
Forum Discussion

Burrell
Feb 18, 2016

Help with iRule Port Switch statement

I have an application with 2 nodes running 4 discrete services across a group of 4 pool ranges.

I have configured a FastL4 vs with port 0 and use an iRule switch to match the port and select the correct pool.

I have source port set to Preserve Strict, and port translation disabled.

when CLIENT_ACCEPTED { 
    switch [TCP::local_port]
    {
        26000..26009 { pool RTS_PROD_pool1 }
        26500..26509 { pool RTS_PROD_pool2 }
        27000..27009 { pool RTS_PROD_pool3 }
        27500..27509 { pool RTS_PROD_pool4 }
        default { reject }
    }
}

What I want to happen is Request:26000 > VS:26000 > Pool1-NodeX(1 or 2):26000, i.e. match the requested port to the client.

I cannot get the above rule to maintain connections, it connects and then closes the connection to the node.

F5 self IP, but not preserving the port as it is configured. However, it only does this if I replace the reject command with the pool1 selection; if I leave reject, all requests appear to get rejected despite coming in on ports within the ranges defined.

10.1.41.247:51881 2016/02/16 16:02:54.220 A-200007 TCPCOM1 F00357 : Socket closed.(10.1.41.247:51881 ) 2016/02/16 16:02:54.376 A-200005 TCPCOM1 F00357 : Incoming Connected 10.1.41.247 (10.1.41.247:51826,66) on port 26000 with Packetization(TCP_AJBFIPAY) Default Block Mode (Timeout 0 sec)

2 Replies

  • Hi Burrell,

    it's kinda complicated to match port ranges using the [switch] command, so you may try an [if] based syntax as outlined below...

    when CLIENT_ACCEPTED {
        if { ( [TCP::local_port] >= 26000 ) and ( [TCP::local_port] <= 26009 ) } then {
            pool RTS_PROD_pool1
        } elseif { ( [TCP::local_port] >= 26500 ) and ( [TCP::local_port] <= 26509 ) } then {
            pool RTS_PROD_pool2
        } elseif { ( [TCP::local_port] >= 27000 ) and ( [TCP::local_port] <= 27009 ) } then {
            pool RTS_PROD_pool3
        } elseif { ( [TCP::local_port] >= 27500 ) and ( [TCP::local_port] <= 27509 ) } then {
            pool RTS_PROD_pool4 
        } else {
            reject
        }
    }
    

    Cheers, Kai
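An added example, not part of the original post or of Kai's reply: the reason the question's rule falls through to reject is that a plain Tcl switch compares the port string exactly, so a pattern such as 26000..26009 never equals a port number like 26000 and every connection lands in default. If the switch form is preferred over the if/elseif chain, switch -regexp with anchored patterns expresses the same four ranges. The pool names are the ones from the question; the log message text is an assumption added so that rejected connections show up in /var/log/ltm instead of only as a closed socket on the client.

```tcl
# Added example: port-range selection with switch -regexp.
# A plain switch does exact string matching, so "26000..26009" is never
# equal to a port number; anchored regular expressions cover the ranges.
when CLIENT_ACCEPTED {
    # Read the destination port once; the virtual listens on port 0.
    set lport [TCP::local_port]

    switch -regexp -- $lport {
        {^2600[0-9]$} { pool RTS_PROD_pool1 }
        {^2650[0-9]$} { pool RTS_PROD_pool2 }
        {^2700[0-9]$} { pool RTS_PROD_pool3 }
        {^2750[0-9]$} { pool RTS_PROD_pool4 }
        default {
            # Log what is being dropped (message text is an assumption) so a
            # reject can be told apart from a pool member closing the socket.
            log local0. "portswitch: rejecting [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:$lport (no pool for this port)"
            reject
        }
    }
}
```

The -- marks the end of options so the port value is never read as a switch flag, and switch -glob with patterns like 2600[0-9] would work equally well for ranges that align with a decimal digit; for ranges that do not, the numeric comparisons in Kai's if/elseif version are the safer choice.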

  • Thanks for the info, I will try your suggestion and confirm with the application team if it operates as desired!


    Am I correct in my understanding that the self IP request should originate with the client side port if Preserve Strict is the source port setting?