iRules的工作流程详解iRulesPPT课件

1 IntroducingiRules 2005 07 12徐超 Computer xu Oknetxuchao 2 BasiciRuleelements iRulesareevent driven whichmeansthattheLTMsystemtriggersaniRulebasedonaneventthatyouspecifyintheiRule iRulesaremadeupofthesebasicelements EventdeclarationsOperatorsiRulecommands 3 BasiciRuleFormat Eventdeclarations Operators iRulecommands 4 Eventdeclarations Eventdeclarations when eventtype Anexample whenCLIENT ACCEPTED if IP addr IP remote addr equals10 1 1 80 poolmy pool1 5 Eventtypes GlobaleventsHTTPeventsSSLeventsAuthenticationeventsReferrencetoLTM config guide pdfpage302 303 table13 2 6 Eventtypes GlobalEvents CLIENT ACCEPTEDCLIENT DATALB SELECTED beforesendtoserver LB FAILED nonodeavailableforthisvs SERVER CONNECTEDSERVER DATARULE INITCLIENT CLOSEDSERVER CLOSED 7 CLIENT ACCPTED CLIENT DATA LB SELECTED LB FAILED SERVER ACCPTED SERVER DATA CLIENT CLOSED SERVER CLOSED RULE INIT START 8 Eventtypes HTTPEvents HTTP REQUESTHTTP REQUEST DATAHTTP RESPONSEHTTP RESPONSE DATAHTTP RESPONSE CONTINUE 9 HTTP REQUEST HTTP REQUEST DATA HTTP RESPOND HTTP RESPOND DATA START HTTP RESPOND CONTINUE 10 Eventtypes SSLEvents CLIENTSSL HANDSHAKECLIENTSSL CLIENTCERTSERVERSSL HANDSHAKE 11 Eventtypes AuthenticationEvents AUTH FAILUREAUTH ERRORAUTH WANTCREDENTIALAUTH SUCCESS 12 Operators Relationaloperatorscontainsmatches equals equalsstarts withends withmatches regex 参考常用简单正则表达式 Logicaloperatorsnotandor 13 iRulecommands iRuleCommandsTypeStatementcommandsQueryandDatamanipulationcommandsUtilitycommands 14 iRulecommandsStatementcommands1 if elseif 15 iRulecommandsStatementcommands2 clientside serverside peer 16 clientside serverside ForeveryeventthatyouspecifywithinaniRule youcanalsospecifyacontext denotedbythekeywordsclientsideorserverside Becauseeacheventhasadefaultcontextassociatedwithit youneedonlydeclareacontextifyouwanttochangethecontextfromthedefault Anexample whenSERVER CONNECTED if IP addr IP addr clientside IP remote addr equals10 1 1 80 discard 17 iRulecommandsStatementcommands3 event disable disableallDiscontinuesevaluatingthespecifiediRuleevent oralliRuleevents onthisconnection However theiRulecontinuestorun log 18 iRulecommandsStatementcommands4 use pool member use node persist use rateclassmatchclass use snat none use snatpool none 19 iRulecommandsStatementcommands5 discard Causesthecurrentpacketorconnectiontobediscarded Thisstatementmustbeconditionallyassociatedwithanifstatement drop discardforward SetstheconnectiontoforwardIPpacketsreject CausestheconnectiontoberejectedReturn TerminatesexecutionoftheiRuleevent 20 iRulecommandsQueryandDatamanipulationcommands QueryingheaderorcontentdataLinkLayerheadersIPheadersTCPheadersandcontentUDPheadersandcontentHTTPheadersandcontentSSLheadersinHTTPrequests Authenticationdata 21 iRulecommandsQueryandDatamanipulationcommands LinkLayerheadersLINK vlan idReturnstheVLANtagofthepacket LINK vlan qosReturnstheVLANQualityofService QoS valueofthepacket SettheVLANQoSlevelthatyouwantthesystemtousewhentransmittingthepacket 22 iRulecommandsQueryandDatamanipulationcommands LinkLayerheaders Cont1 Anexample whenCLIENT ACCEPTED if LINK qos 2 poolfast pool else poolslow pool 23 iRulecommandsQueryandDatamanipulationcommands IPheadersIP remote addrReturnstheremoteIPaddressofaconnection IP local addrReturnsthelocalIPaddressofaconnection IP client addrReturnstheclientIPaddressofaconnection Thiscommandisequivalenttothecommandclientside IP remote addr IP server addrReturnstheserver sIPaddress Thiscommandisequivalenttothecommandserverside IP remote addr Willreturn0iftheload balancingdecisionhasnotoccurred 24 iRulecommandsQueryandDatamanipulationcommands IPheaders Cont1 IP protocolReturnstheIPprotocolvalue IP tosReturnsthevalueoftheIPprotocol sTypeofService ToS field SetstheIPToSlevelthatyouwantthesystemtousewhentransmittingthepacket IP ttlReturnstheTTLforaninboundIPv4orIPv6packetfromthepeer IP idle timeoutReturnsorsetstheidletimeoutvalue 25 iRulecommandsQueryandDatamanipulationcommands IPheaders Cont2 IP hopsFindsthenearest next highestpoweroftwointherange