1 seattle devcentral user group irules optimization techniques joe pruitt – senior strategic...
TRANSCRIPT
1
Seattle DevCentral User Group
iRules Optimization Techniques
Seattle DevCentral User Group
iRules Optimization Techniques
Joe Pruitt – Senior Strategic Architect
2
Agenda
iRules Overview
Optimization Techniques
Troubleshooting Tips
Open Q&A
3
What are iRules?
Programming language integrated into TMOSTraffic Management Operating System
Based on industry standard TCL languageTool Command Language
Provide ability to intercept, inspect, transform, direct and track inbound or outbound application trafficCore of the F5 “secret sauce” and key differentiator
4
What makes iRules so unique?
Full-fledged scripts, executed against traffic on the network, at wire-speed
Powerful logical operations combined with deep packet inspection
The ability to route, re-route, re-direct, retry, or block traffic
Community support, tools and innovation
5
How do iRules Work?• iRules allow you to perform deep packet inspection (entire header and
payload)
• Coded around Events (HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
• Full scripting language allows for extremely granular control of inspection,
alteration and delivery on a packet by packet basisRequests
Original Request
Modified Request*
iRule Triggered
HTTP Events Fire (HTTP_REQUEST,
HTTP_RESPONSE, etc.)
Modified Responses*
*Note: BIG-IP’s Bi-Directional Proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffice flow, regardless of direction.
6
What can an iRule do?
Read, transform, replace header or payload information (HTTP, TCP, SIP, etc.)
Work with any protocol, such as SIP, RTSP, XML, others, whether with native (HTTP::cookie) or generic (TCP::payload) commands
Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc.
Caching, compression, profile selection, rate shaping and much, much more
7
Key elements of an iRule
Event declarations– Define when code will be executed
Operators– Define under what conditions you will perform an
action
iRule commands– Define the action to perform
8
iRule elements - Events
Events are anything that may trigger the processing of the rule in the first place
Examples:– HTTP_REQUEST– HTTP_RESPONSE– CLIENT_ACCEPTED– LB_FAILED
Additional events found at http://devcentral.f5.com/wiki/default.aspx/iRules/Events.html
when HTTP_REQUEST { http_pool1}
9
iRule elements - Operators
There are two types or operators, Relational and Logical
Operators compare the operands in an expression
Relational operators– contains, matches, equals,
starts_with, ends_with,
matches_regex, switch
Logical operators– if, and, not, or
when HTTP_REQUEST { if{[HTTP::host] ends_with “bob.com”}{ pool http_pool1 }}
when HTTP_REQUEST { if{([HTTP::host] ends_with “bob.com”) or ([HTTP::uri] contains “/portal/”)}{ pool http_pool1 }}
10
iRule elements – iRule commands
As implied, the action that is to be carried out upon a operator matchDoes the rule look for data, manipulate data, send to a location?Statement commands – can cause actions such as destination selection or SNAT assignmentQuery commands – search for header or content data, such as IP::remote_addrData manipulation – as stated, manipulate the data content, such as insert or remove headersUtility commands – useful for parsing data and manipulating content, such as decode_uri <string>Many additional commands available - http://devcentral.f5.com/wiki/default.aspx/iRules/Commands.html
11
iRule Event TaxonomyAUTH
AUTH_ERRORAUTH_FAILUREAUTH_RESULTAUTH_SUCCESSAUTH_WANTCREDENTIAL
CACHECACHE_REQUESTCACHE_RESPONSE
CLIENTSSLCLIENTSSL_CLIENTCERTCLIENTSSL_HANDSHAKE
DNSDNS_REQUESTDNS_RESPONSENAME_RESOLVED
GLOBALLB_FAILEDLB_SELECTEDRULE_INIT
HTTPHTTP_CLASS_FAILEDHTTP_CLASS_SELECTEDHTTP_REQUESTHTTP_REQUEST_DATAHTTP_REQUEST_SENDHTTP_RESPONSEHTTP_RESPONSE_CONTINUEHTTP_RESPONSE_DATA
IPCLIENT_ACCEPTEDCLIENT_CLOSEDCLIENT_DATASERVER_CLOSEDSERVER_CONNECTEDSERVER_DATA
LINECLIENT_LINESERVER_LINE
RTSPRTSP_REQUESTRTSP_REQUEST_DATARTSP_RESPONSERTSP_RESPONSE_DATA
SIPSIP_REQUESTSIP_REQUEST_SENDSIP_RESPONSE
SERVERSSLSERVERSSL_HANDSHAKE
STREAMSTREAM_MATCHED
TCPCLIENT_ACCEPTEDCLIENT_CLOSEDCLIENT_DATASERVER_CLOSEDSERVER_CONNECTEDSERVER_DATAUSER_REQUESTUSER_RESPONSE
UDPCLIENT_ACCEPTEDCLIENT_CLOSEDCLIENT_DATASERVER_CLOSEDSERVER_CONNECTEDSERVER_DATA
XMLXML_BEGIN_DOCUMENTXML_BEGIN_ELEMENTXML_CDATAXML_END_DOCUMENTXML_END_ELEMENTXML_EVENT
AUTH
CACHE
CLIENTSSL
DNS
GLOBAL
HTTP
IP
LINE
RTSP
SIP
SERVERSSL
STREAM
TCP
UDP
XML
12
Prize Giveaway #1
What does TCL stand for?
