Forum Discussion
hooleylist
Jun 12, 2012 - Cirrostratus
If you're on 10.2.1 or higher you should use RESOLV::lookup as it's a simpler command which doesn't require coding in the NAME_RESOLVED event. Also, change the data group lookup from
if { $ptr starts_with $::non-prod-list } {
to:
if { [class match $ptr starts_with non-prod-list]} {
Note the use of the class command and the removal of the $:: prefix. The $:: prefix won't work in 10.x or higher.
You probably also want to check if the ptr record ends with the data group strings as you might get a PTR record like client-x-y-z.example.com and want to match against example.com in the data group.
Lastly, you can remove the do_lookup variable, and CLIENT_ACCEPTED is only triggered when a new client connection is established to the virtual server.
Here's an untested example:
Check the config options for tmm.resolv.retry and tmm.resolv.timeout on the RESOLV::lookup wiki page!
https://devcentral.f5.com/wiki/iRules.resolv__lookup.ashx
when RULE_INIT {
    # Log debug to /var/log/ltm? 1=yes, 0=no.
    set static::dns_debug 1

    # Use a DNS virtual server for redundancy
    set static::dns_server my_dns_vs
    # Less optimally, hardcode a DNS server IP address
    #set static::dns_server 4.2.2.2

    # Data group name which maps the domain names to a pool name
    # The logical data group format is expected to be:
    #   Name=domain1.org, value=prod_pool
    #   Name=domain1.com, value=non_prod_pool
    # The exact format of the data group depends on the LTM version
    # See these articles for details:
    #   v11 - https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086510/v11-iRules-Data-Group-Updates.aspx
    #   v10 - https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086448/iRules-Data-Group-Formatting-Rules.aspx
    set static::ptr_to_pool_dg "ptr_to_pool_dg"
}
when CLIENT_ACCEPTED {
    # Get PTR for client's IP address
    set ptr [RESOLV::lookup @$static::dns_server -ptr [IP::client_addr]]
    if {$static::dns_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: Resolved $ptr"}

    # Check if a pointer record was returned
    if {$ptr eq ""} {
        # No PTR, so use the VS default pool
        if {$static::dns_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: No PTR!"}
        pool [LB::server pool]
    } else {
        # Check the data group named ptr_to_pool_dg to get the pool name
        set pool [class match -value -- $ptr ends_with $static::ptr_to_pool_dg]
        if {$pool eq ""} {
            # No match for domain, so use the VS default pool
            if {$static::dns_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: No pool found for $ptr in $static::ptr_to_pool_dg"}
            pool [LB::server pool]
        } else {
            # Try to assign the matched pool, but use the default pool if the assignment fails
            # (catch stores the error message in $result, so log that rather than an undefined variable)
            if {[catch {pool $pool} result]} {
                if {$static::dns_debug} {log local0. "[IP::client_addr]:[TCP::client_port]: Error assigning pool $pool. Using default pool [LB::server pool]. Error: $result"}
                pool [LB::server pool]
            }
        }
    }
}
Aaron
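Added example, not part of Aaron's post and not F5 code: a plain Tcl script (runs under tclsh, no LTM required) that emulates the `class match -value -- $ptr ends_with <data group>` lookup from the iRule above against a constructed copy of the ptr_to_pool_dg data group. It makes visible the check a defender should do before selecting a pool from a PTR name: a bare suffix match on `domain1.org` also accepts a PTR such as host.notdomain1.org, and the reverse zone for a client address is maintained by whoever holds that address block, not by the site operator, so the match should at least be anchored on a DNS label boundary (an exact match, or a name ending in `.domain1.org`). The data group contents, the PTR strings, and the `dg_ends_with` and `dg_ends_with_label` procs are all constructed for this example; the emulation approximates the ends_with operator and is an assumption, not F5's implementation, and RESOLV::lookup is not available off-box, so the PTR answers are supplied as constants.

```tcl
#!/usr/bin/env tclsh
# Added example (not from the original post or from F5): plain Tcl that
# emulates the "class match -value -- $ptr ends_with <dg>" lookup from the
# iRule so the suffix-boundary behaviour can be checked off-box with tclsh.
# The data group below is a constructed stand-in for ptr_to_pool_dg.

# Constructed data group: name -> pool, same logical format as the post.
set ptr_to_pool_dg {
    domain1.org  prod_pool
    domain1.com  non_prod_pool
}

# Emulation (an assumption, not F5's code) of "class match -value ends_with":
# return the pool of the first entry whose name is a plain string suffix
# of $ptr, or "" when nothing matches, which is what the iRule tests for.
proc dg_ends_with {dg ptr} {
    foreach {name pool} $dg {
        set start [expr {[string length $ptr] - [string length $name]}]
        if {$start >= 0 && [string range $ptr $start end] eq $name} {
            return $pool
        }
    }
    return ""
}

# Stricter variant: the suffix must sit on a DNS label boundary, so
# "domain1.org" accepts host.domain1.org and domain1.org itself but
# rejects host.notdomain1.org. On LTM the same effect comes from storing
# ".domain1.org" in the data group next to an exact-match entry.
proc dg_ends_with_label {dg ptr} {
    foreach {name pool} $dg {
        if {$ptr eq $name || [string match "*.$name" $ptr]} {
            return $pool
        }
    }
    return ""
}

# Render "" the way the iRule treats it: fall back to the VS default pool.
proc show {pool} {
    if {$pool eq ""} { return "(default pool)" }
    return $pool
}

# Constructed PTR answers with the pool each matcher should return.
foreach {ptr loose strict} {
    client-x-y-z.domain1.org  prod_pool      prod_pool
    domain1.com               non_prod_pool  non_prod_pool
    host.notdomain1.org       prod_pool      ""
    host.example.net          ""             ""
} {
    if {[dg_ends_with $ptr_to_pool_dg $ptr] ne $loose} {
        error "plain ends_with gave an unexpected result for $ptr"
    }
    if {[dg_ends_with_label $ptr_to_pool_dg $ptr] ne $strict} {
        error "label-boundary match gave an unexpected result for $ptr"
    }
    puts [format "%-26s ends_with=%-15s label-boundary=%s" \
        $ptr [show $loose] [show $strict]]
}
```

Run it with `tclsh ptr_match.tcl`: it prints one row per constructed PTR and raises an error if either matcher disagrees with the expected pool. The third row is the one to look at: the plain suffix match sends host.notdomain1.org to prod_pool, while the label-boundary match leaves it on the default pool, which is the behaviour a data group used for pool selection should have.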