suchas64 128 255 andsubtractsthevalueretrievedbytheIP ttlcommand WiththeIP hopscommand youcanpassivelyestimatethenumberofhopsbetweenasystemanditspeer Ahopof0indicatesthattheclientisonthelocalnetwork Forexample iftheTTLvalueequals55 thenumberofestimatedhopsis9 64minus55 IftheTTLvalueequals127 thenumberofestimatedhopsis1 128minus127 26 iRulecommandsQueryandDatamanipulationcommands IPAddressMatchCommandIP addrequals AnexamplewhenCLIENT ACCEPTED if IP addr IP remote addr equals206 0 0 0 255 0 0 0 poolclients from 206 else poolother clients pool 27 iRulecommandsQueryandDatamanipulationcommands TCPheadersTCP remote portReturnstheremoteTCPport servicenumber TCP local portReturnsthelocalTCPport servicenumber TCP client portReturnstheclient sTCPport servicenumber Equivalenttothecommandclientside TCP remote port TCP server portReturnstheserverTCPport servicenumber Equivalenttothecommandserverside TCP remote port 28 iRulecommandsQueryandDatamanipulationcommands TCPheaders Cont1 TCP rttReturnsthesmoothedround triptimeestimateforaTCPconnection TCP mssReturnstheon wireMaximumSegmentSize MSS foraTCPconnection TCP unused portReturnsanunusedTCPportforthespecifiedIPtuple usingthevalueofasastartingpoint 29 iRulecommandsQueryandDatamanipulationcommands TCPheaders Cont2 TCP offsetReturnsthepositionintheTCPdatastreaminwhichthecollectedTCPdatastarts TCP collectCausesTCPtostartcollectingthespecifiedamountofcontentdata TCP payload ReturnstheaccumulatedTCPdatacontent TCP payload lengthReturnstheamountofaccumulatedTCPdatacontentinbytes 30 iRulecommandsQueryandDatamanipulationcommands TCPheaders Cont3 TCP payloadreplaceReplacescollectedpayloadwiththegivendata TCP releaseCausesTCPtoresumeprocessingtheconnectionandtoflushcollecteddata TCP respondSendsthenameddatadirectlytothepeer ThiscommandisusedtocompleteaprotocolhandshakewithaniRule TCP closeClosestheconnection 31 TCP COLLECT TCP PAYLOAD TCP RELEASE START TCP RESPOND TCP CLOSE TCP PAYLOAD REPLACE 32 iRulecommandsQueryandDatamanipulationcommands TCPheaders Cont3 Anexample whenCLIENT ACCEPTED TCP collect15 whenCLIENT DATA if TCP payload15 contains XYZ poolxyz servers else poolweb servers 33 iRulecommandsQueryandDatamanipulationcommands UDPheadersUDP remote portReturnstheremote sUDPport servicenumber UDP local portReturnsthelocalUDPport servicenumber UDP client portReturnstheclient sUDPport servicenumber Equivalenttothecommandclientside UDP remote port UDP server portReturnstheserverUDPport servicenumber Equivalenttothecommandserverside UDP remote port UDP payload ReturnsthecurrentUDPpayloadcontent UDP payloadlengthReturnstheamountofUDPpayloadcontentinbytes 34 iRulecommandsQueryandDatamanipulationcommands HTTPHeaderHTTP headernamesReturnsalistofalltheheaderspresentontherequestorresponse HTTP headercountReturnsthenumberofHTTPheaderspresentontherequestorresponse HTTP headeratReturnstheHTTPheaderthatthesystemfindsatthezero basedindexvalue HTTP headerexistsReturnstrueifthenamedheaderispresentontherequestorresponse 35 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont1 HTTP header value ReturnsvalueoftheHTTPheadernamed Youcanomittheargumentiftheheadernamedoesnotcollidewithanyofthesubcommands HTTP headerinsert lws InsertsthenamedHTTPheaderanditsvalueintotheendoftheHTTPrequestorresponse Ifyouspecify lws thesystemaddslinearwhitespacetolongheadervalues HTTP headerinsert lws n1 v1 n2 v2 n3 v3 PassesaTcllisttoinsertintoaheader Insuchcases thesystemtreatsthelistasalistofname valuepairs Ifyouspecify lws thesystemaddslinearwhitespacetolongheadervalues 36 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont2 HTTP header value Setsthevalueofthenamedheader Iftheheaderispresent thecommandreplacestheheader otherwise thecommandaddstheheader Youcanomittheargumentiftheheadernamedoesnotcollidewithanyothervalues HTTP headerreplace Replacesthelastoccurrenceofthenamedheaderwiththestring Thiscommandperformsaheaderinsertioniftheheaderwasnotpresent HTTP headerremoveRemovesthelastoccurrenceofthenamedheaderfromtherequestorresponse 37 