I've used this, to capture ftp username from tcp payload.

https://devcentral.f5.com/wiki/iRul...gging.ashx

However, is there a way to match the captured username against a datagroup that contains a list of usernames, and decide to route to a pool xyz? The datagroup type string in v10 takes a string and a value, while I have a list of usernames only. And can I put that in the CLIENT_DATA event within the same iRule? It doesn't seem to work for me.

 


2 Answer(s):

I do not think you can use the FTP Session Logging codeshare as a template, because the 1st SERVER_DATA happens before the 1st CLIENT_DATA.

e.g.

[root@ve10:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.252:21
   ip protocol 6
   rules myrule
   profiles {
      ftp {}
      tcp {}
   }
}
[root@ve10:Active] config # b rule myrule list
rule myrule {
  when CLIENT_ACCEPTED {
    log local0. "-"
    TCP::collect 0 0
  }
  when CLIENT_DATA {
    log local0. "-"
    log local0. [TCP::payload]
    TCP::release
    TCP::collect
  }
  when SERVER_CONNECTED {
    log local0. "-"
    TCP::collect
  }
  when SERVER_DATA {
    log local0. "-"
    log local0. [TCP::payload]
    TCP::release
    TCP::collect
  }
}

[root@ve10:Active] config # tail -f /var/log/ltm
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <CLIENT_ACCEPTED>: -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <SERVER_CONNECTED>: -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: 220 (vsFTPd 2.0.5)
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <CLIENT_DATA>: -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <CLIENT_DATA>: AUTH GSSAPI
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: 530 Please login with USER and PASS.
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <CLIENT_DATA>: -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <CLIENT_DATA>: AUTH KERBEROS_V4
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: -
Jan 19 16:27:48 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: 530 Please login with USER and PASS.
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule <CLIENT_DATA>: -
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule <CLIENT_DATA>: USER anonymous
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: -
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: 331 Please specify the password.
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule <CLIENT_DATA>: -
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule <CLIENT_DATA>: PASS
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: -
Jan 19 16:27:50 local/tmm info tmm[4884]: Rule myrule <SERVER_DATA>: 230 Login successful.


Instead, I think you should use FTP Proxy v10 to proxy the client connection until the username is received.

FTP proxy v10 by Bhattman
https://devcentral.f5.com/wiki/irules.FTP-Proxy.ashx

e.g.

[root@ve10:Active] config # b virtual bar list
virtual bar {
   snat automap
   destination 172.28.19.252:21
   ip protocol 6
   rules myrule
   profiles {
      ftp {}
      tcp {}
   }
}
[root@ve10:Active] config # b pool foo1 list
pool foo1 {
   members 200.200.200.101:21 {}
}
[root@ve10:Active] config # b pool foo2 list
pool foo2 {
   members 200.200.200.111:21 {}
}
[root@ve10:Active] config # b rule myrule list
rule myrule {
  when CLIENT_ACCEPTED {
    # send our own banner and buffer client data until a pool has been chosen
    TCP::respond "220\r\n"
    TCP::collect
  }
  when CLIENT_DATA {
    if { [TCP::payload] starts_with "USER" } {
      scan [TCP::payload] {USER%s} cuser
      switch $cuser {
        "garfield" { pool foo1 }
        default { pool foo2 }
      }
      # drop the buffered USER line; it is replayed to the server in SERVER_DATA
      TCP::payload replace 0 [string length [TCP::payload]] ""
      TCP::release
      return
    }
    # anything sent before USER (e.g. AUTH) is answered locally and dropped
    TCP::payload replace 0 [string length [TCP::payload]] ""
    TCP::respond "530 Please login with USER and PASS.\r\n"
  }
  when SERVER_CONNECTED {
    # fixed: the original logged [TCP::release] instead of the server port,
    # which is why the log lines below show the server as ...:0
    log local0. "client [IP::client_addr]:[TCP::client_port] server [IP::remote_addr]:[TCP::remote_port]"
    TCP::collect
  }
  when SERVER_DATA {
    # swallow the real server banner and send the stored username upstream
    if { [TCP::payload] starts_with "220" } {
      TCP::respond "USER $cuser\r\n"
      TCP::payload replace 0 [string length [TCP::payload]] ""
    }
    TCP::release
  }
}

# anonymous

[root@centos251 ~]# ftp 172.28.19.252
Connected to 172.28.19.252.
220
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.28.19.252:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,28,19,252,122,137)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 30  2011 pub
226 Directory send OK.

[root@ve10:Active] config # tail -f /var/log/ltm
Jan 19 17:14:52 local/tmm info tmm[4884]: Rule myrule <SERVER_CONNECTED>: client 172.28.19.251:44457 server 200.200.200.111:0

# garfield

[root@centos251 ~]# ftp 172.28.19.252
Connected to 172.28.19.252.
220
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (172.28.19.252:root): garfield
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,28,19,252,193,201)
150 Here comes the directory listing.
226 Directory send OK.

[root@ve10:Active] config # tail -f /var/log/ltm
Jan 19 17:15:35 local/tmm info tmm[4884]: Rule myrule <SERVER_CONNECTED>: client 172.28.19.251:44459 server 200.200.200.101:0
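The data-group version the question asked for, as an added example (not code from the answer above or from the FTP Proxy codeshare): same proxy flow and pool names, with the hard-coded switch replaced by a lookup in an assumed string data group named ftp_special_users whose keys are the usernames and whose value column is left blank, which v10 allows; class match tests the key only, so a username-only list is enough.

```tcl
# Added example: same proxy flow as the answer above, but the pool decision
# comes from a data group instead of a hard-coded switch.
# Assumed data group: ftp_special_users (type string), keys = usernames,
# value column left blank. Pool names foo1/foo2 are the ones used above.
when CLIENT_ACCEPTED {
  # Answer with our own banner; the real server is not connected until
  # a pool has been selected, so nothing leaves the BIG-IP before USER.
  TCP::respond "220\r\n"
  TCP::collect
}
when CLIENT_DATA {
  set line [TCP::payload]
  if { $line starts_with "USER" } {
    # scan returns the number of conversions; anything but 1 means a bare
    # "USER" line with no name, which is rejected instead of being proxied.
    if { [scan $line {USER %s} cuser] != 1 } {
      TCP::payload replace 0 [string length $line] ""
      TCP::respond "501 Syntax error in parameters or arguments.\r\n"
      return
    }
    # Exact, case-sensitive key lookup; the value column is not consulted.
    if { [class match $cuser equals ftp_special_users] } {
      pool foo1
    } else {
      pool foo2
    }
    # Drop the buffered USER line; it is replayed to the server in SERVER_DATA.
    TCP::payload replace 0 [string length $line] ""
    TCP::release
    return
  }
  # Anything sent before USER (AUTH, FEAT, ...) is answered locally and dropped.
  TCP::payload replace 0 [string length $line] ""
  TCP::respond "530 Please login with USER and PASS.\r\n"
}
when SERVER_CONNECTED {
  log local0. "user $cuser client [IP::client_addr]:[TCP::client_port] -> server [IP::remote_addr]:[TCP::remote_port]"
  TCP::collect
}
when SERVER_DATA {
  # Consume the real banner and send the username we already hold.
  if { [TCP::payload] starts_with "220" } {
    TCP::respond "USER $cuser\r\n"
    TCP::payload replace 0 [string length [TCP::payload]] ""
  }
  TCP::release
}
```

Only the first server response is inspected; after the 220 banner is consumed the connection is released and no further TCP::collect is issued, so the rest of the session flows through untouched.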
Thank you very much. This worked great.
