F5-iRule-规则编写详解课件.ppt

1、F5 iRule详详解解 F5 Networks2L4和和L7交换的本质区别交换的本质区别L2PayloadL3L4L7Header Full Payload对不定址，不定长的特征码不定址，不定长的特征码进行的交换是L7交换的特征L2L3L4L7特征码MACIPPort？地址长度对L7交换特征的提取-iRule F5 Networks3What is an iRule?iRule是一种脚本语言工具 它的语法是基于TCL语言的 大部分TCL语言的功能都被支持 同时还有很多iRule的扩展功能 它能帮你实现许多扩展功能 当你在CLI/GUI介面无法找到对应的命令/菜单 请相信iRule！F5 Ne

2、tworks4iRules的的组组成元素成元素 iRules是基于事件驱动事件驱动(Event-Driven)的 由LTM系统触发你在iRules中指定/期望的事件 iRules是由以下的基本元素构成：事件声明 操作符 iRules命令 F5 Networks5iRules的基本格式的基本格式事件声明 表达式 iRules 命令when CLIENT_ACCEPTED if IP:addr IP:remote_addr equals“202.101.1.0/24”discard F5 Networks6iRule的的创创建和管理（建和管理（1）F5 Networks7iRule的的创创建和管理

3、（建和管理（2）F5 Networks8Datagroup的的创创建（建（1）F5 Networks9Datagroup的的创创建（建（2）F5 Networks10iRule Editor F5 Networks11iRule的引用（的引用（1）-新建新建virtual server F5 Networks12iRule的引用（的引用（2）-已有已有virtual server F5 Networks13 iRule案例（案例（1）when HTTP_REQUEST if HTTP:uri starts_with/csp/dwr/and HTTP:uri ends_with.js pool

4、csp6_cache_pool elseif HTTP:uri starts_with/csp/js/pool csp6_cache_pool elseif HTTP:uri starts_with/csp/resources/pool csp6_cache_pool elseif HTTP:uri starts_with/csp_help/pool csp6_cache_pool elseif HTTP:uri starts_with/csp/esales/pool csp6_esales_pool else pool csp6_professional_pool F5 Networks14

5、iRule例子（例子（2）when HTTP_REQUEST if HTTP:header exists x-up-calling-line-id persist uie HTTP:header values x-up-calling-line-id#log local0.the phonenumber is-HTTP:header values x-up-calling-line-id-根据根据http数据包中的手机号数据包中的手机号码码做会做会话话保持保持 F5 Networks15iRule例子（例子（3）when HTTP_REQUEST if matchclass HTTP:uri

6、ends_with$:class_end pool pool_gatewaylog local0.the uri is$HTTP:uri,match uri class“elseif matchclass HTTP:host contains$:class_domain pool pool_gatewaylog local0.the domain name is$HTTP:host,match class_domain“else pool CSS-W3log local0.the uri is$HTTP:uri,use cache$:全局全局变变量，在量，在v10在不要再采用，而是直接把在不要

7、再采用，而是直接把$:去掉去掉class class_domain class class_end .aspx .cfm .cgi .jsp .php .phtml .shtml“F5 Networks16iRule案例（案例（4）when CLIENT_ACCEPTED log local0.the client is IP:remote_addr,the server is IP:local_addr if (IP:addr IP:local_addr equals 10.64.238.0/23|IP:addr IP:local_addr equals 10.64.69.0/23|IP:a

8、ddr IP:local_addr equals 10.64.208.0/23)&(IP:addr IP:remote_addr equals 192.168.68.106|IP:addr IP:remote_addr equals 192.168.68.109|IP:addr IP:remote_addr equals 192.168.68.113|IP:addr IP:remote_addr equals 192.168.68.114)snat 10.228.69.133log local0.snat to 10.228.69.133 elseif (IP:addr IP:local_ad

9、dr equals 10.64.238.0/23|IP:addr IP:local_addr equals 10.64.69.0/23|IP:addr IP:local_addr equals 10.64.208.0/23)&(IP:addr IP:remote_addr equals 192.168.68.132|IP:addr IP:remote_addr equals 192.168.68.135|IP:addr IP:remote_addr equals 192.168.68.139)snat 192.168.68.219log local0.snat to 192.168.68.21

