Large external class files kill TMM
Brad_Nelson_102 (Nimbostratus), Nov 27, 2006
Hi,
I'm having an issue with large external class files in V9.22. These used to load very quickly and cause almost no performance hit in V4.x, even if there were half a million 'host nnn.nnn.nnn.nnn' entries in the file.
But with V9, if I create an external class file that's 200,000 IPs, and load it with:
'bigpipe merge /var/class/spammers.class-def'
then the TMM will restart, causing a failover after about 2-3 minutes. The class never loads.
The class-def file above looks like:
class spammers extern {
type ip
filename "/var/class/spammers.class"
}
In a meeting with some F5 folks a week or so ago, they suggested that there's a way to reference an external file directly from an iRule, i.e., instead of what I'm currently doing:
if { ([matchclass [IP::remote_addr] equals $::spammers]) } {
....
}
you'd do something like:
if { ([matchclass [IP::remote_addr] equals [FILE::/var/class/spammers.class]]) } {
....
}
(I actually tried the above - but of course it doesn't work.)
Any help would be wonderful!
Brad Nelson, TELUS.
3 Replies
hoolio (Cirrostratus):
I've never heard of the ability to access an external class without it being defined in the bigip.conf. Logically, I don't see how it would work. I think it would be better to have the BIG-IP initialize the class at start up, versus trying to load it every time that portion of the rule is executed.
If the class loads and works correctly with fewer entries, I think you can be reasonably sure that you're hitting resource limitations on the BIG-IP combined with how BIG-IP is accessing the data.
There have been a number of improvements to how external classes are handled in the upcoming 9.4 release, as noted in CR66389.
You might consider opening a case with support if you're interested in having these changes backported to 9.2.x.
Aaron

G__Wesley_Rober (Historic F5 Account):
Hi,
You might be interested in the recently announced Messaging Security Module for LTM:
http://www.f5.com/communication/press/2006/release112006.html
http://www.securecomputing.com/index.cfm?sKey=1669
It uses the TrustedSource IP based reputation DB in real-time, as a turn-key solution, eliminating the need (and false positives) for RBLs.
Regards,
Wes

Peter_Wohlers_7 (Nimbostratus):
The syntax for the external file class is something like this:
class spammers extern {
type ip
filename "/var/class/spammers"
}
with the restriction that the external datafile needs to reside in either /var/class or /config.
You have to update your config sync config if you use /var/class to include that file.
Our situation is slightly different, where the file gets updated dynamically. So, if you update the datafile, you have to either do a 'b load' or add new elements to the list via the 'b class spammers add { host 1.2.3.4 }' construct.
It's not super fast, as the command will sort the class file numerically, if you've got 200k elements.
The new trick sounds pretty interesting though.
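As an added example (not code from this thread or from F5), here is a small Python helper for preparing the external data file the posts describe: it validates a raw IP list, drops duplicates and junk lines, emits one "host a.b.c.d" entry per line in numeric order (the order Peter says bigpipe sorts into anyway), and can also produce the incremental 'b class <name> add { host x }' commands for entries that are new since the last load. The exact file layout BIG-IP 9.2 accepts, and the class name "spammers", are assumptions taken from the posts above.

```python
import ipaddress

def build_ip_class_entries(raw_lines):
    """Return (entries, rejected): entries are 'host a.b.c.d' lines for a
    'type ip' external class, de-duplicated and sorted numerically;
    rejected lists input lines that were not valid IPv4 addresses."""
    seen = set()
    rejected = []
    for line in raw_lines:
        token = line.strip()
        if not token or token.startswith("#"):      # blank line or comment
            continue
        if token.lower().startswith("host "):       # already in class format
            token = token[5:].strip()
        try:
            seen.add(ipaddress.IPv4Address(token))  # rejects 256.x, CIDRs, text
        except ValueError:
            rejected.append(line.strip())
    entries = ["host %s" % addr for addr in sorted(seen)]
    return entries, rejected

def class_def_stanza(name, data_path):
    """Build the class-def stanza quoted in the thread (data file must live
    under /var/class or /config, per Peter's reply)."""
    return 'class %s extern {\n    type ip\n    filename "%s"\n}' % (name, data_path)

def incremental_add_commands(class_name, loaded_entries, new_entries):
    """bigpipe commands that add only the entries not yet loaded, instead of
    re-merging the whole 200k-line file (the 'b class ... add' construct)."""
    missing = sorted(set(new_entries) - set(loaded_entries),
                     key=lambda e: ipaddress.IPv4Address(e.split()[1]))
    return ["b class %s add { %s }" % (class_name, entry) for entry in missing]

if __name__ == "__main__":
    # Constructed sample input, including duplicates and malformed lines.
    sample = ["10.0.0.2", "host 10.0.0.1", "10.0.0.2", "# feed header",
              "256.1.1.1", "not-an-ip", "192.0.2.7"]
    entries, bad = build_ip_class_entries(sample)
    print("\n".join(entries))
    print("rejected:", bad)
    print(class_def_stanza("spammers", "/var/class/spammers.class"))
    print("\n".join(incremental_add_commands("spammers", entries[:2], entries)))
```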