table
12 Topics

Append to list stored in table key
Hi,

First of all, I wonder if it is a good idea to store a list in a sub/table key, considering performance and memory consumption. Let's say it could be a list containing no more than 10 IPs.

Second, I wonder if there is a faster, more elegant way to actually add a new value to the list. My idea is:

```tcl
set c_val [table lookup -subtable ip [IP::client_addr]]
lappend c_val $new_val
table set -subtable ip [IP::client_addr] $c_val
```

Seems to be a lot of overhead here, so maybe there is a better way?

Piotr

837 Views, 0 likes, 20 Comments

table command causing abort of rule event HTTP_REQUEST
Hello everyone,

This is my first dig into iRules, and I'm hitting an issue with the table command that is aborting my rule. I'm essentially trying to rate limit requests per URI per ASPNET Session ID. I've been working with the iRule for a couple days, so I know it's not at its best and has excessive logging (for the purposes of figuring this out). I'm testing with a backend server that doesn't use ASP, so I'm setting it statically in the iRule as a failsafe for now. I'm building that up now for testing.. but hit some snags.

The main issue is the table command aborting the rule execution. I was originally putting many of the table lookups directly into the if statements, but I was able to resolve an abort earlier in the rule by setting to a variable first.

Here are the logs:

```
[admin@LTM1:ModuleNotLicensed:Active:Standalone] ~ tail /var/log/ltm
Jun 6 11:07:23 LTM1 info tmm1[8579]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 192.168.21.102:58079->10.202.20.170:80 (listener: /Common/Drupal_HTTP)
Jun 6 11:07:23 LTM1 info tmm[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: HTTP_REQUEST Matched
Jun 6 11:07:23 LTM1 info tmm[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: No session cookie found. Quitting..
Jun 6 11:07:23 LTM1 info tmm[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: Got URI, /drupal/themes/garland/images/bg-content-right.png, making key: session1_/drupal/themes/garland/images/bg-content-right.png
Jun 6 11:07:23 LTM1 info tmm[8579]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 192.168.21.102:58080->10.202.20.170:80 (listener: /Common/Drupal_HTTP)
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: HTTP_REQUEST Matched
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: No session cookie found. Quitting..
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: Got URI, /drupal/themes/garland/images/bg-content-right.png, making key: session1_/drupal/themes/garland/images/bg-content-right.png
Jun 6 11:07:23 LTM1 info tmm1[8579]: Rule /Common/JSESSIONRateLimit : iRule_Rate-Limiter: Matched second else.. not following conditionals.
Jun 6 11:07:23 LTM1 info tmm1[8579]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 192.168.21.102:58081->10.202.20.170:80 (listener: /Common/Drupal_HTTP)
```

Here is the rule:

```tcl
when HTTP_REQUEST {
    log local0. "iRule_Rate-Limiter: HTTP_REQUEST Matched"
    set maxReqs 5
    set cooldownTimer 30
    set sampleTimer 30
    set timeout 30

    if { [HTTP::cookie exists "ASP.NET_SessionId"] } {
        set aspid [HTTP::cookie ASP.NET_SessionId]
        log local0. "iRule_Rate-Limiter: SESSION Cookie present: $aspid"
    } else {
        log local0. "iRule_Rate-Limiter: No session cookie found. Quitting.."
        pool Drupal_Pool
        event HTTP_REQUEST disable
        set aspid "session1"
    }

    set reqURI [string tolower [HTTP::uri]]
    set key "$aspid"
    append key "_$reqURI"
    log local0. "iRule_Rate-Limiter: Got URI, $reqURI, making key: $key"

    set onCooldown [table lookup -subtable "Cooldowns" $key]

    if { $onCooldown != "" } {
        log local0. "iRule_Rate-Limiter: Key: $key is already on cooldown, sending HTTP:429 status code."
        HTTP::respond 429
    } else {
        log local0. "iRule_Rate-Limiter: Matched second else.. not following conditionals."
        set currCount [table add $key 1]
        if { $currCount == "" } {
            table set $key 1 $timeout $sampleTimer
            log local0. "iRule_Rate-Limiter: First attempt for $key, adding to table for tracking."
        } else {
            if { ($currCount <= $maxReqs) } {
                table incr $key 1
                incr currCount
                log local0. "iRule_Rate-Limiter: $key not on timeout, but not first request. Incrementing count to $currCount in session table."
            } else {
                HTTP::respond 429
                table set -subtable "Cooldowns" $key "yes" $timeout $cooldownTimer
                log local0. "iRule_Rate-Limiter: $key triggered cooldown with $currCount attempts. Adding to cooldown table."
            }
        }
    }
}
```

