Forum Discussion
Stop processing iRule by referencing a variable
I've set a variable in iRule named "stop_rule_processing" and its value is set to 1 if a particular iRule has a hit:
priority 300
when HTTP_REQUEST {
if { [string tolower [HTTP::path]] starts_with "/staging" } {
if { !([matchclass [IP::client_addr] equals IP_private_access])} {
log local0. "Source address [IP::client_addr] not from Private pool, session discarded" } {
discard
set stop_rule_processing 1
}
}
}
The other iRule check if that variable is set to 1 and if it is i want to use "event disable" stop rule processing immediately:
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::path]] {
"/staging*" {
log local0. "PreProd URL detected from [IP::client_addr] , sending to preprod pool"
pool PL-staging-pool
}
"/production*" {
log local0. "Prod URL detected [IP::client_addr] , sending to prod pool"
pool PL-production-pool
}
}
}
However I don't know how to check that variable at the beginning of second rule. I've tried to use multiple syntax versions of "if" command but can't get the syntax right.
- IheartF5_45022Nacreous
You need to ensure the variable is set to 0 if it's not set to 1 - so maybe in CLIENT_ACCEPTED;-
when CLIENT_ACCEPTED { set stop_rule_processing 0 }
Then in your other iRule you just need to say
if {$stop_rule_processing} { event disable return }
- Jasa_74968Nimbostratus
Thanks IheartF5, what I can't figure out is the syntax of how to call on the variable in the second rule that uses switch. I'm ok to change that to if/elseif conditional if that would make it easy, but at the moment I simply don't know how to get my second iRule to parse
- hooleylistCirrostratus
Hi Jasa,
Can you try this? Also, event disable all will stop all future iRule events from triggering for the rest of the connection. The client could continue making additional HTTP requests after the current one and those will not be processed by any iRule. If you only want to skip running the iRule code from the second iRule for that request, you could use just 'return' instead.
Aaron
when HTTP_REQUEST { if {$stop_rule_processing==1}{ event disable all return } switch -glob [string tolower [HTTP::path]] { "/staging*" { log local0. "PreProd URL detected from [IP::client_addr] , sending to preprod pool" pool PL-staging-pool } "/production*" { log local0. "Prod URL detected [IP::client_addr] , sending to prod pool" pool PL-production-pool } } }
- Jasa_74968Nimbostratus
I've tried what you suggested hoolio and the variable gets assigned, but unfortunately it doesn't stop processing in the second rule. I've tried both "return" and "event disable" and the staging pool still gets assigned and clients are given access regardless of where they're coming from.
What I'd like to achieve is filter access to "staging" environment to be allowed only for internal users defined by the address data group.
I thought those two iRules will do the trick, but they aren't.
- hooleylistCirrostratus
Can you try this for your first rule and then add a log statement to your second iRule to see if it is successfully avoided altogether?
priority 300 when HTTP_REQUEST { if { [string tolower [HTTP::path]] starts_with "/staging" } { if { !([matchclass [IP::client_addr] equals IP_private_access])} { log local0. "Source address [IP::client_addr] not from Private pool, session discarded" } { discard event disable all return } } }
Aaron
- Jasa_74968Nimbostratus
Tried that and I get 2 hits in the log: - first one from the "discard" rule (Source address x.x.x.x not from Private pool, session discarded) -second one from the following iRule that assigns pool (Staging URL detected from Client:123.243.180.52 , sending to staging pool) And access to application is unfortunately allowed.
- hooleylistCirrostratus
Just to test can you try reject instead of discard?
Thanks, Aaron
- Jasa_74968Nimbostratus
Tried reject, same entries in the log, same result for the client
- hooleylistCirrostratus
Which LTM version are you running? I did a quick test on 11.4.1 and reject; event disable all, return; works as expected.
Can you open a case with F5 Support on this. It should "just work".
tmsh list ltm rule reject* ltm rule reject_1_rule { when HTTP_REQUEST { if {[HTTP::uri] starts_with "/reject"}{ log local0. "Calling reject" reject event disable all return log local0. "Called reject" } } when HTTP_REQUEST priority 501 { log local0. "Called reject (501)" } } ltm rule reject_2_rule { when HTTP_REQUEST { log local0. "reject_2_rule" } }
/var/log/ltm output showing the second iRule doesn't get triggered:
Mar 31 20:47:30 ve11a info tmm1[8891]: Rule /Common/reject_1_rule : Calling reject Mar 31 20:47:30 ve11a err tmm1[8891]: 01230140:3: RST sent from 10.1.0.120:80 to 10.1.0.111:46397, [0x1776da3:4998] iRule execution (reject command)
If I comment out the return statement in the first iRule, I see the rest of that event executed but not anything from the second iRule. This is expected.
If I comment out the return and event disable all statement in the first iRule, I see the rest of iRule 1 executed as well as the second iRule. This is also expected.
Aaron
- Jasa_74968Nimbostratus
I'll open a case because my code is 11.4.1 HF2 so I'd expect it to work similar as yours. Thanks for all the effort mate.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com