Forum Discussion
Douglas_Wilson_
Nimbostratus
NimbostratusApplying rules to Real Media Streams
I'm tossing this out here as a last ditch attempt --
We'd love to be able to filter real media files that are requested through an F5 using rules, but can't figure out a way to do it.
The more granular http rules don't work because this is not HTTP.
The tcp_content rules don't work, because the first few packets exchanged in the Real Media Session are negotiation between the client and the server, and don't include the file name. So the only thing I can think of is trying to come up with a rule that ignores the beginning of the session, and then grabs the file name. I have no idea if this is even possible with the 4.x ruleset. We can't deploy v 9.x for a while for this system (and even then, I don't know if it is possible).
If anyone has any experience with anything like this, suggestions would be appreciated.
Doug
- A cut'n'paste from chapter 5 of the reference guide:
"An accumulate statement terminates rules processing until another another packet containing additional data is received from the originating client. This statement is useful with the http_content and tcp_content rule variables, when not enough data has been received to be successfully evaluated. For information on these rule variables, see Variables."
I've never tested it with real networks stuff, but I'd be surprised if some combination of tcp_content, tcp_bytes_collected, and the accumulate statement wouldn't do what you want.
As a matter of practice, if you have several files you want to include, I'd add them to their own "allowedRealStreamFiles" class and do something like the (untested) following:assumption: you want an deny what's not allowed approach for streams b class allowedRealStreamFiles '{ "test1.ra" "test2.ram" "zzz.ra" }' replace the 3600 with something from testing b rule realMediaFilter { if(tcp_content contains one of allowedRealStreamFiles) { use pool outboundgateways } else if(tcp_bytes_collected < 3600) { accumulate } else { discard } }
Or something like that. . .I don't have easy access to a real server.
Good luck!
--Brad 
Douglas_Wilson_sorry to follow up so late -- but thanks a bunch! I got pulled of onto other projects, but we are going to test this in our lab now. I'll let you know how it turns out.
Doug- After re-reading my response, I became worried I wasn't explanatory enough.
3600 was an arbitrarily chosen number to illustrate the concept of using an accumulator. When you do your testing, you'll need to run tcpdumps concurrently and tweak the number appropriately (it'll probably be significantly smaller) based on the format of the Real (tm) client request.
Sorry if I wasn't clear enough before. - Douglas_Wilson_understood -- we have packet captures in our environment we are basing it on. I'll let you know how it turns out (lab time is hard to get).
Doug