10、9 else snat 172.16.0.130log local0.snat to 172.16.0.130 F5 Networks17iRule调试调试log命令命令Log的输出会放在/var/log/ltm中，/var/log/ltmiRule本身如果有错误，也会放在/var/log/ltm可以增加一些debug语句，来验证iRule的运行log local0.“Start of the rulelog local0.“Middle of the rulelog local0.“End of the rule F5 Networks18Log 命令的命令的输输出出The argument

11、 for the log statement is the facility dot levelFacilities are:local0 is/var/log/ltm local1 is/var/log/em local2 is/var/log/gtm local3 is/var/log/asm local4 is/var/log/ltm local5 is/var/log/pktfilter local6 is/var/log/httpd/httpd_errors local7 is/var/log/boot.log注意注意log命令会消耗命令会消耗资资源，源，请请在正式生在正式生产产上，

12、一定要注上，一定要注释释掉掉 F5 Networks19iRule的的资资源源http:/ F5 Networks20iRule论坛论坛http:/ F5 Networks21iRule其他其他请注意 一定要充分测试 F5 support只支持命令的语法，但无法支持客户的iRule应用逻辑 有顾问服务可以购买，一起开发 F5 Networks22演示 F5 Networks24TCL Foundational 变量 表达式 流程控制 if-then-else switch for F5 Networks25变变量量 基本操作 set unset append incr F5 Networks2

13、6变变量量 列表 set lst item 1 item 2 item 3 lindex lindex lindex lindex$a 1 2 3 lindex$a 1 2 3 lappend linsert 在index之前插入内容 lreplace 替换first至last之间的内容 如果变量不足，则删除对应部分 llength F5 Networks27变变量量 全局变量 RULE_INIT内定义的均为全局变量:varname 为全局变量 使用全局使用全局变变量将量将导导致致 CMP 失效，即只能失效，即只能单单CPU处处理流量，理流量，这这在在v10以后的版本一定非常注意以后的版本一定

14、非常注意 F5 Networks28表达式与操作符表达式与操作符:TCL StandardOperatorsDescription （按照（按照优优先先级级由高到低）由高到低）-+!一元运算加、减、按位取反、逻辑非。不适用于字符串。按位取反仅适用于整数型变量。*/%乘、除、取模。不适用于字符串。+-加、减。仅适用于数值运算。左移、右移运算。仅适用于整数。右移运算继承符号位。=小于、大于、小于等于、大于等于。返回布尔型。适用于数值与字符串。大小写敏感。=!=等于、不等于。返回布尔型。适用于所有类型。eq ne 等于、不等于。返回布尔型。仅适用于字符串&按位与。仅适用于整数型变量。按位异或。仅适用

15、于整数型变量。|按位或。仅适用于整数型变量。&逻辑与。返回布尔型。仅适用于布尔、数值运算。|逻辑或。返回布尔型。仅适用于布尔、数值运算。x?y:zIf x then return y else return z F5 Networks29表达式与操作符表达式与操作符:iRules Extended 关联操作符 contains matches(参考Tcl“string match”，*，?)equals starts_with ends_with matches_regex(参考常用简单正则表达式)逻辑操作符 not !and&or|F5 Networks30表达式表达式:关于字符串比关于字符

16、串比较较 TCL语语言言习惯习惯性的将字符串性的将字符串转换为转换为数数值进值进行行比比较较 3 2 0,=,=,=,!=建建议议使用使用 eq,ne F5 Networks31Flow Controlif then elseif then else Notice:then and else are optional注意：注意：请请采用尽量少的采用尽量少的elseif/elseif F5 Networks32Flow Controlswitch option -#do something else.default#dont do anything.*尽可能多的使用switch，而不是if F5

17、 Networks33Flow Control:Switch Options Option Description-exact严格的字符串比较。缺省参数。-nocase忽略大小写-glob对于字符串使用glob类型比较。(参考 matches).-regexp对于字符串使用正则表达式类型比较。(参考 re_syntax).-标记参数结尾.当String是以”-”开头时使用此参数。F5 Networks34Convert If to SwitchIFSWITCHIf a or b do cSwitch M a-b do c If a and b do cSwitch M a switch N b

