Traffic policy not evaluating TCL commands
I've set up a traffic policy to check if a header exists and if it doesn't then to add it. That bit of the logic works, however it doesn't add what I need it to - it basically doesn't evaluate the tcl command I put in.
I've tried it with and without quotes and basically the output I get into the XFF header is the string, so either "tcl:[IP::client_addr]" or just tcl:[IP::client_addr]
    actions {
        0 {
            http-header
            replace
            name X-Forwarded-for
            value \"tcl:[IP::client_addr]\"
        }
    }

or

    actions {
        0 {
            http-header
            replace
            name X-Forwarded-for
            value tcl:[IP::client_addr]
        }
    }

There are good reasons why I am not using the standard Insert XFF in the HTTP profile and whilst it could easily be done by an iRule I really need this to work, as it should do, in a traffic policy.
I am running 11.5.1 HF7
2 Replies
Hi Parknook,
I share your opinion, to not use the HTTP profile "Insert X-Forwarded-For" option, when security is somehow a concern.
But keep in mind that a replace header action is also not the right choice to sanitize every existing instance of X-Forwarded-For from the received HTTP request. The replace action would only modify the last occurrence of X-Forwarded-For but your application may use the first one. So a combination of remove and insert is the most secure syntax you can pull off...

To be able to set those headers with LTM Policies prior to v12, you may pass a [HTTP::header remove "X-Forwarded-For"] and [HTTP::header insert "X-Forwarded-For" [IP::client_addr]] syntax using the TCL policy action. Well, the TCL action is originally not intended to manipulate request information, but works like a charm and also supports a rich TCL substitution...

    ltm policy Insert_X-Forwarded-For {
        requires { http }
        rules {
            Rule1 {
                actions {
                    0 {
                        tcl
                        set-variable
                        expression "[HTTP::header remove \"X-Forwarded-For\"]"
                        name x_forward_for
                    }
                    1 {
                        tcl
                        set-variable
                        expression "[HTTP::header insert \"X-Forwarded-For\" [IP::client_addr]]"
                        name x_forward_for
                    }
                }
                ordinal 1
            }
        }
        strategy first-match
    }

Note: Personally I wouldn't recommend to use a LTM Policy to issue native TCL commands. But if you require a pure LTM Policy based configuration, then this approach would be one of the last options before migrating to v12...
Cheers, Kai
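
The difference between the two approaches in the reply above, as an added example that is not part of the original thread: a plain-Python model (not BIG-IP code; function names, host name and addresses are constructed) of a replace that only touches the last X-Forwarded-For occurrence versus remove followed by insert, and what a backend that trusts the first occurrence sees in each case.

```python
# Added illustration: models the header handling described in the reply.
# It does not run on a BIG-IP; all function names here are hypothetical.

def replace_last(headers, name, value):
    """Model of 'replace' as described in the reply: only the last
    occurrence of the header is overwritten, earlier ones survive."""
    out = list(headers)
    for i in range(len(out) - 1, -1, -1):
        if out[i][0].lower() == name.lower():
            out[i] = (out[i][0], value)
            return out
    # The reply does not cover the no-occurrence case; this model
    # leaves the request unchanged there.
    return out

def remove_then_insert(headers, name, value):
    """Model of the remove + insert pair: drop every occurrence,
    then append exactly one value set by the proxy."""
    out = [(k, v) for k, v in headers if k.lower() != name.lower()]
    out.append((name, value))
    return out

def values(headers, name):
    """All values carried under the given header name, in order."""
    return [v for k, v in headers if k.lower() == name.lower()]

def first_value(headers, name):
    """What a backend sees if it trusts the first occurrence."""
    found = values(headers, name)
    return found[0].split(",")[0].strip() if found else None

# Constructed request: the client sent two X-Forwarded-For headers.
CLIENT_ADDR = "203.0.113.7"  # peer address as seen by the proxy
REQUEST = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "10.0.0.1"),      # client-supplied
    ("X-Forwarded-For", "198.51.100.9"),  # client-supplied
]

if __name__ == "__main__":
    for fn in (replace_last, remove_then_insert):
        result = fn(REQUEST, "X-Forwarded-For", CLIENT_ADDR)
        print(fn.__name__, values(result, "X-Forwarded-For"),
              "-> backend sees", first_value(result, "X-Forwarded-For"))
```

With replace alone the first, client-supplied value is still present and is what a first-occurrence backend reads; with remove followed by insert only the proxy-set address remains.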
