F5 iRule Rule Writing Explained
F5 iRule Explained (F5 Networks training deck; the numbered slides below follow the deck's own order)

Slide 2: The essential difference between L4 and L7 switching
- L2, L3 and L4 switch on a header field: the MAC address, the IP address and the port. Each signature sits at a fixed address and has a fixed length.
- L7 switches on the full payload. Its signature has neither a fixed address nor a fixed length.
- Switching on a signature of non-fixed address and non-fixed length is what characterizes L7 switching; extracting that L7 switching feature is the job of the iRule.

Slide 3: What an iRule is made of
- iRules are event-driven: the LTM system triggers the events you specify (expect) in the iRule.
- An iRule is built from these basic elements: event declarations, operators, and iRule commands.

Slide 4: The basic format of an iRule
Event declaration, expression, iRule command:

    when CLIENT_ACCEPTED {
        # the network address in front of /24 is missing from the source
        if { [IP::addr [IP::remote_addr] equals /24] } {
            discard
        }
    }

Slide 5: Creating and managing an iRule (1) (screenshot)
Slide 6: Creating a data group (2) (screenshot)
Slide 7: The iRule Editor (screenshot)
Slide 8: Referencing an iRule (1): on a new virtual server (screenshot)
Slide 9: Referencing an iRule (2): on an existing virtual server (screenshot)

Slide 10: iRule case (1)

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/csp/dwr/" and [HTTP::uri] ends_with ".js" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp/js/" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp/resources/" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp_help/" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp/esales/" } {
            pool csp6_esales_pool
        } else {
            pool csp6_professional_pool
        }
    }

Slide 11: iRule example (2)
Session persistence keyed on the mobile phone number carried in the HTTP request:

    when HTTP_REQUEST {
        if { [HTTP::header exists "x-up-calling-line-id"] } {
            persist uie [HTTP::header values "x-up-calling-line-id"]
            # log local0. "the phonenumber is [HTTP::header values x-up-calling-line-id]"
        }
    }

Slide 12: iRule example (3)

    when HTTP_REQUEST {
        if { [matchclass [HTTP::uri] ends_with $::class_end] } {
            pool pool_gateway
            log local0. "the uri is [HTTP::uri], match uri class"
        } elseif { [matchclass [HTTP::host] contains $::class_domain] } {
            pool pool_gateway
            log local0. "the domain name is [HTTP::host], match class_domain"
        } else {
            pool css-w3
            log local0. "the uri is [HTTP::uri], use cache"
        }
    }

$:: denotes a global variable. From v10 on, do not use it any more; simply drop the $:: and reference the class by name.
The data groups (classes) used above:

    class class_domain {
        # members missing from the source
    }
    class class_end {
        ".aspx" ".cfm" ".cgi" ".jsp" ".php" ".phtml" ".shtml"
    }

Slide 13: iRule case (4)

    when CLIENT_ACCEPTED {
        log local0. "the client is [IP::remote_addr], the server is [IP::local_addr]"
        # every IP address in this rule is truncated in the source; only the
        # prefix length (/23) or the trailing digits of each address survived
        if { ([IP::addr [IP::local_addr] equals /23] ||
              [IP::addr [IP::local_addr] equals /23] ||
              [IP::addr [IP::local_addr] equals /23]) &&
             ([IP::addr [IP::remote_addr] equals 06] ||
              [IP::addr [IP::remote_addr] equals 09] ||
              [IP::addr [IP::remote_addr] equals 13] ||
              [IP::addr [IP::remote_addr] equals 14]) } {
            snat 33
            log local0. "snat to 33"
        } elseif { ([IP::addr [IP::local_addr] equals /23] ||
                    [IP::addr [IP::local_addr] equals /23] ||
                    [IP::addr [IP::local_addr] equals /23]) &&
                   ([IP::addr [IP::remote_addr] equals 32] ||
                    [IP::addr [IP::remote_addr] equals 35] ||
                    [IP::addr [IP::remote_addr] equals 39]) } {
            snat 19
            log local0. "snat to 19"
        } else {
            snat 30
            log local0. "snat to 30"
        }
    }

Slide 14: Debugging iRules with the log command
- The output of log goes to /var/log/ltm.
- Errors in the iRule itself are also written to /var/log/ltm.
- Add debug statements to verify how the iRule runs:

    log local0. "start of the rule"
    log local0. "middle of the rule"
    log local0. "end of the rule"

Slide 15: Output of the log command
The argument of the log statement is the facility, a dot, and the level. The facilities are:
- local0: /var/log/ltm
- local1: /var/log/em
- local2: /var/log/gtm
- local3: /var/log/asm
- local4: /var/log/ltm
- local5: /var/log/pktfilter
- local6: /var/log/httpd/httpd_errors
- local7: /var/log/boot.log
Note: the log command consumes resources. In production, be sure to comment it out.

Slide 16: iRule resources: http:/ (URL truncated in the source)
Slide 17: iRule forum: http:/ (URL truncated in the source)

Slide 18: iRules, other remarks
- Please note: always test thoroughly.
- F5 Support supports only the syntax of the commands; it cannot support a customer's iRule application logic.
- Consulting services can be purchased to develop the iRule together.

Slide 19: Demo

Slide 21: Tcl foundations
- Variables
- Expressions
- Flow control: if-then-else, switch, for

Slide 22: Variables, basic operations
set, unset, append, incr

Slide 23: Variables, lists

    set lst {item 1 item 2 item 3}   ;# the braces grouping the elements were lost in extraction
    lindex [lindex [lindex $a 1] 2] 3
    lindex $a 1 2 3                  ;# same result, nested-index form

- lappend
- linsert: inserts elements before the given index
- lreplace: replaces the elements from first to last; if fewer replacement elements are supplied than the range covers, the remainder of the range is deleted
- llength

Slide 24: Variables, global variables
- Everything defined inside RULE_INIT is global.
- ::varname is a global variable.
- Using global variables disables CMP, i.e. traffic can then only be handled by a single CPU. Pay close attention to this on v10 and later.

Slide 25: Expressions and operators, Tcl standard (by precedence, highest first)
- - + ~ !: unary plus and minus, bitwise NOT, logical NOT. Not for strings; bitwise NOT only for integer variables.
- * / %: multiply, divide, modulo. Not for strings.
- + -: add, subtract. Numeric only.
- << >>: shift left, shift right. Integers only; right shift preserves the sign bit.
- < > <= >=: less than, greater than, less or equal, greater or equal. Return a boolean. Apply to numbers and strings; case-sensitive.
- == !=: equal, not equal. Return a boolean. Apply to all types.
- eq ne: equal, not equal. Return a boolean. Strings only.
- &: bitwise AND. Integer variables only.
- ^: bitwise XOR. Integer variables only.
- |: bitwise OR. Integer variables only.
- &&: logical AND. Returns a boolean. Boolean and numeric operands only.
- ||: logical OR. Returns a boolean. Boolean and numeric operands only.
- x ? y : z: if x then return y, else return z.

Slide 26: Expressions and operators, iRules extensions
- Relational operators: contains, matches (see Tcl "string match": *, ?), equals, starts_with, ends_with, matches_regex (see the common simple regular expressions).
- Logical operators: not / !, and / &&, or / ||.

Slide 27: Expressions, string comparison
Tcl habitually converts strings to numbers before comparing them. This applies to <, <=, >, >=, == and !=. For strings, use eq and ne instead.

Slide 28: Flow control, if

    if {...} then {...} elseif {...} then {...} else {...}

Notice: then and else are optional. Use as few elseif branches as possible.

Slide 29: Flow control, switch

    switch [option] <string> {
        <pattern> {
            # do something
        }
        <pattern> -
        <pattern> {
            # do something else
        }
        default {
            # don't do anything
        }
    }

Use switch wherever possible instead of if.

Slide 30: Flow control, switch options
- -exact: strict string comparison. The default.
- -nocase: ignore case.
- -glob: glob-style comparison of the string (see matches).
- -regexp: regular-expression comparison of the string (see re_syntax).
- --: marks the end of the options. Use it when the string may begin with "-".

Slide 31: Converting if to switch

    if { a or b } { do c }       ->   switch $m { a - b { do c } }
    if { a and b } { do c }      ->   switch $m { a { switch $n { b { do c } } } }

Slide 32: Flow control, for

    for {set i 3} {$i < 12} {incr i} {
        puts "i inside second loop: $i"
    }

Slide 33: iRule foundations 1
Global commands, functions, feature commands, events.

Slide 34: iRule command types
- Statement commands (traffic control): choose the destination of the traffic, whether to SNAT. No return value.
- Query commands (data extraction): retrieve the specified content from the traffic.
- Data manipulation commands: modify the specified content of the traffic.
- Utility commands: a set of functions providing common data parsing functionality.
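As an added example (not one of the deck's own slides), here is case (1) from slide 10 rewritten the way slides 24, 29 and 31 recommend: one switch -glob instead of the if/elseif chain, and the debug logging from slide 14 gated by a static:: variable set in RULE_INIT rather than a $:: global that would disable CMP. Pool and URI names are the deck's; the static::csp_debug flag is an assumption.

```tcl
# Added example: case (1) as a single switch with switchable debug logging.
when RULE_INIT {
    # static:: variables are shared read-only state; unlike $::globals they
    # do not demote the virtual server out of CMP (slide 24)
    set static::csp_debug 0
}

when HTTP_REQUEST {
    # "--" ends the option list, so a URI beginning with "-" can never be
    # taken for a switch option (slide 30)
    switch -glob -- [HTTP::uri] {
        "/csp/dwr/*.js" -
        "/csp/js/*" -
        "/csp/resources/*" -
        "/csp_help/*" {
            set selected csp6_cache_pool
        }
        "/csp/esales/*" {
            set selected csp6_esales_pool
        }
        default {
            set selected csp6_professional_pool
        }
    }
    pool $selected
    if { $static::csp_debug } {
        # log costs CPU and disk (slides 15 and 40): keep it behind the flag
        log local0. "client [IP::client_addr] uri [HTTP::uri] -> pool $selected"
    }
}
```

Matching stays case-sensitive, exactly like the starts_with/ends_with checks of the original; add -nocase to the switch only if the backend treats paths case-insensitively.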

Slide 35: iRule commands, global commands 1
- discard / drop: discards the current packet or connection. Must be used inside an if structure.
- forward: forwards the IP packets of this connection strictly according to the routing configuration, with no address translation at all, ignoring the pool and related settings of this virtual server.
- reject: rejects the connection and, depending on the situation, returns a reset.
- return: returns immediately from the current event.

Slide 36: iRule commands, global commands 2
- clientside / serverside / peer: every event is associated with a default context. With the keywords peer, clientside or serverside you can re-specify the context for any event in the iRule.

    when SERVER_CONNECTED {
        # the address compared here is truncated to "0" in the source
        if { [IP::addr [clientside {IP::remote_addr}] equals 0] } {
            discard
        }
    }

Slide 37: iRule commands, global commands 3
- pool <pool> [member <addr> <port>]: sends the traffic to the given pool or member, ignoring monitor status.
- node <addr> [<port>]: sends the traffic to the given node server.
- clone pool <pool> [member <addr> <port>]: clones the traffic to the given pool or member, ignoring monitor status.
- virtual [<name>]: returns the name of the associated virtual server or selects another virtual server.
- listen {proto ... timeout ... bind ... server ... allow ...}: sets up a related ephemeral listener to allow an incoming related connection to be established.

Slide 38: iRule commands, global commands 4
- nexthop <...>: sets the next hop of an IP connection.
- lasthop <...>: sets the last hop of an IP connection.
- rateclass <name>: causes the system to select the specified rate class to use when transmitting packets.

Slide 39: iRule commands, global commands 5
- snat <addr> | none | automap: specifies the SNAT address.
- snatpool <name> [member <addr>]: specifies the SNAT address pool.

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] equals 531 } {
            snatpool chat_snatpool
        } elseif { [TCP::local_port] equals 25 } {
            # the member address is missing from the source
            snatpool smtp_snatpool member 0
        }
    }

Slide 40: iRule commands, global commands 6
- log [-noname] <facility>.<level> <message>: writes the message to syslog-ng. This can produce a large amount of data and exhaust disk space. Each log record is at most 1024 bytes; anything longer is discarded.
- event enable|disable <event>, event enable all|disable all: allows or forbids TMOS from responding to the given event, or all events, for the current connection. The iRule itself keeps running until the end.

Slide 41: iRule commands, global commands 7
- cpu usage 1sec | 5secs | 15secs | 1min | 5mins | 15mins | all_seconds | all_minutes: returns the average TMM CPU load for the given interval. All averages are exponentially weighted moving averages over the interval.

    when HTTP_REQUEST {
        # the comparison operator and the redirect URL were lost in extraction
        if { [cpu usage 5sec] <op> 1 } {
            pool www
        } else {
            HTTP::redirect "http:/"
        }
    }

Slide 42: iRule commands, global commands 8
- persist <profile>: causes the system to use the named persistence profile to persist the connection.
- session: uses the persistence table to store arbitrary information based on the same keys as persistence.
(Both are covered in the session persistence topic.)

Slide 43: iRule commands, functions
- active_members [-list] <pool>: lists the active members of the pool, or returns their number.
- active_nodes <pool>: returns the alias for active members of the specified pool (for BIG-IP version 4.x compatibility).
- rmd160 <string>: returns the RIPEMD-160 message digest of the specified string.
- htonl: converts an unsigned integer from host to network byte order.
- htons: converts an unsigned short integer from host to network byte order.
- ntohl: converts an unsigned integer from network to host byte order.
- ntohs: converts an unsigned short integer from network to host byte order.

Slide 44: iRule commands, functions
- domain <string> <n>: splits the string on dots and returns the last n parts.
- getfield <string> <separator> <idx>: splits a string on a character or string and returns the string corresponding to the specified field; idx runs from 1 to n.
- findclass <string> <class> [<separator>]: searches a data group list for a member that starts with the specified string and returns the data-group member string.
- matchclass <string> <operator> <class>: performs a comparison against a class.

Slide 45: iRule commands, functions
- findstr <string> <search_string> <skip> <terminator|length>: finds a string within another string and returns the string starting at the offset specified from the match.
- substr <string> <skip> <terminator|length>: returns a substring of <string> based on the <skip> and <terminator|length> arguments.
  - <skip> counts from 0 and means "skip the first n characters".
  - If the last argument is numeric, it is the length of the substring; if it is a string, it is the terminating string of the substring, and if that string is not found, the substring runs to the end.

    findstr [HTTP::payload] "fid=" 4 "&"

Reference: http:/ (URL truncated in the source)

Slide 46: iRule commands, Tcl string functions
- string compare [-nocase] [-length val] <str1> <str2>: compares two strings.
- string first <str2> <str1> [startindex]: returns the position where str2 occurs.
- string last <str2> <str1> [lastindex]: searches backwards for the position of str2.
- string length <str>: returns the length of the string.
- string map [-nocase] <mapping> <str>: bulk replacement.
- string match [-nocase] <pattern> <str>: same as matches.
- string range <str> <first> <last>: returns part of the string.
- string replace <str> <first> <last> [newstring]: string replacement.
- string tolower / toupper: converts to lower / upper case.
- string trimleft / trimright: strips whitespace on the left / right.

Slide 47: iRule commands, Tcl scan

    scan [TCP::payload 4] %d command_length

- %d: decimal number
- %o: octal number
- %x: hexadecimal number
- %c: any character
- %s: string
- %e %f %g: floating-point number
- %n: total length of the string matched so far

Slide 48: iRule commands, Tcl binary scan

    # the name of the third variable is missing from the source
    binary scan [TCP::payload 16] a4a8a4 oper_code status ...

(Covered in iRule foundations 2.)

Slide 49: TMOS commands explained
- LB / OneConnect commands
- TCP/IP commands
- HTTP / cache / DNS commands

Slide 50: TMOS commands, LB
- LB::status: returns the status of a node address or pool member.
- LB::server: returns information about the currently selected server.
- LB::up / LB::down [node <addr>] | [pool <pool> member <addr> <port>]: sets the status of a node or pool member to up or down. With no arguments, the status of the currently selected node is modified.
- LB::detach: disconnects the server-side connection.
- LB::mode: sets the load balancing mode.
- LB::reselect: advances the load balancing pointer.
- LB::persist
- LB::snat

Slide 51: TMOS commands, OneConnect
- ONECONNECT::detach enable|disable: detaches server-side OneConnect connections when enabled.
- ONECONNECT::reuse disable: closes the server-side connection after the server response (the server-side connection will not be reused).
- ONECONNECT::reuse enable: allows the server-side connection to be reused according to the settings of the OneConnect profile.

Slide 52: TMOS commands, LINK
- LINK::lasthop: returns the MAC address of the last hop.
- LINK::nexthop: returns the MAC address of the next hop.
- LINK::qos: returns the QoS level set on the packet.
- LINK::vlan_id: returns the VLAN tag of the packet.

Slide 53: TMOS commands, IP
- IP::remote_addr: returns the remote IP address.
- IP::local_addr: returns the local IP address (usually the VS IP or a self IP).
- IP::client_addr: returns the client IP address.
- IP::server_addr: returns the server IP address.
- IP::addr <addr1>[/<mask>] equals <addr2>[/<mask>]: compares two IP addresses.

    when CLIENT_ACCEPTED {
        # the address compared here is truncated to "0" in the source
        if { [IP::addr [IP::client_addr] equals 0] } {
            pool my_pool
        }
    }

Slide 54: TMOS commands, TCP
- TCP::remote_port: returns the remote TCP port (service number) of a TCP connection.
- TCP::local_port: returns the local TCP port of a TCP connection.
- TCP::client_port: returns the remote TCP port of the client-side TCP connection.
- TCP::server_port: returns the remote TCP port of the server-side TCP connection.
- TCP::unused_port <ip tuple> [<start port>]: returns an unused TCP port for the specified IP tuple, using the start port as a starting point if it is supplied. If no appropriate unused local port could be found, 0 is returned.

Slide 55: TMOS commands, TCP
- TCP::collect: collects TCP payload data; every packet received triggers the CLIENT_DATA event.
- TCP::collect <length>: collects the specified length of TCP payload and then triggers CLIENT_DATA.
- TCP::collect <length> <skip_bytes>: skips part of the data, then collects the specified length of TCP payload, then triggers CLIENT_DATA.
- Delay connecting: whenever skip_bytes is present, even if it is 0, delay connecting is disabled. If you want to rely on it, test thoroughly.

Slide 56: TMOS commands, TCP
- TCP::payload [<length>]: returns all, or the specified length, of the payload.
- TCP::payload replace <offset> <length> <string>: replaces <length> bytes of the payload starting at <offset> with <string>.
- TCP::payload length: returns the length of the payload.
- TCP::offset: returns the number of bytes currently held in memory via TCP::collect.
- TCP::release [<length>]: releases and flushes the collected data and resumes processing. Returns the number of bytes actually released.

Slide 57: TMOS commands, TCP
- TCP::respond <data>: sends the specified data directly to the peer.
- TCP::close: closes the TCP connection.

    when SERVER_CONNECTED {
        peer { TCP::collect 4 }
    }
    when CLIENT_DATA {
        if { [TCP::payload] starts_with "EHLO" } {
            TCP::respond "500 5.3.3 Unrecognized command\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
    }
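As an added example (not from the deck) tying slides 47, 48 and 55 to 57 together: a fixed-size application header is collected with TCP::collect, parsed with the same a4a8a4 layout as slide 48, and checked before TCP::release lets the bytes through, so a malformed header is rejected on the BIG-IP instead of reaching the pool. The 16-byte layout (4-byte opcode, 8-byte status, 4-byte decimal body length), the allowed opcodes, the size limit and the pool names auth_pool and data_pool are all constructed assumptions.

```tcl
# Added example: validate a collected header before releasing it.
when RULE_INIT {
    set static::hdr_len 16
    set static::allowed_ops [list "AUTH" "DATA" "QUIT"]
    set static::max_body 65536
}

when CLIENT_ACCEPTED {
    # a length with no skip argument, so delay-connecting behaviour is
    # unaffected (slide 55)
    TCP::collect $static::hdr_len
}

when CLIENT_DATA {
    if { [TCP::payload length] < $static::hdr_len } {
        # with a length argument CLIENT_DATA normally fires only once the
        # header is complete; this guards the early-close case
        TCP::collect
        return
    }
    # same layout as slide 48: 4 + 8 + 4 ASCII bytes
    binary scan [TCP::payload $static::hdr_len] a4a8a4 oper_code status body_len
    if { [lsearch -exact $static::allowed_ops $oper_code] == -1 } {
        # log the opcode as hex so attacker-controlled bytes never reach
        # the log as raw text (slide 40)
        binary scan $oper_code H* hexop
        log local0. "reject [IP::client_addr]: unknown opcode 0x$hexop"
        reject
        return
    }
    # the length field must be exactly four decimal digits (slide 47 uses
    # scan for the conversion); anything else is treated as malformed
    if { ![regexp {^[0-9]{4}$} $body_len] } {
        log local0. "reject [IP::client_addr]: malformed length field"
        reject
        return
    }
    scan $body_len %d body_bytes
    if { $body_bytes > $static::max_body } {
        log local0. "reject [IP::client_addr]: body $body_bytes exceeds limit"
        reject
        return
    }
    # header is sane: pick the pool for this opcode and hand the bytes on
    if { $oper_code eq "AUTH" } { pool auth_pool } else { pool data_pool }
    TCP::release
}
```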

Slide 58: TMOS commands, HTTP
- HTTP::method: returns the HTTP request method.
- HTTP::uri: returns or sets the URI.
- HTTP::path: returns or sets the path.
- HTTP::query: returns the query.
- HTTP::version: returns or sets the HTTP version (request or response).
- HTTP::host: returns the HTTP Host header.
- HTTP::username: returns the username (HTTP basic authentication).
- HTTP::password: returns the password (HTTP basic authentication).
- HTTP::status: returns the response status code.

Slide 59: TMOS commands, HTTP::header
- HTTP::header names: returns a list of all the headers present in the request or response.
- HTTP::header count <name>: returns the number of HTTP headers with that name present in the request or response.
- HTTP::header at <index>: returns the HTTP header name found at the zero-based index.
- HTTP::header exists <name>: returns true if the named header is present in the request or response.
- HTTP::header value <name>: returns the value of the named HTTP header. Note that the command operates on the value of the last header if there are multiple headers with the same name.
- HTTP::header values <name>: returns the value(s) of the named HTTP header.

Slide 60: TMOS commands, HTTP::header
- HTTP::header insert [lws] <name> <value>+: inserts the named HTTP header(s) and value(s) at the end of the HTTP request or response.
- HTTP::header replace <name> <string>: replaces the value of the last occurrence of the named header with the string. Performs a header insertion if the header was not present.
- HTTP::header remove <name>: removes all headers with the given name.
- HTTP::header sanitize <header name>+: removes all headers except the ones you specify and the following: Connection, Content-Encoding, Content-Length, Content-Type, Proxy-Connection, Set-Cookie, Set-Cookie2 and Transfer-Encoding.

Slide 61: TMOS commands, HTTP::header
- HTTP::header is_keepalive: a synonym for HTTP::is_keepalive.
- HTTP::header is_redirect: a synonym for HTTP::is_redirect.
- HTTP::header insert_modssl_fields <addr> <service | port>: note that this command is only for HTTP requests.
- HTTP::header lws: returns 1 if a header with linear white space was encountered, and 0 otherwise. See RFC 2616 for more information on LWS and HTTP headers.

Slide 62: TMOS commands, HTTP::cookie
- HTTP::cookie names: returns a Tcl list containing the names of all the cookies present in the HTTP headers.
- HTTP::cookie count: returns the number of cookies present in the HTTP headers.
- HTTP::cookie exists <name>: returns a true value if the cookie exists.
- HTTP::cookie value <name> [<string>]: sets or gets the value of an existing cookie with the given name.
- HTTP::cookie insert name <name> value <value> [path <path>] [domain <domain>] [version <version>]: adds a cookie to the HTTP Cookie header in requests or the Set-Cookie header in responses. The default version is 0. If the cookie already exists, a second cookie is inserted (tested on 9.2.4).
- HTTP::cookie remove <name>: removes a cookie.
- HTTP::cookie sanitize <attribute>+: removes all but the specified attributes from the cookie.

Slide 63: TMOS commands, HTTP::cookie
- HTTP::cookie version <name> [<version>]: sets or gets the version of the cookie.
- HTTP::cookie path <name> [<path>]: sets or gets the cookie path.
- HTTP::cookie domain <name> [<domain>]: sets or gets the cookie domain.
- HTTP::cookie expires <name> [<seconds> [absolute|relative]]: sets or gets the Expires attribute. Applies to version 0 cookies only.
- HTTP::cookie secure <name> [enable|disable]: sets or gets the value of the Secure attribute.

Slide 64: TMOS commands, HTTP::cookie
- HTTP::cookie maxage <name> [<seconds>]: sets or gets Max-Age. Applies to version 1 and 2 cookies only.
- HTTP::cookie ports <name> [<portlist>]: sets or gets the cookie port list for version 2 cookies.
- HTTP::cookie comment <name> [<comment>]: sets or gets the cookie comment. Applies to version 1 and 2 cookies only.
- HTTP::cookie commenturl <name> [<commenturl>]: sets or gets the comment URL. Applies to version 2 cookies only.
- HTTP::cookie encrypt <name> <pass phrase> [128 | 192 | 256]: encrypts the value of the given cookie using a key generated from the pass phrase. The default key length is 128. The encryption method is AES.
- HTTP::cookie decrypt <name> <pass phrase> [128 | 192 | 256]: decrypts it again.

Slide 65: TMOS commands, HTTP
- HTTP::collect <length>: collects the specified length of content (beware of deadlocks).
- HTTP::payload [<length>]: returns all, or the specified length, of the payload.
- HTTP::payload length: returns the total number of bytes collected.
- HTTP::payload rechunk: makes the payload chunked.
- HTTP::payload unchunk: makes the payload unchunked.
- HTTP::payload replace <offset> <length> <string>: replaces the specified content and corrects the Content-Length header.

Slide 66: TMOS commands, HTTP
- HTTP::respond <status> [content <string>] [<header> <value>]+: returns content directly to the client.

    when HTTP_REQUEST {
        set ckname "app"
        set ckvalue "893"
        # the domain argument of format and the Location URL are missing from the source
        set cookie [format "%s=%s; path=/; domain=%s" $ckname $ckvalue "."]
        HTTP::respond 302 Location "" Set-Cookie $cookie
    }
    when HTTP_RESPONSE {
        if { [HTTP::status] == 302 } {
            # every cookie of the blocked redirect is re-emitted as its own
            # Set-Cookie line by embedding CRLF in a single header value
            set cookies ""
            foreach acookiename [HTTP::cookie names] {
                set currentcookie "$acookiename=[HTTP::cookie value $acookiename]"
                set cookies "$cookies\r\nSet-Cookie: $currentcookie"
            }
            HTTP::respond 200 content "Forbidden redirect from remote server. The server is trying to redirect the client to an external site, but it is forbidden." Set-Cookie $cookies
        }
    }

Slide 67: TMOS commands, HTTP
- HTTP::release: releases the content obtained by HTTP::collect.
- HTTP::close: closes the HTTP connection.
- HTTP::redirect <url>: immediately sends an HTTP 302 redirect.
- HTTP::fallback [<host>]: specifies or modifies the fallback host.
- HTTP::is_keepalive: returns a true value if this is a keep-alive connection.
- HTTP::is_redirect: returns a true value if the response is a redirect.
- HTTP::request_num: returns the number of HTTP requests already completed on this connection (keep-alive).
- HTTP::request: returns the complete HTTP request.

Slide 68: iRule events, how to declare an event

    when <EVENT> {
        body
    }

An example:

    when CLIENT_ACCEPTED {
        # the address compared here is truncated to "0" in the source
        if { [IP::addr [IP::remote_addr] equals 0] } {
            pool my_pool1
        }
    }

Slide 69: iRule events, event types
- Global events
- IP events
- TCP/UDP events
- HTTP / SSL / DNS / AUTH / CACHE events
- Others (F5 keeps extending the supported event types): SIP / XML / RTSP, etc.

Slide 70: TMOS events explained 1
Part 1: global events, TCP/IP events, HTTP.

Slide 71: Event list 1
- Event class cache: CACHE_REQUEST, CACHE_RESPONSE
- Event class dns: DNS_REQUEST, DNS_RESPON (the preview of the document is cut off here)