18、 do c F5 Networks35Flow Control:Forfor for set i 3$i 12 incr i puts I inside second loop:$i“F5 Networks36iRule Foundational 1 全局命令全局命令 功能函数功能函数 功能命令功能命令 事件事件 F5 Networks37iRules命令命令 iRule 命令类型 数据流控制命令（Statement）数据流的目的地选择 是否进行SNAT 没有返回值 数据提取命令（Query）获取数据流中指定的内容 数据操作命令（Data manipulation）修改数据流中指定的内容 实用

19、工具命令（Utility）一组功能函数，提供常用的数据解析功能 F5 Networks38iRules命令命令:全局命令全局命令 1CommandDescriptiondiscard/drop丢弃当前的数据包或连接，必须与 if 结构结合使用。forward使此连接转发IP包。请求会严格的根据路由设置进行转发，不会有任何的地址翻译操作，同时忽略此VS上的pool等相关设定。reject拒绝连接，并且根据情况返回RESETreturn立即从当前事件中返回 F5 Networks39iRules命令命令:全局命令全局命令 2CommandDescriptionclientside 由于每个事件都关

20、联一个缺省的环境，你可以通过关键字 peer 或或 clientside 或或 serverside 为每一个在iRule中指定的事件重新指定它们的环境。serverside peer when SERVER_CONNECTED if IP:addr clientside IP:remote_addr equals 10.1.1.80 discard F5 Networks40iRules命令命令:全局命令全局命令 3CommandDescriptionpool pool member 分配流量到指定的pool或者member，忽略monitor的状态。node 分配流量到指定的node se

21、rver。clone pool clone pool member 克隆流量到指定的pool或者member，忽略monitor的状态。virtual Return the name of the associated virtual server or selects another virtual server.listen proto timeout bind server allow Sets up a related ephemeral listener to allow an incoming related connection to be established.F5 Netw

22、orks41iRules命令命令:全局命令全局命令 4CommandDescriptionnexthop nexthop Sets the nexthop of an IP connection.lasthop lasthop Sets the lasthop of an IP connection.rateclass Causes the system to select the specified rate class to use when transmitting packets.F5 Networks42iRules命令命令:全局命令全局命令 5CommandDescriptions

23、nat|none|automap 指定snat地址snatpool member 制定snat地址池when CLIENT_ACCEPTED if TCP:local_port equals 531 snatpool chat_snatpool elseif TCP:local_port equals 25 snatpool smtp_snatpool member 10.20.30.40 F5 Networks43iRules命令命令:全局命令全局命令 6CommandDescriptionlog-noname :.将信息输出到 Syslog-ng可能产生大量的数据，导致磁盘空间耗尽。每条l

24、og记录的最大长度为1024字节，超长的部分将被忽略。event enable|disable event enable all|disable all对于某一个连接允许/禁止TMOS对指定/全部时间的响应。iRules仍然继续运行直至结束。F5 Networks44iRules命令命令:全局命令全局命令 7CommandDescriptioncpu usage 1sec|5secs|15secs|1min|5mins|15mins|all_seconds|all_minutes The cpu usage command returns the average TMM cpu load fo

25、r the given interval.All averages are exponential weighted moving averages over the interval.when HTTP_REQUEST if cpu usage 5sec=1 pool www else HTTP:redirect http:/ F5 Networks45iRules命令命令:全局命令全局命令 8CommandDescriptionpersistCauses the system to use the named persistence profile to persist the conne

26、ction.sessionUtilizes the persistence table to store arbitrary information based on the same keys as persistence.*将在会将在会话话保持保持专题专题中介中介绍绍 F5 Networks46iRules命令命令:功能函数功能函数FunctionDescriptionactive_members-list 列出pool内活动的member，或返回其数量active_nodes Returns the alias for active members of the specified po

