Bug ID 424383: drop command allows packet through before tearing down the flow

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:

Fixed In:
11.3.0 HF8

Opened: Jul 02, 2013

Severity: 2-Critical

Related Article: K14590


Symptoms

Packets from an iRule that uses the [drop] command pass through to the other side of the connection.

Impact

For stateless/message-based protocols (UDP, SIP), or given a mid-connection call to drop (HTTP_REQUEST, for example), this passes data before tearing down the protocol control block. Depending on the application, this can be dangerous. In the case of a stateful protocol (TCP, SCTP) using the drop command in CLIENT_ACCEPTED, the next segment will result in a RST packet or ABORT chunk, so there is less impact.

Conditions

An iRule calls drop.



Fix Information

Add a temporary flag to note that the connection has been asynchronously aborted, and avoid delivering the packet when this is set.
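
A simplified model of the behavior and the fix described above, added here as an example and not F5's code: the flow structure, the function names and the deferred-teardown step are all hypothetical. It shows the packet that triggered drop reaching the other side when only the teardown is deferred, and being withheld once an aborted flag is checked before delivery.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical flow state; a model, not F5's data structures. */
struct flow {
    bool teardown_pending; /* drop requested, teardown not yet run */
    bool aborted;          /* temporary flag introduced by the fix */
    bool closed;           /* protocol control block torn down */
    size_t forwarded;      /* packets delivered to the other side */
};

/* Stand-in for an iRule event that calls drop: the abort is asynchronous. */
static void rule_calls_drop(struct flow *f, bool with_fix) {
    f->teardown_pending = true;
    if (with_fix) f->aborted = true;
}

/* Teardown runs only after the current packet has been handled. */
static void run_deferred_teardown(struct flow *f) {
    if (f->teardown_pending) {
        f->closed = true;
        f->teardown_pending = false;
        f->aborted = false; /* the flag is temporary */
    }
}

/* Returns true if the packet was delivered to the other side. */
static bool process_packet(struct flow *f, bool rule_drops, bool with_fix) {
    if (f->closed) return false;
    if (rule_drops) rule_calls_drop(f, with_fix);
    bool deliver = !f->aborted; /* without the fix nothing blocks delivery */
    if (deliver) f->forwarded++;
    run_deferred_teardown(f);
    return deliver;
}

/* Packet 1 triggers drop; packet 2 arrives after the teardown. */
size_t packets_delivered(bool with_fix) {
    struct flow f = {0};
    process_packet(&f, true, with_fix);
    process_packet(&f, false, with_fix);
    return f.forwarded;
}

int main(void) {
    printf("before fix: %zu, after fix: %zu\n",
           packets_delivered(false), packets_delivered(true));
    return 0;
}
```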

Behavior Change
