Forum Discussion
Altocumulusweird iRule behaviour UDP/TCP profiles data leak?
Hi guys,
I just noticed something weird. Here are the steps to reproduce this. My version is v11.2.1-HF4.
1) create a standard virtual server on a 'normal' IP, say for port 80
2) use a TCP profile for the VS
3) link the following iRule:
Rule INIT
when RULE_INIT {
set static::log_verbosity 1
set static::log_prefix ""
set ::base_protocol "UDP"
log local0. "Base Protocol: $::base_protocol"
}
All Client Request events
Connection stuff
when CLIENT_ACCEPTED {
set source_port_construct "\[${::base_protocol}::remote_port\]"
set destination_port_construct "\[${::base_protocol}::local_port\]"
eval "set source_port $source_port_construct"
eval "set destination_port $destination_port_construct"
log local0. "Source Port: $source_port ($source_port_construct)"
log local0. "Destination Port: $destination_port ($destination_port_construct)"
}
4) Observe how the /var/log/ltm file shows source and destination ports while the iRule shouldn't even be able to obtain this information since it has no UDP profile.
5) Tell me why this happens :)
Note: I know that the editor tells you that you need a UDP profile if you want to use UDP:: statements, but if you override this using an eval statement, weird things start t happen. It somehow fills the UDP struct with data from a TCP connection.
Why is this done?
Is it simply memory/resource-optimization in such that the fields in UDP:: and TCP:: are mere pointers to another, the same for both, struct in memory?
If this is correct, how would I be able to detect if a TCP or UDP profile is used on the virtual server, using the iRule (this was the goal...)
Kind regards,
Thomas
2 Replies
- nitass
Employee
i do not think it is data leakage.
this is mine.[root@ve10:Active] config b rule myrule list rule myrule { when RULE_INIT { set static::cmd "UDP::client_port" } when CLIENT_ACCEPTED { log local0. "\[IP::client_addr\]:\[TCP::client_port\] [IP::client_addr]:[TCP::client_port]" log local0. "\[IP::client_addr\]:\[eval $static::cmd\] [IP::client_addr]:[eval $static::cmd]" } } [root@ve10:Active] config tail -f /var/log/ltm Mar 20 11:49:00 local/tmm info tmm[4950]: Rule myrule : [IP::client_addr]:[TCP::client_port] 172.28.19.251:44396 Mar 20 11:49:00 local/tmm info tmm[4950]: Rule myrule : [IP::client_addr]:[eval UDP::client_port] 172.28.19.251:44396
how would I be able to detect if a TCP or UDP profile is used on the virtual server, using the iRule (this was the goal...)instead of checking virtual server's profile, may we check from client traffic by using IP::protocol?
IP::protocol wiki
https://devcentral.f5.com/wiki/irules.IP__protocol.ashx 
Thomas_Schocka1Hi nitass,
The idea was to create an iRule which you can hand to a customer to obtain some visibility about his virtual server and its connections, regardless of its configuration.
I'm looking for an explanation why something in the UDP:: struct would be filled out when there is no udp profile attached to the virtual server.
Code-wise I can imagine it is just a reference to an address in memory containing the ports and that this address is the same for the UDP and TCP structs. What I don't get is why the UDP struct is initialized even though there is no UDP profile attached to the virtual server. This would lead me to conclude that unneccesary amounts (however small) of memory are being used for never-used variables. So I was wondering if I could get a confirmation on this, or even better, an explanation of why I'm wrong if I'm wrong. :)
I think that it is the goal of the iRule editor (on F5 or the standalone program) to not let you enter iRules that are invalid. So when I manage to enter something invalid anyways (like referencing UDP:: when there is no UDP profile - something the iRule editor aptly says I cannot do), the last thing I expect to see is that it is actually working, even though it is not a valid statement.
Kind regards,
Thomas