27、ol(for BIG-IP version 4.X compatibility).rmd160 Returns the RIPEMD-160 message digest of the specified string.htonl 转换无符号整型数主机字节顺序到网络字节顺序htons 转换无符号短整型数主机字节顺序到网络字节顺序ntohl 转换无符号整型数网络字节顺序到主机字节顺序ntohs 转换无符号短整型数网络字节顺序到主机字节顺序 F5 Networks47iRules命令命令:功能函数功能函数FunctionDescriptiondomain 以“点”分割字符串，返回最后的n个部分ge

28、tfield Splits a string on a character or string,and returns the string corresponding to the specific field.idx from 1 to nfindclass (separator)Searches a data group list for a member that starts with a specified string and returns the data-group member string.matchclass matchclass Performs compariso

29、n against a class F5 Networks48iRules命令命令:功能函数功能函数FunctionDescriptionfindstr Finds a string within another string and returns the string starting at the offset specified from the match.substr Returns a sub-string named,based on the values of the and arguments.从0开始，表示跳过前n个字符如果为数值，可以认为是substr的长度如果为字符串

30、，可以认为是substr的终结字符如果此字符串未能检索到，则为的结尾Findstr HTTP:payload“fid=“4“&”http:/ F5 Networks49iRules命令命令:TCL String FuncCommandDescriptionstring compare-nocase-length val 比较两个字符串string first startindex返回str2出现的位置string last lastindex反向搜索str2的位置string length 获取字符串的长度string map-nocase 批量替换string match-nocase 同m

31、atchesstring range 获取一部分字符串string replace newstring字符串替换string tolower/toupper 转换为小写/大写string trimleft/trimright 除去左侧/右侧空白 F5 Networks50iRules命令命令:TCL SCANCommandDescriptionscan scan TCP:payload 4%d command_length%d十进制数字%o八进制数字%x十六进制数字%c任意字符%s字符串%e%f%g浮点数%n本次匹配字符串的总长度 F5 Networks51iRules命令命令:TCL BIN

32、ARY SCANCommandDescriptionbinary scan binary scan TCP:payload 16 4a8a4 oper_code status*将在将在iRule Foundational 2中介中介绍绍 F5 Networks52TMOS Commands 祥解祥解 LB/OneConnect相关命令 TCP/IP相关命令 HTTP/Cache/DNS相关命令 F5 Networks53TMOSCMD:LBCommandDescriptionLB:statusReturns the status of a node address or pool member

33、.LB:serverReturns information about the currently selected server LB:LB:node LB:pool member Sets the status of a node or pool member as being up/down.If you specify no arguments,the status of the currently-selected node is modified.LB:detachDisconnects the server side connection LB:modeSets the load

34、 balancing mode LB:reselectAdvance the load balancing pointer LB:persistLB:snat F5 Networks54TMOSCMD:OneConnectCommandDescriptionONECONNECT:detach enable|disable Detaches server-side OneConnect connections when enableONECONNECT:reuse disablecloses server-side connection after server response.(server

35、-side connection will not be re-used.)ONECONNECT:reuse enableallows server-side connection to be reused according to the settings of the OneConnect profile.F5 Networks55TMOSCMD:LINKCommandDescriptionLINK:lasthopReturns the MAC address of the last hop.LINK:nexthopReturns the MAC address of the next h

36、op.LINK:qosReturns the QoS level set on the packet.LINK:vlan_idReturns the VLAN tag of the packet.F5 Networks56TMOSCMD:IPCommandDescriptionIP:remote_addr返回远端IP地址IP:local_addr返回本地IP地址(通常为VSIP,SelfIP)IP:client_addr返回客户端IPIP:server_addr返回服务端IPIP:addr /equals /比较两个IPwhen CLIENT_ACCEPTED if IP:addr IP:cl

37、ient_addr equals 10.10.10.10 pool my_pool F5 Networks57TMOSCMD:TCPCommandDescriptionTCP:remote_portReturns the remote TCP port/service number of a TCP connection.TCP:local_portReturns the local TCP port/service number of a TCP connection.TCP:client_portReturns the remote TCP port/service number of t

38、he clientside TCP connection.TCP:server_portReturns the remote TCP port/service number of the serverside TCP connection.TCP:unused_port Returns an unused TCP port for the specified IP tuple,using the value of as a starting point if it is supplied.If no appropriate unused local port could be found,0

