Forum Discussion
How to view session table created with iRule
Hi, I have created the following iRule. I know the reject is commented out and the limit is high. But for now, I want to monitor what the iRule actually catches. Is there a way for me to view the tables created by the iRule? Maybe something similar to 'tmsh show sys connection'? Thanks.
when CLIENT_ACCEPTED {
    set tbl "connlimit:[IP::client_addr]"
    set key "[TCP::client_port]"
    table set -subtable $tbl $key "ignored" 180
    if { [table keys -subtable $tbl -count] > 5000 } {
        table delete -subtable $tbl $key
        event CLIENT_CLOSED disable
        reject
    } else {
        set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
    }
}
when CLIENT_CLOSED {
    after cancel $timer
    table delete -subtable $tbl $key
}
21 Replies
Don't think you can use TMSH, but you should be able to use an iRule for that. Beware of the following, it's like table inception. 🙂
First add a meta table to your original iRule (you might want to touch the meta table entry whenever the connlimit table is refreshed).
when CLIENT_ACCEPTED {
    set tbl "connlimit:[IP::client_addr]"
    set key "[TCP::client_port]"
    table set -subtable metatable "connlimit:[IP::client_addr]" 1
    table set -subtable $tbl $key "ignored" 180
    if { [table keys -subtable $tbl -count] > 5000 } {
        table delete -subtable $tbl $key
        event CLIENT_CLOSED disable
        reject
    } else {
        set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
    }
}
when CLIENT_CLOSED {
    after cancel $timer
    table delete -subtable $tbl $key
}
Then you can add this iRule to another virtual server (or add a condition to show the information on the current server):
when HTTP_REQUEST {
    set response ""
    foreach tablename [table keys -subtable "metatable"] {
        foreach $key [table keys -subtable $tablename] {
            set value [table lookup -notouch -subtable $key]
            set response "$response $key = $value"
        }
    }
    HTTP::respond 200 content $response
}
- jrmorris_151361
Nimbostratus
Thanks Patrik,
How do I access this new html page? I applied the iRule you provided to a new VS.
So I would assume I would go to to view the metatable. But nothing comes up. Do I need to append any URI?
Hi!
I'm currently attending Agility in Washington and since my charger just broke I'm stuck with the iPad. Sadly I can't read the full rule on it.
Have you added the line that adds keys to the metatable? Even if you don't have any entries you should get some reply I think. Do you get a connection reset? Have you checked the ltm log?
I tested the rule myself before, but with uri and host as keys instead of the connlimit and that one worked fine. Did not try this particular one though.
/Patrik
Hi!
Had the pleasure of borrowing a charger so I could test the rule. I made a mistake in the one I sent to you above. Sorry about that, I should've tested it. 🙂
Try this one instead (to show the entries):
when HTTP_REQUEST {
    set response ""
    foreach tablename [table keys -subtable "metatable"] {
        foreach $key [table keys -subtable $tablename] {
            set value [table lookup -notouch -subtable $tablename $key]
            set response "$response $key = $value"
        }
    }
    HTTP::respond 200 content $response
}
/Patrik
- jrmorris_151361
Nimbostratus
Thanks Patrik,
I applied the metatable entry to the connection limit iRule, and added the new iRule you sent in a separate VS. The page is getting a connection reset. And I see the following error in the logs.
TCL error: /Common/TEST_View_Tables_2 - can't read "key": no such variable while executing "foreach $key [table keys -subtable $tablename] { set value [table lookup -notouch -subtable $key] set response "$response ..." ("foreach" body line 3) invoked from within "foreach tablename [table keys -subtable "metatable"] { foreach $key [table keys -subtable $tablename] { set value [table lookup -..."
Here are my iRules:
when CLIENT_ACCEPTED {
    set tbl "connlimit:[IP::client_addr]"
    set key "[TCP::client_port]"
    table set -subtable metatable "connlimit:[IP::client_addr]" 1
    table set -subtable $tbl $key "ignored" 180
    if { [table keys -subtable $tbl -count] > 5000 } {
        table delete -subtable $tbl $key
        event CLIENT_CLOSED disable
        reject
    } else {
        set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
    }
}
when CLIENT_CLOSED {
    after cancel $timer
    table delete -subtable $tbl $key
}
when HTTP_REQUEST {
    set response ""
    foreach tablename [table keys -subtable "metatable"] {
        foreach $key [table keys -subtable $tablename] {
            set value [table lookup -notouch -subtable $key]
            set response "$response $key = $value"
        }
    }
    HTTP::respond 200 content $response
}
Yeah, there was a dollar too much there. 🙂
when HTTP_REQUEST {
    set response ""
    foreach tablename [table keys -subtable "metatable"] {
        foreach key [table keys -subtable $tablename] {
            set value [table lookup -notouch -subtable $key]
            set response "$response $key = $value"
        }
    }
    HTTP::respond 200 content $response
}
/Patrik
- jrmorris_151361
Nimbostratus
Thanks, I changed the iRule and am no longer seeing the log error or connection reset. Now, the VS on which I put the View iRule just loads as a blank page. I have the same iRule as above on my source VS. Any more ideas? I think this is close and I like the concept you are going for. Thanks.
Are you testing the table viewing iRule directly after you connect to the virtual server with the connection limit iRule?
My config looks like this (the respond iRule is just a replacement for a web server):
ltm rule /Common/connlimit {
    when CLIENT_ACCEPTED {
        set tbl "connlimit:[IP::client_addr]"
        set key "[TCP::client_port]"
        table set -subtable metatable "connlimit:[IP::client_addr]" 1
        table set -subtable $tbl $key "ignored" 180
        if { [table keys -subtable $tbl -count] > 5000 } {
            table delete -subtable $tbl $key
            event CLIENT_CLOSED disable
            reject
        } else {
            set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
        }
    }
    when CLIENT_CLOSED {
        after cancel $timer
        table delete -subtable $tbl $key
    }
}
ltm rule /Common/tableview {
    when HTTP_REQUEST {
        set response ""
        foreach tablename [table keys -subtable "metatable"] {
            foreach key [table keys -subtable $tablename] {
                set value [table lookup -notouch -subtable $tablename $key]
                set response "$response $key = $value"
            }
        }
        HTTP::respond 200 content $response
    }
}
ltm rule /Tssec/respond {
    when HTTP_REQUEST {
        HTTP::respond 200 content "Hello world"
    }
}
ltm virtual /Common/connlimit {
    destination /Common/192.168.1.249:80
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/connlimit
        /Common/respond
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual /Common/tableview {
    destination /Common/192.168.1.248:80
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/tableview
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
Then when I access the VIP with the connection limit I get:
http://192.168.1.249/
Hello world
Then when I access the VIP with the tableview iRule I get:
http://192.168.1.248/
64545 = ignored
Hope that helps.
/Patrik
- jrmorris_151361
Nimbostratus
Patrik,
I'm sorry, but I still get a blank results page. I have copied what you have here exactly.
ltm rule TEST_Connection_Limit_2 {
    when CLIENT_ACCEPTED {
        set tbl "connlimit:[IP::client_addr]"
        set key "[TCP::client_port]"
        table set -subtable metatable "connlimit:[IP::client_addr]" 1
        table set -subtable $tbl $key "ignored" 180
        if { [table keys -subtable $tbl -count] > 5000 } {
            table delete -subtable $tbl $key
            event CLIENT_CLOSED disable
            reject
        } else {
            set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
        }
    }
    when CLIENT_CLOSED {
        after cancel $timer
        table delete -subtable $tbl $key
    }
}
ltm rule TEST_Disable_Persistence {
    when LB_SELECTED {
        log local0. ""
        log local0. "client src - [IP::client_addr]:[TCP::client_port], client dst - [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
        log local0. "cs server [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
        log local0. "ss client [IP::local_addr]:[TCP::local_port]"
        log local0. "ss server [IP::remote_addr]:[TCP::remote_port]"
        log local0. "LB Server [LB::server]"
        log local0. "LB SNAT [LB::snat]"
        log local0. "LB Status [LB::status]"
        log local0. "LB Server Selected [LB::server addr]"
        log local0. "Persist [LB::persist]"
        if { [IP::addr [IP::client_addr] equals 10.42.32.18] } {
            persist none
        }
    }
}
ltm rule TEST_View_Tables_2 {
    when HTTP_REQUEST {
        set response ""
        foreach tablename [table keys -subtable "metatable"] {
            foreach key [table keys -subtable $tablename] {
                set value [table lookup -notouch -subtable $tablename $key]
                set response "$response $key = $value"
            }
        }
        HTTP::respond 200 content $response
    }
}
ltm virtual vs_lbtest.stjude.org_http {
    destination 10.200.44.40:http
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source_addr {
            default yes
        }
    }
    pool lbtestpool1_http_pool
    profiles {
        http { }
        tcp { }
    }
    rules {
        TEST_Connection_Limit_2
        TEST_Disable_Persistence
    }
    source 0.0.0.0/0
    vs-index 36
}
ltm virtual vs_lbtest_tables {
    destination 10.200.44.38:http
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        http { }
        tcp { }
    }
    rules {
        TEST_View_Tables_2
    }
    source 0.0.0.0/0
    vs-index 35
}
When I access I get load balanced between my two test web servers. When I try to view the table, I get a 200 return, but it is a blank page. The inspector just shows:
Thanks.
- I'll check it out tomorrow in our lab. :) /Patrik
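Added example, not part of the thread and not written by any of the posters: a diagnostic variant of the table viewer that reports how many subtable names the metatable holds and how many keys each subtable holds, so an empty result can be told apart from a lookup problem. The rule name tableview_diag and the 10.0.0.0/8 admin range are assumptions; the access check is there because the page lists client addresses and ports.

```tcl
# Hypothetical rule: tableview_diag (added example, not from the thread).
when HTTP_REQUEST {
    # Assumption: only 10.0.0.0/8 should see this page; adjust to your admin range.
    if { not [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        HTTP::respond 403 content "Forbidden\n" "Content-Type" "text/plain"
        return
    }

    # Subtable names recorded by the connection limit iRule.
    # -notouch keeps the viewer from refreshing the entries it reads.
    set names [table keys -subtable "metatable" -notouch]
    set response "metatable entries: [llength $names]\n"

    foreach tablename $names {
        set keys [table keys -subtable $tablename -notouch]
        # Print the count even when it is zero, so a subtable whose entries
        # were already deleted or timed out still shows up in the output.
        append response "$tablename: [llength $keys] key(s)\n"
        foreach key $keys {
            set value [table lookup -notouch -subtable $tablename $key]
            append response "  $key = $value\n"
        }
    }

    HTTP::respond 200 content $response "Content-Type" "text/plain"
}
```

With this rule the response body is never empty: "metatable entries: 0" means nothing is currently recorded in the metatable, while a listed subtable with "0 key(s)" means its per-connection entries are gone at the time of the request.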