Note that the rule is aborting at this line of code (line 31):

```tcl
set currCount [table add $key 1]
```

Any help here is greatly appreciated, as I can't find anything outlining why this occurs. It's a small rule, and a simple lookup so I don't see why it would cause the rule to suspend indefinitely.

Thanks!

Ryan

625 Views, 0 likes, 8 Comments

iRule table usage in FLOW_INIT event
Hi,

According to https://clouddocs.f5.com/api/irules/table.html the table command is valid for all events except RULE_INIT:

Valid Events: ALL, except RULE_INIT

I'm trying to use the table command in the FLOW_INIT event but always get an empty value, while at the CLIENT_ACCEPTED event the table returns a non-empty value.

```tcl
when FLOW_INIT {
    set srcip [IP::client_addr]
    set test_ip [table lookup -subtable "blacklist" $srcip]
    log local0. "$srcip , table value: $test_ip"
}
```

log is "192.0.0.1 , table value: "

while the same code in the CLIENT_ACCEPTED event

```tcl
when CLIENT_ACCEPTED {
    set srcip [IP::client_addr]
    set test_ip [table lookup -subtable "blacklist" $srcip]
    log local0. "$srcip , table value: $test_ip"
}
```

log is "192.0.0.1 , table value: block"

Thanks

513 Views, 1 like, 1 Comment

Using "table" iRule command inside the ACCESS_SESSION_CLOSED APM event
Hello everyone,

I'm in version 13.1.0.2 and I'm facing an issue when using the "table" iRule command with the ACCESS_SESSION_CLOSED event:

* This is an LTM+APM deployment (web application access)
* I have an empty access policy ( start --> allow )
* I have associated the following iRule to the virtual server:

```tcl
when ACCESS_SESSION_STARTED {
    if { [table lookup "toto"] != "" } {
        log local0. "found !"
    } else {
        log local0. "not found !"
    }
}

when ACCESS_SESSION_CLOSED {
    table set "toto" "myData" 1800
    log local0. "adding toto to the shared table !"
}
```

I noticed that whenever I kill a particular session and re-establish a new session, the entry is never found in the table (I have chosen a 30min timeout so that I can easily disconnect and reconnect without having the entry time out).

After further testing I noticed that whenever I use the "table" command in the ACCESS_SESSION_CLOSED, this entry is deleted right after the session is closed.

I found this article K58224211 which describes a known bug, however it should be fixed since version 12.0.0. (btw I also performed the same test in 12.1.2 and 12.1.3 with the same result)

Am I missing something in my iRule? Or did I just hit a new bug?

Any help would be appreciated.

Many thanks,

509 Views, 0 likes, 2 Comments

trouble to remove table due to ACCESS_SESSION_CLOSED event
Hi all,

I want to remove a table after clicking the EdgeClient disconnect button:

```tcl
when ACCESS_SESSION_CLOSED {
    table delete -subtable TableName -all
}
```

If I use another browser session with an iRule that does check this table:

```tcl
when HTTP_REQUEST {
    log local0. [table keys -subtable TableName]
}
```

I still get all the content from this table. This looks not normal to me because I deleted this table before with the ACCESS_SESSION_CLOSED event.

Does somebody know why that happens?

