Forum Discussion

Chris_FP
Feb 09, 2016

Traffic policy not evaluating TCL commands

I've set up a traffic policy to check if a header exists and, if it doesn't, to add it. That bit of the logic works; however, it doesn't add what I need it to. It basically doesn't evaluate the TCL command I put in.

I've tried it with and without quotes, and basically the output I get into the XFF header is the literal string, so either "tcl:[IP::client_addr]" or just tcl:[IP::client_addr]

        actions {
            0 {
                http-header
                replace
                name X-Forwarded-for
                value \"tcl:[IP::client_addr]\"
            }
        }

or actions { 0 { http-header replace name X-Forwarded-for value tcl:[IP::client_addr] } }

There are good reasons why I am not using the standard Insert XFF in the HTTP profile and whilst it could easily be done by an iRule I really need this to work, as it should do, in a traffic policy.

I am running 11.5.1 HF7

2 Replies

  • Prior to BigIP 12.0.0, TCL command substitution was only implemented in two policy actions:

    http-uri rewrite value
    http-reply redirect location
    

    Additional actions were added in BigIP 12.0.0, and documented here

  • Hi Parknook,

    I share your opinion, to not use the HTTP profile "Insert X-Forwarded-For" option, when security is somehow a concern.

    But keep in mind that a "replace" header action is also not the right choice to sanitize every existing instance of X-Forwarded-For from the received HTTP request. The "replace" action would only modify the last occurrence of X-Forwarded-For, but your application may use the first one. So a combination of "remove" and "insert" is the most secure syntax you can pull off...

    To be able to set those headers with LTM Policies prior to v12, you may pass a [HTTP::header remove "X-Forwarded-For"] and [HTTP::header insert "X-Forwarded-For" [IP::client_addr]] syntax using the TCL policy action. Well, the TCL action is originally not intended to manipulate request information, but it works like a charm and also supports a rich TCL substitution...

    ltm policy Insert_X-Forwarded-For {
        requires { http }
        rules {
            Rule1 {
                actions {
                    0 {
                        tcl
                        set-variable
                        expression "[HTTP::header remove \"X-Forwarded-For\"]"
                        name x_forward_for
                    }
                    1 {
                        tcl
                        set-variable
                        expression "[HTTP::header insert \"X-Forwarded-For\" [IP::client_addr]]"
                        name x_forward_for
                    }
                }
                ordinal 1
            }
        }
        strategy first-match
    }
    

    Note: Personally I wouldn't recommend using an LTM Policy to issue native TCL commands. But if you require a pure LTM Policy based configuration, then this approach would be one of the last options before migrating to v12...

    Cheers, Kai
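To illustrate the point Kai makes about "replace" versus "remove" plus "insert", here is an added example that is not part of the thread or of any F5 code: it models the two policy strategies over a constructed request that already carries client-supplied X-Forwarded-For headers and shows what an application that reads the first occurrence would see. It assumes, per the answer above, that "replace" rewrites only the last occurrence (and appends when none exists).

```python
# Added example (not from the thread or from F5): models how the two LTM
# policy strategies described above behave when the received request already
# carries X-Forwarded-For headers. Header names match case-insensitively, as
# HTTP requires. "replace" is assumed to rewrite only the last occurrence and
# to append when the header is absent.

CLIENT_ADDR = "203.0.113.10"  # constructed: the TCP peer address seen by the LTM

# Constructed request: two X-Forwarded-For headers supplied by the client.
CONSTRUCTED_REQUEST = [
    ("Host", "app.example.test"),
    ("X-Forwarded-For", "10.0.0.5"),
    ("X-Forwarded-For", "192.0.2.77"),
    ("User-Agent", "constructed-client/1.0"),
]


def _is_xff(name):
    return name.lower() == "x-forwarded-for"


def replace_last(headers, client_addr):
    """'http-header replace' as described in the answer: only the last
    occurrence is rewritten; if none exists, the header is appended."""
    out = list(headers)
    positions = [i for i, (n, _) in enumerate(out) if _is_xff(n)]
    if positions:
        out[positions[-1]] = ("X-Forwarded-For", client_addr)
    else:
        out.append(("X-Forwarded-For", client_addr))
    return out


def remove_then_insert(headers, client_addr):
    """Kai's recommended combination: strip every occurrence, then insert one."""
    out = [(n, v) for n, v in headers if not _is_xff(n)]
    out.append(("X-Forwarded-For", client_addr))
    return out


def first_xff(headers):
    """What an application that trusts the *first* X-Forwarded-For would use."""
    for n, v in headers:
        if _is_xff(n):
            return v
    return None


if __name__ == "__main__":
    print("replace only       ->", first_xff(replace_last(CONSTRUCTED_REQUEST, CLIENT_ADDR)))
    print("remove then insert ->", first_xff(remove_then_insert(CONSTRUCTED_REQUEST, CLIENT_ADDR)))
```

With "replace" alone the application still sees the untrusted first value; after "remove" plus "insert" exactly one header remains and it carries the client address the LTM observed.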