Ege_Sargin_2638
Nov 24, 2011

Diameter_AVP

Dear Experts, we'd like to add an iRule for the Diameter responses that are received from diameter_server.

The iRule should drop the packet by checking the field in the Diameter_Result_Code AVP. For instance, if the value of the Diameter_Result_Code AVP is 4011, then the packet should be dropped and not sent to Diameter_Client. Otherwise F5 should forward the packet.

Can that be done by defining a Diameter iRule?

Thanks/Ege

  • This is not applicable for CEA message.

    [root@ve1100:Active] config  tmsh
    root@ve1100(Active)(/Common)(tmos) show sys version
    
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.0.0
      Build    8131.0
      Edition  Hotfix HF1
      Date     Tue Oct  4 18:28:31 PDT 2011
    
    root@ve1100(Active)(/Common)(tmos) list ltm virtual vs_scapv2
    ltm virtual vs_scapv2 {
        destination 172.28.19.252:3868
        ip-protocol tcp
        mask 255.255.255.255
        pool diameter_pool
        profiles {
            diameter { }
            mblb { }
            tcp { }
        }
        rules {
            myrule
        }
        snat automap
        vlans-disabled
    }
    root@ve1100(Active)(/Common)(tmos) list ltm pool diameter_pool
    ltm pool diameter_pool {
        members {
            200.200.200.101:3868 {
                address 200.200.200.101
            }
        }
    }
    
    root@ve1100(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when DIAMETER_INGRESS {
            if {[DIAMETER::is_response]} {
                    log local0. "[IP::remote_addr]:[TCP::remote_port]>[IP::local_addr]:[TCP::local_port]|[DIAMETER::result]"
                    switch [DIAMETER::result] {
                            4011 { DIAMETER::drop }
                    }
            }
    }
    
    when DIAMETER_EGRESS {
            if {[DIAMETER::is_response]} {
                    log local0. "[IP::local_addr]:[TCP::local_port]>[IP::remote_addr]:[TCP::remote_port]|[DIAMETER::result]"
            }
    }
    }
    
    [root@ve1100:Active] config  tail -f /var/log/ltm
    Nov 25 11:24:37 tmm info tmm[5633]: Rule /Common/myrule : 200.200.200.101:3868>200.200.200.11:51479|2001
    Nov 25 11:24:37 tmm info tmm[5633]: Rule /Common/myrule : 172.28.19.252:3868>172.28.19.251:51479|2001
    
    [root@ve1100:Active] config  tail -f /var/log/ltm
    Nov 25 11:27:14 tmm info tmm[5633]: Rule /Common/myrule : 200.200.200.101:3868>200.200.200.11:51480|4011
    Nov 25 11:27:15 tmm info tmm[5633]: Rule /Common/myrule : 200.200.200.101:3868>200.200.200.11:51480|4011
    Nov 25 11:27:16 tmm info tmm[5633]: Rule /Common/myrule : 200.200.200.101:3868>200.200.200.11:51480|4011
    
    
  • This is the TCP::collect version. I did not test it in v10 but I think it could be okay.

    This version is also applied to CEA; anyway, I have not found a command to silently drop the CCA message.

    root@ve1100(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when SERVER_CONNECTED {
            TCP::collect
    }
    
    when SERVER_DATA {
            binary scan [TCP::payload] II a b
            set comcode [expr {$b & 0xffffff}]
            set mlen [expr {$a & 0xffffff}]
            set rflag [expr {($b >> 31)&1}]
    
            if { !($rflag) } {
                    switch $comcode {
                            280 -
                            282 { }
                            default {
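                                    # AVPs start after the 20-byte Diameter header
                                    set index 20
                                    # default so the check below does not fail when no Result-Code AVP is present
                                    set result 0
                                    while {$index < $mlen} {
                                            binary scan [TCP::payload $mlen] @${index}II avp_code avp_len
                                            set avp_len [expr {$avp_len & 0xffffff}]
                                            # an AVP is never shorter than its 8-byte header; stop on a bad length
                                            if {$avp_len < 8} { break }
                                            set avp_len_pad [expr {(($avp_len + 3)/4)*4}]
                                            if {$avp_code == 268} {
                                                    # Result-Code value follows the 8-byte AVP header
                                                    binary scan [TCP::payload $mlen] @[expr {$index + 8}]I result
                                                    break
                                            }
                                            incr index $avp_len_pad
                                    }
                                    if {$result == 4011} {
                                            reject
                                            return
                                    }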
                            }
                    }
            }
    
            TCP::release
            TCP::collect
    }
    }
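The AVP walk that the TCP::collect rule above performs, as an added Python example that is not part of the thread and is not F5 code. It goes beyond the rule by also handling the vendor (V) flag, bad AVP lengths, and several or incomplete messages in one buffer; all function names and the sample bytes are constructed for illustration.

```python
import struct

HDR_LEN = 20        # fixed Diameter header: version/length, flags/command, app id, hop-by-hop, end-to-end
RESULT_CODE = 268   # Result-Code AVP code, the same value the iRule matches on

def find_result(message):
    """Walk the AVPs of one complete message; return the Result-Code or None."""
    idx = HDR_LEN
    while idx + 8 <= len(message):
        code, word = struct.unpack_from("!II", message, idx)
        alen, vendor = word & 0xFFFFFF, (word >> 24) & 0x80  # V flag adds a 4-byte Vendor-Id
        hdr = 12 if vendor else 8
        if alen < hdr or idx + alen > len(message):
            return None                     # bad length: stop instead of looping forever
        if code == RESULT_CODE and not vendor and alen == hdr + 4:
            return struct.unpack_from("!I", message, idx + hdr)[0]
        idx += (alen + 3) // 4 * 4          # AVPs are padded to a 4-byte boundary
    return None

def result_codes(stream):
    """Return [(command_code, result_code)] for every complete answer in a byte stream."""
    out, pos = [], 0
    while len(stream) - pos >= HDR_LEN:
        a, b = struct.unpack_from("!II", stream, pos)
        mlen, cmd, is_request = a & 0xFFFFFF, b & 0xFFFFFF, b >> 31
        if mlen < HDR_LEN or pos + mlen > len(stream):
            break                           # malformed or incomplete: wait for more bytes
        if not is_request:
            out.append((cmd, find_result(stream[pos:pos + mlen])))
        pos += mlen
    return out

# --- constructed sample data (not captured traffic) ---
def avp(code, data, flags=0x40):
    length = 8 + len(data)
    return struct.pack("!II", code, (flags << 24) | length) + data + b"\x00" * (-length % 4)

def build_msg(cmd, avps, request=False):
    body = b"".join(avps)
    first = (1 << 24) | (HDR_LEN + len(body))
    return struct.pack("!IIIII", first, ((0x80 if request else 0) << 24) | cmd, 0, 1, 1) + body

def rc(value):
    return avp(RESULT_CODE, struct.pack("!I", value))

SAMPLE = (build_msg(272, [avp(263, b"s;1"), rc(2001)])     # answer, padded Session-Id first
          + build_msg(272, [rc(4011)], request=True)       # request: skipped
          + build_msg(272, [avp(263, b"s;1"), rc(4011)]))  # answer carrying 4011

if __name__ == "__main__":
    for cmd, result in result_codes(SAMPLE):
        print(cmd, result, "drop" if result == 4011 else "forward")
```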