Forum Discussion

Ed_Barlow_22
Historic F5 Account
Apr 13, 2007

Routing based on packet content

I am building a solution where HTTP traffic is inspected and routed to a pool member based on an iRule and all other traffic is forwarded straight out of the default gateway.

I have a wildcard VIP 0.0.0.0:80 with the following iRule that simply checks some headers, forwards to the HTTP VIP, and forwards the rest through the default gateway.

when CLIENT_ACCEPTED {
    # Hold the client's first payload bytes for inspection before any
    # load-balancing decision is made.
    TCP::collect
}

when CLIENT_DATA {
    # Loose HTTP check on the collected payload: both strings must appear.
    if { ([TCP::payload] contains "HTTP") and ([TCP::payload] contains "Host:") } {
        log "Success"
        # Hand the connection to the HTTP virtual server named Auction.
        virtual Auction
    } else {
        log "failed direct"
        # Anything else leaves via the routing table (default gateway).
        forward
    }
    # Let the held payload continue to the chosen destination.
    TCP::release
}

Everything is wonderful and iRules rock:D!!!!!!!

Except when someone smart decides to use something like SSH, FTP, HTTPS, etc. through port 80. Please don't ask why; I've already debated the rights and wrongs of this.......it just sometimes happens.

In this case we block this type of traffic. Unless I am mistaken, the TCP profile will mean we proxy the traffic, therefore the client expects us to complete the handshake. The iRule will not work without a TCP profile.

Is there any way of inspecting the traffic without causing this problem....

.........strikes me it is a little bit chicken and egg. I need to know what the content is without inspecting the content using the TCP events :-(

Thanks for any input.

Ed

  • Colin_Walker_12
    Historic F5 Account
    Your "chicken and egg" comment is accurate here. There's no way of inspecting content before some sort of connection has been established which, for TCP data, includes the necessary handshake.

    Is there some way you could establish the connection, inspect the content, and then forward it on to the desired destination?

    Colin
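    An added example, not from the original thread and not F5's own code, of the approach Colin describes: accept the connection (the handshake is unavoidable), classify the first client bytes, and route on that. It keeps the virtual server name Auction from Ed's rule; everything else (the log facility local0, the set of HTTP methods matched) is an assumption for illustration. The SSH and TLS checks use the fixed bytes those protocols always send first, so "smart" users pushing SSH or HTTPS through port 80 are forwarded instead of being sent to the HTTP virtual.

```tcl
when CLIENT_ACCEPTED {
    # Hold the client's first payload bytes. The TCP handshake has already
    # completed at this point; there is no earlier moment at which payload
    # can be seen, which is the "chicken and egg" Colin refers to.
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]
    # First two bytes as four hex digits, e.g. "1603" for a TLS record header.
    binary scan $payload H4 first_bytes

    if { [regexp {^(GET|POST|HEAD|PUT|DELETE|OPTIONS) [^ ]+ HTTP/1\.[01]\r?\n} $payload] } {
        # A well-formed HTTP request line (method, target, version) is a far
        # tighter test than "contains HTTP" and "contains Host:".
        log local0. "port 80: HTTP request line, routing to virtual Auction"
        virtual Auction
    } elseif { [string match "SSH-*" $payload] } {
        # SSH clients open with an identification string such as "SSH-2.0-...".
        log local0. "port 80: SSH identification string, forwarding via routing table"
        forward
    } elseif { [string match "1603*" $first_bytes] } {
        # TLS record header: content type 0x16 (handshake), major version 0x03.
        # This is an HTTPS ClientHello arriving on port 80.
        log local0. "port 80: TLS ClientHello, forwarding via routing table"
        forward
    } else {
        # Unknown first bytes: do not guess, just route it normally.
        log local0. "port 80: unrecognised first bytes, forwarding via routing table"
        forward
    }
    # Release the held bytes so they continue to whichever destination was chosen.
    TCP::release
}
```

    Two caveats worth knowing before relying on this. Only the first segment the client sends is examined, so an HTTP request line split across segments falls into the default branch and is forwarded rather than load balanced. And protocols where the server speaks first (FTP's banner, for instance) never produce client data, so CLIENT_DATA never fires and the connection sits in collect until the idle timeout; a client that sends nothing is indistinguishable from one that is waiting for the server.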