Forum Discussion
MikeM_44778
Nimbostratus
Jan 19, 2007
FTP iRule
Here's a fun one . . . Is it possible to set up 2 FTP nodes behind a single VIP and have iRules forward users to their correct server based on username to the FTP site? For example, say I wanted to forward usernames that begin with A - L to FTP node1 and M - Z to Node2.
3 Replies
- Greg_Phillips_3
Nimbostratus
Hi,
I'm trying to do something similar in that I want to grab the uid and write it to a logfile. In playing w/your example when using the CLIENT_ACCEPTED statement I am not able to connect at all (ie it hangs w/out prompting for login). Any idea why? I am currently doing a SERVER_CONNECTED statement to log the src IP address as the pool is SNAT'd but I wanted to also grab the uid for the log as well.
Here's the rule:
*I've changed CLIENT_ACCEPTED to CLIENT_DATA and am just trying to get it to write a line to the log acknowledging that it read a USER string.
```tcl
# Log the client address and the SNAT mapping once the server-side connection exists
when SERVER_CONNECTED {
    log local0. "FTP connection from [IP::client_addr]:[TCP::client_port]. \
        Mapped to [serverside {IP::local_addr}]:[serverside {TCP::local_port}] \
        -> [IP::server_addr]:[serverside {TCP::remote_port}]"
}
when CLIENT_DATA {
    TCP::collect 100
    # Look for an FTP "USER <name>" command in the collected payload
    set user [regexp -inline {(?:USER\ )(\S+)} [TCP::payload]]
    if {[string length $user] > 0} {
        log local0. "If statement true"
        TCP::release
    }
}
```
Here's what gets logged:
Jan 25 19:50:10 tmm tmm[1011]: Rule log_ftp_connections_gp-test : FTP connection from clientIP:3693. Mapped to Big/IP IP:3693 -> Pool Member IP:21
For some reason CLIENT_DATA is never true although after I login via ftp I do several directory changes and listings.
thanks
Greg
- Greg_Phillips_3
Nimbostratus
Thanks Colin,
I'd tried placing the TCP::collect in the SERVER_CONNECTED function but my login hung unless it had a small value (I think 10 or less) but CLIENT_DATA still didn't seem to become "true". I will try it again though and repost my iRule. I have a scenario where the pool is SNAT'd and I want to give my customer the source IP which is done via logging but I also want to give them the login ID if possible.
Thanks,
-Greg
- jake_55327
Nimbostratus
Has anyone been able to parse the FTP traffic? I have the same requirement as the original post - 2 FTP nodes behind a single VIP and have iRules forward users to their correct server based on username to the FTP site? For example, say I wanted to forward usernames that begin with A - L to FTP node1 and M - Z to Node2.
I have tried Colin's iRule but with no luck. It would appear that the FTP server needs to respond to the client and request the username before the client sends it. If the iRule is collecting the data then the FTP server has never sent the request for username. Is there any way to have the iRule simulate this and then pass the collected traffic to the correct node?
Thanks
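
The ordering problem raised in the last post (FTP servers speak first, so a proxy that only collects never sees USER), modelled as an added Python example; it is not iRule code and not from any poster in this thread. The node names, the proxy's banner text and the `ControlChannel` class are hypothetical, USER is assumed to be the client's first command, and only the control channel is covered.

```python
import re

NODE1, NODE2 = "node1", "node2"      # hypothetical names for the thread's two FTP nodes
BANNER = b"220 FTP proxy ready\r\n"  # constructed greeting sent by the proxy itself
USER_RE = re.compile(rb"^USER +(\S+)\r\n", re.IGNORECASE)
FINAL_220 = re.compile(rb"(?:^|\r\n)220 [^\r\n]*\r\n")  # last line of a 220 reply


def pick_node(username):
    """A-L -> node1, everything else (M-Z in the thread) -> node2."""
    return NODE1 if "a" <= username[:1].lower() <= "l" else NODE2


class ControlChannel:
    """State for one client control connection passing through the proxy."""

    def __init__(self):
        self.client_buf = b""
        self.server_buf = b""
        self.node = None             # chosen once USER has been seen
        self.banner_dropped = False  # backend's own 220 not yet swallowed

    def on_client_connect(self):
        # The client waits for a 220 before sending USER, so the proxy greets
        # it itself; collecting silently is what makes the login hang.
        return BANNER

    def on_client_data(self, data):
        """Return (node, bytes_to_forward); node is None while still buffering."""
        if self.node is not None:
            return self.node, data   # already routed: pass through
        self.client_buf += data
        m = USER_RE.match(self.client_buf)
        if m is None:
            # Bound the buffer and reject anything that is not a USER line.
            if b"\r\n" in self.client_buf or len(self.client_buf) > 512:
                raise ValueError("first command is not a USER line")
            return None, b""         # USER line incomplete: keep collecting
        self.node = pick_node(m.group(1).decode("ascii", "replace"))
        held, self.client_buf = self.client_buf, b""
        return self.node, held       # release the held USER command

    def on_server_data(self, data):
        """Return bytes for the client, minus the backend's duplicate 220."""
        if self.banner_dropped:
            return data
        self.server_buf += data
        m = FINAL_220.search(self.server_buf)
        if m is None:
            return b""               # greeting (possibly multi-line) incomplete
        self.banner_dropped = True
        rest, self.server_buf = self.server_buf[m.end():], b""
        return rest
```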