Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Weird iRules issue

Go to solution
Abed_AL-R
Cirrostratus
Cirrostratus

‎02-Jul-2020 00:23

Hi

 

We have one virtual server that has two different irules that somehow conflict each other and denying traffic that should not be denied.

 

The first iRule is permitting traffic to one URI to only IP addresses exist in one datagroup.

The second iRule is permitting traffic to another and different URI to only IP addresses exist in another and different datagroup.

 

First iRule:

when CLIENT_ACCEPTED {    set allowed 0   if { [class match --  [IP::client_addr]  equals  Allow_To_uri1]      } {      set allowed 1    } } when HTTP_REQUEST { if {  [string tolower [HTTP::uri] ] equals "/uri1"  } { if   { ! $allowed } { reject #log local0.  "Blocked client IP: [IP::client_addr] to uri1]" } } }

 

The Second iRule:

when CLIENT_ACCEPTED {    set allowed 0   if { [class match --  [IP::client_addr]  equals  Allow_to_uri2]      } {      set allowed 1    } } when HTTP_REQUEST { if {  [string tolower [HTTP::uri] ] equals "/uri2"  } { if   { ! $allowed } { reject #log local0.  "Blocked client IP: [IP::client_addr] to uri2]" } } }

 

The weird issue is that I need to add the permitted IP to both datagroups for both URIs two work ! ... both datagroups should have the same IP addresses ?

why ? ......

Those are two different irules .. two diffrenet URIs .. two different datagroup .. why they've impact on each other ?

 

Wer'e Running LTM v13.1.1.5

 

Please advise

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
BLacaze
Altostratus
Altostratus

‎02-Jul-2020 01:23

Hello,

can you please share the content of your datagroups ?

 

Also one thing I would try is change the $allowed variable to $allowed_for_uri1 in irule 1 and $allowed_for_uri2 for irule 2 for example (it seems they shouldn't be shared, but considering the strange behaviour you have).

 

View solution in original post

4 REPLIES 4

Go to solution
BLacaze
Altostratus
Altostratus

‎02-Jul-2020 01:23

Hello,

can you please share the content of your datagroups ?

 

Also one thing I would try is change the $allowed variable to $allowed_for_uri1 in irule 1 and $allowed_for_uri2 for irule 2 for example (it seems they shouldn't be shared, but considering the strange behaviour you have).

 

Go to solution
Abed_AL-R
Cirrostratus
Cirrostratus
In response to BLacaze

‎02-Jul-2020 02:24

Hi

 

Thanks! Changing the $allowed variable to $allowed_for_uri1 resolved the problem.

But I'm not sure why they conflict .. This is strange.

 

0 Kudos

Go to solution
BLacaze
Altostratus
Altostratus
In response to Abed_AL-R

‎02-Jul-2020 02:51

Glad it helped.

In fact, local irules variables remain present for the length of the TCP connection, as explained here: https://devcentral.f5.com/s/articles/irules-101-03-variables .

 

So you might have cases where:

  • CLIENT_ACCEPTED for irule 1 is executed
  • then CLIENT_ACCEPTED for irule 2 is executed (which might modify $allowed)
  • then HTTP_REQUEST for irule 1 is executed, and here you have your mismatch 🙂
0 Kudos

Go to solution
Mark_Gallagher
Altocumulus
Altocumulus

‎02-Jul-2020 08:56

I cannot recall where I heard/read this but different iRules are compiled together when attached to a VIP so that you effectively have one big virtual irule processing all the policy together. It'd be nice if you could see that combined policy but I understand that it is critical to avoid reuse of objects between them if there will be a conflict.

0 Kudos
Copyright © 2022 Khoros, LLC