F5 iRule Rule Writing Explained (course slides).ppt

Uploaded by: 牧羊曲112  Document ID: 1284668  Uploaded: 2022-11-03  Format: PPT  Pages: 87  Size: 1.29MB

F5 iRule in Detail

The essential difference between L4 and L7 switching
- Diagram labels: L2, L3, L4, L7, Header, Payload, Full Payload
- Switching on signatures that have no fixed offset and no fixed length is what characterises L7 switching.
- Extracting the L7 switching signature: iRule

What is an iRule?
- An iRule is a scripting tool.
- Its syntax is based on the Tcl language.
- Most Tcl features are supported.
- There are also many iRule-specific extensions.
- It lets you implement many extended functions.
- When you cannot find the command or menu you need in the CLI/GUI, trust iRules!

Elements of an iRule
- iRules are event-driven.
- The LTM system triggers the events you specify or expect in the iRule.
- iRules are built from the following basic elements:
  - Event declarations
  - Operators
  - iRules commands

Basic format of an iRule
- Event declaration, expression, iRules command

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals "202.101.1.0/24"] } {
            discard
        }
    }

Creating and managing iRules (1)

Creating and managing iRules (2)

Creating a data group (1)

Creating a data group (2)

iRule Editor

Referencing an iRule (1) - new virtual server

Referencing an iRule (2) - existing virtual server

iRule example (1)

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/csp/dwr/" and [HTTP::uri] ends_with ".js" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp/js/" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp/resources/" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp_help/" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp/esales/" } {
            pool csp6_esales_pool
        } else {
            pool csp6_professional_pool
        }
    }

iRule example (2)

    when HTTP_REQUEST {
        if { [HTTP::header exists "x-up-calling-line-id"] } {
            persist uie [HTTP::header values "x-up-calling-line-id"]
            # log local0. "the phonenumber is-[HTTP::header values "x-up-calling-line-id"]-"
        }
    }

- Session persistence based on the mobile phone number carried in the HTTP packet.

iRule example (3)

    when HTTP_REQUEST {
        if { [matchclass [HTTP::uri] ends_with $::class_end] } {
            pool pool_gateway
            log local0. "the uri is [HTTP::uri], match uri class"
        } elseif { [matchclass [HTTP::host] contains $::class_domain] } {
            pool pool_gateway
            log local0. "the domain name is [HTTP::host], match class_domain"
        } else {
            pool CSS-W3
            log local0. "the uri is [HTTP::uri], use cache"
        }
    }

- $:: marks a global variable. Do not use it from v10 onward; simply drop the $:: prefix.
- Data groups used: class class_domain; class class_end containing .aspx .cfm .cgi .jsp .php .phtml .shtml

iRule example (4)

    when CLIENT_ACCEPTED {
        log local0. "the client is [IP::remote_addr], the server is [IP::local_addr]"
        if { ([IP::addr [IP::local_addr] equals 10.64.238.0/23] ||
              [IP::addr [IP::local_addr] equals 10.64.69.0/23] ||
              [IP::addr [IP::local_addr] equals 10.64.208.0/23]) &&
             ([IP::addr [IP::remote_addr] equals 192.168.68.106] ||
              [IP::addr [IP::remote_addr] equals 192.168.68.109] ||
              [IP::addr [IP::remote_addr] equals 192.168.68.113] ||
              [IP::addr [IP::remote_addr] equals 192.168.68.114]) } {
            snat 10.228.69.133
            log local0. "snat to 10.228.69.133"
        } elseif { ([IP::addr [IP::local_addr] equals 10.64.238.0/23] ||
                    [IP::addr [IP::local_addr] equals 10.64.69.0/23] ||
                    [IP::addr [IP::local_addr] equals 10.64.208.0/23]) &&
                   ([IP::addr [IP::remote_addr] equals 192.168.68.132] ||
                    [IP::addr [IP::remote_addr] equals 192.168.68.135] ||
                    [IP::addr [IP::remote_addr] equals 192.168.68.139]) } {
            snat 192.168.68.219
            log local0. "snat to 192.168.68.219"
        } else {
            snat 172.16.0.130
            log local0. "snat to 172.16.0.130"
        }
    }

Debugging iRules: the log command
- Log output is written to /var/log/ltm.
- Errors in the iRule itself are also written to /var/log/ltm.
- You can add debug statements to verify how the iRule runs:

    log local0. "Start of the rule"
    log local0. "Middle of the rule"
    log local0. "End of the rule"

Output of the log command
- The argument for the log statement is the facility dot level.
- Facilities are:
  - local0 is /var/log/ltm
  - local1 is /var/log/em
  - local2 is /var/log/gtm
  - local3 is /var/log/asm
  - local4 is /var/log/ltm
  - local5 is /var/log/pktfilter
  - local6 is /var/log/httpd/httpd_errors
  - local7 is /var/log/boot.log
- Note: the log command consumes resources. In production, be sure to comment it out.

iRule resources
- http://devcentral.f5.c...

iRule forum
- http://devcentral.f5.co...

iRule: other notes
- Please note: always test thoroughly.
- F5 support covers command syntax only and cannot support the customer's iRule application logic.
- Consulting services can be purchased for joint development.

Demo

TCL Foundational
- Variables
- Expressions
- Flow control
  - if-then-else
  - switch
  - for

Variables
- Basic operations: set, unset, append, incr

Variables
- Lists

    set lst {{item 1} {item 2} {item 3}}
    lindex [lindex [lindex $a 1] 2] 3
    lindex $a 1 2 3

- lindex
- lappend
- linsert: inserts content before index
- lreplace: replaces the content between first and last; if too few replacement values are given, the corresponding part is deleted
- llength

Variables
- Global variables
- Everything defined in RULE_INIT is a global variable.
- ::varname is a global variable.
- Using global variables disables CMP, so traffic is handled by a single CPU only. Pay close attention to this in v10 and later.

Expressions and operators: TCL Standard

Expressions and operators: iRules Extended
- Relational operators
  - contains
  - matches (see Tcl "string match": *, ?)
  - equals
  - starts_with
  - ends_with
  - matches_regex (see common simple regular expressions)
- Logical operators
  - not  !
  - and  &&
  - or   ||

Expressions: string comparison
- Tcl habitually converts strings to numbers before comparing them: "3" < "20"
- This applies to <, <=, >, >=, ==, !=
- Prefer eq and ne.

Flow Control

    if { ... } then { ... } elseif { ... } then { ... } else { ... }

- Notice: then and else are optional.
- Note: use as few elseif branches as possible.

Flow Control

    switch option ... {
        ... -
        ... {
            # do something else.
        }
        default {
            # don't do anything.
        }
    }

- Use switch rather than if wherever possible.

Flow Control: Switch Options

Convert If to Switch

Flow Control: For

    for {set i 3} {$i < 12} {incr i} {
        puts "I inside second loop: $i"
    }

iRule Foundational 1
- Global commands
- Functions
- Function commands
- Events

iRules commands
- iRule command types:
  - Statement commands (traffic control): select the destination of the traffic; decide whether to apply SNAT; no return value
  - Query commands (data extraction): fetch specified content from the traffic
  - Data manipulation commands: modify specified content in the traffic
  - Utility commands: a set of functions that provide common data-parsing features

iRules commands: global commands 1

iRules commands: global commands 2

    when SERVER_CONNECTED {
        if { [IP::addr [clientside {IP::remote_addr}] equals 10.1.1.80] } {
            discard
        }
    }

iRules commands: global commands 3

iRules commands: global commands 4

iRules commands: global commands 5

    when CLIENT_ACCEPTED {
        if { [TCP::local_port] equals 531 } {
            snatpool chat_snatpool
        } elseif { [TCP::local_port] equals 25 } {
            snatpool smtp_snatpool member 10.20.30.40
        }
    }

iRules commands: global commands 6

iRules commands: global commands 7

    when HTTP_REQUEST {
        if { [cpu usage 5secs] <= 1 } {
            pool www
        } else {
            HTTP::redirect "http://..."
        }
    }

iRules commands: global commands 8

iRules commands: functions

iRules commands: functions

iRules commands: functions

    findstr [HTTP::payload] "fid=" 4 "&"

- http://...

iRules commands: TCL String Func

iRules commands: TCL SCAN

iRules commands: TCL BINARY SCAN

TMOS Commands in detail
- LB/OneConnect commands
- TCP/IP commands
- HTTP/Cache/DNS commands

TMOSCMD: LB

TMOSCMD: OneConnect

TMOSCMD: LINK

TMOSCMD: IP

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            pool my_pool
        }
    }

TMOSCMD: TCP

TMOSCMD: TCP

TMOSCMD: TCP

TMOSCMD: TCP

    when SERVER_CONNECTED {
        peer { TCP::collect 4 }
    }
    when CLIENT_DATA {
        if { [TCP::payload] starts_with "EHLO" } {
            TCP::respond "500 5.3.3 Unrecognized command\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
    }

TMOSCMD: HTTP

TMOSCMD: HTTP::Header

TMOSCMD: HTTP::Header

TMOSCMD: HTTP::Header

TMOSCMD: HTTP::Cookie

TMOSCMD: HTTP::Cookie

TMOSCMD: HTTP::Cookie

TMOSCMD: HTTP

TMOSCMD: HTTP

    when HTTP_REQUEST {
        set ckname "app"
        set ckvalue "893"
        set cookie [format "%s=%s; path=/; domain=%s" $ckname $ckvalue ".domain.org"]
        HTTP::respond 302 Location "http://www.domain.org" "Set-Cookie" $cookie
    }

    when HTTP_RESPONSE {
        if { [HTTP::status] == 302 } {
            # Start from an empty value so the first cookie does not read an unset variable.
            set cookies ""
            foreach aCookieName [HTTP::cookie names] {
                set currentCookie "$aCookieName=[HTTP::cookie value $aCookieName]"
                if { $cookies eq "" } {
                    set cookies $currentCookie
                } else {
                    set cookies "$cookies\r\nSet-Cookie: $currentCookie"
                }
            }
            HTTP::respond 200 content "Forbidden Redirect From remote Server. The server is trying to redirect the client to an external site, but it is forbidden" "Set-Cookie" $cookies
        }
    }

TMOSCMD: HTTP

iRules events
- How to declare an event:

    when ... {
        body
    }

- An example:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 10.1.1.80] } {
            pool my_pool1
        }
    }

iRules events
- Event types:
  - Global Events
  - IP Events
  - TCP/UDP Events
  - HTTP/SSL/DNS/Auth/Cache Events
  - Others (F5 keeps extending the supported event types): SIP/XML/RTSP, etc.

TMOS Events in detail 1
- Part one
  - Global events
  - TCP/IP events
  - HTTP

Event list 1

Event list 2

Events: Global

Events: Global: LB_FAILED

Events: IP/TCP

Events: TCP

    when SERVER_DATA {
        TCP::release
        TCP::collect
        log local0. "in SERVER_DATA, calling TCP::notify response to trigger USER_RESPONSE event"
        TCP::notify response
    }
    when USER_RESPONSE {
        log local0. "in USER_RESPONSE"
    }

Events: HTTP

Advanced Persistence with iRules
- UIE - Universal Inspection Engine
- Hash

iRules commands: Global: persist

iRules commands: Global: persist

iRules commands: Global: persist

iRules commands: Global: session

iRules commands: persist & session

    when HTTP_REQUEST {
        set lookup [list [IP::client_addr] any virtual]
        set value [persist lookup uie $lookup]
    }

    when HTTP_REQUEST {
        set value [persist lookup uie "[IP::client_addr] any pool"]
    }

iRules commands: UIE Persistence
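
iRule example (3) rewritten for BIG-IP v10 and later, as an added example that is not part of the original slides. It drops the `$::` data-group references, keeps the debug flag in the CMP-compatible `static::` namespace, and gates logging behind that flag. The data groups and pools named in example (3) are assumed to exist already.

```tcl
# Added example, not from the original slides. Targets BIG-IP v10 or later.
# Assumed to exist already: data groups class_end and class_domain,
# pools pool_gateway and CSS-W3 (names taken from example 3).
when RULE_INIT {
    # static:: variables are set once and are CMP-compatible,
    # unlike ::globals, which restrict traffic handling to one CPU.
    set static::debug 0
}

when HTTP_REQUEST {
    # Normalise once. Matching on the path instead of the full URI means
    # a query string cannot change which pool is selected.
    set path [string tolower [HTTP::path]]
    set host [string tolower [HTTP::host]]

    # v10+ form: the data group is referenced by name, without $::
    if { [class match $path ends_with class_end] } {
        pool pool_gateway
        set reason "path matched class_end"
    } elseif { [class match $host contains class_domain] } {
        pool pool_gateway
        set reason "host matched class_domain"
    } else {
        pool CSS-W3
        set reason "no match, use cache"
    }

    # Logging consumes resources; gate it behind a flag so production
    # rules do not need to be edited to switch it off.
    if { $static::debug } {
        log local0. "uri=[HTTP::uri] host=$host -> $reason"
    }
}
```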
