NAME_RESOLVED not firing

Hi,

 

 

I have a kind of similar problem. I am new to iRules so forgive me if this is some stupid mistake of mine.

 

Want to write a simple proxy which gets http request on port 7777, reads Host: header and forwards request according to it with its own source IP instead of the original client. The iRules are below (notice line 17 commented out below and dummy 18 inserted).

 

 

When I test it Host: header is found, NAME:lookup works for it, DNS is queried and then NAME_RESOLVED fires. However HTTP_REQUEST runs without any delay or waiting for NAME_RESOLVED thus I am unable to forward connection properly.

 

 

I can see this having the following outputs in the log:

 

May 27 01:36:17 tmm tmm[1785]: Rule az-proxy : AAA:cnn.com

 

May 27 01:36:17 tmm tmm[1785]: Rule az-proxy : YYY xxxx YYY in HTTP REQ

 

May 27 01:36:17 tmm tmm[1785]: Rule az-proxy : in name-resolved

 

May 27 01:36:17 tmm tmm[1785]: Rule az-proxy : XXX 157.166.224.25 XXX in NAME RESOLVED

 

 

But when I uncomment 17 as it should be while commenting out 18 I have following output:

 

May 27 01:35:29 tmm tmm[1785]: Rule az-proxy : AAA:cnn.com

 

May 27 01:35:29 tmm tmm[1785]: Rule az-proxy : YYY xxxx YYY in HTTP REQ

 

May 27 01:35:29 tmm tmm[1785]: 01220001:3: TCL error: az-proxy - bad IP address format while executing "node $real_server 80"

 

 

which clearly shows that initial value of "xxxx" got into 18 and NAME_RESOLVED was even not able to start.

 

How to make this wait for resolver to finish? I see no special 'wait'-like commands (also this would be at least suboptimal to insert something like this). Any suggestions highly appreciated

 

 

Many Regards

 

Andrzej

 

 

1 when RULE_INIT {

 

2 set ::debug 1

 

3 }

 

4

 

5 when HTTP_RESPONSE {

 

6 HTTP::header insert ViaP AZ

 

7 }

 

8

 

9 when HTTP_REQUEST {

 

10 set real_server "xxxx"

 

11 if {$::debug}{log local0. "AAA:[HTTP::host]"}

 

12

 

13 NAME::lookup [HTTP::host]

 

14 snat automap

 

15

 

16 if {$::debug}{log local0. "YYY $real_server YYY in HTTP REQ"}

 

17 node $real_server 80

 

18 node 10.10.10.10 80

 

19

 

20

 

21 }

 

22

 

23 when NAME_RESOLVED {

 

24 set real_server [lindex [split [NAME::response] " "] 0]

 

25 log local0. "in name-resolved"

 

26 if {$::debug}{log local0. "XXX $real_server XXX in NAME RESOLVED"}

 

27

 

28 }

 

What you need to do is hold up HTTP processing until you've gotten a DNS response. The command to do that is "HTTP::collect". In NAME_RESOLVED, you can run "HTTP::release" to continue processing.

 

 

The reason you never see the NAME_RESOLVED event if you uncomment line 17 is because the error you encounter causes the connection to be killed, which causes the event to never fire.

I think you may need to issue an HTTP::release before you can use the node command. HTTP::collect will essentially keep the connection on the 'client' side, collect, and defer server-side activities until you HTTP::release in some other event (like NAME_RESOLVED). Someone please correct me if I am wrong here.

 

 

Try issuing the node command inside the NAME_RESOLVED event after you HTTP::release.

 

 

-Matt

Hi Matt,

 

 

Unfortunately node command seems to be simply ignored in NAME_RESOLVED. I mean variables are set properly and my messages logged but node does not work. I can see with tcpdump that whenever node command is in HTTP_REQUEST (dummy 'node 10.10.10.10 80' in fact) then I see SYN packets sent out. But when I move node command to NAME_RESOLVED tcpdump shows literally nothing. Just NAME_RESOLVED below.

