Insert host name in TCP data
Hello,
We have a scenario where a mainframe is sending transactional data (TCP) to F5 that needs to have a host name inserted into it. The problem is that even an iRule or a local policy is not making it work.
VS is set to standard.
I have a sample pcap below, and it shows that F5, with or without iRule/policy, is not forwarding the traffic to the pool members --
Below is the sample iRule --
    when CLIENT_ACCEPTED {
        TCP::collect 32
    }
    when CLIENT_DATA {
        [TCP::payload 32] insert "Host" "xxxx.yyyy.zzzz"
        TCP::release
    }
Sample Policy --
Conditions
TCP address matches 'mainframe_ip_add' at client accepted time.
Actions
Insert HTTP Header named 'Host' with value 'xxxx.yyyy.zzzz' at request time.
My questions are:
- How is F5 handling the TCP payload? Is it possible to insert a host name into TCP data?
- Is there any other way to get this host name inserted?
- Why is F5 not doing a TCP 3-way handshake to the backend servers?
Will appreciate any help!
Thank you.
Darwin
2 Replies
- drteeth_127330
Historic F5 Account
This feature has been requested several times and will be added to a subsequent version of the product. However, you can enforce the limit using iRules. I would prefer that you attempt to write the rule first, and I will help if you get stuck. You can use the session command to add an entry in the session table for each client IP. The session table will automatically expire old entries if you specify a timeout. If the limit is exceeded, you can reject the connection. Hope this helps.
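The session-table approach described in the reply above, as an added example that is not part of the original thread and is not F5's own code. It assumes BIG-IP v10.1 or later, where the `table` command gives access to the session table; the limit of 10, the 180-second lifetime and the 60-second refresh interval are illustrative values.

```tcl
# Added example: per-client-IP connection limit kept in the session table.
# Assumes BIG-IP v10.1+ (table command); all numeric values are illustrative.
when CLIENT_ACCEPTED {
    set max_conns 10
    set counted 0
    # One subtable per client IP, one entry per live connection.
    set tbl "connlimit:[IP::client_addr]"
    set key "[TCP::client_port]"

    # Count the live entries for this client. The count-then-set below is
    # not atomic, so the limit can be briefly exceeded under a burst of
    # simultaneous connects.
    if { [table keys -subtable $tbl -count] >= $max_conns } {
        log local0. "Client [IP::client_addr] has too many connections"
        reject
        return
    }

    # The entry expires on its own after 180 s of not being touched, so a
    # connection that never reaches CLIENT_CLOSED cannot pin the counter.
    table set -subtable $tbl $key 1 180
    set counted 1

    # Touch the entry every 60 s while the connection stays open.
    set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
}

when CLIENT_CLOSED {
    # Only connections that were actually counted remove an entry, so a
    # rejected connection does not lower the count.
    if { [info exists counted] && $counted } {
        after cancel $timer
        table delete -subtable $tbl $key
    }
}
```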
- kanokwut_thanad
Nimbostratus
drteeh,
- drteeth_127330
Historic F5 Account
- unRuleY_95363
Historic F5 Account
Here is a sample rule that uses cookies to track a given client and limit the total number of clients to 50. This rule uses a Tcl array to track the current clients:
    rule session_limit {
        when RULE_INIT {
            array set ::active_sessions { }
            set ::total_active_clients 0
            set ::max_active_clients 50
        }
        when HTTP_REQUEST {
            if { not [info exists client_id] } {
                if { [HTTP::cookie exists "ClientID"] } {
                    set client_id [HTTP::cookie "ClientID"]
                    set need_cookie 0
                } else {
                    set client_id [string range [AES::key 128] 8 end]
                    set need_cookie 1
                }
                if { not [info exists ::active_sessions($client_id)] } {
                    if { $::total_active_clients >= $::max_active_clients } {
                        HTTP::redirect "http://yoursiteisdown.com/"
                        return
                    }
                    incr ::total_active_clients
                    set ::active_sessions($client_id) 1
                } else {
                    incr ::active_sessions($client_id)
                }
            }
        }
        when HTTP_RESPONSE {
            if { $need_cookie } {
                HTTP::cookie insert name "ClientID" value $client_id
                set need_cookie 0
            }
        }
        when CLIENT_CLOSED {
            if { [info exists client_id] and [info exists ::active_sessions($client_id)] } {
                incr ::active_sessions($client_id) -1
                if { $::active_sessions($client_id) <= 0 } {
                    unset ::active_sessions($client_id)
                    incr ::total_active_clients -1
                }
            }
        }
    }
    rule session_limit {
        when RULE_INIT {
            array set ::active_clients { }
        }
        when CLIENT_ACCEPTED {
            set client_ip [IP::remote_addr]
            if { [info exists $::active_clients($client_ip)] and $::active_clients($client_ip) > 10 } {
                log "Client $client_ip has too many connections"
                reject
                return
            }
            incr ::active_clients($client_ip)
        }
        when CLIENT_CLOSED {
            if { [info exists ::active_clients($client_ip)] } {
                incr ::active_clients($client_ip) -1
                if { $::active_clients($client_ip) <= 0 } {
                    unset ::active_clients($client_ip)
                }
            }
        }
    }
- hirox_127495
Historic F5 Account
This code will work on 9.0.4...
    when RULE_INIT {
        array set ::active_clients { }
        log local0. "phase1"
    }
    when CLIENT_ACCEPTED {
        set client_ip [IP::remote_addr]
        if { [info exists ::active_clients($client_ip)] } {
            if {$::active_clients($client_ip) > 10 } {
                log "Client $client_ip has too many connections"
                reject
                return
            } else {
                log local0. "$::active_clients($client_ip)"
                incr ::active_clients($client_ip)
            }
        } else {
            set ::active_clients($client_ip) 1
        }
    }
    when CLIENT_CLOSED {
        if { [info exists ::active_clients($client_ip)] } {
            incr ::active_clients($client_ip) -1
            if { $::active_clients($client_ip) <= 0 } {
                unset ::active_clients($client_ip)
            }
        }
    }