20 Lines or Less #13

What could you do with your code in 20 Lines or Less? That's the question I ask every week, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

After a couple of weeks out of the office, I'm back at it with your weekly dose of iRules goodness in under 20 lines. This week's 20LoL comes from the forums as well as the codeshare. We've got some great examples here, including one iRule that can be used to help augment an already existing LTM module and give it some extra functionality...cool stuff!

 

Blocking Content with iRules

This is a good example of a robust, heavily logged way to keep requests whose URI contains certain strings from getting through to the back-end servers. Aaron's gone to the trouble of thoroughly documenting the code and logging its output. That might not be the fastest possible solution in production, but it sure is nice for testing.

 

 when HTTP_REQUEST {

    # Log a debug message with client IP:port and the class contents
    log local0. "[IP::client_addr]:[TCP::client_port]: class \$::badStrings: $::badStrings"

    # Check if the server IP is part of the Hosts datagroup
    if { [matchclass [IP::server_addr] equals $::Hosts] } {

       # Log a debug message indicating the server IP matched the Hosts class
       log local0. "[IP::client_addr]:[TCP::client_port]: matched Hosts class \$::Hosts: $::Hosts"

       # Check if the requested URI contains any known bad strings
       if { [matchclass [string tolower [HTTP::uri]] contains $::badStrings] } {

          # Log a debug message indicating the server IP matched the Hosts class and the URI had a bad string
          log local0. "Matched server IP and found bad string in [HTTP::uri]: \
             entry# [matchclass [string tolower [HTTP::uri]] contains $::badStrings]"

          # Drop the TCP connection
          drop
       }
    }
 }
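A leaner take on the URI check above for production use, added here as an illustration and not part of Aaron's original rule: the URI is percent-decoded and lower-cased once, matched once, and logging sits behind a flag. It assumes BIG-IP v10 or later (for `class match` and `static::`), and the data group name `bad_strings` and the flag `static::bad_uri_debug` are made up for this example; the Hosts check is left out to keep the focus on the URI match.

```tcl
when RULE_INIT {
    # 1 while testing, 0 in production so no log line is built per request
    # (flag name is an assumption for this example)
    set static::bad_uri_debug 1
}

when HTTP_REQUEST {
    # Normalise once and reuse: percent-decode, then lower-case, so the
    # data group only needs lower-case literal entries
    set uri [string tolower [URI::decode [HTTP::uri]]]

    # bad_strings is an assumed string data group holding the blocked values
    if { [class match $uri contains bad_strings] } {
        if { $static::bad_uri_debug } {
            log local0. "[IP::client_addr]:[TCP::client_port]: dropped, bad string in [HTTP::uri]"
        }
        # Drop the TCP connection, as the rule above does
        drop
    }
}
```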

 

MSM Allowlisting

https://devcentral.f5.com/s/articles/msm-bypass

This codeshare entry shows how you can use an iRule to get even more out of MSM on your LTM. Oh how I love TLAs.  By creating an allowlist of known good IP addresses in this iRule, you can skip MSM processing and wring even more performance out of your BIG-IP...nice!

  priority 1
  when CLIENT_ACCEPTED {
    # Known good client: pick the pool and disable all further events for this connection
    if { [matchclass [IP::client_addr] equals $::allow_list] } {
      log local0. "client: [IP::client_addr] found in allow_list directed to http_test_pool"
      pool http_test_pool
      event disable all
    } elseif { [matchclass [IP::client_addr] equals $::deny_list] } {
      # elseif must sit on the same line as the closing brace, or Tcl treats it as a new command
      log local0. "client: [IP::client_addr] found in deny_list directed to http_test_pool_2"
      # or discard
      pool http_test_pool_2
      event disable all
    }
  }

 

Search and Replace via iRule

This example shows some of the things that can be done via the stream profile and selectively enabling replacements via iRules. The stream profile gives you plenty of ability to do data swapping in-line with even more speed than writing out the logic by hand in an iRule. Definitely good stuff.

when HTTP_REQUEST {
  set replace_content 0
  # Save the User-Agent here; in HTTP_RESPONSE, HTTP::header reads the response headers
  set user_agent [HTTP::header "User-Agent"]
  if {[HTTP::uri] contains "/atoz/"} {
    set replace_content 1
  }
}
when HTTP_RESPONSE {
  if {$replace_content equals "1"} {
    # Disable the stream filter by default
    STREAM::disable
    # Check if response type is text and the saved request User-Agent matches
    if {[HTTP::header value Content-Type] contains "text" and $user_agent contains "***"} {
      # Replace
      STREAM::expression "@123@xyz@ @456@xyz@"
      # Enable the stream filter for this response only
      STREAM::enable
    }
  }
}
   

 

There you have it, three more examples of iRules goodness in less than 20 lines each. See you next week.

#Colin

Published Aug 22, 2008
Version 1.0
