Forum Discussion
8 Replies
- nitass (Employee)
CLIENT_ACCEPTED is triggered when the connection is established. If the connection is already established, it won't work.
Another method is to keep collecting/releasing payload (e.g. TCP::collect/TCP::release), check the client IP against a data group, and then drop/reject the connection when it matches. A data group is needed because you can add/modify/remove IPs in the data group without changing the iRule. As you may know, a configuration change does not affect existing connections.
sol13253: Configuration changes to local traffic objects do not affect existing connections
- Robert_47833 (Altostratus)
Yeah, I know a configuration change doesn't affect existing connections, but a datagroup in an iRule can work around this. tcp:collect/tcp:release? Does it affect performance? I assume tcp::collect only collects payload in layer 7 or in layer 4 (not sure), not the IP address, which is located in layer 3.
- nitass_89166 (Noctilucent)
> tcp:collect/tcp:release?

e.g.
configuration

```
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:22
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 5
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:22 {
            address 200.200.200.101
        }
    }
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal blacklist
ltm data-group internal blacklist {
    type ip
}
root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        log local0. "\[class get blacklist\]=[class get blacklist]"
    }
    when CLIENT_DATA {
        log local0. "\[class get blacklist\]=[class get blacklist]"
        if { [class match -- [IP::client_addr] equals blacklist] } {
            log local0. "reject"
            reject
            return
        }
        TCP::release
        TCP::collect
    }
    when SERVER_CONNECTED {
        log local0. ""
        clientside { TCP::collect }
    }
}
```

/var/log/ltm

```
[root@ve11c:Active:In Sync] config tail -f /var/log/ltm
May 8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux :
May 8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:15 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:16 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:18 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:20 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:21 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:21 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:22 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=
May 8 16:28:28 ve11c info tmm[15145]: Rule /Common/qux : [class get blacklist]=192.168.206.0/23 {}
May 8 16:28:28 ve11c info tmm[15145]: Rule /Common/qux : reject
```
> does it affect performance?

nothing has no impact. 🙂
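A variant of the approach nitass describes and demonstrates above, written as an added example rather than nitass's own rule: it checks the data group both when a connection is accepted and on every subsequent client payload, so an address added to the data group after setup still cuts off the established connection. It assumes an internal data group of type ip named `blacklist`, as in the configuration above.

```tcl
# Added example (not the rule from the post): enforce the IP data group
# "blacklist" (assumed name, type ip) against new and already established
# TCP connections. A data group edit takes effect on the next client
# payload because the rule keeps re-arming TCP::collect.
when CLIENT_ACCEPTED {
    # Fires once, at connection setup: catches clients that are already
    # listed when they connect.
    if { [class match -- [IP::client_addr] equals blacklist] } {
        log local0. "blacklist: rejecting new connection from [IP::client_addr]"
        reject
        return
    }
    # Start collecting so that every later client payload raises CLIENT_DATA.
    TCP::collect
}
when CLIENT_DATA {
    # Fires for each collected client payload on the established connection,
    # so the data group is re-evaluated without any configuration reload.
    if { [class match -- [IP::client_addr] equals blacklist] } {
        log local0. "blacklist: rejecting established connection from [IP::client_addr] ([TCP::payload length] bytes pending)"
        reject
        return
    }
    # Pass the buffered bytes on to the server, then arm the next collect.
    TCP::release
    TCP::collect
}
```

Only client-to-server payload re-triggers the check, so a connection on which the client stays idle is not torn down until the client next sends. The cost is one data group lookup per client payload event, which is the performance trade-off asked about above.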
- Robert_47833 (Altostratus)
Ha, I don't understand this, need time to pick it up.