Forum Discussion
Philippe_CLOUP
Employee
Sep 17, 2007
Looking inside persistence table, through different Virtual Servers
I have created an iRule to store, using universal persistence, two things:
- the client IP address connected to the VS.
- the MAC address of the "lasthop" that sent the request t...
hoolio
Cirrostratus
Dec 13, 2011
Here's an updated but untested version of the iRule for 10.1.0 or higher:
rule bidirectional_firewall_persistence {
    when RULE_INIT {
        # Log debug to /var/log/ltm? (2=all including debug, 1=only log missing mac2ip datagroup entries, 0=none)
        set static::fw_debug 1
        # Time in seconds to store mappings for
        set static::timeout 86400
        # Pool name for outbound routers
        set static::outbound_pool "outbound_pool"
        # Pool name for inbound routers
        set static::inbound_pool "inbound_pool"
        # Name of string datagroup which maps mac addresses to IP addresses for the routers
        set static::mac2ip_class "mac2ip_class"
        # VLAN ID of upstream clients
        set static::client_vlanid 4094
    }
    when CLIENT_ACCEPTED {
        set server ""
        set origin_vlan [LINK::vlan_id]
        if {$static::fw_debug > 1} {log local0. "vlan ID: $origin_vlan client: [IP::client_addr]"}

        # Check if this is a client originated connection by VLAN ID
        if {$origin_vlan == $static::client_vlanid} {
            # for client originated connections, use server pool & simple persistence
            set session_key [IP::client_addr]
            if {$static::fw_debug > 1} {log local0. "client connecting from vlan $origin_vlan - session_key = \"$session_key\""}

            # select inbound pool by name & apply simple persistence
            pool $static::inbound_pool
            persist source_addr $static::timeout

            # create/update session table entry for reciprocal traffic:
            # key = client IP, value = MAC of the router that delivered the client's traffic
            session add uie [list $session_key any virtual] [LINK::lasthop] $static::timeout
            if {$static::fw_debug > 1} {log local0. "$static::inbound_pool pool selected, source_addr persistence & session table entry added for $session_key"}
        } else {
            # for server originated conns, look up nexthop MAC for that dest IP in session table
            set session_key [IP::local_addr]
            if {$static::fw_debug > 1} {log local0. "server connecting from vlan $origin_vlan - session_key = \"$session_key\""}
            set fwMAC [session lookup uie [list $session_key any virtual]]
            if {$static::fw_debug > 1} {log local0. "fwMAC found: \"$fwMAC\" - session_key = \"$session_key\""}

            if {$fwMAC ne ""} {
                # If session table entry already exists, refresh to update timeout
                session add uie [list $session_key any virtual] $fwMAC $static::timeout
                if {$static::fw_debug > 1} {log local0. "session table entry refreshed - session_key = \"$session_key\""}

                # then look up firewall MAC address in the datagroup to get the firewall IP address
                set fwIP [class match -value $fwMAC equals $static::mac2ip_class]
                if {$static::fw_debug > 1} {log local0. "fw IP \"$fwIP\" found for MAC $fwMAC - session_key = \"$session_key\""}

                if {$fwIP ne ""} {
                    # if fw IP address is found in the class for this MAC, directly select fw node
                    if {$static::fw_debug > 1} {log local0. "directly selecting fw node $fwIP - session_key = \"$session_key\""}
                    node $fwIP 0
                } else {
                    # if no fw IP address was found in the class for this MAC, log an error
                    # This should never happen if class list contains the correct data in the correct format
                    if {$static::fw_debug >= 1} {log local0. "No IP address found for MAC $fwMAC. Check class list for proper entries."}
                    if {$static::fw_debug > 1} {log local0. "LB'ing outbound conn to $static::outbound_pool pool - session_key = \"$session_key\""}

                    # select outbound pool by name
                    pool $static::outbound_pool
                }
            } else {
                # if no session table entry found, load balance the connection
                if {$static::fw_debug > 1} {log local0. "No session table entry for $session_key. LB'ing outbound conn to $static::outbound_pool pool."}

                # select outbound pool by name
                pool $static::outbound_pool
            }
        }
    }
    when LB_FAILED {
        # detach and choose a new server if the selected server fails to respond.
        LB::detach
        LB::reselect
    }
}
Aaron
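To make the decision path in the iRule above easy to reason about offline, here is an added Python model (example code written for this page, not F5's code and not part of the thread). It stands in for the BIG-IP session table with an expiring dict and for the mac2ip string datagroup with a plain dict, then replays the client-originated and server-originated branches, including the two fall-back cases the iRule logs (no session entry, and a MAC that is missing from the datagroup) and an entry aging out after the timeout. The names `SessionTable`, `ManualClock` and `decide`, and the sample MAC and IP values, are all constructed for this example.

```python
# Added example: a Python model of the iRule's bidirectional persistence logic.
# Not F5 code. SessionTable, ManualClock, decide() and the sample values below
# are constructed for illustration only.
import time

CLIENT_VLAN_ID = 4094            # static::client_vlanid: VLAN of upstream clients
TIMEOUT = 86400                  # static::timeout: seconds to keep a mapping
OUTBOUND_POOL = "outbound_pool"  # static::outbound_pool
INBOUND_POOL = "inbound_pool"    # static::inbound_pool

# Constructed stand-in for the mac2ip string datagroup: router MAC -> router IP
MAC2IP_CLASS = {
    "00:11:22:33:44:01": "10.0.0.1",
    "00:11:22:33:44:02": "10.0.0.2",
}


class ManualClock:
    """Settable clock so the timeout behaviour can be exercised without waiting."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class SessionTable:
    """Minimal model of `session add uie` / `session lookup uie` with expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # key -> (value, expiry timestamp)

    def add(self, key, value, timeout):
        # Adding an existing key overwrites the value and restarts its timeout,
        # which is how the iRule "refreshes" an entry it has just looked up.
        self._entries[key] = (value, self._clock() + timeout)

    def lookup(self, key):
        # `session lookup` returns "" for an unknown key; an aged-out entry
        # behaves the same way, so it is dropped here on first sight.
        entry = self._entries.get(key)
        if entry is None:
            return ""
        value, expiry = entry
        if self._clock() >= expiry:
            del self._entries[key]
            return ""
        return value


def decide(table, origin_vlan, client_addr, local_addr, lasthop_mac):
    """Replay the CLIENT_ACCEPTED branch logic for one new connection.

    client_addr/local_addr model IP::client_addr and IP::local_addr;
    lasthop_mac models LINK::lasthop. Returns ("pool", name) or ("node", ip).
    """
    if origin_vlan == CLIENT_VLAN_ID:
        # Client-originated: remember which router delivered this client's
        # traffic, keyed by the client IP, and send it to the inbound pool.
        table.add(client_addr, lasthop_mac, TIMEOUT)
        return ("pool", INBOUND_POOL)

    # Server-originated: the destination is the client IP stored earlier.
    fw_mac = table.lookup(local_addr)
    if fw_mac == "":
        # No mapping (never seen, or expired): plain load balancing outbound.
        return ("pool", OUTBOUND_POOL)

    # Refresh the entry so a long-lived conversation does not age out.
    table.add(local_addr, fw_mac, TIMEOUT)

    fw_ip = MAC2IP_CLASS.get(fw_mac, "")
    if fw_ip == "":
        # MAC known but missing from the datagroup: the iRule logs this and
        # falls back to the outbound pool instead of failing the connection.
        return ("pool", OUTBOUND_POOL)
    return ("node", fw_ip)


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    table = SessionTable(clock)
    print(decide(table, 4094, "192.0.2.10", "203.0.113.5", "00:11:22:33:44:01"))
    print(decide(table, 10, "203.0.113.5", "192.0.2.10", ""))
    clock.now += TIMEOUT
    print(decide(table, 10, "203.0.113.5", "192.0.2.10", ""))
```

The model keeps the iRule's asymmetry on purpose: the inbound direction is keyed on the client IP, while the return direction looks up the same key through the connection's local (destination) address, which is what makes the two virtual servers agree on one entry. It also shows why the missing-datagroup case is worth logging at level 1: that connection still works, but it silently loses symmetric routing through the same firewall.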