My iRule Impressions & Optimiziation-Request-"Contest" (IP to STOREID)

Question

Hello community, 
&nbsp; first of all I have to say two 4 words: I love our BIGIPs! :-) 
&nbsp;  
&nbsp; But when it comes to "iRule-Scripting", I see some disadvantages not regarding tcl itself, but the implementation of tcl in LTM which brings some limitations with it. (documented here: https://support.f5.com/kb/en-us/solutions/public/6000/300/sol6319.html ). For Example, this disallows "iRulers" like me from using user defined procedures (using the proc command). This is the biggest disadvantage compared to "native" tcl scripting, because you have to write down the same function every time you need it in your script. I know there are already discussions (for example at http://devcentral.f5.com/Default.aspx?tabid=53&amp;forumid=5&amp;tpage=1&amp;view=topic&amp;postid=2156428332 ) and also Customer Requests (CR96170) asking F5 to allow the proc command! I've also contacted our F5 representive refering to this request. Not documented - but also unusable/non-functional - are some math commands like "pow"! ^^ 
&nbsp; Said that, let me talk about my real matter of concern, and why I opened this thread. 
&nbsp;  
&nbsp; I'm working at a retail company in Germany, which got 1400 stores/branchoffices connected to our headquarter. These stores are using webapplications (let's call it the store-intranet) hosted at our headquarter. All this stores, got a unique IP address, which can be calculated on a static algorithm. In the past, the webapplication server knew this algorithm to identfiy the store id by the client ip address or X-Forwarded-For Header including the client ip address. That means that all applications (some written by our own developers, some written by 3rd parties) always had to know the algorithm to calculate the store id based on the ip to enforce permissions/views for the specific store requesting a page/element! 
&nbsp;  
&nbsp;  
&nbsp; Now, having our lovely BIGIPs, we moved this "ip2storeid"-functionality into the loadbalancer (using iRules!), so modifications on this algorithm only have to be done on one central place. This saves a lot of time and prevent implementation errors on the application(server)side. Simply said, the loadbalancer takes the ip, calculates the storeid based on the given algorithm and inserts a X-Store-Id in to the request header before sending it to the application servers. Works like a charme! 
&nbsp;  
&nbsp; BUT! (there's always a but :-))... After evualating the iRule perfomance, it shows up that this algorithm takes "a few" more cpu cycles! This part of the iRule takes an 450000cycles/request average!! 
&nbsp; So I'd like to ask all you "iRulers" out there to take a little challenge on my script, to save cpu cycles ! (but obtain all functionality and errorhandling as already implemented!)... Because of.. ME == networkenginer-by-heart &amp;&amp; ME != programmer-by-heart I guess there is a lot of potential, to save cpu cycles in this part of my I rule. 
&nbsp;  
&nbsp;  
&nbsp; 'Nuff said, here's the part of my iRule I've talked (too much!?) about: 
&nbsp;  
&nbsp;  Set X-VKST-ID 
&nbsp; set ip [IP::client_addr] 
&nbsp;  Setting the ip for testing purposes because dev workstation does not belong to store-network ;-) 
&nbsp; set ip 10.192.18.0 