13
iRules Optimization Techniques
14
Optimization Tip #1 – Don’t use an iRule
If you aren’t doing custom conditional testing, let the profiles do the work.
• HTTP header insert• HTTP header erase• HTTP fallback• HTTP compress uri <exclude|include>• HTTP compress gzip level• HTTP redirect rewrite• HTTP insert xforwarded for• HTTP ramcache uri <exclude|include|pinned>• Stream Profile for content replacement• Class profile for URI matching.
15
Optimization Tip #2 - Planning
Plan your iRule before attempting to code– Determine what protocols involved– Decide what commands you'll need– Choose how to achieve the desired effect in the least
steps– Confirm what needs to be logged– Determine where/how you will test
16
Optimization Tip #3 – Tools and Preparation
Have a test System available
Install and get familiar with a packet capture tool
Find your favorite TCL resource(s)
Browse DevCentral
Use a code editing tool
17
F5 iRule EditorFirst network rule editor optimizes developmentIncludes:– Syntax checking– Auto-complete– Template support– Doc Links– Deployment integration– Statistics monitoring– Data group editing– Optional post to
CodeShare feature
Available: NowTutorials: on DevCentral
18
Optimization Tip #4 – Control Your Control statements
when HTTP_REQUEST { switch –glob [HTTP::uri] { “/img*” - “/image*” - “/pics*” { pool imagePool } }}
Think “switch”, then “class”, then “if/elseif”
class image_dirs { “/img” “/image” “/pics”}
…when HTTP_REQUEST { if { [matchclass [HTTP::uri] starts_with $::image_dirs] } { pool imagePool }}
when HTTP_REQUEST { if { [HTTP::uri] starts_with “/img” } { pool imagePool } elseif { [HTTP::uri] starts_with “/image” } { pool imagePool } elseif { [HTTP::uri] starts_with “/pics” } { pool imagePool }}
19
Optimization Tip #5 – Regex is EVIL
when HTTP_REQUEST { if { [regex {^/myPortal} [HTTP::uri] } { regsub {/myPortal} [HTTP::uri] “/UserPortal” newUri HTTP::uri $newUri pool http_pool1 }}
Regex’s are cool, but are CPU hogs and should be considered pure evil. Most often there are better alternatives.
when HTTP_REQUEST { if{[HTTP::uri] starts_with “/myPortal”}{ newUri [string map {myPortal UserPortal [HTTP::uri]] HTTP::uri $newUri pool http_pool1 }}
when HTTP_RESPONSE_DATA { # Find ALL the possible credit card numbers in one pass set card_indices [regexp -all -inline -indices {(?:30[0-5]\d{11})|(?:3[6|8]\d{12})|(?:3[4|7]\d{13})|(?:4\d{12})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]}
But sometimes they are a necessary evil…
20
Optimization Tip #6 – Don’t Use Variables
when HTTP_REQUEST { set host [HTTP::host] set uri [HTTP::uri] if{[HTTP::host] contains “bob.com”}{ log “Host = $host” log “URI = $uri” pool http_pool1 }}
Don’t use variables unless you HAVE to. They may make it easier to read, but they do chew up memory and CPU.
