
Weird iRules issue

Abed_AL-R
Cirrostratus

Hi

We have one virtual server that has two different irules that somehow conflict with each other and deny traffic that should not be denied.

The first iRule permits traffic to one URI only to IP addresses that exist in one datagroup.

The second iRule permits traffic to another, different URI only to IP addresses that exist in another, different datagroup.

 

First iRule:

    when CLIENT_ACCEPTED {
        set allowed 0
        if { [class match -- [IP::client_addr] equals Allow_To_uri1] } {
            set allowed 1
        }
    }
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] equals "/uri1" } {
            if { ! $allowed } {
                reject
                #log local0. "Blocked client IP: [IP::client_addr] to uri1]"
            }
        }
    }

 

The Second iRule:

    when CLIENT_ACCEPTED {
        set allowed 0
        if { [class match -- [IP::client_addr] equals Allow_to_uri2] } {
            set allowed 1
        }
    }
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] equals "/uri2" } {
            if { ! $allowed } {
                reject
                #log local0. "Blocked client IP: [IP::client_addr] to uri2]"
            }
        }
    }

 

The weird issue is that I need to add the permitted IP to both datagroups for both URIs to work! Both datagroups should have the same IP addresses?

Why?

Those are two different irules, two different URIs, two different datagroups. Why do they have an impact on each other?

We're running LTM v13.1.1.5

 

Please advise

1 ACCEPTED SOLUTION

BLacaze
Altostratus

Hello,

can you please share the content of your datagroups ?

 

Also one thing I would try is change the $allowed variable to $allowed_for_uri1 in irule 1 and $allowed_for_uri2 for irule 2 for example (it seems they shouldn't be shared, but considering the strange behaviour you have).

 


Hi

 

Thanks! Changing the $allowed variable to $allowed_for_uri1 resolved the problem.

But I'm not sure why they conflict .. This is strange.

 

Glad it helped.

In fact, local irules variables remain present for the length of the TCP connection, as explained here: https://devcentral.f5.com/s/articles/irules-101-03-variables .

 

So you might have cases where:

  • CLIENT_ACCEPTED for irule 1 is executed
  • then CLIENT_ACCEPTED for irule 2 is executed (which might modify $allowed)
  • then HTTP_REQUEST for irule 1 is executed, and here you have your mismatch 🙂

Mark_Gallagher
Altocumulus

I cannot recall where I heard/read this but different iRules are compiled together when attached to a VIP so that you effectively have one big virtual irule processing all the policy together. It'd be nice if you could see that combined policy but I understand that it is critical to avoid reuse of objects between them if there will be a conflict.
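
The replies above trace the problem to a variable set in CLIENT_ACCEPTED and read later in HTTP_REQUEST, where another iRule on the same virtual server can overwrite it in between. The following is an added example, not code from the thread or from F5: it goes one step beyond the rename fix by doing the data group lookup inside HTTP_REQUEST, so the access decision never depends on a value carried between events. The data group names are the ones from the original post; the variable names `uri` and `dg` are hypothetical.

```tcl
# Added example: one iRule covering both URIs, with no state carried
# from CLIENT_ACCEPTED into HTTP_REQUEST.
# Data groups Allow_To_uri1 and Allow_to_uri2 are taken from the original post.
when HTTP_REQUEST {
    # Same exact, case-insensitive match on the full URI as the original rules.
    set uri [string tolower [HTTP::uri]]

    # Pick the data group that guards this URI. Any other URI is not
    # restricted by this rule, so leave the event handler early.
    switch -- $uri {
        "/uri1" { set dg Allow_To_uri1 }
        "/uri2" { set dg Allow_to_uri2 }
        default { return }
    }

    # Decide per request, from the client address and the selected data
    # group only. Nothing set by an earlier event or by another iRule on
    # this virtual server is consulted.
    if { ![class match -- [IP::client_addr] equals $dg] } {
        log local0. "Blocked client IP: [IP::client_addr] to $uri (not in $dg)"
        reject
    }
}
```

`uri` and `dg` still live in the connection's variable scope, but they are assigned and read inside the same event handler on every request, so a same-named variable in another iRule cannot change the outcome.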