 

 

when NAME_RESOLVED {

 

set real_server [lindex [split [NAME::response] " "] 0]

 

log local0. "in name-resolved"

 

if {$::debug}{log local0. "XXX $real_server XXX in NAME RESOLVED"}

 

HTTP::release

 

node $real_server 80

 

node 10.10.10.10 80

 

if {$::debug}{log local0. "UUU $real_server UUU in NAME RESOLVED"}

 

}

 

 

 

Regards

 

 

Andrzej

Hi,

 

 

The above iRule works all right on my lab system. However on the customer site I see a difference when it comes to DNS name resolving:

 

 

1. When trying to ping something directly from customer's 1600 (2.4.21-9.4.5.1049.0smp 2 SMP) it resolves the query without problem:

 

[root@f5-1:Active] config ping www.cnn.com

 

PING www.cnn.com (157.166.226.25) 56(84) bytes of data.

 

 

2. However when the query comes from request generated by incoming connection and NAME:resolve (in fact by telnet from 1600 itself as well) then it ignores its defined nameservers but rather starts to traverse everything to the top-level (in fact I am not sure how it gets all these names below):

 

 

12:33:29.060935 10.159.1.11.32925 > 128.8.10.90.domain: 57452 [1au] A? www.cnn.com. (40) (DF)

 

12:33:31.465794 10.159.1.11.32925 > 128.63.2.53.domain: 18473 [1au] A? www.cnn.com. (40) (DF)

 

12:33:33.875554 10.159.1.11.32925 > 192.36.148.17.domain: 25538 [1au] A? www.cnn.com. (40) (DF)

 

12:33:36.285542 10.159.1.11.32925 > 193.0.14.129.domain: 55243 [1au] A? www.cnn.com. (40) (DF)

 

12:33:38.695527 10.159.1.11.32925 > 199.7.83.42.domain: 54524 [1au] A? www.cnn.com. (40) (DF)

 

12:33:41.105769 10.159.1.11.32925 > 202.12.27.33.domain: 24915 [1au] A? www.cnn.com. (40) (DF)

 

12:33:43.515514 10.159.1.11.32925 > 192.228.79.201.domain: 26852 A? www.cnn.com. (29) (DF)

 

12:33:45.925754 10.159.1.11.32925 > 192.112.36.4.domain: 40513 A? www.cnn.com. (29) (DF)

 

12:33:48.335747 10.159.1.11.32925 > 198.41.0.4.domain: 2810 A? www.cnn.com. (29) (DF)

 

12:33:50.745737 10.159.1.11.32925 > 192.203.230.10.domain: 56159 A? www.cnn.com. (29) (DF)

 

12:33:53.155732 10.159.1.11.32925 > 192.5.5.241.domain: 16256 A? www.cnn.com. (29) (DF)

 

12:33:55.565718 10.159.1.11.32925 > 192.58.128.30.domain: 55341 A? www.cnn.com. (29) (DF)

 

12:33:57.975715 10.159.1.11.32925 > 192.33.4.12.domain: 16374 A? www.cnn.com. (29) (DF)

 

 

Why the difference?

 

Resolv.conf contains just two nameserver lines. Named.conf seems fine to me as well, recursive queries are on and everything is treated in this same way:

 

 

[root@f5-1:Active] config cat /var/named/config/named.conf

 

restrict rndc access to local machines

 

use the key in the default place: /config/rndc.key

 

controls { inet 127.0.0.1 port 953 allow { 127.0.0.1 ;}; };

 

logging {

 

channel logfile {

 

syslog daemon;

 

severity error;

 

print-category yes;

 

print-severity yes;

 

print-time yes;

 

};

 

category default {

 

logfile;

 

};

 

category config {

 

logfile;

 

};

 

category notify {

 

logfile;

 

};

 

};

 

options {

 

listen-on port 53 { 127.0.0.1; };

 

listen-on-v6 port 53 { ::1; };

 

set this to yes when you want to resolve off

 

box. setting it to yes when you dont actuallly

 

have a bind server configured will result in

 

bind timeouts for many commmands

 

recursion no;

 

recursion yes;

 

forward only;

 

directory "/config/namedb";

 

allow-transfer {

 

localhost;

 

};

 

check-names master warn;

 

change to "no" if you want to be able to add

 

MX records that do not reference a record that has an A record

 

check-integrity yes;

 

};

 

acl "zrd-acl-000-000" {

 

127.10.0.0;

 

localnets;

 

};

 

view "external" {

 

match-clients { "zrd-acl-000-000"; any; };

 

};

 

 

Regards

 

Andrzej