For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sp1at_86630's avatar
sp1at_86630
Icon for Nimbostratus rankNimbostratus
Mar 21, 2009

rule to replace vip ip with pool member

Hi All,

 

How do i rewite the stream on an incomming request to replace the vip address with the ip of the pool member selected?

 

 

here is what i think the rule should look like, is it correct?

 

 

when SERVER_CONNECTED {

 

STREAM::disable

 

STREAM::expression @HOST=10.10.10.10@HOST=[LB::server addr]@

 

STREAM::enable

 

}

 

application delivery
dev
devops
iRules

4 Replies

  • L4L7_53191's avatar
    L4L7_53191
    Icon for Nimbostratus rankNimbostratus
    Mar 24, 2009
    I think a stream will only act on the HTTP payload, not the headers. You'll probably want to use an iRule for this...here's something that will hopefully get you close (not tested): 

      
 when HTTP_REQUEST {  
 HTTP::header replace Host [LB::server addr]:[LB::server port]  
 }

    -Matt
  • sp1at_86630's avatar
    sp1at_86630
    Icon for Nimbostratus rankNimbostratus
    Mar 24, 2009
    That will not work for this. It's an oracle connection SID in the tcp payload.

     

     

    Connect Data: (DESCRIPTION=(CONNECT_DATA=(SID=lenvdbq)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.11)(PORT=11500)))

     

     

    My vip address is 10.10.10.11 and I need to replace it with the selected pool members address.

     

     

    -sp1at
  • L4L7_53191's avatar
    L4L7_53191
    Icon for Nimbostratus rankNimbostratus
    Mar 24, 2009
    In that case, I think you'll work (from a connectivity standpoint) without any issues. Ideally setup the oracle client to point to the virtual server address in tnsnames.ora as opposed to the real server address. The BigIP is a NAT device, so as the traffic flows through the BigIP it'll do destination address translation back to the selected server.

     

     

    Now for the big caveat: if you're looking to load balance read/write operations be super careful - this is an extremely tricky problem to solve. If you're doing read only, you'll likely be OK.

     

     

    -Matt
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 24, 2009
    If you want to rewrite the TCP payload, I think you'd need to enable the stream filter in CLIENT_ACCEPTED. Enabling the stream filter in SERVER_CONNECTED only seems to allow you to rewrite the response from the server to LTM.

    Normally, a load balancing decision isn't made until LB_SELECTED. However, you can force a load balancing decision in CLIENT_ACCEPTED using LB::select (Click here. You could then get the selected server IP using [LB::server addr]. 

      
 when CLIENT_ACCEPTED {  
  
     Make a load balancing decision 
    set lb_select [LB::select]  
  
     Now use the selection 
    eval $lb_select  
  
     Replace the virtual server IP with the selected pool member IP 
 STREAM::expression "@[IP::local_addr]@[LB::server addr]@"  
  
     Enable the stream filter 
    STREAM::enable  
  
    log local0. "Stream expression: @[IP::local_addr]@[LB::server addr]@"  
 }

    Aaron