Akshay_SK
Apr 08, 2020

Best practices for usage of table command

I am still quite a newbie at writing iRules. I have written an iRule that performs temporary blocking of IP addresses in case I detect any unusual/malicious content in a request received at my load balancer. To achieve this I have made extensive use of table commands to temporarily store IP addresses for a period of 10 mins to reject traffic being received from these stored IPs. After applying this iRule in Production, I started receiving a peculiar error in syslogs saying:

Pending rule : Connection aborted from clientIP -> destinationIP.

 

As far as I have understood, these errors can be ignored. Also, when trying to get data from a table using its commands, the other cores of the load balancer wait for the response and hence the action on other requests received at that time is delayed, leading the client to close the connection. I wanted to know if there is any other way to avoid the Pending rule being seen in the syslogs. How can I make the table commands work without impacting the performance of my Production environment? Requesting your help in solving this issue as it has been troubling us for quite some days. Also, does TMM memory play an important part in iRules? Can increasing this memory solve my issue?

1 Reply

  • Hello Akshay

     

    I guess you are facing this kind of event:

    "For example, if a client establishes a connection and sends an HTTP request to an affected virtual server, the associated iRule performs a lookup in the HTTP_REQUEST event and waits for the response. While the iRules event is waiting for the response, the client sends an RST to close the connection. When the iRules event finally receives the response and completes its processing, there will be no connection for the iRules event to act upon."

    REF - https://support.f5.com/csp/article/K15415

     

    If it is your case, you can ignore them without problem.

     

    Anyway, I recommend you try this block iRule for your purpose:

    REF - https://devcentral.f5.com/s/articles/iRule-for-Brute-Force-Password-Guessing-Attacks

     

    KR,

    Dario.
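
A minimal sketch of the 10-minute temporary block described in the question, added here as an example; it is not code from either poster or from the linked F5 articles. It does the blocklist lookup once per TCP connection in CLIENT_ACCEPTED rather than on every HTTP request, which reduces the number of points where the iRule suspends on a table command. The subtable name, the 600-second values and the placeholder URI match are assumptions.

```tcl
when RULE_INIT {
    # Assumed names and values: subtable name is hypothetical,
    # 600 s matches the 10-minute block described in the question.
    set static::block_subtable "blocked_ips"
    set static::block_seconds 600
}

when CLIENT_ACCEPTED {
    # One lookup per connection instead of one per HTTP request.
    # -notouch stops the lookup from refreshing the entry's idle timeout,
    # so traffic from a blocked client does not keep the entry alive.
    set client_ip [IP::client_addr]
    if { [table lookup -notouch -subtable $static::block_subtable $client_ip] ne "" } {
        reject
        return
    }
}

when HTTP_REQUEST {
    # Placeholder detection (assumption): replace with the real check
    # for unusual or malicious request content.
    if { [string tolower [HTTP::uri]] contains "/placeholder-bad-pattern" } {
        # table add creates the entry only if it does not already exist.
        # Idle timeout and lifetime are both set, so the entry is removed
        # no later than 600 s after it was created.
        table add -subtable $static::block_subtable $client_ip 1 $static::block_seconds $static::block_seconds
        log local0. "Temporarily blocking $client_ip for $static::block_seconds s"
        reject
        return
    }
}
```

Connections that are already open when an address is added are only caught on their next request that matches the detection check; new connections from that address are rejected at CLIENT_ACCEPTED until the entry expires.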