20 Lines or Less #70

What could you do with your code in 20 Lines or Less? That's the question we like to ask from, for, and of (feel free to insert your favorite preposition here) the DevCentral community, and every time we do, we go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head. Thus was born the 20LoL (20 Lines or Less) series many moons ago. Over the years we've highlighted hundreds of iRules examples, all of which were doing downright cool things in less than 21 lines of code.

In this edition, I step in for Colin the Magnificent to bring you some iRules goodness in short form. New capabilities and a few cool iRules await you, so let's get going!

Make Me a Sandwich! iRules Style...

Flying well under the radar in the 11.4.1 TMOS release is a new iRules-capable layer in the BIG-IP Advance Firewall Manager module. With the introduction of the FLOW_INIT event and the ACL::action command, you can now sandwich some iRules logic goodness in between the packet filters at the front door and the beginning of the BIG-IP AFM processing. This gives you the capabilities of overriding ACL action, controlling bandwidth and QoS on client and/or server flows, and routing/blocking traffic. Sweet! New toys! Anyway, this first example is not so much eye-opening in complexity, just an example of reaching a new layer in the stack with which to control.

when FLOW_INIT {
  set ipaddr [IP::client_addr]
  set locale [whereis $ipaddr country]
  log local0. "IP Address/Counry $ipaddr/$locale"
  switch $locale {
    "US" -
    "CA" { return }
    "GB" { ACL::action drop }
    default { ACL::action reset }
  }
}

It's Not Me, It's You(r  Old Domain)

Redirection is well covered in Q&A, with just a thousand (give or take a few hundred) or so different angles on the topic. Community member Martin Thomas asked how to send a permanent redirection from the requested old domain to a new domain, but keeping parts of it. That's pretty easy to manually, but if you have a lot of domains to do this for, it becomes not only tedious in writing the iRule, but, if using if/else statements, could be inefficient as well. Thankfully, IheartF5 came to the rescue, with not one, but yes, you read this correctly, two fine solutions!

Solution 1

This solution uses the getfield command, which is a custom iRules command that essentially performs an lindex-split operation from the native Tcl library.

when HTTP_REQUEST {
    if {[HTTP::host] ends_with ".olddomain.com"} {
        HTTP::respond 301 Location "https://[getfield [HTTP::host] . 1].newdomain.com[HTTP::uri]"
       }
}

Solution 2

This other solution is a little more efficient that then other, using the old faithful string map command. Nice work, IheartF5!

when HTTP_REQUEST {
    if {[HTTP::host] ends_with ".olddomain.com"} {
        HTTP::respond 301 Location "https://[string map {olddomain newdomain} [HTTP::host]][HTTP::uri]"
       }
}

Me Want Cookie...Not So Much

Winning this blog's "shortest iRule of the post" contest is also from IheartF5, answering a question on how to expire a cookie from member Abhishek. Short. Sweet. Powerful. I've used this one myself from time to time. Note that the path information should probably be adjusted accordingly to your app's needs.

when HTTP_RESPONSE {
        HTTP::header insert Set-Cookie "mycookie=xx; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT; HttpOnly"
}

Technorati Tags: iRules,20 lines or less,20LoL
Published Dec 10, 2013
Version 1.0
  • Hi there's actually a typo in the rule above - should say [getfield [HTTP::host] : 1] (not : instead of .) as I was trying to remove any possible port number that's been added to the Host header.