Forum Discussion

leozou_80567
Historic F5 Account
Oct 15, 2008

What iRule event would be triggered by a non-TCP/non-UDP/non-SCTP protocol?

Dear All,

We have one virtual server: 0.0.0.0/0, VS type is performance L4, protocol is all protocols. We want to use CLIENT_ACCEPTED to capture the packet's source address to do UIE persistence (enabled across virtual servers).

    when CLIENT_ACCEPTED {
        # Use the client source address as the persistence key
        set client_ip [IP::remote_addr]
        if {$::ms_log} {log local0. " client ip is $client_ip"}
        persist uie $client_ip
    }

We find that UDP/TCP packets trigger this event, but other non-TCP and non-UDP protocols like ICMP do not trigger this event. Does anyone have experience with this? What iRule event would be triggered by a non-TCP/non-UDP/non-SCTP protocol?

Thanks!


  • hoolio
    Cirrostratus
    Hi there,

    I don't know the exact answer, but I believe CLIENT_ACCEPTED is only triggered when a "connection" is added to the connection table. In a quick test on 9.4.5HF2, ICMP through a fastL4 VIP did generate a connection table entry and did trigger the CLIENT_ACCEPTED event. I'm not sure how other protocols are handled, but it looks somewhat promising for you.

    Have you tried testing other protocols and seen an issue?

       
       virtual forwarding_vs {
          snatpool snat_pool
          pool live_gateway_pool
          destination any:any
          mask none
          rules fastl4_logging_rule
          profiles loose_open_close_fastl4
       }
       profile fastL4 loose_open_close_fastl4 {
          defaults from fastL4
          idle timeout 7200
          loose initiation enable
          loose close enable
       }
       rule fastl4_logging_rule {
          when CLIENT_ACCEPTED {
             # Get time for start of connection in milliseconds
             set tcp_start_time [clock clicks -milliseconds]

             # Log the start of a new TCP connection
             log local0. "New connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
          }
          when CLIENT_CLOSED {
             # Log the end time of the TCP connection
             log "Closed connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]\
                (open for: [expr {[clock clicks -milliseconds] - $tcp_start_time}]ms)"
          }
       }
       

    The connection table entry:

    VIRTUAL any:any <-> NODE 100.100.100.100:8 TYPE any

    CLIENTSIDE 10.0.0.1:22143 <-> 100.100.100.100:8

    (pkts,bits) in = (6, 588) out = (0, 0)

    SERVERSIDE 10.1.0.61:22143 <-> 100.100.100.100:8

    (pkts,bits) in = (0, 0) out = (6, 588)

    PROTOCOL icmp UNIT 1 IDLE 302 (7200) LASTHOP 4094 00:01:d7:00:00:0f

    Log output:

    Rule fastl4_logging_rule : New connection from 10.0.0.1:22143 to 100.100.100.100:8

    Aaron
  • leozou_80567
    Historic F5 Account
    Hi Aaron,

    Thanks for your response. ENE did this testing for me; ICMP can trigger the CLIENT_ACCEPTED event. What is different from ENE's testing is:

    ENE can trigger this event with every packet.

    In my test lab, if there is a connection record or persistence record for this ICMP, the ICMP can't trigger the event. After I delete the connection record and persistence record, the ICMP can trigger the event.

    Thanks!