reject

Description¶

Causes the connection to be rejected, returning a reset as appropriate for the protocol. Subsequent code in the current event in the current iRule or other iRules on the VS are still executed prior to the reset being sent.

If the VS is using FastHTTP, reject commands will not work, at least under 11.3.0.

Syntax¶

reject

reject¶

Causes the connection to be rejected, returning a reset as appropriate for the protocol. In the case of TCP, the client will receive a TCP segment with the RST bit set. In the case of UDP, an ICMP unreachable message will be generated.
The system connection table entry associated with the flow is also removed.
Subsequent code in the current event is still executed prior to the reset being sent. If there are other iRules with the same event, those event(s) will also be executed. See the second example below for details.

Examples¶

when CLIENT_ACCEPTED {
  if { [TCP::local_port] != 443 }{
    reject
  }
}

Example showing how code in a second iRule in the same event will still execute after reject is called

# Rule 1 on VS1
when HTTP_REQUEST priority 100 {
   # This event in this iRule runs first
   reject
   log local0. "Rejecting this request"
}
# Rule 2 on VS1
when HTTP_REQUEST priority 200 {
   # This event in this iRule runs second
   log local0. "This will still execute"
}

Example showing how code in a second iRule in the same event can be prevented from executing after reject is called

# Rule 1 on VS1
when HTTP_REQUEST priority 100 {
   # This event in this iRule runs first
   reject
   log local0. "rejected"

   # Disable future events in this or any other iRule on the virtual server
   event disable all

   # Exit this event of this iRule immediately
   return

   # This never gets executed
   log local0. "not hit"
}

# Rule 2 on VS1
when HTTP_REQUEST priority 200 {
   # This event in this iRule runs second but won't be executed
   log local0. "This will still execute"
}

Related Information¶

Related Commands:

drop - drops the packet silently and removes the connection entry

UDP::drop - drops the UDP packet, without removing the connection entry

Valid Events:

ALL_EVENTS, GLOBAL_GTM

Warning

The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.

Sample Code:

Access Control Based On Network Or Host - This iRule allows administrators to allow or deny access to a virtual server based IP/networks and ports. This particular example is designed for use with an IP forwarding virtual server co…
Client Cert Request by URI with OCSP Checking - Request a client SSL certificate by URI and validate it using OCSP
Client Certificate CN Checking - These iRules will check the presented client certificate for a valid CN. allowing or rejecting
Client Certificate Request by URI with OCSP Checking (v10.1 - v10.2.x) - Request a client SSL certificate by URI and validate it using OCSP for v10.1 - 10.2.x
How To Avoid SSL Handshake When No Pool Member Available - Rejects connection before handshake if no pool members are available
Limit Connections From Client - Limit the number of TCP connections to a virtual server from client IP addresses.
Path Traversal Detection - This iRule tries to detect all Path Traversal attempts against web sites in query string parameters
virtual server connection rate limit with tables - Limit the rate of connections to a virtual server to prevent overloading of pool members

Introduced: BIGIP-9.0.0
Introduced: GTM-9.2.2

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.