Forum Discussion
X-Fowraded-For with a UDP profile?
Hey, all. I have a request from a customer that they want to see the originating source IP (i.e. not the IP of the VIP) for logs they are receiving. Currently this is setup using a UDP protocol and UDP profile. Can I just use a simple irule to insert the x-forward-for headers into the datagram? I was thinking something like I have below, but for UDP, but there is no "when UDP::request" argument in an irule.
Is there a way to have an irule do this or is there a way without using an irule?
when http_request {
if {[http::header exists X-Fowraded-For]}
http::header replace X-Forwarded-For "[http::header X-Forwaded-For], [IP::client_addr]"
} else {
http::header insert X-Forwaded-For [IP::client_addr]
}
}
Thanks.
In order to have any chance at doing this, you will need to do a stream rewrite or a payload and append operation. Since BigIP doesn't have a protocol parser for UDP, and since Syslog is not a request/response protocol, there are only when CLIENT_DATA events.
You will need to map out the current syslog message format and your rule might look very roughly like:
when CLIENT_DATA {
set sNewMsg "SourceIP:[IP::client_addr]:[UDP::payload]"
UDP::payload replace 0 0 $sNewMsg
}
- Stephen_Anders1Employee
In order to have any chance at doing this, you will need to do a stream rewrite or a payload and append operation. Since BigIP doesn't have a protocol parser for UDP, and since Syslog is not a request/response protocol, there are only when CLIENT_DATA events.
You will need to map out the current syslog message format and your rule might look very roughly like:
when CLIENT_DATA {
set sNewMsg "SourceIP:[IP::client_addr]:[UDP::payload]"
UDP::payload replace 0 0 $sNewMsg
}
- gdoyleCirrostratus
Thank you, this is exactly what I needed for a great starting point.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com