Chuck_Adkins_13
Sep 25, 2006

Hash persistence using iRule

We have an application that requires two connections to be made to the same member. The pool has 150+ members with several "instances" of each server on each node. I need to persist the second connection to the same member as the original. Our connections are static - so once the second connection is persisted - I have no need for the persistence record.

We have some customers behind NATs and I want to minimize the chance that they all get stuck to the same node. I was hoping to use an iRule to play games with the persistence table. When I use the rule below I can see new persist records getting created - but all connections from the same source go to the same member - instead of getting spread.

Here is my VIP


virtual vip1{
   destination 1.1.1.1:https
   mirror enable
   ip protocol tcp
   profile fastL4
   persist hash
   pool test-ssl
   rule TestRule
}

and the rule


when RULE_INIT {
    # initialize global variable for counting active ssl clients
    array set ::active_sslclients { }
    set ::MAX_PER_CLIENT_IP 6
    log local0. "ssl_vip_rule.RULE_INIT: Initialized active_sslclients global variable"
}

when CLIENT_ACCEPTED {
    set client_ip [IP::remote_addr]

    # increment the count of active ssl clients for the given client ip address
    if { [info exists ::active_sslclients($client_ip)] and $::active_sslclients($client_ip) >= 0 } {
        incr ::active_sslclients($client_ip)
    } else {
        set ::active_sslclients($client_ip) 1
    }

    log local0. "ssl_vip_rule.CLIENT_ACCEPTED: client ip - $client_ip,  active ssl connections - $::active_sslclients($client_ip) using MAX $::MAX_PER_CLIENT_IP"

    # get the batch_number so that we don't have more than MAX_PER_CLIENT_IP in one persistence hash key
    # for a client ip address
    set batch_number [ expr ($::active_sslclients($client_ip) -1) / $::MAX_PER_CLIENT_IP ]
    set hashkey "$client_ip.$batch_number"
    if { [ expr ($::active_sslclients($client_ip) -1) % $::MAX_PER_CLIENT_IP] == 0 } {
        # first connection of a new batch: drop the previous batch's persistence record
        set batch_number0 [ expr (($::active_sslclients($client_ip) -1) / $::MAX_PER_CLIENT_IP) -1]
        set hashkey0 "$client_ip.$batch_number0"
        log local0. "Deleting old key $hashkey0 using new $hashkey"
        persist delete hash $hashkey0
    }
    log local0. "ssl_vip_rule.CLIENT_ACCEPTED: client ip - $client_ip, persist hashkey - $hashkey"
    persist hash $hashkey 30
}

when CLIENT_CLOSED {
    # decrease the count of active ssl connections for the given client ip address
    if { [info exists ::active_sslclients($client_ip)] } {
        incr ::active_sslclients($client_ip) -1
        if { $::active_sslclients($client_ip) <= 0 } {
            unset ::active_sslclients($client_ip)
            log local0. "ssl_vip_rule.CLIENT_CLOSED: client ip - $client_ip, active count 0, unset its count variable"
        }
    }
}
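
A small Python model of the key derivation in the rule above, added here as an example and not part of the original post. It reproduces only the counter and hash-key arithmetic (not BIG-IP's persistence table or member selection); the function names, the event list and the 203.0.113.10 address are constructed for illustration.

```python
MAX_PER_CLIENT_IP = 6  # same value as ::MAX_PER_CLIENT_IP in the rule


def replay(events, max_per_ip=MAX_PER_CLIENT_IP):
    """Replay ("accept" | "close", client_ip) events through the rule's logic.

    Returns one (hashkey, deleted_key_or_None) tuple per accept event,
    i.e. what CLIENT_ACCEPTED would pass to `persist hash` and
    `persist delete hash`.
    """
    active = {}  # models the ::active_sslclients array
    results = []
    for kind, ip in events:
        if kind == "accept":
            # same branch as the rule: increment if present, else start at 1
            active[ip] = active[ip] + 1 if active.get(ip, -1) >= 0 else 1
            batch = (active[ip] - 1) // max_per_ip
            key = f"{ip}.{batch}"
            deleted = None
            if (active[ip] - 1) % max_per_ip == 0:
                # first connection of a batch deletes the previous batch's key
                deleted = f"{ip}.{batch - 1}"
            results.append((key, deleted))
        elif kind == "close" and ip in active:
            active[ip] -= 1
            if active[ip] <= 0:
                del active[ip]
    return results


def sample_run():
    """Constructed scenario: one NAT address opens 8 connections,
    3 of them close, then one more connection arrives."""
    nat = "203.0.113.10"  # constructed sample address
    events = [("accept", nat)] * 8 + [("close", nat)] * 3 + [("accept", nat)]
    return replay(events)


if __name__ == "__main__":
    for n, (key, deleted) in enumerate(sample_run(), start=1):
        print(f"accept #{n}: persist hash {key}  delete={deleted}")
```

The key is a function of the source address and the number of connections currently open from it, so up to six concurrent connections from one address share a key, and a connection arriving after some have closed can fall back to an earlier batch's key.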