1 Seattle DevCentral User Group iRules Optimization Techniques Joe Pruitt – Senior Strategic Architect

Uploaded by dana-tyler, posted 23-Dec-2015

Page 1

Seattle DevCentral User Group

iRules Optimization Techniques

Joe Pruitt – Senior Strategic Architect

Page 2

Agenda

iRules Overview

Optimization Techniques

Troubleshooting Tips

Open Q&A

Page 3

What are iRules?

Programming language integrated into TMOS (Traffic Management Operating System)

Based on the industry standard TCL language (Tool Command Language)

Provide the ability to intercept, inspect, transform, direct and track inbound or outbound application traffic

Core of the F5 “secret sauce” and key differentiator

Page 4

What makes iRules so unique?

Full-fledged scripts, executed against traffic on the network, at wire-speed

Powerful logical operations combined with deep packet inspection

The ability to route, re-route, re-direct, retry, or block traffic

Community support, tools and innovation

Page 5

How do iRules Work?

• iRules allow you to perform deep packet inspection (entire header and payload)
• Coded around Events (HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
• Full scripting language allows for extremely granular control of inspection, alteration and delivery on a packet by packet basis

[Diagram: Requests: Original Request → iRule Triggered → HTTP Events Fire (HTTP_REQUEST, HTTP_RESPONSE, etc.) → Modified Request*; Modified Responses*]

*Note: BIG-IP’s Bi-Directional Proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffic flow, regardless of direction.

Page 6

What can an iRule do?

Read, transform, replace header or payload information (HTTP, TCP, SIP, etc.)

Work with any protocol, such as SIP, RTSP, XML, others, whether with native (HTTP::cookie) or generic (TCP::payload) commands

Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc.

Caching, compression, profile selection, rate shaping and much, much more

Page 7

Key elements of an iRule

Event declarations – Define when code will be executed

Operators – Define under what conditions you will perform an action

iRule commands – Define the action to perform

Page 8

iRule elements - Events

Events are anything that may trigger the processing of the rule in the first place

Examples:
– HTTP_REQUEST
– HTTP_RESPONSE
– CLIENT_ACCEPTED
– LB_FAILED

Additional events found at http://devcentral.f5.com/wiki/default.aspx/iRules/Events.html

    when HTTP_REQUEST {
        pool http_pool1
    }

Page 9

iRule elements - Operators

There are two types of operators, Relational and Logical

Operators compare the operands in an expression

Relational operators – contains, matches, equals, starts_with, ends_with, matches_regex, switch

Logical operators – if, and, not, or

    when HTTP_REQUEST {
        if { [HTTP::host] ends_with "bob.com" } {
            pool http_pool1
        }
    }

    when HTTP_REQUEST {
        if { ([HTTP::host] ends_with "bob.com") or ([HTTP::uri] contains "/portal/") } {
            pool http_pool1
        }
    }

Page 10

iRule elements – iRule commands

As implied, the action that is to be carried out upon an operator match. Does the rule look for data, manipulate data, send to a location?

– Statement commands – can cause actions such as destination selection or SNAT assignment
– Query commands – search for header or content data, such as IP::remote_addr
– Data manipulation – as stated, manipulate the data content, such as insert or remove headers
– Utility commands – useful for parsing data and manipulating content, such as decode_uri <string>

Many additional commands available: http://devcentral.f5.com/wiki/default.aspx/iRules/Commands.html

Page 11

iRule Event Taxonomy

AUTH: AUTH_ERROR, AUTH_FAILURE, AUTH_RESULT, AUTH_SUCCESS, AUTH_WANTCREDENTIAL

CACHE: CACHE_REQUEST, CACHE_RESPONSE

CLIENTSSL: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE

DNS: DNS_REQUEST, DNS_RESPONSE, NAME_RESOLVED

GLOBAL: LB_FAILED, LB_SELECTED, RULE_INIT

HTTP: HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA

IP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA

LINE: CLIENT_LINE, SERVER_LINE

RTSP: RTSP_REQUEST, RTSP_REQUEST_DATA, RTSP_RESPONSE, RTSP_RESPONSE_DATA

SIP: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE

SERVERSSL: SERVERSSL_HANDSHAKE

STREAM: STREAM_MATCHED

TCP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA, USER_REQUEST, USER_RESPONSE

UDP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA

XML: XML_BEGIN_DOCUMENT, XML_BEGIN_ELEMENT, XML_CDATA, XML_END_DOCUMENT, XML_END_ELEMENT, XML_EVENT

Page 12

Prize Giveaway #1

What does TCL stand for?

Page 13

iRules Optimization Techniques

Page 14

Optimization Tip #1 – Don’t use an iRule

If you aren’t doing custom conditional testing, let the profiles do the work.

• HTTP header insert
• HTTP header erase
• HTTP fallback
• HTTP compress uri <exclude|include>
• HTTP compress gzip level
• HTTP redirect rewrite
• HTTP insert xforwarded for
• HTTP ramcache uri <exclude|include|pinned>
• Stream Profile for content replacement
• Class profile for URI matching.

Page 15

Optimization Tip #2 - Planning

Plan your iRule before attempting to code
– Determine what protocols are involved
– Decide what commands you'll need
– Choose how to achieve the desired effect in the least steps
– Confirm what needs to be logged
– Determine where/how you will test

Page 16

Optimization Tip #3 – Tools and Preparation

Have a test System available

Install and get familiar with a packet capture tool

Find your favorite TCL resource(s)

Browse DevCentral

Use a code editing tool

Page 17

F5 iRule Editor

First network rule editor optimizes development

Includes:
– Syntax checking
– Auto-complete
– Template support
– Doc Links
– Deployment integration
– Statistics monitoring
– Data group editing
– Optional post to CodeShare feature

Available: Now
Tutorials: on DevCentral

Page 18

Optimization Tip #4 – Control Your Control statements

    when HTTP_REQUEST {
        switch -glob [HTTP::uri] {
            "/img*" -
            "/image*" -
            "/pics*" {
                pool imagePool
            }
        }
    }

Think “switch”, then “class”, then “if/elseif”

    class image_dirs {
        "/img"
        "/image"
        "/pics"
    }
    …
    when HTTP_REQUEST {
        if { [matchclass [HTTP::uri] starts_with $::image_dirs] } {
            pool imagePool
        }
    }

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/img" } {
            pool imagePool
        } elseif { [HTTP::uri] starts_with "/image" } {
            pool imagePool
        } elseif { [HTTP::uri] starts_with "/pics" } {
            pool imagePool
        }
    }

Page 19

Optimization Tip #5 – Regex is EVIL

    when HTTP_REQUEST {
        if { [regexp {^/myPortal} [HTTP::uri]] } {
            regsub {/myPortal} [HTTP::uri] "/UserPortal" newUri
            HTTP::uri $newUri
            pool http_pool1
        }
    }

Regex’s are cool, but are CPU hogs and should be considered pure evil. Most often there are better alternatives.

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/myPortal" } {
            set newUri [string map {myPortal UserPortal} [HTTP::uri]]
            HTTP::uri $newUri
            pool http_pool1
        }
    }

    when HTTP_RESPONSE_DATA {
        # Find ALL the possible credit card numbers in one pass
        set card_indices [regexp -all -inline -indices {(?:30[0-5]\d{11})|(?:3[68]\d{12})|(?:3[47]\d{13})|(?:4\d{12})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]
    }

But sometimes they are a necessary evil…
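As an added example (not from the deck), here is one way to act on the index list that single-pass regexp returns: each match is masked in place before HTTP::release lets the response leave the BIG-IP. The 1 MiB size cap and the text/ Content-Type check are illustrative choices, and the rule assumes a virtual server with an HTTP profile.

```tcl
# Added example, not from the slides: mask card-number-like strings in
# response bodies using the deck's one-pass regexp. The 1 MiB cap and the
# text/ check are assumptions chosen to keep buffering bounded.
when HTTP_RESPONSE {
    # Buffer only bounded text responses; anything else streams through untouched.
    if { [HTTP::header exists "Content-Length"] &&
         [HTTP::header "Content-Length"] <= 1048576 &&
         [HTTP::header "Content-Type"] starts_with "text/" } {
        HTTP::collect [HTTP::header "Content-Length"]
    }
}

when HTTP_RESPONSE_DATA {
    # One regexp pass; -indices yields a {start end} pair per candidate number.
    set card_indices [regexp -all -inline -indices \
        {(?:30[0-5]\d{11})|(?:3[68]\d{12})|(?:3[47]\d{13})|(?:4\d{12})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} \
        [HTTP::payload]]
    set masked 0
    foreach idx $card_indices {
        set start [lindex $idx 0]
        set len   [expr {[lindex $idx 1] - $start + 1}]
        # Keep the last four digits; overwrite the rest with a same-length run
        # of X so the remaining offsets in the index list stay valid.
        set hide  [expr {$len - 4}]
        HTTP::payload replace $start $hide [string repeat "X" $hide]
        incr masked
    }
    if { $masked > 0 } {
        log local0. "Masked $masked card-like number(s) in response to [IP::client_addr]"
    }
    HTTP::release
}
```

The pattern is deliberately loose (it also matches many non-card digit runs), so check the log counts against real traffic before trusting it as a leak control.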

Page 20

Optimization Tip #6 – Don’t Use Variables

    when HTTP_REQUEST {
        set host [HTTP::host]
        set uri [HTTP::uri]
        if { [HTTP::host] contains "bob.com" } {
            log "Host = $host"
            log "URI = $uri"
            pool http_pool1
        }
    }

Don’t use variables unless you HAVE to. They may make it easier to read, but they do chew up memory and CPU.

    when HTTP_REQUEST {
        if { [HTTP::host] contains "bob.com" } {
            log "Host = [HTTP::host] ; URI = [HTTP::uri]"
            pool http_pool1
        }
    }

Page 21

Optimization Tip #7 – Use Variables

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/img" } {
            pool imagePool
        } elseif { ([string tolower [HTTP::uri]] ends_with ".gif") ||
                   ([string tolower [HTTP::uri]] ends_with ".jpg") ||
                   ([string tolower [HTTP::uri]] ends_with ".png") } {
            pool imagePool
        }
    }

Use variables to reduce repetitive costly evaluations, but don’t make the names too long…

    when HTTP_REQUEST {
        set theUriThatIAmMatchingInThisiRule [string tolower [HTTP::uri]]
        if { $theUriThatIAmMatchingInThisiRule starts_with "/img" } {
            pool imagePool
        } elseif { ($theUriThatIAmMatchingInThisiRule ends_with ".gif") ||
                   ($theUriThatIAmMatchingInThisiRule ends_with ".jpg") ||
                   ($theUriThatIAmMatchingInThisiRule ends_with ".png") } {
            pool imagePool
        }
    }

    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        if { $uri starts_with "/img" } {
            pool imagePool
        } elseif { ($uri ends_with ".gif") || ($uri ends_with ".jpg") || ($uri ends_with ".png") } {
            pool imagePool
        }
    }

Page 22

Optimization Tip #8 – Return Early

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "/images" } {
            pool imagePool
        }
        if { [HTTP::header exists "SomeHeader"] } {
            log local0. "SomeHeader found"
        }
    }

Use "return" to exit early to save as many CPU cycles as possible.

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "/images" } {
            pool imagePool
            return
        }
        if { [HTTP::header exists "SomeHeader"] } {
            log local0. "SomeHeader found"
        }
    }

Page 23

Optimization Tip #9 – Operators and Data Types

    set x 0
    foreach dir [split [HTTP::uri] "/"] {
        incr x
        if {$x == 4} {
            ...
        }
    }

• Polymorphism is a blessing and a killer.
• Use the right operator for the right type
• Use eq, ne on strings
• Use ==, != on numbers

    set x 0
    foreach dir [split [HTTP::uri] "/"] {
        incr x
        if {$x eq 4} {
            ...
        }
    }

    set x 5
    if { $x == 5 } { } ;# this evaluates as true
    if { $x eq 5 } { } ;# this evaluates as true
    if { $x == 05 } { } ;# this evaluates as true
    if { $x eq 05 } { } ;# this evaluates as false

    if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] } { … }

Use [IP::addr] to compare addresses

Things are not always as they seem

Page 24

Optimization Tip #9 – Operators and Data Types

    when CLIENT_ACCEPTED {
        set newOct [expr 3 + [getfield [IP::client_addr] "." 4] ]
        set total [expr 128 + $newOct]
        ...
    }

    when CLIENT_ACCEPTED {
        set newOct [expr {3 + [getfield [IP::client_addr] "." 4]}]
        set total [expr {128 + $newOct}]
        ...
    }

Group expressions with curly braces to avoid unnecessary conversions (especially with “expr”).

Page 25

Optimization Tip #10 – Timing

    timing on
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/img" } {
            pool imgPool
        } elseif { [HTTP::uri] starts_with "/doc" } {
            pool docPool
        } elseif { [HTTP::uri] starts_with "/blog" } {
            pool blogPool
        }
    }
    when HTTP_RESPONSE {
        if { [HTTP::status] == 500 } {
            HTTP::respond 200 content "An error occurred"
        }
    }

Use the “timing” command to turn on profiling statistics in your iRule. Use the GUI, bigpipe, or the iRule Editor to monitor and test your optimizations.

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/img" } {
            pool imgPool
        } elseif { [HTTP::uri] starts_with "/doc" } {
            pool docPool
        } elseif { [HTTP::uri] starts_with "/blog" } {
            pool blogPool
        }
    }
    when HTTP_RESPONSE timing on {
        if { [HTTP::status] == 500 } {
            HTTP::respond 200 content "An error occurred"
        }
    }

Page 26

Optimization Tip #11 – Use the community

Page 27

Prize Giveaway #2

How many *::payload iRule commands are there?

Page 28

Troubleshooting tips

Verify that the rule is looking for the correct item to act upon, such as the URI

Ensure you’re using the right events

Check the logs for hints

Try using single-case comparisons

Analyze traffic with a capture tool

Use “timing” to measure efficiency gains

Page 29

Troubleshooting tips continued

Use log statements to verify the information
– Logging practices that can be helpful:
  • Log variable values before and after each time they are set
  • Log at least once in each event to ensure all events are firing as intended
  • Add a log entry inside each conditional block to see if the conditional returned true or false (don't forget Else clauses)
  • Log the result of each command being executed if possible by re-logging any variable that was affected
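The four logging practices above applied to the Tip #10 rule, as an added example that is not from the deck. It assumes a BIG-IP release with the static:: namespace (v10 or later) so the logging can be switched off in one place once the rule behaves.

```tcl
# Added example, not from the slides: a troubleshooting build of the Tip #10
# rule. Assumes static:: is available (v10+); set static::debug to 0 before
# leaving the rule on production traffic.
when RULE_INIT {
    set static::debug 1
}

when HTTP_REQUEST {
    # One log per event proves the event fires at all.
    if { $static::debug } { log local0. "HTTP_REQUEST fired from [IP::client_addr]" }

    # Log the variable right after it is set, before any decision uses it.
    set uri [string tolower [HTTP::uri]]
    if { $static::debug } { log local0. "uri = '$uri'" }

    # A log in every branch, else included, shows which way each test went.
    if { $uri starts_with "/img" } {
        if { $static::debug } { log local0. "matched /img, selecting imgPool" }
        pool imgPool
        return
    } elseif { $uri starts_with "/doc" } {
        if { $static::debug } { log local0. "matched /doc, selecting docPool" }
        pool docPool
        return
    } else {
        if { $static::debug } { log local0. "no prefix matched for '$uri', default pool used" }
    }
}

when HTTP_RESPONSE {
    if { $static::debug } { log local0. "HTTP_RESPONSE fired, status [HTTP::status]" }
    if { [HTTP::status] == 500 } {
        if { $static::debug } { log local0. "status 500, replacing response" }
        HTTP::respond 200 content "An error occurred"
    } else {
        if { $static::debug } { log local0. "status [HTTP::status] passed through" }
    }
}
```

Reading /var/log/ltm after one request then shows the event order, the lowered URI, and exactly which branch ran; a missing line points at the event or condition that never fired.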

Page 30

Where can I find out more?

F5 DevCentral:
– Home: http://devcentral.f5.com
– Editor: http://devcentral.f5.com/Default.aspx?tabid=66

TCL Links:
– Overview: http://en.wikipedia.org/wiki/Tcl
– Tutorial: http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html
– Reference: http://tmml.sourceforge.net/doc/tcl/index.html

Page 31

Prize Giveaway #3

What two functions does OneConnect perform?

Page 32

Know How. Now.