Forum Discussion

Abed_AL-R
Jul 02, 2020

Weird iRules issue

Hi

We have one virtual server with two different iRules that somehow conflict with each other and deny traffic that should not be denied.

The first iRule permits traffic to one URI only for IP addresses that exist in one datagroup.

The second iRule permits traffic to another, different URI only for IP addresses that exist in another, different datagroup.

First iRule:

when CLIENT_ACCEPTED {
    # Connection-scoped flag: evaluated once per TCP connection
    set allowed 0
    if { [class match -- [IP::client_addr] equals Allow_To_uri1] } {
        set allowed 1
    }
}

when HTTP_REQUEST {
    # Only /uri1 is restricted by this iRule
    if { [string tolower [HTTP::uri]] equals "/uri1" } {
        if { ! $allowed } {
            reject
            #log local0. "Blocked client IP: [IP::client_addr] to uri1"
        }
    }
}

The Second iRule:

when CLIENT_ACCEPTED {
    # Connection-scoped flag: same variable name as in the first iRule
    set allowed 0
    if { [class match -- [IP::client_addr] equals Allow_to_uri2] } {
        set allowed 1
    }
}

when HTTP_REQUEST {
    # Only /uri2 is restricted by this iRule
    if { [string tolower [HTTP::uri]] equals "/uri2" } {
        if { ! $allowed } {
            reject
            #log local0. "Blocked client IP: [IP::client_addr] to uri2"
        }
    }
}

The weird issue is that I need to add the permitted IP to both datagroups for both URIs to work! ... Should both datagroups have the same IP addresses?

Why? ......

Those are two different iRules .. two different URIs .. two different datagroups .. why do they impact each other?

We're running LTM v13.1.1.5

Please advise

  • Hello,

    Can you please share the content of your datagroups?

    Also, one thing I would try is changing the $allowed variable to $allowed_for_uri1 in iRule 1 and $allowed_for_uri2 in iRule 2, for example (it seems they shouldn't be shared, but considering the strange behaviour you have).

    • Abed_AL-R

      Hi

      Thanks! Changing the $allowed variable to $allowed_for_uri1 resolved the problem.

      But I'm not sure why they conflict .. This is strange.

        • BLacaze

        Glad it helped.

        In fact, local iRule variables remain present for the length of the TCP connection, as explained here: https://devcentral.f5.com/s/articles/irules-101-03-variables .

        So you might have cases where:

        • CLIENT_ACCEPTED for irule 1 is executed
        • then CLIENT_ACCEPTED for irule 2 is executed (which might modify $allowed)
        • then HTTP_REQUEST for irule 1 is executed, and here you have your mismatch :)
  • I cannot recall where I heard/read this, but different iRules are compiled together when attached to a VIP, so that you effectively have one big virtual iRule processing all the policy together. It'd be nice if you could see that combined policy, but I understand that it is critical to avoid reuse of objects between them if there will be a conflict.
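As an added example (not code from the thread), one way to remove the shared-state problem BLacaze describes above is a single iRule that checks the datagroup on every request instead of caching a flag in CLIENT_ACCEPTED, so no connection-scoped variable can be overwritten by another iRule. The datagroup names are taken from the post; it is assumed they live in the /Common partition.

```tcl
# Added example: consolidates the two per-URI allow lists into one iRule.
# Assumed datagroups (address type): Allow_To_uri1 and Allow_to_uri2.
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so /uri1?x=1 is still matched
    # (HTTP::uri in the original rules would not match it).
    set path [string tolower [HTTP::path]]

    # Map each protected path to the datagroup allowed to reach it.
    # Paths not listed here are not restricted by this iRule.
    switch -- $path {
        /uri1   { set dg "Allow_To_uri1" }
        /uri2   { set dg "Allow_to_uri2" }
        default { return }
    }

    # Evaluate per request; nothing is carried across requests or iRules.
    if { ![class match -- [IP::client_addr] equals $dg] } {
        log local0. "Blocked client IP: [IP::client_addr] to $path (datagroup $dg)"
        reject
    }
}
```

If the two rules must stay separate, the same effect is obtained by giving each its own variable name, as the thread did, or by moving the class match into HTTP_REQUEST so no flag is stored at all.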