Forum Discussion

tux143's avatar
tux143
Icon for Cirrus rankCirrus
Oct 29, 2019

iRules performance measuring

I wrote following iRules to stop DDoS from various User-Agent: because my app has specific User-Agent string which is "My_Client" which i only care, so i wrote rule to tell drop everything which doesn't contain "My_Client"

when HTTP_REQUEST {
  if { not ( [HTTP::header "User-Agent"] contains "My_Client" ) } { 
  drop
  }
}

Now when i am look at status i am seeing following but i have no idea what i should consider from following output, what is CPU cycle and how do i measure that its hammering my CPU or not, overall CPU usage is around 30% on dashboard.

[root@F5-ab:Active:In Sync] config # tmsh show ltm rule User_Agent_Filter

--------------------------------------------------
Ltm::Rule Event: User_Agent_Filter:HTTP_REQUEST
--------------------------------------------------
Priority                    500
Executions
  Total                    3.2M
  Failures                    0
  Aborts                      0
CPU Cycles on Executing
  Average                 22.1K
  Maximum                440.6K
  Minimum                  5.9K 

Can you help me to understand above output.

  • While that statistic refers to CPU Cycle, what is actually meant is an Instruction cycle

     

    Every time a programmer tells a computer to do something, the end result is a sequence of Instructions for the CPU, and these instructions take a number of Instruction cycles to perform.

    For a compiled language like C/C++, the C statements are compiled into a series of instructions by a compiler.

    For an interpreted language like TCL, as the TCL statements are read, the interpreter takes specific compiled paths to execute the TCL statements and run the script.

     

    In tmm, the TCL interpreter will report on how many instruction cycles a specific irule function takes to perform, and this information is collected for overall statistics. The reporting includes the average cycles, the minimum cycles and the maximum cycles. Sadly, it does not include the variance or standard deviation which might be more useful.

     

    These values are not really useful in an absolute sense, but are useful for comparison.

     

    If your CPU is running at about 30%, that seems to be fine, but you would want to look more closely at the data-plane CPU cores, as they are the ones of interest.

    K23505424:  Overview of the HTSplit feature

     

    A high volume irule that averages 22k cycles with occasional runs of 440k cycles isn't likely to cause a CPU issue.

    If the same irule was averaging 440k cycles, it probably would be.

    A low execution rate irule that averages 500k cycles is probably OK.

     

    Looking at the cycles per execution also helps to identify inefficient irules, or irules that may be refactored to use less CPU cycles. Things like regex are CPU intensive, and should be avoided in a high-execution rate irule.

     

    Transitioning to Local Traffic Policies where possible is much more efficient, as well.