Bug ID 527885: DOSL7::enable with profile requires full path but is not validated

Last Modified: Jun 10, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Opened: Jun 14, 2015
Severity: 4-Minor

Symptoms

When using an iRule with the DOSL7::enable command and supplying a DoS profile as argument, the full path must be used. However, there is no configuration validation to support the requirement. This causes the following log message to appear repeatedly in /var/log/tmm*: notice CONF|NTCE|dosl7_update_application_conf_external:0769|could not find conf for profile crc 2884018011, name dos_profile The log message appears for every relevant request, so depending on the iRule, it might fill the log.

Impact

-- Traffic does not go through the profile specified in the iRule. -- Flooding of log messages in /var/log/tmm*. -- There is no validation to prevent the incorrect syntax.

Conditions

-- Use the DOSL7::enable iRule command. -- Supply a DoS profile without the profile's full path.

Workaround

Supply the profile name with its full path when using the DOSL7::enable iRule command, for example: Use this syntax: -- DOSL7::enable /Common/dos_profile Not this syntax: -- DOSL7::enable dos_profile The syntax that you use to write iRules is based on the Tool Command Language (Tcl) programming standard. Thus, you can use many of the standard Tcl commands, plus a robust set of extensions that Local Traffic Manager provides to help you further increase load balancing efficiency. Important: When referencing an object within an iRule, you must include the full path name of the object. Examples are: HTTP::class select /Common/$asm_class and set file [ ifile get "/Common/ifileURL" ]. For example: 'DOSL7::enable /Common/dos_profile' is valid, while 'DOSL7::enable dos_profile' is invalid.

Fix Information

None

Behavior Change