Nimbostratus
The irule should drop the packet by checking the field in Diameter_Result_Code AVP. For instance if the value of Diameter_Result_Code AVP is 4011 then the packet should be dropped and not sent to Diameter_Client. Otherwise F5 should forward the packet.
Can that be done by defining a diameter irule?
Thanks/Ege
EmployeeEmployee
[root@ve1100:Active] config tmsh
root@ve1100(Active)(/Common)(tmos) show sys version
Sys::Version
Main Package
Product BIG-IP
Version 11.0.0
Build 8131.0
Edition Hotfix HF1
Date Tue Oct 4 18:28:31 PDT 2011
root@ve1100(Active)(/Common)(tmos) list ltm virtual vs_scapv2
ltm virtual vs_scapv2 {
destination 172.28.19.252:3868
ip-protocol tcp
mask 255.255.255.255
pool diameter_pool
profiles {
diameter { }
mblb { }
tcp { }
}
rules {
myrule
}
snat automap
vlans-disabled
}
root@ve1100(Active)(/Common)(tmos) list ltm pool diameter_pool
ltm pool diameter_pool {
members {
200.200.200.101:3868 {
address 200.200.200.101
}
}
}
root@ve1100(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
when DIAMETER_INGRESS {
if {[DIAMETER::is_response]} {
log local0. "[IP::remote_addr]:[TCP::remote_port]>[IP::local_addr]:[TCP::local_port]|[DIAMETER::result]"
switch [DIAMETER::result] {
4011 { DIAMETER::drop }
}
}
}
when DIAMETER_EGRESS {
if {[DIAMETER::is_response]} {
log local0. "[IP::local_addr]:[TCP::local_port]>[IP::remote_addr]:[TCP::remote_port]|[DIAMETER::result]"
}
}
}
[root@ve1100:Active] config tail -f /var/log/ltm
Nov 25 11:24:37 tmm info tmm[5633]: Rule /Common/myrule : 200.200.200.101:3868>200.200.200.11:51479|2001
Nov 25 11:24:37 tmm info tmm[5633]: Rule /Common/myrule : 172.28.19.252:3868>172.28.19.251:51479|2001
[root@ve1100:Active] config tail -f /var/log/ltm
Nov 25 11:27:14 tmm info tmm[5633]: Rule /Common/myrule : 200.200.200.101:3868>200.200.200.11:51480|4011
Nov 25 11:27:15 tmm info tmm[5633]: Rule /Common/myrule : 200.200.200.101:3868>200.200.200.11:51480|4011
Nov 25 11:27:16 tmm info tmm[5633]: Rule /Common/myrule : 200.200.200.101:3868>200.200.200.11:51480|4011
this version is also applied to CEA; anyway, i have not found command to silently drop CCA message.
root@ve1100(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
when SERVER_CONNECTED {
TCP::collect
}
when SERVER_DATA {
binary scan [TCP::payload] II a b
set comcode [expr {$b & 0xffffff}]
set mlen [expr {$a & 0xffffff}]
set rflag [expr {($b >> 31)&1}]
if { !($rflag) } {
switch $comcode {
280 -
282 { }
default {
set index 20
while {$index < $mlen} {
binary scan [TCP::payload $mlen] @${index}II avp_code avp_len
set avp_len [expr {$avp_len & 0xffffff}]
set avp_len_pad [expr {(($avp_len + 3)/4)*4}]
if {$avp_code == 268} {
binary scan [TCP::payload $mlen] @[expr {$index + 8}]I result
break
}
incr index $avp_len_pad
}
if {$result == 4011} {
reject
return
}
}
}
}
TCP::release
TCP::collect
}
}