39、is returned.F5 Networks58TMOSCMD:TCPCommandDescriptionTCP:collect收集TCP payload数据，每次收到packet都触发CLIENT_DATA 事件.TCP:collect 收集指定长度的TCP payload数据，完成后触发CLIENT_DATA 事件.TCP:collect 跳过部分数据之后，再收集指定长度的TCP payload数据，完成后触发CLIENTA 事件.*Delay Connecting当当 skip_bytes 存在，即使存在，即使为为0，将，将导导致致 Delay Connecting 失效失效建建议议如

40、果要有用，如果要有用，请请充分充分测试测试 F5 Networks59TMOSCMD:TCPCommandDescriptionTCP:payload 返回全部或指定长度的payload内容TCP:payload replace 使用替换payload中自偏移量开始，长度为的内容TCP:payload length 返回payload内功的长度TCP:offsetReturns the number of bytes currently held in memory via TCP:collect.TCP:release Releases and flushes collected data,

41、and resumes processing.Returns the number of bytes actually released.F5 Networks60TMOSCMD:TCPCommandDescriptionTCP:respond Sends the specified data directly to the peer.TCP:closeCloses the TCP connection.when SERVER_CONNECTED peer TCP:collect 4 when CLIENT_DATA if TCP:payload starts_with EHLO TCP:re

42、spond 500 5.3.3 Unrecognized commandrn TCP:payload replace 0 TCP:payload length TCP:release F5 Networks61TMOSCMD:HTTPCommandDescriptionHTTP:method返回HTTP request methodHTTP:uri返回或设置URIHTTP:path返回或设置pathHTTP:query返回query HTTP:version返回或设置HTTP version(请求/响应)HTTP:host返回HTTP Host header.HTTP:username返回us

43、ername(HTTP basic authentication)HTTP:password返回password(HTTP basic authentication)HTTP:status返回response status code F5 Networks62TMOSCMD:HTTP:HeaderCommandDescriptionHTTP:header namesReturns a list of all the headers present in the request or response.HTTP:header count nameReturns the number of HTT

44、P headers present in the request or responsewith that name.HTTP:header at Returns the HTTP header name that the system finds at the zero-based index value.HTTP:header exists Returns true if the named header is present on the request or response.HTTP:header value Returns the value of the HTTP header

45、named.Note that the command will operate on the value of the last header if there are multiple headers with the same name.HTTP:header values Returns value(s)of the HTTP header named.F5 Networks63TMOSCMD:HTTP:HeaderCommandDescriptionHTTP:header insert lws +Inserts the named HTTP header(s)and value(s)

46、onto the end of the HTTP request or response.HTTP:header replace Replaces the value of the last occurrence of the named header with the string.This command performs a header insertion if the header was not present.HTTP:header remove Removes all headers names with the name.HTTP:header sanitize header

47、 name+Removes all headers except the ones you specify and the following:Connection,Content-Encoding,Content-Length,Content-Type,Proxy-Connection,Set-Cookie,Set-Cookie2,and Transfer-Encoding.F5 Networks64TMOSCMD:HTTP:HeaderCommandDescriptionHTTP:header is_keepaliveA synonym for HTTP:is_keepalive.HTTP

48、:header is_redirectA synonym for HTTP:is_redirect.HTTP:header insert_modssl_fields addr service|portNote that this command is only for HTTP requestsHTTP:header lwsReturns 1 if a header was encountered that had linear white space,and 0 otherwise.See RFC2616 for more information on lws and HTTP header

49、s.F5 Networks65TMOSCMD:HTTP:CookieCommandDescriptionHTTP:cookie namesReturns a TCL list containing the names of all the cookies present in the HTTP headers.HTTP:cookie countReturns the number of cookies present in the HTTP headers.HTTP:cookie exists Returns a true value if the cookie exists.HTTP:coo

50、kie value Sets or gets the value of an existing cookie with the given name.HTTP:cookie insert name value path domain version Adds a cookie to the HTTP Cookie header in requests or Set-Cookie response header.The default value for the version is 0.If the cookie already exists,a second cookie will be i