For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Peter_Wohlers_7's avatar
Peter_Wohlers_7
Icon for Nimbostratus rankNimbostratus
Dec 28, 2006

hash persistence based on source ip network

We have an application that requires persistence, but causes the client to initiate two near-simultaneous connections.

 

 

Initially I tried using a persistence profile:

 

 

profile persist source_slash24 {

 

defaults from source_addr

 

mask 255.255.255.0

 

}

 

 

The use of a /24 was necessary, because it seems that a significant number of our customers/readers are coming from proxies and will appear with slightly different source ip addresses.

 

 

However, the persistence records don't really get set properly because the second connection often gets initiated before the completion of the first connection.

 

 

So, I'm thinking about using an irule to set hash persistence, but instead of something simple like:

 

 

rule persnickety_application {

 

when HTTP_REQUEST {

 

pool temperamentalapplication_servers

 

set key [crc32 [IP::remote_addr]]

 

persist hash $key

 

}

 

}

 

 

which would work, were it not for the prevalence of proxies used in europe/aol, etc...

 

 

Is there a way to create a hash key for a source network, like a /24?

 

 

Any input greatly appreciated.

 

 

Thanks,

 

Peter

 

 

application delivery
dev
devops
iRules

3 Replies

  • Peter_Wohlers_7's avatar
    Peter_Wohlers_7
    Icon for Nimbostratus rankNimbostratus
    Dec 28, 2006
    I've come up with something that looks like it might work:

     

     

    rule persnickety_application {

     

    when HTTP_REQUEST {

     

    set first [ getfield [IP::remote_addr] "." 1]

     

    set second [ getfield [IP::remote_addr] "." 2 ]

     

    set third [ getfield [IP::remote_addr] "." 3 ]

     

    pool temperamental_servers

     

    set client_net [ crc32 [ concat $first $second $third ] ]

     

    persist hash $client_net

     

    }

     

    }

     

     

    but is there a way to consolidate the three getfield operations into a single stroke?

     

     

    Thoughts on how well this might work?

     

     

    Thanks,

     

    Peter
  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    Dec 29, 2006
    Hi Peter -

    Try this:
    scan [IP::remote_addr] "%u.%u.%u.%u" first second third fourth

    HTH

    /deb
  • Peter_Wohlers_7's avatar
    Peter_Wohlers_7
    Icon for Nimbostratus rankNimbostratus
    Jan 02, 2007
    This worked beautifully!

     

     

    Here's the final iteration of the rule:

     

     

    rule persnickety_application {

     

    when HTTP_REQUEST {

     

    scan [IP::client_addr] "%u.%u.%u.%u" first second third fourth

     

    pool temperamental_servers

     

    set client_net [ crc32 [ concat $first $second $third ] ]

     

    persist hash $client_net

     

    }

     

    }

     

     

     

    It almost seems like a better way to do source address/network persistence since it doesn't rely upon the completion of an initial connection in order to fix a destination member server. Same network/host will always go to the same destination pool member.

     

     

    Thanks again,

     

    Peter