when HTTP_REQUEST { if{[HTTP::host] contains “bob.com”}{ log “Host = [HTTP::host] ; URI = [HTTP::uri]” pool http_pool1 }}
21
Optimization Tip #7 – Use Variables
when HTTP_REQUEST { if { [string tolower [HTTP::uri] starts_with “/img” } { pool imagePool } elseif { ([string tolower [HTTP::uri] ends_with “.gif”]) || ([string tolower [HTTP::uri] ends_with “.jpg”]) || ([string tolower [HTTP::uri] ends_with “.png”]) } { pool imagePool }}
Use variables to reduce repetitive costly evaluations, but don’t make the names too long…
when HTTP_REQUEST { set theUriThatIAmMatchingInThisiRule [string tolower [HTTP::uri]] if { $theUriThatIAmMatchingInThisiRule starts_with “/img” } { pool imagePool } elseif { ($theUriThatIAmMatchingInThisiRule ends_with “.gif”) || ($theUriThatIAmMatchingInThisiRule ends_with “.jpg”) || ($theUriThatIAmMatchingInThisiRule ends_with “.png”) } { pool imagePool }} when HTTP_REQUEST {
set uri [string tolower [HTTP::uri]] if { $uri starts_with “/img” } { pool imagePool } elseif { ($uri ends_with “.gif”) || ($uri ends_with “.jpg”) || ($uri ends_with “.png”) } { pool imagePool }}
22
Optimization Tip #8 – Return Early
when HTTP_REQUEST { if { [HTTP::uri] contains “/images” { pool imagePool } if { [HTTP::header exists “SomeHeader” } { log local0. “SomeHeader found” }}
Use "return" to exit early to save as many CPU cycles as possible.
when HTTP_REQUEST { if { [HTTP::uri] contains “/images” { pool imagePool return } if { [HTTP::header exists “SomeHeader” } { log local0. “SomeHeader found” }}
23
Optimization Tip #9 – Operators and Data Types
set x 0foreach dir {[split [HTTP::uri] "/"]} { incr x if {$x == 4} { ... }}
• Polymorphism is a blessing and a killer.• Use the right operator for the right type• Use eq, ne on strings• Use ==, != on numbers
set x 0foreach dir {[split [HTTP::uri] "/"]} { incr x if {$x eq 4} { ... }}
set x 5if { $x == 5 } { } # this evaluates as trueif { $x eq 5 } { } # this evaluates as trueif { $x == 05 } { } # this evaluates as trueif { $x eq 05 } { } # this evaluates as false
if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] } { … }
Use [IP::addr] tocompare addresses
Things are not always as they seem
24
Optimization Tip #9 – Operators and Data Types
when CLIENT_ACCEPTED { set newOct [expr 3 + [getfield [IP::client_addr] "." 4] ] set total [expr 128 + $newOct] ... }
when CLIENT_ACCEPTED { set newOct [expr {3 + [getfield [IP::client_addr] "." 4]}] set total [expr {128 + $newOct}] ... }
Group expressions with curly’s to avoid unnecessary conversions (especially with “expr”).
25
Optimization Tip #10 – Timing
timing onwhen HTTP_REQUEST { if { [HTTP::uri] starts_with “/img” } { pool imgPool } elseif { [HTTP::uri] starts_with “/doc” } { pool docPool } elseif { [HTTP::uri] starts_with “/blog” } { pool blogPool }}when HTTP_RESPONSE { if { [HTTP::status] == 500 } { HTTP::respond 200 content “An error occurred” }}
Use the “timing” command to turn on profiling statistics in your iRule. Use the GUI, bigpipe, or the iRule Editor to monitor and test your optimizations.
when HTTP_REQUEST { if { [HTTP::uri] starts_with “/img” } { pool imgPool } elseif { [HTTP::uri] starts_with “/doc” } { pool docPool } elseif { [HTTP::uri] starts_with “/blog” } { pool blogPool }}when HTTP_RESPONSE timing on { if { [HTTP::status] == 500 } { HTTP::respond 200 content “An error occurred” }}
26
Optimization Tip #11 – Use the community
27
Prize Giveaway #2
How may *::payload
iRule commands are there?
28
Troubleshooting tips
Verify that the rule is looking for the correct item to act upon, such as the URI
Ensure you’re using the right events
Check the logs for hints
Try using single-case comparisons
Analyze traffic with a capture tool
Use “timing” to measure efficiency gains
29
Troubleshooting tips continued
Use log statements to verify the information– Logging practices that can be helpful:
• Log variable values before and after each time they are set • Log at least once in each event to ensure all events are firing
as intended • Add a log entry inside each conditional block to see if the
conditional returned true or false (don't forget Else clauses)• Log the result of each command being executed if possible
by re-logging any variable that was effected
30
Where can I find out more?
F5 DevCentral:– Home:
• http://devcentral.f5.com– Editor:
• http://devcentral.f5.com/Default.aspx?tabid=66
TCL Links:– Overview:
• http://en.wikipedia.org/wiki/Tcl– Tutorial:
• http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html– Reference:
• http://tmml.sourceforge.net/doc/tcl/index.html
31
Prize Giveaway #3
What two functions
does OneConnect perform?
32
Know How. Now.