For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Roland00's avatar
Roland00
Icon for Altocumulus rankAltocumulus
Jul 22, 2019

Unset a static variable

We have an iRule that compares the host-header against a list of host names in an internal data-group. The iRule is assigning the data-group to a static variable in RULE_INIT, which leads to some odd...
cjunior's avatar
cjunior
Icon for Nacreous rankNacreous
Jul 22, 2019

Hi,

Are you facing issue on data group values or iRule deployment that not reflect on requests?

In static variable, you are storing the data group name. Maybe I'm wrong, but It don't make sense to not reflect that data group updates as you are checking those values on the fly.

Can you confirm that issue occurs both to a new and existing connections?

Have you tried to log the data group count and values to know what are ready to be matched?

It is just an idea to troubleshooting.

e.g.

when HTTP_REQUEST {  
    log local0. "DG Name: $static::badDomains | DG count: [class size $static::badDomains] | DG items: [class names $static::badDomains]"
}

The unset command make sense when you are defining and using variables and then need to delete it from memory:

when HTTP_REQUEST {
    set myVar "devcentral"
    log local0. "myVar value is: $myVar"
    unset myVar
    if { not [info exists myVar] } {
       log local0. "myVar was deleted"
    }
}

Regards

  • Roland00's avatar
    Roland00
    Icon for Altocumulus rankAltocumulus
    Jul 23, 2019

    Thanks for the response. I'm not sure I understand your first question. If we add a domain to the data-group, we generally see requests for the new 'bad domain' do not match the condition. We see the similar behavior when we remove a 'bad domain'. I assume this is a result of using a static variable which only updates during initiation of the iRule (or unsetting). I don't know the best way to force it to update, though. I've had limited success unassigning the iRule.

     

    I've never used a static before; If I were writing it myself, I would just reference the data-group directly in the 'if' condition. I believe a static was used because the data-group is only modified once a month. Additionally, it is applied to a high volume website so I assume there are some efficiencies in using a static.

     

    I was using curl to test, so I did confirm the behavior occurs with new connections, but I will do some more testing with a log statement similar to what you provided. I wasn't sure the best way to get insight into the data-group and static.

     

    Thanks

    • cjunior's avatar
      cjunior
      Icon for Nacreous rankNacreous
      Jul 24, 2019

      Sorry for the inconvenience.

      The RULE_INIT event is in a global scope, so when you declare a static variable, you are setting it for all contexts. When you update the static variable values, it should affect all running contexts when iRule is updated.

      Working with local variables, usually the old connections will not take the new iRule version and values. So, only the new connections will take the new values and updates.

      Furthermore, It sounds weird to me that you can not read the entries changes on the data group since you are storing the data group name reference to match that list at runtime, right?

       

      See:

      https://clouddocs.f5.com/api/irules/RULE_INIT.html?highlight=rule_init

       

      Regards.