Vijay_Kumar_963
Oct 19, 2012

How to make irule for outgoing http request

Hi

We have an HTTP request which is going towards Internet from the WAP Gateway server.

Now we have the requirement to read the IP address present in the Cookie value of HTTP request and insert this IP into the SOURCE IP address of the HTTP request going out towards Internet.

Is it feasible? If yes, how?

4 Replies

  • Are there likely to be many values for the source IP? My thinking is that if there are not too many, you could create an SNAT for each one, then read the header and choose the appropriate SNAT based on its value. This way the F5 will track the connection and all that good stuff.

  • just doubt if ip is valid cookie value.

    HTTP State Management Mechanism

    http://tools.ietf.org/html/rfc6265#section-3

    this is my testing using http header instead of cookie.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       translate service disable
       pool gw
       destination any:80
       mask 0.0.0.0
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b pool gw list
    pool gw {
       members 172.28.19.254:any {}
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
       if { [scan [HTTP::header value "SNAT-IP-ADDRESS"] {%d.%d.%d.%d} a b c d] == 4 } {
          snat ${a}.${b}.${c}.${d}
       }
    }
    }
    
     on client
    
     curl -I http://8.8.8.8 -H "SNAT-IP-ADDRESS: 1.1.1.1"
    
     on bigip
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    16:38:23.155717 IP 200.200.200.101.49839 > 8.8.8.8.80: S 1788555863:1788555863(0) win 5840 
    16:38:23.155769 IP 8.8.8.8.80 > 200.200.200.101.49839: S 2802155735:2802155735(0) ack 1788555864 win 4380 
    16:38:23.156811 IP 200.200.200.101.49839 > 8.8.8.8.80: . ack 1 win 46 
    16:38:23.156852 IP 200.200.200.101.49839 > 8.8.8.8.80: P 1:177(176) ack 1 win 46 
    16:38:23.165656 IP 1.1.1.1.49839 > 8.8.8.8.80: S 2419732630:2419732630(0) win 4380  8.8.8.8.80: S 444058119:444058119(0) win 5840 
    16:39:40.602656 IP 8.8.8.8.80 > 200.200.200.101.49840: S 4032979623:4032979623(0) ack 444058120 win 4380 
    16:39:40.603846 IP 200.200.200.101.49840 > 8.8.8.8.80: . ack 1 win 46 
    16:39:40.603881 IP 200.200.200.101.49840 > 8.8.8.8.80: P 1:177(176) ack 1 win 46 
    16:39:40.604010 IP 2.2.2.2.49840 > 8.8.8.8.80: S 2964909812:2964909812(0) win 4380 
    
  • Nice work as ever nitass.

    Vijay, can you confirm if the source IP is actually in a cookie or a header please?
  • thanks Steve.

    i checked rfc again and i think ip is valid cookie value.

    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
       foreach acookie [HTTP::header values "Set-Cookie"] {
          if { [scan $acookie {SNAT-IP-ADDRESS=%d.%d.%d.%d} a b c d] == 4 } {
             snat ${a}.${b}.${c}.${d}
             break
          }
       }
    }
    }
    
    on client
    
     curl -I http://8.8.8.8 -H "Set-Cookie: test=1234" -H "Set-Cookie: SNAT-IP-ADDRESS=10.10.10.10; path=/" -H "Set-Cookie: foo=abcd"
    
    on bigip
    
    [root@ve10:Active] config  tcpdump -nni 0.0 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 108 bytes
    19:59:09.615782 IP 200.200.200.101.49858 > 8.8.8.8.80: S 3734643271:3734643271(0) win 5840 
    19:59:09.615832 IP 8.8.8.8.80 > 200.200.200.101.49858: S 702811879:702811879(0) ack 3734643272 win 4380 
    19:59:09.616803 IP 200.200.200.101.49858 > 8.8.8.8.80: . ack 1 win 46 
    19:59:09.616826 IP 200.200.200.101.49858 > 8.8.8.8.80: P 1:245(244) ack 1 win 46 
    19:59:09.616992 IP 10.10.10.10.49858 > 8.8.8.8.80: S 16523661:16523661(0) win 4380
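
Both iRules in this thread hand whatever `scan` parses straight to `snat`, and `%d` also accepts out-of-range octets, negative numbers and trailing text. The following is an added example, not code from any poster in the thread: it reads the request cookie with `HTTP::cookie`, validates it strictly, and only applies addresses from an allow-list. The data group names `trusted_gateways` and `allowed_snat_ips` are hypothetical address-type data groups; the cookie name is the one used in the posts above.

```tcl
# Added example, not from the thread.
# Assumptions: "trusted_gateways" and "allowed_snat_ips" are hypothetical
# address-type data groups created by the administrator.
when HTTP_REQUEST {
    # Only honour the cookie when the request arrives from the WAP gateway;
    # any other client could set the cookie to an address of its choosing.
    if { ![class match [IP::client_addr] equals trusted_gateways] } {
        return
    }
    if { ![HTTP::cookie exists "SNAT-IP-ADDRESS"] } {
        return
    }
    set candidate [HTTP::cookie value "SNAT-IP-ADDRESS"]

    # Strict dotted quad: exactly four groups of 1-3 digits, anchored at
    # both ends so "1.1.1.1; extra" or "-1.2.3.4" is rejected.
    if { ![regexp {^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$} $candidate] } {
        log local0. "SNAT cookie rejected (format), client [IP::client_addr]"
        return
    }

    # %d parses decimal, so a leading zero ("08") is not read as octal.
    scan $candidate {%d.%d.%d.%d} a b c d
    foreach octet [list $a $b $c $d] {
        if { $octet > 255 } {
            log local0. "SNAT cookie rejected (range), client [IP::client_addr]"
            return
        }
    }
    set snat_ip "${a}.${b}.${c}.${d}"

    # Apply the address only if it is one the BIG-IP is meant to source from.
    if { [class match $snat_ip equals allowed_snat_ips] } {
        snat $snat_ip
    } else {
        log local0. "SNAT cookie rejected (not allowed), client [IP::client_addr]"
    }
}
```

When the cookie is absent or rejected, the rule issues no `snat` command, so the virtual server's configured source address translation applies unchanged.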