For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

aschi's avatar
aschi
Icon for Nimbostratus rankNimbostratus
Dec 01, 2015

Assign a Pool regarding to the Destination Port.

I need to assign a Pool regarding to the Destination Port. I found different Solutions and would like to ask what the best solution would be.

 

Solution1:

 

when CLIENT_ACCEPTED {

 

if { [TCP::local_port] < 30000 or [TCP::local_port] > 30050} {

 

pool Poola

 

if { [TCP::local_port] eq 22} {

 

pool Poolb

 

}

 

} else { drop }

 

}

 

If I could specify a Pool like pool_[TCP::local_port] for each of the Ports between 30000 and 30050 than I wouldn't have to use nested if. But I have to specify 50 different Pools. Is there a way to optimize this?

 

Solution2:

 

when CLIENT_ACCEPTED {

 

switch [TCP::local_port] {

 

"30000" { pool Poola }

 

...

 

...

 

"30050" { pool Poola }

 

"22" { pool Poolb }

 

default { drop }

 

}

 

}

 

Would it be possibe to use a Portrange in solution 2 that I don't have to add 50 lines for each Port?

 

In my Optinion is Solution1 the one I should go for. Best Regards, Roger

 

application delivery
iRules
LTM

4 Replies

  • Vik_K_236702's avatar
    Vik_K_236702
    Historic F5 Account
    Dec 01, 2015

    Hi Roger

     

    Do you have 50 pools for ( one on each port in the range) on that particular URL ?

     

    Also in the first solution, wouldn't it just redirect to one pool instead of 50 different ones. Moreover I guess you need a pool for 30000-30050 , the statement is like <30000 or >30050 . I guess it should rather be >30000 or <30050 ( or whatever port range you need )

     

    The first solution is idle if you have one pool for that range of ports between 30000-30050. Or else your would need the switch case or if else if statements to accomplish this.

     

    Regards, Vikram Khatri

     

  • aschi's avatar
    aschi
    Icon for Nimbostratus rankNimbostratus
    Dec 02, 2015

    No, i just have one Pool for all of These Ports.

     

    Yes, you're right. >30000 or <30050 correct. I made a mistake.

     

    I just thought there's maybe a better Solution then if else if.

     

    Best Regards, Roger

     

  • Vik_K_236702's avatar
    Vik_K_236702
    Historic F5 Account
    Dec 02, 2015

    Hi Roger

     

    If that is the case , the switch case would be too vague for you. If , else if statement suits you better I would say. Even a while command doesn't match your situation here.

     

    Basically what we are doing here is checking if the port is in our interested port range A, then assign pool A or else if its equal to our desired port B, assign Pool B.

     

    When both the conditions don't match, we don't want the LTM to process the request so we give a final result of drop for everything else. ( using an else statement ).

     

    However lets see if we can get a better solution for this :) .

     

    Cheers! Vikram (Vik )

     

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Dec 02, 2015

    Hi Aschi,

    using ">30000 or <30050" will cause every single port to trigger, since port :1 would be lower than :30050 and port :65535 would be higher than 30000. The problem is caused by the "OR" operator which requires "at least one" of the expression to be "true" to trigger the desired action...

    The right snipped for your task would make use of an "AND" operator...

    if { ( [TCP::local_port] > 30000 ) and ( [TCP::local_port] < 30050 ) } then {
    pool poola
} elseif { [TCP::local_port] == 22 } then {
    pool poolb
} else {
    drop
}

    By doing so, the port must be above :30000 AND below :30050 to trigger the desired action. Furthermore "elseif" is your friend to chain several independent expressions in a single "If" command.

    Cheers, Kai