Local traffic policies and iRules together

Problem this snippet solves:

Local traffic policies are very useful to define URL-based redirection, virtual servers and pool assignments, host header rewriting...

But some actions can't be done with local traffic policies, and some deployments have both policies and iRules applied on the same VS.

For the HTTP_REQUEST event, policies are executed before iRules. If the policy action is an http-reply redirect, the iRule is still executed, but every HTTP change it attempts (inserting a header, modifying cookies, rewriting the URI) raises a TCL error.

This code detects that policy action, disables the event and exits the iRule.

How to use this snippet:

Import this iRule on the appliance and enable it on the VS (to disable the iRule event), or insert the following line at the top of each iRule assigned to the VS (to exit the current iRule):

if {[POLICY::targets http-reply] } {return}

Because http-reply responds with HTTP/1.0, the TCP connection will be closed after the reply and no other request will be sent to the F5, so the event can be disabled.

Code :

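when HTTP_REQUEST priority 1 {
    # Priority 1 runs this handler before HTTP_REQUEST handlers with a higher priority number (default 500).
    # True when the LTM policy action is an http-reply (redirect).
    if {[POLICY::targets http-reply] } {
        log local0. "LTM Policy action contains redirect. Disabling event"
        # Disable the event and exit the iRule.
        event disable
        return
    }
}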
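
The second option described above (the guard line at the top of each application iRule), shown in context as an added example that is not part of the original snippet. The header, cookie and path names are assumptions chosen for illustration, and the debug log line is an addition to the one-line guard:

```tcl
# Added example: hypothetical application iRule carrying the per-iRule guard.
# "X-Forwarded-Proto", the "debug" cookie and the /old/ -> /new/ paths are
# assumed values, not taken from the original page.
when HTTP_REQUEST priority 500 {
    # The LTM policy has already run at this point. If it answered with an
    # http-reply (redirect), leave this iRule before any HTTP:: change,
    # because each of the changes below would raise a TCL error.
    if { [POLICY::targets http-reply] } {
        # Record which policy and rule produced the reply, for troubleshooting.
        foreach p [POLICY::names matched] {
            log local0.debug "[virtual name]: http-reply from policy $p, rules [POLICY::rules matched $p]; skipping iRule"
        }
        return
    }

    # No http-reply is pending, so the three kinds of change named above are safe.

    # 1. Header insertion: replace any client-supplied value.
    HTTP::header remove "X-Forwarded-Proto"
    HTTP::header insert "X-Forwarded-Proto" "https"

    # 2. Cookie modification: strip a cookie the backend must not see.
    if { [HTTP::cookie exists "debug"] } {
        HTTP::cookie remove "debug"
    }

    # 3. URI rewriting: map the legacy prefix (5 characters) to the new one.
    if { [HTTP::path] starts_with "/old/" } {
        HTTP::uri "/new/[string range [HTTP::uri] 5 end]"
    }
}
```

Unlike the standalone priority 1 iRule, this guard only exits the iRule that contains it, so every iRule on the VS that modifies the request needs its own copy.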

Tested this on version:

11.6
Updated Jun 06, 2023
Version 2.0


4 Comments

  • We had the same issues, but we are also using the 'reset' response option in the LTM policy. This caused all sorts of issues and hideous errors within events that were still trying to run in the HTTP_REQUEST event.

    The 'reset' action logs as 'forward' in the POLICY::targets, so it is not possible to distinguish it from a pool selection.

    I found a workaround, it seems to work fine on 11.6.1 and 12.1.1 but I am not sure if it will cause issues on other versions.

    Adding a set-variable with any name but with the expression

    tcl:[event disable all]
    

    So in the properties I have something like:

    Name          Conditions                            Actions
    reset    http-uri path starts-with /reset        forward reset
                                                     tcl set-variable name iRuleDisable
                                                        expression tcl:[event disable all] 
    

    This will cause all iRule events (usually with a reset only HTTP_REQUEST and CLIENT_CLOSED) to be switched off but if you are resetting the connection that probably makes sense anyway.

  • Can this type of 'direct tcl' using variable assignment work for other commands? Specifically, I need to assign a pool based on the hostname. The forward to pool only allows for the pools that are defined to be used.

    I tried...

    tcl:[pool pool_[substr [string tolower [URI::decode [HTTP::host]]] 0 \".\"]_SSL]

    but it results in the logging of an error:

    Execution of action 'tcl set-variable name=dummy expression=tcl:[pool pool_[substr [string tolower [URI::decode [HTTP::host]]] 0 "."]_SSL]' failed, error ERR_TCL
    
  • Hi - I have a question -

    I have a policy that does a redirect - meaning if URI path is / redirect to /abc

    For the maintenance window I have an iRule that detects the time and should redirect to a maintenance page,

    but the rule gives "Multiple redirect/respond invocations not allowed" -- how can I resolve this - meaning execute this iRule

    set static::start_date "2019-05-05 10:09"
    set static::end_date "2019-05-05 10:10"
    set static::start [clock scan $static::start_date]
    set static::end [clock scan $static::end_date]
    }

    when HTTP_REQUEST timing on {
        set now [clock seconds]
        if { not [class match [IP::client_addr] equals private_net] } {
            if {$now > $static::start and $now < $static::end} {
                HTTP::redirect "http://mytedirect-maintenance"