Forum Discussion
hoolio
Cirrostratus
Jun 14, 2007
TCP port logging/decision-making with a FastL4 profile
Hello,
Can someone provide more info on why MCP validation of iRules prevents using TCP:: commands with a forwarding IP virtual server/fastL4 profile?
The reason I ask is that I'd like to g...
hoolio
Cirrostratus
Dec 14, 2007
Hi,
You can use the example workaround from above to get the TCP source and/or destination port, without disabling the MCP validation. The destination port is the port the client made the request to.
when CLIENT_ACCEPTED {
    # log the client IP address:port -> destination IP address:port
    # (each TCP:: command is stored in a variable and run through eval)
    set src_port_cmd TCP::client_port
    set src_port [eval $src_port_cmd]
    set dest_port_cmd TCP::local_port
    set dest_port [eval $dest_port_cmd]
    log local0. "client: [IP::client_addr]:$src_port -> [IP::local_addr]:$dest_port"
    if {$dest_port > 1024} {
        # requested port was over 1024, so drop it
        drop
    } elseif {$dest_port > 100 and $dest_port <= 1024} {
        # port was over 100 and no higher than 1024, so forward the request
        forward
    } else {
        # requested port was 100 or lower, send a RST
        reject
    }
}

Aaron
