Forum Discussion

ChristianD_1412
Nov 22, 2012

Collect client IP header to write to payload

Hello all.

We have a request to restrict user account access based on the IP from which they come. While this could usually be addressed at the network layer, or even a somewhat simple iRule, it will be very high maintenance and the application team has indicated they can easily manage it from the app side.

I haven't found anything that will collect the IP header akin to TCP::collect, though we log that data today with:

    when SERVER_CONNECTED {
        # Logs the client-side and SNAT'd server-side addresses/ports once the server connection is up
        log local0.info "Client Source [IP::client_addr], Port [TCP::client_port], SNAT [IP::local_addr], PORT [TCP::local_port], Server [IP::server_addr], Port [TCP::server_port]"
    }

The question is: Can we collect IP header information and write to the payload in a similar method as TCP::collect, or is acquiring this information only doable via parsing the log?

If the former, I don't readily see the mechanism to collect that information and get it set to rewrite the TCP payload. Additionally, this is only to be done on the initial connection. We don't need to rewrite on every packet.

Some knowns:

- We use SNAT and that cannot change, else that'd be easy.
- It's TCP over 443.
- There is no LB decision that needs to be made based on this.

So is it possible to collect this information in this regard? I'm not an iRule guru by any stretch, so your collective assistance is appreciated.

Thanks in advance.

 

5 Replies

  • If the app team just want the original source IP address and this is HTTPS being terminated on the F5, I'd recommend the simple solution of inserting an XFF header containing the original client source IP address. But you're gonna tell me we can't right?
  • [IP::client_addr] is accessible in the CLIENT_ACCEPTED event, so you have the client's source on first TCP connection. Are you talking about injecting the IP information into the TCP packet? If so, does the application have a way of retrieving this information?

    The TCP::options command allows you to read/write into the options block of a TCP header.

    https://devcentral.f5.com/wiki/iRules.TCP__option.ashx

  • The app will eventually. They're writing it now. And yes, that's what I'm referring to. Unfortunately I can't test this in our QA environment yet as we're still on 9.x. And more unfortunately we're soon to migrate only to 10.2.1, so based on that document (which I think I've looked at some time ago for a different reason) I can't set the options.
  • All is not lost perhaps. Depending on the protocol, you may be able to insert the IP information into the application data via binary manipulation.
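The first reply's suggestion (insert an XFF header) combined with the second reply's point that [IP::client_addr] is available in CLIENT_ACCEPTED, written out as an added iRule example; this is not code from the thread. It assumes the 443 virtual server has a client SSL profile and an HTTP profile so HTTP events fire, and that the app trusts the header only because the BIG-IP strips anything the client sent before inserting its own value.

```tcl
# Added example, not from the original thread. Assumes HTTPS is terminated on
# the BIG-IP (client SSL + HTTP profile) so HTTP_REQUEST fires on the decrypted
# stream. Because the pool members are SNAT'd, this header is the only place the
# application can see the real client address.

when CLIENT_ACCEPTED {
    # Captured once per TCP connection, matching the poster's requirement that
    # the address only needs to be taken from the initial connection.
    set client_ip [IP::client_addr]
}

when HTTP_REQUEST {
    # Any client can send its own X-Forwarded-For. Remove it so the application
    # never sees a client-supplied value and only receives the address the BIG-IP
    # observed on the TCP connection. This is what lets the app side safely
    # enforce the per-account IP restriction.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" $client_ip
}
```

On the application side, treat a request without the header, or one that did not arrive from the BIG-IP's SNAT range, as having no trusted client address rather than falling back to the socket peer.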