Bug ID 917833: When 'dos.wl_match_mode_include' is set to true, 0.0.0.0 must be specified in the address field.

Last Modified: Dec 20, 2023

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2

Opened: Jun 15, 2020

Severity: 3-Major

Symptoms

Adding a whitelist entry, or enabling the 'dos.wl_match_mode_include' variable, fails if a whitelist entry exists with a blank value for the address field. This occurs because a blank address field in a whitelist entry includes all IPv4 and all IPv6 addresses, but setting the db variable to 'true' is supported only for matching IPv4 addresses.

Impact

The whitelist configuration fails. This is working as designed. The system might report messages:
-- 'transaction failed:"" Invalid address format'. This message indicates that "" (blank, which is how it processes the default value of :: (::/0 IPv6)) is not a valid format.
-- 'transaction failed:01071dc5:3: Extended white list entries may not contain IPv6 addresses when db variable dos.wl_match_mode_include is set to true'. This message explains that IPv6 addresses are not supported by the 'dos.wl_match_mode_include' db variable.

Conditions

-- Enabling the 'dos.wl_match_mode_include' variable.
-- Whitelist entry exists with a blank value for the address field.

Workaround

To match on all supported IP addresses, manually specify all IPv4 addresses in the field using '0.0.0.0'.
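A pre-flight check for the conditions above, as an added example that is not F5 code: it flags whitelist entries whose address field is blank or IPv6 before 'dos.wl_match_mode_include' is enabled. It assumes the address field values have already been exported as strings keyed by entry name; the entry names, function names and sample values are hypothetical.

```python
import ipaddress

# Reasons, keyed to the two messages quoted in the Impact section.
BLANK = "blank address (processed as ::/0): 'Invalid address format'"
IPV6 = "IPv6 address: rejected with 01071dc5 while dos.wl_match_mode_include is true"
UNPARSEABLE = "not an IPv4 or IPv6 address or prefix"


def check_entry(address):
    """Return None if the address field is IPv4, else the reason it is a problem."""
    value = (address or "").strip()
    if not value:
        return BLANK
    try:
        # strict=False accepts a host address written with a prefix length.
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return UNPARSEABLE
    return IPV6 if net.version == 6 else None


def preflight(entries):
    """entries: {entry_name: address_field}. Return {entry_name: reason} for problem entries."""
    problems = {}
    for name, address in entries.items():
        reason = check_entry(address)
        if reason:
            problems[name] = reason
    return problems


# Constructed sample data, not taken from a real device.
SAMPLE = {
    "wl_all": "",                # blank: must be changed to 0.0.0.0
    "wl_all_v4": "0.0.0.0",      # the workaround value
    "wl_office": "192.0.2.0/24",
    "wl_v6": "2001:db8::/32",
}

if __name__ == "__main__":
    for name, reason in preflight(SAMPLE).items():
        print(f"{name}: {reason}")
```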

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips