
Forum Discussion

K-Dubb
7 years ago

Weird iRule issue with short hostname.

I have a use case where I needed to reject connections to port 990 on a VIP if the host comes in as a certain set of values. Since this is not HTTP traffic, I am having to look at the TCP payload. The iRule works perfectly fine in all tested cases except one. If the hostname is 2 letters or less, the connection just hangs up, regardless of whether it is in the datagroup to be rejected or not. Hostnames of 3 letters or longer work fine and are allowed or rejected based on whether they are in the DG or not. I added some logging, and the 2-letter hostname is included in the TCP payload and it looks correct, so I am not sure what the issue is.

For example:

ab.domain.com does not work if the iRule is applied to the VIP, even if it is not in the DG

abc.domain.com works or is rejected as expected, depending on whether it is in the DG or not

abcd.domain.com works or is rejected as expected, depending on whether it is in the DG or not

when CLIENT_ACCEPTED {
    # Buffer client data; CLIENT_DATA only runs once 250 bytes have been collected
    TCP::collect 250
}
when CLIENT_DATA {
    log local0. "TCP payload contains [TCP::payload 250]"
    # Substring match of every FTPSReject data group entry against the collected window
    if { [matchclass [TCP::payload 250] contains FTPSReject] } {
        reject
        log local0. "TCP payload rejected"
    }
    # Hand the buffered bytes on to the server side
    TCP::release
}

4 Replies

  • Hi,

    It seems this iRule is to detect the FTPS host.

    I guess you are trying to detect the Servername TLS extension. If true, there are some existing iRules to extract the exact value... or you can do it with a local traffic policy.

  • JG

    I think that is because there is not enough data for TCP::collect 250 to finish collecting, and the event CLIENT_DATA could not be triggered as a result.

  • K-Dubb

    In case it was not clear above, the resolution to my issue was to change the byte size from 250 to 245.
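A small Python model of the behaviour JG describes and of the 245-byte resolution, added here as an example; it is not code from this thread or from F5. It hand-builds a TLS ClientHello whose size is tuned (with a padding extension as filler) so that a 2-letter host gives 249 bytes and a 3-letter host 250. Those are constructed numbers, not measurements of the poster's clients. It then models TCP::collect as "nothing runs until n bytes are buffered", and contrasts the iRule's substring match over a fixed window with parsing the server_name host out of the ClientHello, which is the exact value the first reply points at. REJECT_HOSTS is a constructed stand-in for the FTPSReject data group.

```python
"""Added example (not from the thread or F5): why 'TCP::collect 250' stalls on
a short ClientHello, and substring matching versus parsing the SNI host."""
import struct

# Constructed stand-in for the FTPSReject data group (not the poster's entries)
REJECT_HOSTS = {"abc.example.com"}


def build_client_hello(hostname: str, padding: int = 156) -> bytes:
    """Hand-build a TLS 1.2 ClientHello record with one SNI entry followed by a
    padding extension (RFC 7685) used purely as filler.  The default padding is
    chosen so a 14-character host yields a 249-byte record; each extra hostname
    character adds one byte.  No real client sends exactly these bytes."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension_type server_name
    pad_ext = struct.pack("!HH", 0x0015, padding) + bytes(padding)  # extension_type padding
    exts = sni_ext + pad_ext
    suites = b"".join(struct.pack("!H", s) for s in
                      (0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8, 0x009C, 0x009D))
    body = (
        b"\x03\x03"                                     # client_version TLS 1.2
        + bytes(32)                                     # random (zeros in this sample)
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                   # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def simulate_collect(payload: bytes, collect_size: int):
    """Model TCP::collect <n>: CLIENT_DATA runs only once n bytes are buffered.
    Returns the buffered window, or None when the client has sent fewer than n
    bytes and is now waiting for a ServerHello that never comes (the hang)."""
    return payload[:collect_size] if len(payload) >= collect_size else None


def extract_sni(record: bytes):
    """Parse the server_name host out of a TLS ClientHello record; None if absent
    or the record is truncated/malformed."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:                          # server_name
                q = p + 2                                # skip server_name_list length
                while q + 3 <= p + elen:
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if hs[q] == 0:                       # host_name entry
                        return hs[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def decide_like_irule(payload: bytes, collect_size: int = 250) -> str:
    """The thread's logic: wait for collect_size bytes, then substring-match
    each data-group entry against that window."""
    window = simulate_collect(payload, collect_size)
    if window is None:
        return "hang"            # CLIENT_DATA never fires: no reject, no TCP::release
    return "reject" if any(h.encode() in window for h in REJECT_HOSTS) else "allow"


def decide_by_sni(payload: bytes) -> str:
    """Exact comparison of the parsed SNI host instead of a substring over a window."""
    return "reject" if extract_sni(payload) in REJECT_HOSTS else "allow"


if __name__ == "__main__":
    for name in ("ab.example.com", "abc.example.com", "abcd.example.com", "xabc.example.com"):
        hello = build_client_hello(name)
        print(f"{name:17} {len(hello)} bytes  collect 250: {decide_like_irule(hello, 250):6}"
              f"  collect 245: {decide_like_irule(hello, 245):6}  by SNI: {decide_by_sni(hello)}")
```

Two things the run makes visible. First, the 249-byte hello never reaches the 250-byte threshold, so the CLIENT_DATA body (reject and TCP::release alike) never executes and the client sits waiting for a ServerHello; lowering the threshold to 245 lets the event fire. Second, `contains` is a substring test: a data-group entry matches any host that merely embeds it (here `xabc.example.com` is rejected by the window match but allowed by the exact SNI comparison), which is the kind of thing the SNI-extracting iRules or a local traffic policy mentioned in the first reply avoid.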