPTED instead of HTTP_REQUEST?
HTTP::respond gave me back an error about HTTP or ICAP profiles that I can't seem to find any docs on.
have you assigned http profile to the virtual server?
- Tom_Bortels_112
Nimbostratus
CLIENT_ACCEPTED has the same behavior - it logs that the connection is denied, but I still get back the content to the client. The virtual server profile is "fasthttp" - the only one visible in the dropdown. Here's the actual config (slightly censored):
ltm virtual /Common/test {
    description "test for bortels"
    destination /Common/63.xx.xx.xx:80
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/testweb
    profiles {
        /Common/fasthttp { }
    }
    rules {
        /Common/trusted_ips_only
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
- Tom_Bortels_112
Nimbostratus
Interestingly - if I change the type to "Standard" rather than "Performance (HTTP)" - this works (in that I get rejected now, which was the expected behavior).
I guess this modifies the question a bit - why would choosing the Performance/fasthttp profile allow irule execution - but not honor the reject (silently!)?
- Tom_Bortels_112
Nimbostratus
The ugly continues - having seen it block, I add my IP into the datagroup - and it posts the "do not redirect" log line in the original script... but on the client... it just hangs until timeout. Very, very odd - never had these issues in 10.2.4; there's got to be something fundamental I'm missing...
- nitass
Employee
fasthttp profile does not work here either. I have not yet found an existing bug. You can open a support case to confirm.
This is mine.
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys version
Sys::Version
Main Package
  Product     BIG-IP
  Version     11.4.1
  Build       608.0
  Edition     Final
  Date        Wed Aug 14 17:23:43 PDT 2013
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.15:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        fasthttp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 32
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        reject
        log local0. "reject"
    }
}
trace
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:21:56.224539 IP 172.28.20.20.47507 > 172.28.20.15.80: S 3556529537:3556529537(0) win 5840 in slot1/tmm1 lis=
16:21:56.224606 IP 172.28.20.15.80 > 172.28.20.20.47507: S 1313924097:1313924097(0) ack 3556529538 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.226454 IP 172.28.20.20.47507 > 172.28.20.15.80: . ack 1 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.227436 IP 172.28.20.20.47507 > 172.28.20.15.80: P 1:156(155) ack 1 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.227650 IP 200.200.200.14.49961 > 200.200.200.101.80: S 2835644534:2835644534(0) win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.229374 IP 200.200.200.101.80 > 200.200.200.14.49961: S 1298715936:1298715936(0) ack 2835644535 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.229394 IP 200.200.200.14.49961 > 200.200.200.101.80: . ack 1 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.229402 IP 200.200.200.14.49961 > 200.200.200.101.80: P 1:156(155) ack 1 win 5840 out slot1/tmm1 lis=/Common/bar
16:21:56.231633 IP 200.200.200.101.80 > 200.200.200.14.49961: . ack 156 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.232282 IP 200.200.200.101.80 > 200.200.200.14.49961: P 1:244(243) ack 156 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.232363 IP 172.28.20.15.80 > 172.28.20.20.47507: P 1:244(243) ack 156 win 6432 out slot1/tmm1 lis=/Common/bar
16:21:56.233272 IP 172.28.20.20.47507 > 172.28.20.15.80: . ack 244 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.234500 IP 172.28.20.20.47507 > 172.28.20.15.80: F 156:156(0) ack 244 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.234510 IP 172.28.20.15.80 > 172.28.20.20.47507: F 244:244(0) ack 157 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.235416 IP 172.28.20.20.47507 > 172.28.20.15.80: . ack 245 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.333705 IP 200.200.200.14.49961 > 200.200.200.101.80: . ack 244 win 4380 out slot1/tmm1 lis=/Common/bar
/var/log/ltm
[root@ve11a:Active:In Sync] config tail /var/log/ltm
Dec 30 16:21:56 ve11a info tmm1[2836]: Rule /Common/myrule : reject
- nitass
Employee
It seems it does not work in 10.2.4 either.
config
root@ve10(Active)(tmos) show sys version |grep -A 6 Main\ Package
Main Package
  Product     BIG-IP
  Version     10.2.4
  Build       817.0
  Edition     Hotfix HF7
  Date        Mon May 20 15:08:56 PDT 2013
root@ve10(Active)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.17:http
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        fasthttp { }
    }
    rules {
        myrule
    }
    snat automap
}
root@ve10(Active)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        reject
        log local0. "reject"
    }
}
trace
[root@ve10:Active] config tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:52:38.784277 IP 172.28.20.20.51828 > 172.28.20.17.80: S 4111390735:4111390735(0) win 5840 in slot1/tmm0 lis=
10:52:38.784329 IP 172.28.20.17.80 > 172.28.20.20.51828: S 413864687:413864687(0) ack 4111390736 win 4380 out slot1/tmm0 lis=bar
10:52:38.785331 IP 172.28.20.20.51828 > 172.28.20.17.80: . ack 1 win 5840 in slot1/tmm0 lis=bar
10:52:38.785337 IP 172.28.20.20.51828 > 172.28.20.17.80: P 1:156(155) ack 1 win 5840 in slot1/tmm0 lis=bar
10:52:38.785441 IP 200.200.200.16.65423 > 200.200.200.101.80: S 3491750769:3491750769(0) win 4380 out slot1/tmm0 lis=
10:52:38.786573 IP 200.200.200.101.80 > 200.200.200.16.65423: S 920090142:920090142(0) ack 3491750770 win 5840 in slot1/tmm0 lis=
10:52:38.786583 IP 200.200.200.16.65423 > 200.200.200.101.80: . ack 1 win 4380 out slot1/tmm0 lis=
10:52:38.786588 IP 200.200.200.16.65423 > 200.200.200.101.80: P 1:156(155) ack 1 win 5840 out slot1/tmm0 lis=
10:52:38.787350 IP 200.200.200.101.80 > 200.200.200.16.65423: . ack 156 win 6432 in slot1/tmm0 lis=
10:52:38.788472 IP 200.200.200.101.80 > 200.200.200.16.65423: P 1:244(243) ack 156 win 6432 in slot1/tmm0 lis=
10:52:38.788483 IP 172.28.20.17.80 > 172.28.20.20.51828: P 1:244(243) ack 156 win 6432 out slot1/tmm0 lis=bar
10:52:38.789596 IP 172.28.20.20.51828 > 172.28.20.17.80: . ack 244 win 6432 in slot1/tmm0 lis=bar
10:52:38.789607 IP 172.28.20.20.51828 > 172.28.20.17.80: F 156:156(0) ack 244 win 6432 in slot1/tmm0 lis=bar
10:52:38.789613 IP 172.28.20.17.80 > 172.28.20.20.51828: F 244:244(0) ack 157 win 4380 out slot1/tmm0 lis=bar
10:52:38.791293 IP 172.28.20.20.51828 > 172.28.20.17.80: . ack 245 win 6432 in slot1/tmm0 lis=bar
10:52:38.889555 IP 200.200.200.16.65423 > 200.200.200.101.80: . ack 244 win 4380 out slot1/tmm0 lis=
/var/log/ltm
[root@ve10:Active] config tail /var/log/ltm
Dec 31 10:52:38 local/tmm info tmm[4922]: Rule myrule : reject
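Both captures above show the same pattern on 11.4.1 and 10.2.4: the rule logs "reject", yet the BIG-IP still opens a server-side connection to the pool member and relays the 243-byte response to the client, so the reject never reached the wire. The script below is an added example, not code from the thread or from F5: it parses tcpdump summary lines in the format printed above and reports whether a reject actually took effect (an RST from the VIP to the client, no SYN from the BIG-IP toward the pool, no payload bytes back to the client). It uses the 11.4.1 trace posted above as its first input; the second trace, showing what an effective CLIENT_ACCEPTED reject is expected to look like, is constructed for the example, as are the VIP tuple and the function names.

```python
"""Check whether an iRule 'reject' actually took effect, from a BIG-IP tcpdump summary.

An effective reject should show an RST from the VIP to the client, no SYN from the
BIG-IP toward the pool member, and no payload bytes sent from the VIP to the client.
"""
import re
from dataclasses import dataclass

# Classic tcpdump TCP summary as printed on BIG-IP, e.g.
#   16:21:56.232363 IP 172.28.20.15.80 > 172.28.20.20.47507: P 1:244(243) ack 156 win 6432 out slot1/tmm1 lis=/Common/bar
_PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)"                               # S, ., P, F, R or combinations such as FP
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"  # seq range and payload length, if any
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
    r" (?P<dir>in|out)"                                 # BIG-IP annotates direction relative to tmm
)

# Virtual server address from nitass's 11.4.1 config above
VIP = ("172.28.20.15", 80)

# Taken from the 11.4.1 capture posted above (rule fired, reject had no effect)
FASTHTTP_TRACE = """
16:21:56.224539 IP 172.28.20.20.47507 > 172.28.20.15.80: S 3556529537:3556529537(0) win 5840 in slot1/tmm1 lis=
16:21:56.224606 IP 172.28.20.15.80 > 172.28.20.20.47507: S 1313924097:1313924097(0) ack 3556529538 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.226454 IP 172.28.20.20.47507 > 172.28.20.15.80: . ack 1 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.227436 IP 172.28.20.20.47507 > 172.28.20.15.80: P 1:156(155) ack 1 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.227650 IP 200.200.200.14.49961 > 200.200.200.101.80: S 2835644534:2835644534(0) win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.229374 IP 200.200.200.101.80 > 200.200.200.14.49961: S 1298715936:1298715936(0) ack 2835644535 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.229394 IP 200.200.200.14.49961 > 200.200.200.101.80: . ack 1 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.229402 IP 200.200.200.14.49961 > 200.200.200.101.80: P 1:156(155) ack 1 win 5840 out slot1/tmm1 lis=/Common/bar
16:21:56.231633 IP 200.200.200.101.80 > 200.200.200.14.49961: . ack 156 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.232282 IP 200.200.200.101.80 > 200.200.200.14.49961: P 1:244(243) ack 156 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.232363 IP 172.28.20.15.80 > 172.28.20.20.47507: P 1:244(243) ack 156 win 6432 out slot1/tmm1 lis=/Common/bar
16:21:56.233272 IP 172.28.20.20.47507 > 172.28.20.15.80: . ack 244 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.234500 IP 172.28.20.20.47507 > 172.28.20.15.80: F 156:156(0) ack 244 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.234510 IP 172.28.20.15.80 > 172.28.20.20.47507: F 244:244(0) ack 157 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.235416 IP 172.28.20.20.47507 > 172.28.20.15.80: . ack 245 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.333705 IP 200.200.200.14.49961 > 200.200.200.101.80: . ack 244 win 4380 out slot1/tmm1 lis=/Common/bar
"""

# Constructed (not captured): what an effective CLIENT_ACCEPTED reject is expected
# to look like, handshake completes and the VIP answers with a reset, nothing else
EXPECTED_REJECT_TRACE = """
10:00:00.000100 IP 172.28.20.20.50000 > 172.28.20.15.80: S 1000:1000(0) win 5840 in slot1/tmm1 lis=
10:00:00.000150 IP 172.28.20.15.80 > 172.28.20.20.50000: S 2000:2000(0) ack 1001 win 4380 out slot1/tmm1 lis=/Common/bar
10:00:00.001000 IP 172.28.20.20.50000 > 172.28.20.15.80: . ack 1 win 5840 in slot1/tmm1 lis=/Common/bar
10:00:00.001050 IP 172.28.20.15.80 > 172.28.20.20.50000: R 1:1(0) ack 1 win 0 out slot1/tmm1 lis=/Common/bar
"""


@dataclass
class Packet:
    src: tuple        # (ip, port)
    dst: tuple        # (ip, port)
    flags: str        # tcpdump flag letters
    length: int       # TCP payload bytes
    direction: str    # "in" or "out"


def parse_trace(text):
    """Parse tcpdump summary lines; banner lines and anything that is not a TCP summary are skipped."""
    packets = []
    for line in text.strip().splitlines():
        m = _PKT_RE.match(line.strip())
        if m:
            packets.append(Packet(
                src=(m["src"], int(m["sport"])),
                dst=(m["dst"], int(m["dport"])),
                flags=m["flags"],
                length=int(m["len"] or 0),
                direction=m["dir"],
            ))
    return packets


def analyze_reject(packets, vip):
    """vip is the (ip, port) tuple of the virtual server. Returns the findings as a dict."""
    client_side = [p for p in packets if vip in (p.src, p.dst)]
    server_side = [p for p in packets if vip not in (p.src, p.dst)]
    from_vip = [p for p in client_side if p.src == vip]
    findings = {
        # BIG-IP opened a connection toward the pool member despite the reject
        "server_side_syn": any("S" in p.flags and p.direction == "out" for p in server_side),
        # payload bytes relayed from the VIP back to the client
        "bytes_to_client": sum(p.length for p in from_vip),
        # the only thing an effective reject should send the client: a reset
        "client_got_rst": any("R" in p.flags for p in from_vip),
    }
    findings["reject_effective"] = (
        findings["client_got_rst"]
        and not findings["server_side_syn"]
        and findings["bytes_to_client"] == 0
    )
    return findings


if __name__ == "__main__":
    for name, trace in (("fasthttp 11.4.1 capture", FASTHTTP_TRACE),
                        ("constructed effective reject", EXPECTED_REJECT_TRACE)):
        print(name, analyze_reject(parse_trace(trace), VIP))
```

Paste your own `tcpdump -nni 0.0 -s0 port 80` output in place of FASTHTTP_TRACE and set VIP to your virtual server's address and port; `server_side_syn` being true after the rule logged its reject is the quickest confirmation that the profile on the virtual server is ignoring the command, which is what the thread observed with fasthttp and not with a Standard virtual server.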
