Bug ID 597621: MCP validation may incorrectly allow you to configure a packet filter rule that TMM does not support

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Fixed In:
13.0.0

Opened: Jun 06, 2016
Severity: 3-Major
Related Article:
K03745530

Symptoms

The Master Control Program Daemon (MCPD) validation may incorrectly allow you to configure a packet filter rule that the Traffic Management Microkernel (TMM) does not support. As a result of this issue, you may encounter one or more of the following symptoms: -- An affected packet filter configuration is saved without error or warning. -- The affected packet filter configuration appears normally when viewed in the tmsh utility or the Configuration utility. -- The affected packet filter rule is not enforced.

Impact

Packet filter rules are not enforced as they are represented in the configuration.

Conditions

This issue occurs when you configure a packet filter rule that uses an expression or filter definition that results in a Berkley Packet Filter (BPF) code loop. The MCPD is not as strict as TMM and will allow you to save a packet filter rule that is dropped by TMM. The affected packet filter configuration appears normally when you view it using the Traffic Management Shell (tmsh) or the Configuration utility. However, TMM silently rejects the filter and the rule is never triggered. For example, ip6 protochain 6 is a valid pcap expression accepted by MCP. However, TMM silently rejects the filter and the rule is never triggered because it results in a BPF code loop.

Workaround

There is no workaround for this issue. However, you may be able to mitigate this issue by ensuring that your packet filter rules use expressions or definitions that do not result in a loop, and also test configured packet filter rules to ensure that they are being enforced as expected. Impact of mitigation: The impact of the suggested mitigation depends on the specific environment. F5 recommends that you test any such changes during a maintenance window and consider the possible impact on your specific environment.

Fix Information

In this release, when a packet filter definition results in a loop, or another unsupported expression, the system posts a message similar to the following: 01070087:3: Packet filter rule '/Common/protochain': This filter expression is not supported.

Behavior Change