Forum Discussion

Zuke_254875
Apr 03, 2019

Port range iRule

We have a requirement for a wildcard virtual server and to allow access to the application servers on port range between 30000 and 32768.

When I apply the below iRule, I'm unable to reach the servers.

when CLIENT_ACCEPTED {
    if { [expr [TCP::client_port] < 30000] or [expr [TCP::client_port] > 32768] } {
        reject
    }
}

I'm getting client resets on the pool members when the iRule is applied.

192.168.20.142.53464 > 10.18.142.64.31090: Flags [S], cksum 0xe5ad (incorrect -> 0x12c3), seq 371331784, win 4380, options [mss 1460,nop,nop,TS val 3830442533 ecr 0,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/applicationname-any-vs
17:47:16.391284 IP (tos 0x0, ttl 62, id 26705, offset 0, flags [DF], proto TCP (6), length 40)
10.18.142.64.31090 > 192.168.20.142.53464: Flags [R.], cksum 0x571b (correct), seq 0, ack 371331785, win 0, length 0 in slot1/tmm0 lis=/Common/applicationname-any-vs

As soon as the iRule is removed, traffic connects successfully.

2 Replies

  • Hi Zuke,

    the if command has a built-in implicit expression. No need for the explicit [expr] command.

    when CLIENT_ACCEPTED {
        if { ( [TCP::client_port] < 30000 ) or ( [TCP::client_port] > 32768 ) } then {
            reject
        }
    }
    

    Just for learning purposes the iRules below will work too. But they are more complex and also slower, since you basically pipe the output of the explicit [expr] command (0 or 1) to the implicit expression of the if command...

    when CLIENT_ACCEPTED {
        if { [expr { [TCP::client_port] < 30000 }] or [expr { [TCP::client_port] > 32768 }]} then {
            reject
        }
    }
    when CLIENT_ACCEPTED {
        if { [expr { ( [TCP::client_port] < 30000 ) or ( [TCP::client_port] > 32768 ) }] } then {
            reject
        }
    }
    

    Cheers, Kai

  • In this context, TCP::client_port refers to the ephemeral port that the client system uses to connect to the virtual server. To specify the virtual server's port range, use TCP::local_port instead. Also, "then" is redundant and may cause an error.

    when CLIENT_ACCEPTED {
        if { ( [TCP::local_port] < 30000 ) or ( [TCP::local_port] > 32768 ) } {
            reject
        }
    }
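As an added illustration that is not part of either reply, the plain Tcl script below models the two points made in this thread (Kai's note that if needs no [expr], and the client_port vs local_port distinction) against the connection shown in the question's tcpdump; the procs would_reject and decide and the connection record are assumptions made for the example, since TCP::client_port and TCP::local_port only exist on a BIG-IP.

```tcl
# Added example, not from the thread: a plain-Tcl (tclsh) model of the
# reject decision, run against the connection captured in the question's
# tcpdump (client 192.168.20.142:53464 -> virtual server 10.18.142.64:31090).
# TCP::client_port / TCP::local_port only exist on a BIG-IP, so they are
# replaced here by fields of a constructed connection record.

# Returns 1 if the iRule condition would fire (connection rejected), else 0.
# The condition is written the way Kai suggests: "if" already evaluates its
# argument as an expression, so no [expr] is needed. Standard Tcl spells
# logical OR as "||"; the iRule dialect additionally accepts "or".
proc would_reject {port} {
    if { ( $port < 30000 ) || ( $port > 32768 ) } {
        return 1
    }
    return 0
}

# Run the check against one named field of a connection record and return
# "reject" or "allow", so both variants can be compared side by side.
proc decide {conn field} {
    set port [dict get $conn $field]
    return [expr {[would_reject $port] ? "reject" : "allow"}]
}

# Constructed connection record holding the values from the tcpdump.
set conn [dict create \
    client_addr 192.168.20.142  client_port 53464 \
    local_addr  10.18.142.64    local_port  31090]

# Checking the client's ephemeral port (what the first iRules did): 53464 is
# above 32768, so the client is reset. Linux allocates ephemeral ports from
# 32768-60999 by default, so nearly every client fails this check.
puts "client_port [dict get $conn client_port]: [decide $conn client_port]"

# Checking the port the client connected to on the virtual server (the
# corrected iRule): 31090 lies inside 30000-32768, so the traffic is allowed.
puts "local_port  [dict get $conn local_port]: [decide $conn local_port]"
```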