Last Modified: Nov 07, 2022
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.4, 11.6.5, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 12.1.6 (the four-part point-release entries in this list were garbled in extraction into IP-address-like strings and are omitted)
Opened: Jun 06, 2016
Severity: 3-Major
Related Article: K03745530
The Master Control Program Daemon (MCPD) validation may incorrectly allow you to configure a packet filter rule that the Traffic Management Microkernel (TMM) does not support. As a result of this issue, you may encounter one or more of the following symptoms:
-- An affected packet filter configuration is saved without error or warning.
-- The affected packet filter configuration appears normally when viewed in the tmsh utility or the Configuration utility.
-- The affected packet filter rule is not enforced.
Packet filter rules are not enforced as they are represented in the configuration.
This issue occurs when you configure a packet filter rule whose expression or filter definition compiles to Berkeley Packet Filter (BPF) code that contains a loop (a backward jump). MCPD validation is less strict than TMM: it accepts any expression the pcap compiler accepts, so the rule is saved and appears normally when you view it using the Traffic Management Shell (tmsh) or the Configuration utility. TMM, however, refuses to load a BPF program that loops, and it does so silently, so the rule is never triggered. For example, ip6 protochain 6 is a valid pcap expression that MCPD accepts, but the BPF code it generates contains a loop, so TMM rejects the filter and the rule never matches any traffic.
There is no workaround for this issue. You may be able to mitigate it by writing packet filter rules only with expressions or definitions that do not compile to a BPF loop (for example, avoiding the protochain primitive), and by testing each configured packet filter rule with real traffic to confirm that it is actually being enforced rather than trusting that it was saved without error. Impact of mitigation: The impact of the suggested mitigation depends on the specific environment. F5 recommends that you test any such changes during a maintenance window and consider the possible impact on your specific environment.
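The failure described above is that MCPD accepts whatever the pcap compiler produces, while TMM applies the stricter rules a classic-BPF loader enforces. The following is an added example, not F5 code and not part of the original article: a small validator that applies those loader rules (every jump must land forward and inside the program, and the program must end in a return) to BPF bytecode in the `{ code, jt, jf, k }` format that `tcpdump -dd` prints. Running a candidate filter expression through `tcpdump -dd '<expression>'` and then through this check is one way to catch a looping program before it is saved to a BIG-IP, independent of the fix in the release noted below. The two sample programs are constructed inline: the first has the shape `tcpdump -dd ip6` emits for an Ethernet link, the second is a hand-built program with a wrapped-around JA offset that forms a loop (it is not the literal output for `ip6 protochain 6`, which is longer).

```python
import re

# Classic BPF instruction class lives in the low three bits of the opcode;
# the jump sub-op lives in the high nibble. Only the values needed here.
BPF_CLASS_MASK = 0x07
BPF_OP_MASK = 0xF0
BPF_JMP = 0x05
BPF_RET = 0x06
BPF_JA = 0x00

# Matches one instruction in `tcpdump -dd` output: { 0x28, 0, 0, 0x0000000c },
_INSN_RE = re.compile(
    r"\{\s*0x([0-9a-fA-F]+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*0x([0-9a-fA-F]+)\s*\}"
)


def parse_dd(text):
    """Parse `tcpdump -dd` style text into a list of (code, jt, jf, k) tuples."""
    insns = []
    for m in _INSN_RE.finditer(text):
        code, jt, jf, k = m.groups()
        insns.append((int(code, 16), int(jt), int(jf), int(k, 16)))
    return insns


def validate_bpf(insns):
    """Return (ok, reason) for a classic-BPF program.

    Applies the checks a strict loader applies before accepting a program:
    - an unconditional jump (JA) must land strictly after the current
      instruction and inside the program; a backward jump is a loop
    - conditional jump targets (jt/jf are unsigned forward offsets) must be
      inside the program
    - the last instruction must be a RET
    """
    n = len(insns)
    if n == 0:
        return False, "empty program"
    for i, (code, jt, jf, k) in enumerate(insns):
        if code & BPF_CLASS_MASK != BPF_JMP:
            continue
        if code & BPF_OP_MASK == BPF_JA:
            # JA target is pc + 1 + k with 32-bit wraparound, so a "negative"
            # k such as 0xffffffff wraps into a backward jump.
            target = (i + 1 + k) & 0xFFFFFFFF
            if target <= i:
                return False, f"insn {i}: backward jump (loop) to insn {target}"
            if target >= n:
                return False, f"insn {i}: jump target {target} out of range"
        else:
            for off in (jt, jf):
                if i + 1 + off >= n:
                    return False, f"insn {i}: conditional jump target {i + 1 + off} out of range"
    if insns[-1][0] & BPF_CLASS_MASK != BPF_RET:
        return False, "program does not end in RET"
    return True, "ok"


# Constructed sample: the program shape `tcpdump -dd ip6` produces on Ethernet
# (load ethertype at offset 12, compare with 0x86dd, accept or drop).
IP6_PROGRAM = """
{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 1, 0x000086dd },
{ 0x6, 0, 0, 0x00040000 },
{ 0x6, 0, 0, 0x00000000 },
"""

# Constructed sample: a hand-built program whose JA offset wraps around to
# the same instruction, i.e. a BPF code loop of the kind TMM rejects.
LOOP_PROGRAM = """
{ 0x28, 0, 0, 0x0000000c },
{ 0x5, 0, 0, 0xffffffff },
{ 0x6, 0, 0, 0x00000000 },
"""


def check_text(text):
    """Convenience wrapper: parse and validate in one call."""
    return validate_bpf(parse_dd(text))


if __name__ == "__main__":
    for name, prog in (("ip6", IP6_PROGRAM), ("loop", LOOP_PROGRAM)):
        ok, reason = check_text(prog)
        print(f"{name}: {'accepted' if ok else 'REJECTED'} ({reason})")
```

In practice you would pipe `tcpdump -dd '<your expression>'` into `parse_dd` and refuse to deploy any rule for which `validate_bpf` returns `False`; the reason string tells you which instruction introduces the loop or out-of-range jump.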
In this release, when a packet filter definition results in a BPF loop or otherwise uses an expression TMM does not support, the configuration is rejected and the system posts a message similar to the following: 01070087:3: Packet filter rule '/Common/protochain': This filter expression is not supported.