Bug ID 424383: drop command allows packet through before tearing down the flow

Last Modified: Oct 06, 2020


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:

Fixed In:
11.3.0 HF8

Opened: Jul 02, 2013
Severity: 2-Critical
Related AskF5 Article:


Packets from an iRule that uses the [drop] command pass through to the other side of the connection.


For stateless/message-based protocols (UDP, SIP), or given a mid-connection call to drop (HTTP_REQUEST, for example), the drop command passes data before tearing down the protocol control block. Depending on the application, this can be dangerous. In the case of a stateful protocol (TCP, SCTP) using the drop command in CLIENT_ACCEPTED, the next segment will result in a RST packet or ABORT chunk, so there is less impact.


An iRule calls drop.



Fix Information

Add a temporary flag to note that the connection has been asynchronously aborted, and avoid delivering the packet when this is set.
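
The behavior and the fix described above, as a simplified Python model added here for illustration; it is not F5 code. The `Flow` class, its deferred-teardown queue, the `block_admin` rule and the sample payloads are all assumptions constructed for this example.

```python
from collections import deque

class Flow:
    """Toy model of one proxied flow (hypothetical, not TMM internals)."""
    def __init__(self, rule, fixed):
        self.rule = rule            # callable(flow, payload); stands in for the iRule event
        self.fixed = fixed          # True models the behavior after the fix
        self.abort_pending = False  # the "temporary flag" from Fix Information
        self.torn_down = False
        self.deferred = deque()     # work that runs after the current packet is handled
        self.delivered = []         # payloads that reached the other side

    def drop(self):
        # Teardown is asynchronous: it is queued, not performed immediately.
        self.deferred.append(self._teardown)
        if self.fixed:
            self.abort_pending = True

    def _teardown(self):
        self.torn_down = True
        self.abort_pending = False

    def receive(self, payload):
        if self.torn_down:
            return "no-flow"
        self.rule(self, payload)
        # Without the flag, nothing stops the packet that triggered drop.
        if self.abort_pending:
            result = "dropped"
        else:
            self.delivered.append(payload)
            result = "forwarded"
        while self.deferred:
            self.deferred.popleft()()
        return result

def block_admin(flow, payload):
    # Constructed rule: drop any message that mentions /admin.
    if b"/admin" in payload:
        flow.drop()

def run(fixed):
    flow = Flow(block_admin, fixed)
    packets = (b"GET /index", b"GET /admin", b"GET /index")  # constructed sample input
    return [flow.receive(p) for p in packets], flow.delivered

if __name__ == "__main__":
    print("before fix:", run(False))
    print("after fix: ", run(True))
```

In the pre-fix run the payload that caused the drop still appears in `delivered`, which is the exposure the record describes for message-based protocols and mid-connection events.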

Behavior Change