rwendt_291390
Sep 22, 2016Nimbostratus
Solved
How do i send an ICMP Dest port unreachable on an irule?
I have a ip forwarding virtual server that is supposed to reject packets not in my defined datagroup server_pools destined for a subset of the virtual servers we have. This functionality is working. ...
- Sep 24, 2016
It appears (on 12.1.1, at least) that the behavior of the
command differs based on whether address translation is enabled. When it is, as I say, an ICMP Port Unreachable message is returned (for UDP traffic). When it is disabled, the behavior you see occurs.reject
There is no way to send a specific, explicit ICMP response from an iRule. However, a "Reject" type server will send an ICMP Port Unreachable in any case. So, you could create a "Reject" virtual server that is bound to no VLAN:
ltm virtual vs-reject { destination 0.0.0.0:any mask any profiles { fastL4 { } } reject source 0.0.0.0/0 translate-address enabled translate-port enabled vlans-enabled vs-index 6 }
Then, in your iRule, instead of using
, forward rejects to this VS:reject
when CLIENT_ACCEPTED { if { ![class match [IP::client_addr] equals server_pools] }{ virtual vs-reject } }
(Notice that the explicit
branch is unnecessary because the VS type is already Forwarding). For me, this produces an identical result for classicforward
(using UDP segments bound for random high-numbered ports), which you appear to be testing here.traceroute