02-Jul-2020 00:23
Hi
We have one virtual server that has two different iRules that somehow conflict with each other and deny traffic that should not be denied.
The first iRule permits traffic to one URI only from IP addresses that exist in one datagroup.
The second iRule permits traffic to another, different URI only from IP addresses that exist in another, different datagroup.
First iRule:
when CLIENT_ACCEPTED {
    # Decide once per TCP connection whether this client is on the allow list for /uri1
    set allowed 0
    if { [class match -- [IP::client_addr] equals Allow_To_uri1] } {
        set allowed 1
    }
}
when HTTP_REQUEST {
    # Only /uri1 is restricted; every other URI passes through untouched
    if { [string tolower [HTTP::uri]] equals "/uri1" } {
        if { ! $allowed } {
            reject
            #log local0. "Blocked client IP: [IP::client_addr] to uri1"
        }
    }
}
The second iRule:
when CLIENT_ACCEPTED {
    # Same pattern as the first rule, but checked against the /uri2 datagroup
    set allowed 0
    if { [class match -- [IP::client_addr] equals Allow_to_uri2] } {
        set allowed 1
    }
}
when HTTP_REQUEST {
    # Only /uri2 is restricted here
    if { [string tolower [HTTP::uri]] equals "/uri2" } {
        if { ! $allowed } {
            reject
            #log local0. "Blocked client IP: [IP::client_addr] to uri2"
        }
    }
}
The weird issue is that I need to add the permitted IP to both datagroups for both URIs to work! ... Both datagroups should have the same IP addresses?
Why? ......
Those are two different iRules .. two different URIs .. two different datagroups .. why do they have an impact on each other?
We're running LTM v13.1.1.5.
Please advise.
02-Jul-2020 01:23
Hello,
Can you please share the content of your datagroups?
Also, one thing I would try is to change the $allowed variable to $allowed_for_uri1 in iRule 1 and $allowed_for_uri2 in iRule 2, for example (it seems they shouldn't be shared, but considering the strange behaviour you have).
02-Jul-2020 02:24
Hi
Thanks! Changing the $allowed variable to $allowed_for_uri1 resolved the problem.
But I'm not sure why they conflict .. this is strange.
02-Jul-2020 02:51
Glad it helped.
In fact, local iRule variables remain present for the length of the TCP connection, as explained here: https://devcentral.f5.com/s/articles/irules-101-03-variables .
So you might have cases where:
02-Jul-2020 08:56
I cannot recall where I heard/read this, but different iRules are compiled together when attached to a VIP, so that you effectively have one big virtual iRule processing all the policy together. It'd be nice if you could see that combined policy, but I understand that it is critical to avoid reuse of objects between them if there will be a conflict.
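Since variables set in CLIENT_ACCEPTED live for the whole TCP connection and are shared by every iRule on the virtual server, the two rules above race to set the same $allowed. The following is an added example (not code from this thread or from F5) that folds both checks into one iRule with no connection-scoped state: the datagroup is chosen and looked up inside HTTP_REQUEST, so nothing from another rule or an earlier request can overwrite the decision. Datagroup names are taken from the original post; the variable name allow_dg is an assumption, and HTTP::path is used instead of HTTP::uri so a query string does not change which rule applies.

```tcl
# Added example: one iRule enforcing both per-URI allow lists without any
# CLIENT_ACCEPTED state, so there is no connection-scoped variable for another
# iRule on the same virtual server to clobber.
when HTTP_REQUEST {
    # Pick the datagroup that governs the requested path. Paths that are not
    # protected are not subject to any allow list and simply fall through.
    switch -- [string tolower [HTTP::path]] {
        "/uri1" { set allow_dg "Allow_To_uri1" }
        "/uri2" { set allow_dg "Allow_to_uri2" }
        default { return }
    }

    # The lookup runs on every request against the datagroup chosen above,
    # so the result cannot be stale from an earlier request on the same
    # connection or from another iRule's CLIENT_ACCEPTED event.
    if { ![class match -- [IP::client_addr] equals $allow_dg] } {
        log local0. "Blocked client [IP::client_addr] to [HTTP::path] (not in $allow_dg)"
        # reject tears down the TCP connection, exactly as the original rules do;
        # any further requests pipelined on that connection go with it.
        reject
        return
    }
}
```

Because allow_dg is reassigned before every use, it is safe even though it is still connection-scoped; a rule that only sets a variable in CLIENT_ACCEPTED and reads it in HTTP_REQUEST does not have that guarantee once a second rule uses the same name.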