For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Romel_77740's avatar
Romel_77740
Icon for Nimbostratus rankNimbostratus
Nov 15, 2011

irule performance question

Is it better to have 10 different irules applied to the same virtual server that do similar thing or is it better to combine in one script? Or either way doesn't matter? Eg pseudo scripts with 26 irules:::

 

irule A: if (src ip 10.1.1.1) then pool A

 

irule B: if (src ip 10.1.1.2) then pool B

 

..

 

irule Z: if (src ip 10.1.1.26) then pool Z

 

 

 

Or is it better to do:

 

just 1 irule:: if (src ip 10.1.1.1) then pool A else if src ip 10.1.1.2) then pool B... else pool Z (or do a case statement for this in a single irule)

 

application delivery
dev
devops
iRules

4 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Nov 15, 2011
    if we code the irule something like this, will a number of irule reduce?

     

     

    [root@ve1023:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.65.152:http
   ip protocol tcp
   rules myrule
}
[root@ve1023:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
        if {[class match -- [IP::client_addr] equals xyz]} {
                log local0. "client is [IP::client_addr]:[TCP::client_port], action is [class match -value [IP::client_addr] equals xyz]"
        }
}
}
[root@ve1023:Active] config  b class xyz list
class xyz {
   {
      network 172.28.19.0/24 { "action2" }
      host 192.168.204.7 { "action1" }
   }
}

[root@ve1023:Active] config  tail -f /var/log/ltm
Nov 15 08:48:30 local/tmm info tmm[4766]: Rule myrule : client is 192.168.204.7:54379, action is action1
Nov 15 08:48:38 local/tmm info tmm[4766]: Rule myrule : client is 172.28.19.253:59039, action is action2
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Nov 16, 2011
    Hi Romel,

     

     

    If multiple iRules are applied to a Virtual Server the iRules are "combined" at runtime by the iRule Priority assigned to the iRule.

     

     

    If no priority is set then the iRules per event are added in the order that the iRules are applied to the Virtual Server.

     

     

    iRules with no Priority Applied -

     

     

    iRule 1:

     

    when HTTP_REQUEST {

     

    do something...

     

    }

     

     

    iRule 2:

     

    when HTTP_REQUEST {

     

    do something else...

     

    }

     

     

    They would be processed as:

     

    when HTTP_REQUEST {

     

    do something...

     

    do something else...

     

    }

     

     

    The same holds true for other events. So it is a matter of what works best for you.

     

     

    Hope this helps.
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Nov 16, 2011
    Also, when the iRUles are combined, the namespace is shared. So a variable called $MyVar in iRule1 will be the SAME variable in iRule2...

     

     

    e.g. If you init to 1 in CLIENT_CONNECT in both iRule1, then to 2 in CLIENT_CONNECT in iRule2, when HTTP_REQUEST fires in iRUle 1, the variable will have the value of 2... Not 1...

     

     

    H
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Nov 16, 2011
    Excellent Point Hamish.

     

     

    I have seen instances where the first iRule contains nothing but the variable settings used in all of the other attached iRules (so that if there was a Variable Change it only had to be made in a single iRule instead of every iRule attached to a Virtual Server.