Michael_Hull_61
Dec 21, 2005

Connection verification to another pool

Pools are named Pool_1 and Pool_2 and exist on the same BigIP pair.

I want to know if an iRule can allow a connection to Pool_2 only if you already have a current connection to Pool_1?

Scenario 1:

A web client establishes a connection to a virtual tied to Pool_1.

From the same host, the user opens up another web client and connects to another virtual tied to Pool_2. In this case, the connection to Pool_2 is successful because the host has already established a connection to Pool_1.

Scenario 2:

A web client tries to establish a connection to a virtual tied to Pool_2. The BigIP determines there is no connection already established with Pool_1 and drops/redirects the connection.

4 Replies

  • You should be able to populate a global array with client IP address when connected to Pool_1, then check the array when clients attempt connection on other vs with Pool_2, and discard if client IP is not in the array. This should get you started. You'll probably want to add some error checking and a method to clean up the array.

    
    # virtual server 1 iRule (pool 1)
    when CLIENT_ACCEPTED {
       # populate array with client IP address
       set ::pool1_clients([IP::client_addr]) 1
       use pool Pool_1
    }
    # virtual server 2 iRule (pool 2)
    when CLIENT_ACCEPTED {
       # info exists takes the variable name, so no leading $
       if { [info exists ::pool1_clients([IP::client_addr])] } {
          use pool Pool_2
       } else { redirect "http://" }
    }
  • Thank you very much for your quick response!! I will get with the application owners to see when we can test these rules.
  • unRuleY_95363
    Historic F5 Account
    You should probably do this with the session table instead (using the "session add" and "session lookup" commands). The session table has a timeout associated with the entries, so you don't need to worry about eventually using up all the memory on your box since nothing removes entries from the global array.
  • unRuleY_95363
    Historic F5 Account
    Try this rule:
    # virtual server 1 iRule (pool 1)
    when CLIENT_ACCEPTED {
       # populate session table with client IP address for 1 hour
       session add source_addr [IP::client_addr] 1 3600
       use pool Pool_1
    }
    # virtual server 2 iRule (pool 2)
    when CLIENT_ACCEPTED {
       # session lookup returns an empty string when there is no entry
       if { [session lookup source_addr [IP::client_addr]] ne "" } {
          use pool Pool_2
       } else {
          redirect "http://"
       }
    }

    Note each session lookup refreshes the TTL on a session table entry, so as long as subsequent requests occur within an hour, the entry will remain active.
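
Added example, not part of the thread and not F5 code: a small Python model of the idle-timeout behaviour described in the last reply, where each lookup refreshes an entry's TTL and a client idle for longer than the timeout loses access to Pool_2. `SessionTable`, `vs1_accept` and `vs2_accept` are hypothetical names, the clock is injectable for testing, and dropping expired entries in `purge` is an assumption of the model.

```python
# Model of a session table with a sliding (refresh-on-lookup) timeout.
# Illustration only: this is not BIG-IP code and all names are hypothetical.
import time


class SessionTable:
    """Key/value table whose entries expire after an idle timeout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so time can be advanced in tests
        self._entries = {}       # key -> (data, timeout, expires_at)

    def add(self, key, data, timeout):
        self._entries[key] = (data, timeout, self._clock() + timeout)

    def lookup(self, key):
        """Return the stored data or None; a hit pushes the expiry out again."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        data, timeout, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[key]   # idle too long: forget the client
            return None
        self._entries[key] = (data, timeout, self._clock() + timeout)
        return data

    def purge(self):
        """Drop expired entries and return how many remain (bounded memory)."""
        now = self._clock()
        for key in [k for k, e in self._entries.items() if now >= e[2]]:
            del self._entries[key]
        return len(self._entries)


def vs1_accept(table, client_ip, timeout=3600):
    """Virtual server 1: remember the client, then select Pool_1."""
    table.add(client_ip, 1, timeout)
    return "Pool_1"


def vs2_accept(table, client_ip):
    """Virtual server 2: Pool_2 only for clients already seen on server 1."""
    return "Pool_2" if table.lookup(client_ip) is not None else "redirect"
```

Unlike the global array in the first reply, nothing here has to be cleaned up by hand: an address that stops connecting ages out on its own.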