Thank you,
sm

508 Views, 0 likes, 5 Comments

iRule: effect of updating subtable lifetime
If I create a subtable with a certain timeout and lifetime and then later on change the timeout and lifetime, it seems that the timeout is correctly updated with the new value, which starts counting down again. But the lifetime seems to remember the moment it was created and only calculates the new lifetime value based on the moment of creation.

Is this expected behavior? Is there an easy way to change that moment of creation (except for delete and recreate)?

355 Views, 0 likes, 6 Comments

Can an "after" job be referenced from a different context?
This is related to a previously un-answered question: https://devcentral.f5.com/questions/periodic-summary-logging-with-table-and-after. I'm trying to accomplish roughly the same thing, but I'm looking for a more specific answer.

I'm trying to count the number of times a certain kind of request has been processed, then dump those counts every X seconds. Is it possible to reference an "after" ID that was registered in a different thread of execution? The docs don't explicitly state one way or the other:

after info [ …]
* Returns information about currently scheduled scripts, or about a specific .
* Returns active timer ID(s) ( ...) for the current executing context (i.e., client, server).
* If called without supplying or multiple s supplied, return value is TCL list.

When I pass an after ID to "after info " that was registered in a different thread (the ID was saved to/retrieved from a session table), I get something like:

```
TCL error: MY_IRULE - Invalid after ID: afterbf8f674
```

My code looks something like this:

```tcl
set count [ table incr "count_$tbl" ]
set after_id [after info [table lookup -subtable ${static::prefix} -notouch count_monitor]]
if { [ info exists after_id ]} {
    # do nothing, don't log right now
} else {
    set after_id [after 10000 {
        log local4.notice "prefix=${static::prefix} -- count=${count}"
        table delete "count_$tbl"
    }]
    table set -subtable ${static::prefix} count_monitor ${after_id} 120000
}
```

When I run that code, it fails on the second line, trying to reference the "after info" by ID. If I log "[after info]" by itself, it returns nothing.

After some playing around, it appears that after IDs can't be referenced outside of the original context. Is there a way that they can be registered in such a way as to be able to access them from a different context? If not, is there a different (v10-compatible) way that I could achieve some sort of asynchronous "dumping and clearing" of session table data?

322 Views, 0 likes, 2 Comments

User ID based pool selection
Hi there!

I am trying to write one iRule to select the pool based on user ID. For example, when the user tries to log in, grab the ID of test1@example.com and send to pool1, and for the other user ID test2@example.com send to pool2.

Essentially, after successfully logging in, I have tried to save the user ID in the table. However, the issue is that when test1 logs in, test2 cannot log in. Not sure what I am doing wrong. Is there any limitation on table? I assumed it should be session based when used from different browsers.

Any help on this will be highly appreciated.

F5 version: 12.1

Cheers.

Best regards
Hyder

299 Views, 0 likes, 4 Comments

Scoping of and/or naming limits of subtables
I have a table which I want to be specific to both the virtual server, and the APM policy which is applicable (it is only written/read during Access Policy event iRules).

I tried:

```tcl
table -subtable "[virtual][ACCESS::policy agentid]tablename" ...
```

But this fails, when using

```tcl
table -subtable "tablename" ....
```

works fine.

I assume that I'm exceeding the length or other restriction on table name, or possibly I've misunderstood "agent_id". I will try the pragmatic "[virtual]tablename", since the reason to depend on policy is that, in case the rules change for what is in the table with a policy update, I don't need to worry about deletion or upgrade steps. But if it is obvious to anyone what I've misunderstood here, or if anyone knows the rules for subtable name and length, please shout.

285 Views, 0 likes, 2 Comments

Table wildcard lookup
Hi,

Let's say I am not using a subtable, and the key value is based on a variable not known in advance, like the value of an application cookie. What is the simplest way to find all keys? Start the key name with some constant string, like session:session cookie value? If so, is it possible to find all keys starting with the string before ":", like a wildcard lookup?

Piotr

278 Views, 0 likes, 5 Comments