Forum Discussion
iRule for cloned request and response traffic
I have an IDS that I need to send all request and response traffic to. However, to send the cloned traffic from either direction to the IDS I need to change the URI. I've created the following iRule but it's not successfully sending any traffic to pool A and I'm not sure on how to proceed in redirecting the response traffic.
```tcl
when HTTP_REQUEST {
    if {[HTTP::uri] contains "/WebpageA"} {
        pool pool_A
        HTTP::uri "/ids/sink"
        clone pool pool_B
    }
    # I have to send the response out as normal as well as send the cloned response traffic to the modified URI.
}
```
10 Replies
- Kevin_Stewart
Employee
I'm afraid it doesn't work that way. I use this analogy a lot, but you almost have to think of an event like a "bucket". The bucket gets filled with an aggregate of commands and values, and then gets dumped out and readied for the next request. So in the following example:
```tcl
when CLIENT_ACCEPTED {
    # Remember the virtual server's default pool
    set default_pool [LB::server pool]
}
when HTTP_REQUEST {
    set orig_uri [HTTP::uri]
    HTTP::uri "/foo"
    clone pool clone_pool
    HTTP::uri $orig_uri
    pool $default_pool
}
```

It does indeed send traffic to both pools, but the resulting URI for both is the URI set in the last HTTP::uri command. Your best bet may be to perform a sideband call with the modified data. It'll eat up a bit more CPU, but you'll have much more flexibility.
- mcaballe_135435
Nimbostratus
Thank you! That helps a lot. How would I go about setting up a sideband call?
- Kevin_Stewart
Employee
Give this a shot:
```tcl
proc send_to_sideband { data server } {
    # Open a sideband TCP connection and write the data to it
    set sbserver [connect -protocol TCP -timeout 10 -idle 5 -status conn_status $server]
    send -status send_status -timeout 10 $sbserver $data
}
when RULE_INIT {
    set static::sideband_server "10.80.0.200:80"
}
when HTTP_REQUEST {
    set req [HTTP::request]
    set sb [call send_to_sideband $req $static::sideband_server]
}
```

I'm using a proc here. Not totally necessary, but cool nonetheless. The iRule is basically grabbing the entire HTTP request and passing it to the sideband. There's no sideband receive function, so it won't listen for a response. You could alter the request data however required.
- mcaballe_135435
Nimbostratus
For some reason when I tried the code you initially wrote, it wouldn't get to the second set of commands. It would send to the clone pool but not the default pool. Is there some reason it wouldn't execute any code after it redirects to the clone pool?
- Kevin_Stewart
Employee
Perhaps add a OneConnect profile to the VIP? Understand of course that it's not going to allow you to modify the URI to the clone pool.
- mcaballe_135435
Nimbostratus
Shoot. The prober is dependent on the URI being changed. If I made 2 separate iRules and applied them both to the VS would that work in sending the same traffic to both?
- Kevin_Stewart
Employee
Multiple iRules applied to a VIP actually get "compiled" into a single iRule, so no. I think you would necessarily have to send clone pool traffic through another VIP and then modify it there. While technically possible to "pool to a VIP", the task is complex. Did you try the sideband?
- mcaballe_135435
Nimbostratus
I haven't tried the sideband yet. I'm still very green and was hesitant. I'll give it a shot now and let you know how it goes. Thank you for your help.
- mcaballe_135435
Nimbostratus
Since I'm using 11.3 on my LTM I couldn't make use of proc. I've tried the following, but am getting a timeout error on the send line. It doesn't seem to be reaching the IDS server at all.
```tcl
when RULE_INIT {
    set static::sideband_server "x.x.x.x:7002"
}
when HTTP_REQUEST {
    set req [HTTP::request]
    set sbserver [connect -protocol TCP -timeout 10 -idle 5 -status conn_status $static::sideband_server]
    log local0. "Connect returns: <$sbserver> and conn status: <$conn_status> "
    send -status send_status -timeout 10 $sbserver $req
    pool FgmCtm_Test_pool
}
```
- nitass
Employee
but am getting a timeout error on the send line. It doesn't seem to be reaching the IDS server at all.
is the server reachable from bigip (tmm interface) and is it listening on port 7002?
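An added example, not part of the original thread: one way to write the sideband copy without a proc so that only the copy sent to the IDS carries the changed URI, while the client request goes to the virtual server's default pool unmodified. The address `192.0.2.10:7002` is a placeholder, `/WebpageA` and `/ids/sink` are taken from the question, and the timeout values are assumptions (`-timeout` is in milliseconds, `-idle` in seconds).

```tcl
# Added example: sideband copy of the request with a rewritten request line.
when RULE_INIT {
    # Placeholder IDS listener (documentation address range); replace with the real one
    set static::ids_server "192.0.2.10:7002"
    set static::ids_uri "/ids/sink"
}
when HTTP_REQUEST {
    if { [HTTP::uri] contains "/WebpageA" } {
        # HTTP::request holds the request line and headers only, not the body
        set req [HTTP::request]

        # Replace just the request line; keep every header from the first CRLF onward.
        # HTTP::uri is never called, so the request sent to the pool is unchanged.
        set eol [string first "\r\n" $req]
        set copy "[HTTP::method] $static::ids_uri HTTP/[HTTP::version][string range $req $eol end]"

        # connect returns an empty string when no connection could be opened
        set conn [connect -protocol TCP -timeout 500 -idle 5 -status conn_status $static::ids_server]
        if { $conn eq "" } {
            log local0. "IDS sideband connect to $static::ids_server failed: <$conn_status>"
        } else {
            # send returns the number of bytes written; compare it with the copy's length
            set sent [send -timeout 500 -status send_status $conn $copy]
            if { $sent != [string length $copy] } {
                log local0. "IDS sideband send incomplete: $sent bytes, status <$send_status>"
            }
            # Release the sideband connection instead of waiting for the idle timer
            close $conn
        }
    }
}
```

Because only the headers are copied, a request that declares a body (for example a POST with Content-Length) reaches the IDS without that body.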