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont3 HTTP headerinsert modssl fields options InsertsHTTPheaderfieldsneededtoduplicateModSSLbehavior Notethattousethiscommand youmustalsoenabletheModSSLMethodssettingwithinanSSLprofile FormoreinformationonModSSLoptions seeChapter7 ManagingSSLTraffic HTTP headersanitize Removesallbuttheheadersyouspecify TheexceptiontothisissomeessentialHTTPheaders 38 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont4 HTTP methodReturnsthetypeofHTTPrequestmethod HTTP statusReturnstheresponsestatuscode HTTP version 0 9 1 0 1 1 ReturnsorsetstheHTTPversionoftherequestorresponse HTTP usernameReturnstheusernamepartoftheHTTPbasicauthorization HTTP passwordReturnsthepasswordpartoftheHTTPbasicauthorization 39 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont5 HTTP path ReturnsthepathpartoftheHTTPrequest HTTP uri ReturnsthecompleteURIoftherequest HTTP query ReturnsthequerypartoftheHTTPrequest HTTP is keepaliveReturnsatruevalueifthisisaKeep Aliveconnection 40 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont6 HTTP is redirectReturnsatruevalueiftheresponseisacertaintypeofredirect HTTP redirectRedirectsaHTTPrequestorresponsetothespecifiedURL Notethatthiscommandsendstheresponsetotheclientimmediately Therefore youcannotspecifythiscommandmultipletimesinaniRule norcanyouspecifyanyothercommandsthatmodifyheaderorcontent afteryouspecifythiscommand 41 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont7 HTTP collect Collectstheamountofdatathatyouspecifywiththe length argument Whenthesystemcollectsthespecifiedamountofdata itcallstheTcleventHTTP REQUEST DATAorHTTP RESPONSE DATA Usegreatcautionwhenomittingthevalueofthecontentlength Eventhoughthisisallowedincertaincases doingsoorusingavaluelargerthanthesizeoftheactuallengthcanstalltheconnection 42 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont8 HTTP payload ReturnsthecontentthattheHTTP collectcommandhascollectedthusfar Ifyoudonotspecifyasize thesystemreturnsthecollectedcontent HTTP payloadlengthReturnsthesizeofthecontentthatthecommandhascollectedthusfar notincludingtheHTTPheaders HTTP payloadreplaceReplacestheamountofcontentthatyouspecifiedwiththeargument startingatwith 43 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont9 HTTP releaseReleasesthecollecteddata UnlessasubsequentHTTP collectcommandwasissued thereisnoneedtousetheHTTP releasecommandinsideoftheHTTP REQUEST DATAandHTTP RESPONSE DATAevents sinceinthesecases thedataisimplicitlyreleased HTTP closeInsertsaConnection CloseheaderandclosetheHTTPconnection 44 iRulecommandsQueryandDatamanipulationcommands HTTPHeader Cont10 HTTP respond content ThisisapowerfulAPIthatallowsuserstogenerateorrewriteaclientrequestoraserverresponse Whenthesystemrunsthecommandontheclientside itsendstheresponsetotheclientwithoutanyloadbalancingtakingplace Ifthesystemrunsthecommandontheserverside thecontentfromtheactualserverisdiscardedandreplacedwiththeinformationprovidedtothisAPI NotethatbecausethesystemsendstheresponsedataimmediatelyafterthisiRuleruns werecommendthatyounotrunanymoreiRulesafterthisAPI HTTP request numReturnsthenumberofHTTPrequeststhataclientmadeontheconnection forHTTP 1 1keepalive 45 iRulecommandsQueryandDatamanipulationcommands HTTPHeaderUtilityURI protocolExtractstheprotocolpartfromtheURIstringthatyouspecify URI basenameExtractsthebasenamepartfromtheURIstringthatyouspecify URI pathExtractsthepathfromtheURIstringthatyouspecify URI queryExtractsthequerypartfromtheURIstringthatyouspecify 46 iRulecommandsQueryandDatamanipulationcommands HTTPHeaderUtility Cont1 URI hostExtractsthehostpartfromtheURIstringthatyouspecify URI compareComparesURIsasrecommendedbyRFC2616section3 2 3 URI decodeReturnsthedecodedURIstring URI encodeReturnstheencodedURIstringURI portExtractstheportpartfromtheURIstringthatyouspecify 47 iRulecommandsQueryandDatamanipulationcommands HTTPHeaderUtility Cont7 ExampleswhenHTTP REQUEST if HTTP uri ends with cgi poolcgi pool elseif HTTP uri starts with abc poolabc servers 48 iRulecommandsQueryandDatamanipulationcommands SSLheader