Forum Discussion
Tom_Bortels_112
Nimbostratus
Dec 29, 2013
reject not rejecting?
I have to be missing something simple here... setting up a new iRule to do a simple whitelist. Here's the whole thing (stolen shamelessly from somewhere else on DevCentral):
when HTTP_REQUEST {
...
nitass
Employee
Dec 30, 2013
fasthttp profile does not work here too. I have not yet found an existing bug. You can open a support case to confirm.
this is mine.
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# show sys version
Sys::Version
Main Package
  Product  BIG-IP
  Version  11.4.1
  Build    608.0
  Edition  Final
  Date     Wed Aug 14 17:23:43 PDT 2013
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.15:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        fasthttp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 32
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        reject
        log local0. "reject"
    }
}
trace
[root@ve11a:Active:In Sync] config # tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:21:56.224539 IP 172.28.20.20.47507 > 172.28.20.15.80: S 3556529537:3556529537(0) win 5840 in slot1/tmm1 lis=
16:21:56.224606 IP 172.28.20.15.80 > 172.28.20.20.47507: S 1313924097:1313924097(0) ack 3556529538 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.226454 IP 172.28.20.20.47507 > 172.28.20.15.80: . ack 1 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.227436 IP 172.28.20.20.47507 > 172.28.20.15.80: P 1:156(155) ack 1 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.227650 IP 200.200.200.14.49961 > 200.200.200.101.80: S 2835644534:2835644534(0) win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.229374 IP 200.200.200.101.80 > 200.200.200.14.49961: S 1298715936:1298715936(0) ack 2835644535 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.229394 IP 200.200.200.14.49961 > 200.200.200.101.80: . ack 1 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.229402 IP 200.200.200.14.49961 > 200.200.200.101.80: P 1:156(155) ack 1 win 5840 out slot1/tmm1 lis=/Common/bar
16:21:56.231633 IP 200.200.200.101.80 > 200.200.200.14.49961: . ack 156 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.232282 IP 200.200.200.101.80 > 200.200.200.14.49961: P 1:244(243) ack 156 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.232363 IP 172.28.20.15.80 > 172.28.20.20.47507: P 1:244(243) ack 156 win 6432 out slot1/tmm1 lis=/Common/bar
16:21:56.233272 IP 172.28.20.20.47507 > 172.28.20.15.80: . ack 244 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.234500 IP 172.28.20.20.47507 > 172.28.20.15.80: F 156:156(0) ack 244 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.234510 IP 172.28.20.15.80 > 172.28.20.20.47507: F 244:244(0) ack 157 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.235416 IP 172.28.20.20.47507 > 172.28.20.15.80: . ack 245 win 6432 in slot1/tmm1 lis=/Common/bar
16:21:56.333705 IP 200.200.200.14.49961 > 200.200.200.101.80: . ack 244 win 4380 out slot1/tmm1 lis=/Common/bar
/var/log/ltm
[root@ve11a:Active:In Sync] config # tail /var/log/ltm
Dec 30 16:21:56 ve11a info tmm1[2836]: Rule /Common/myrule : reject
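Added example (not part of the post above and not F5 code): a Python check that compares the rule's log entry with the trace to tell whether a `reject` was actually enforced on the wire. The first sample is abridged from the trace in the post; the second is constructed, and the RST it shows for an enforced reject is an assumption.

```python
import re

# Old-style tcpdump line, as printed in the post:
#   <time> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<seq>(<len>)] ...
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (?:\d+:\d+\((\d+)\))?")

def audit_reject(trace, ltm_log, vip, members, rule="/Common/myrule"):
    """Compare what the rule logged with what the trace shows on the wire."""
    seen = {"rule_logged": f"Rule {rule} " in ltm_log,
            "rst_to_client": False, "bytes_to_member": 0, "bytes_to_client": 0}
    for line in trace.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags, length = m.groups()
        src_ep, dst_ep, n = f"{src}:{sport}", f"{dst}:{dport}", int(length or 0)
        if src_ep == vip and "R" in flags:
            seen["rst_to_client"] = True
        elif src_ep == vip:
            seen["bytes_to_client"] += n      # response relayed by the virtual
        elif dst_ep in members:
            seen["bytes_to_member"] += n      # request relayed to the pool
    if seen["bytes_to_member"] or seen["bytes_to_client"]:
        seen["verdict"] = "BYPASSED"          # payload crossed the virtual
    elif seen["rst_to_client"]:
        seen["verdict"] = "ENFORCED"
    else:
        seen["verdict"] = "INCONCLUSIVE"
    return seen

LTM_LOG = "Dec 30 16:21:56 ve11a info tmm1[2836]: Rule /Common/myrule : reject"

# Abridged from the trace in the post (fasthttp virtual, rule logged "reject").
POSTED = """\
16:21:56.224539 IP 172.28.20.20.47507 > 172.28.20.15.80: S 3556529537:3556529537(0) win 5840 in slot1/tmm1 lis=
16:21:56.224606 IP 172.28.20.15.80 > 172.28.20.20.47507: S 1313924097:1313924097(0) ack 3556529538 win 4380 out slot1/tmm1 lis=/Common/bar
16:21:56.227436 IP 172.28.20.20.47507 > 172.28.20.15.80: P 1:156(155) ack 1 win 5840 in slot1/tmm1 lis=/Common/bar
16:21:56.229402 IP 200.200.200.14.49961 > 200.200.200.101.80: P 1:156(155) ack 1 win 5840 out slot1/tmm1 lis=/Common/bar
16:21:56.232363 IP 172.28.20.15.80 > 172.28.20.20.47507: P 1:244(243) ack 156 win 6432 out slot1/tmm1 lis=/Common/bar
"""

# Constructed sample (assumption): the virtual answers the client with a reset.
CONSTRUCTED = """\
16:30:00.000001 IP 172.28.20.20.47600 > 172.28.20.15.80: S 100:100(0) win 5840 in slot1/tmm1 lis=
16:30:00.000050 IP 172.28.20.15.80 > 172.28.20.20.47600: R 0:0(0) ack 101 win 0 out slot1/tmm1 lis=/Common/bar
"""

if __name__ == "__main__":
    for name, t in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(name, audit_reject(t, LTM_LOG, "172.28.20.15:80", {"200.200.200.101:80"}))
```

A `BYPASSED` verdict together with `rule_logged` set to true is the mismatch shown in the post: the log line proves the event ran, not that the connection was refused.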
