For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_18457's avatar
Chris_18457
Icon for Cirrus rankCirrus
Jan 02, 2013

TCP::close, connection clean up

In the iRule I am writing, I have a condition where if too many errors are seen from the client, I want to error back to them and close out of TCP connection using the TCP::close command. Currently, I only issue this command on the clientside, particularly in the CLIENT_DATA section on my iRule.

 

My question is, does the TCP::close command issued on the client, also clean up the connection on the server side as well? Sorry if this is a repeated question, but I searched a number of places on devcentral and could find an answer. Most of the iRule I reference only show it TCP::close action issued on one side and not both. Because our LTM will be in a highly utilized environment, I want to make sure my coding is a clean/efficient as possible.

 

Thanks for the help!

 

application delivery
dev
devops
iRules

1 Reply

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 03, 2013
    in my lab, bigip sends FIN on both sides (client and server side). it is shown at line (1) and (2) in tcpdump when using TCP::close command below. 

    [root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.252:23
   ip protocol 6
   rules myrule
}
[root@ve10:Active] config  b pool foo list
pool foo {
   members 200.200.200.101:23 {}
}
[root@ve10:Active] config  b self 200.200.200.10 list
self 200.200.200.10 {
   netmask 255.255.255.0
   vlan internal
   allow default
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
        TCP::collect 1 0
}
when CLIENT_DATA {
        if { [TCP::payload] eq "z" } {
                TCP::close
                return
        }
        TCP::release
        TCP::collect
}
}

 tcpdump when exiting normally (exit command)

14:56:09.431776 IP 200.200.200.101.23 > 200.200.200.10.60462: FP 216:230(14) ack 81 win 46
14:56:09.431792 IP 200.200.200.10.60462 > 200.200.200.101.23: . ack 231 win 4609
14:56:09.431798 IP 172.28.19.252.23 > 192.168.206.33.60462: FP 216:230(14) ack 81 win 3860
14:56:09.433824 IP 192.168.206.33.60462 > 172.28.19.252.23: . ack 231 win 259
14:56:09.434854 IP 192.168.206.33.60462 > 172.28.19.252.23: F 81:81(0) ack 231 win 259
14:56:09.434868 IP 172.28.19.252.23 > 192.168.206.33.60462: . ack 82 win 3860
14:56:09.434872 IP 200.200.200.10.60462 > 200.200.200.101.23: F 81:81(0) ack 231 win 4609
14:56:09.435837 IP 200.200.200.101.23 > 200.200.200.10.60462: . ack 82 win 46

 tcpdump when using TCP::close (press z)

(1) 14:56:49.971766 IP 200.200.200.10.60464 > 200.200.200.101.23: F 75:75(0) ack 210 win 4589
(2) 14:56:49.971773 IP 172.28.19.252.23 > 192.168.206.33.60464: F 210:210(0) ack 76 win 3855
14:56:49.972820 IP 200.200.200.101.23 > 200.200.200.10.60464: F 210:210(0) ack 76 win 46
14:56:49.972838 IP 200.200.200.10.60464 > 200.200.200.101.23: . ack 211 win 4589
14:56:49.973879 IP 192.168.206.33.60464 > 172.28.19.252.23: . ack 211 win 260
14:56:49.973889 IP 192.168.206.33.60464 > 172.28.19.252.23: F 76:76(0) ack 211 win 260
14:56:49.973899 IP 172.28.19.252.23 > 192.168.206.33.60464: . ack 77 win 3855