I do not think you can use the FTP Session Logging codeshare as a template, because the first SERVER_DATA event fires before the first CLIENT_DATA event: the FTP server sends its 220 greeting before the client has sent anything.
e.g.
[root@ve10:Active] config b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.19.252:21
ip protocol 6
rules myrule
profiles {
ftp {}
tcp {}
}
}
[root@ve10:Active] config b rule myrule list
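rule myrule {
    # Demonstration iRule: every handler logs a "-" marker followed by the
    # collected payload, so the order in which the TCP events fire can be read
    # from /var/log/ltm.
    #
    # The FTP control channel is cleartext, so the payload logged in
    # CLIENT_DATA includes login commands. The PASS argument is deliberately
    # left out of the log so passwords do not end up in the log file.
    when CLIENT_ACCEPTED {
        log local0. "-"
        # NOTE(review): the two zero arguments are kept exactly as posted;
        # confirm their meaning against the TCP::collect reference for your version.
        TCP::collect 0 0
    }
    when CLIENT_DATA {
        log local0. "-"
        if { [string match -nocase "PASS*" [TCP::payload]] } {
            # Log only the command verb, never the password that follows it.
            log local0. "PASS"
        } else {
            # Client-controlled text: treat these log lines as untrusted input
            # in anything that parses the log afterwards.
            log local0. [TCP::payload]
        }
        # Forward what was collected, then collect the next client command.
        TCP::release
        TCP::collect
    }
    when SERVER_CONNECTED {
        log local0. "-"
        # Start collecting on the server side so SERVER_DATA fires for replies.
        TCP::collect
    }
    when SERVER_DATA {
        log local0. "-"
        log local0. [TCP::payload]
        # Forward the server reply, then collect the next one.
        TCP::release
        TCP::collect
    }
}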
[root@ve10:Active] config tail -f /var/log/ltm
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : 220 (vsFTPd 2.0.5)
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : AUTH GSSAPI
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : 530 Please login with USER and PASS.
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : AUTH KERBEROS_V4
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule : 530 Please login with USER and PASS.
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule : USER anonymous
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule : 331 Please specify the password.
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule : PASS
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule : -
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule : 230 Login successful.
Instead, I think you should use the FTP proxy v10 iRule to proxy the client connection until the username has been received.
FTP proxy v10 by Bhattman
https://devcentral.f5.com/wiki/irules.FTP-Proxy.ashx
e.g.
[root@ve10:Active] config b virtual bar list
virtual bar {
snat automap
destination 172.28.19.252:21
ip protocol 6
rules myrule
profiles {
ftp {}
tcp {}
}
}
[root@ve10:Active] config b pool foo1 list
pool foo1 {
members 200.200.200.101:21 {}
}
[root@ve10:Active] config b pool foo2 list
pool foo2 {
members 200.200.200.111:21 {}
}
[root@ve10:Active] config b rule myrule list
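rule myrule {
    # Chooses the pool from the FTP user name. The rule answers the client
    # itself (220 greeting, 530 for anything that is not USER) until a USER
    # command arrives, selects the pool from that name, and replays the USER
    # command to the chosen server once the server has sent its own 220 banner.
    #
    # The user name is unauthenticated when the pool is chosen; it only steers
    # the connection. The USER/PASS login itself is still answered by the
    # selected server.
    when CLIENT_ACCEPTED {
        log local0. "-"
        log local0. "220\r\n"
        # No server is connected yet, so the greeting is sent by the rule.
        TCP::respond "220\r\n"
        TCP::collect
    }
    when CLIENT_DATA {
        log local0. "-"
        if { [string match -nocase "PASS*" [TCP::payload]] } {
            # A client may send PASS before USER; never log the password.
            log local0. "PASS"
        } else {
            log local0. [TCP::payload]
        }
        # Only accept USER when scan actually extracted a name; a bare "USER"
        # would otherwise leave cuser unset and abort the rule with a Tcl error.
        if { [TCP::payload] starts_with "USER" && [scan [TCP::payload] {USER%s} cuser] == 1 } {
            # "--" stops option parsing, so a client-supplied name that begins
            # with "-" is compared as a string and not taken as a switch option.
            switch -- $cuser {
                "garfield" { pool foo1 }
                default { pool foo2 }
            }
            # Drop the client's USER line; SERVER_DATA re-sends it to the server
            # after the server banner has been consumed.
            TCP::payload replace 0 [string length [TCP::payload]] ""
            TCP::release
            return
        }
        # Anything else before USER is discarded and refused.
        TCP::payload replace 0 [string length [TCP::payload]] ""
        log local0. "530 Please login with USER and PASS.\r\n"
        TCP::respond "530 Please login with USER and PASS.\r\n"
    }
    when SERVER_CONNECTED {
        log local0. "-"
        # Log the server-side port. The version as posted interpolated
        # [TCP::release] here, which would explain a ":0" port in logs
        # produced by that version.
        log local0. "client [IP::client_addr]:[TCP::client_port] server [IP::remote_addr]:[TCP::remote_port]"
        TCP::collect
    }
    when SERVER_DATA {
        log local0. "-"
        log local0. [TCP::payload]
        if { [TCP::payload] starts_with "220" } {
            # The client already received a 220 from the rule, so the server
            # banner is swallowed and the stored USER command is replayed.
            # cuser was read with %s, which stops at whitespace, so it cannot
            # carry CR/LF into the command sent to the server.
            TCP::respond "USER $cuser\r\n"
            TCP::payload replace 0 [string length [TCP::payload]] ""
        }
        TCP::release
    }
}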
anonymous
[root@centos251 ~] ftp 172.28.19.252
Connected to 172.28.19.252.
220
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.28.19.252:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,28,19,252,122,137)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 May 30 2011 pub
226 Directory send OK.
[root@ve10:Active] config tail -f /var/log/ltm
Jan 19 17:14:52 local/tmm info tmm[4884]: Rule myrule : client 172.28.19.251:44457 server 200.200.200.111:0
garfield
[root@centos251 ~] ftp 172.28.19.252
Connected to 172.28.19.252.
220
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.28.19.252:root): garfield
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,28,19,252,193,201)
150 Here comes the directory listing.
226 Directory send OK.
[root@ve10:Active] config tail -f /var/log/ltm
Jan 19 17:15:35 local/tmm info tmm[4884]: Rule myrule : client 172.28.19.251:44459 server 200.200.200.101:0