&nbsp; if {[scan $ip "%d.%d.%d.%d" a b c d] == 4} { 
&nbsp; foreach i "$a $b $c $d" { 
&nbsp; if {($i &gt; 255) || ($i &lt; 0)} { 
&nbsp; return "" 
&nbsp; } 
&nbsp; } 
&nbsp; set iplong [expr {$a} &lt;&lt; 24 | {$b} &lt;&lt; 16 | {$c} &lt;&lt; 8 | {$d}] 
&nbsp; if {$iplong &lt; 0} { 
&nbsp; set iplong [expr 4294967296 + {$iplong}] 
&nbsp; } 
&nbsp; } 
&nbsp; set net_start 172.20.0.0 
&nbsp; if {[scan $net_start "%d.%d.%d.%d" a b c d] == 4} { 
&nbsp; foreach i "$a $b $c $d" { 
&nbsp; if {($i &gt; 255) || ($i &lt; 0)} { 
&nbsp; return "" 
&nbsp; } 
&nbsp; } 
&nbsp; set net_startlong [expr {$a} &lt;&lt; 24 | {$b} &lt;&lt; 16 | {$c} &lt;&lt; 8 | {$d}] 
&nbsp; if {$net_startlong &lt; 0} { 
&nbsp; set net_startlong [expr 4294967296 + {$net_startlong}] 
&nbsp; } 
&nbsp; } 
&nbsp; log local0. "net_startlong1 is $net_startlong" 
&nbsp; set net_size 262144 
&nbsp; set net_segment_size 32 
&nbsp; if { $iplong &gt;= $net_startlong &amp;&amp; $iplong &lt; ( $net_startlong + $net_size ) } then { 
&nbsp; log local0. "netversion 1 found." 
&nbsp; set VKSTID [expr ( {$iplong} - {$net_startlong} ) / {$net_segment_size} ] 
&nbsp; if {[HTTP::header exists X-Store-id]} { 
&nbsp; HTTP::header replace X-Store-Id $VKSTID 
&nbsp; } else { 
&nbsp; HTTP::header insert X-Store-Id $VKSTID 
&nbsp; } 
&nbsp; } 
&nbsp; set net_start 10.192.0.0 
&nbsp; if {[scan $net_start "%d.%d.%d.%d" a b c d] == 4} { 
&nbsp; foreach i "$a $b $c $d" { 
&nbsp; if {($i &gt; 255) || ($i &lt; 0)} { 
&nbsp; return "" 
&nbsp; } 
&nbsp; } 
&nbsp; set net_startlong [expr {$a} &lt;&lt; 24 | {$b} &lt;&lt; 16 | {$c} &lt;&lt; 8 | {$d}] 
&nbsp; if {$net_startlong &lt; 0} { 
&nbsp; set net_startlong [expr 4294967296 + {$net_startlong}] 
&nbsp; } 
&nbsp; } 
&nbsp; log local0. "net_startlong2 is $net_startlong" 
&nbsp; set net_size 4194304 
&nbsp; set net_segment_size 512 
&nbsp; if { $iplong &gt;= $net_startlong &amp;&amp; $iplong &lt; ( $net_startlong + $net_size ) } then { 
&nbsp; log local0. "netversion 2 found." 
&nbsp; set VKSTID [expr ( {$iplong} - {$net_startlong} ) / {$net_segment_size} ] 
&nbsp; if {[HTTP::header exists X-Store-id]} { 
&nbsp; HTTP::header replace X-Store-Id $VKSTID 
&nbsp; } else { 
&nbsp; HTTP::header insert X-Store-Id $VKSTID 
&nbsp; } 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp; The intention for you to help me on this is easy! Save cpu cycles = save power consumption = save planet earth! Long live the green IT! :-)

nat_thirasuttakorn · Answer

Hi saschareuter,  
&nbsp; I think the follow modifications may help....  
&nbsp; - use IP::addr command to manipulate IP address and validate  if the address is valid (you may see example here:- http://devcentral.f5.com/wiki/default.aspx/iRules/IP__addr.html)  
&nbsp; Here is an example iRule that I believe equivalent to yours....  
&nbsp;    
&nbsp; when RULE_INIT {  
&nbsp;  Setting the ip for testing purposes because dev workstation does not belong to store-network ;-)   
&nbsp; set ip 10.192.18.0   
&nbsp; set net_start 172.20.0.0   
&nbsp; set net_maskbit 14  
&nbsp; set net_mask 0.3.255.224  
&nbsp;  0.3.255.224 = 00000000-00000011-11111111-11100000  
&nbsp;  net_size = 262144 so ignore first 14 bits  
&nbsp;  net_segment_size = 32 so ignore last 5 bits  
&nbsp; set net_segment_bit 5  
&nbsp; if { [IP::addr $ip/$net_maskbit equals $net_start] }{  
&nbsp; log local0. "net $net_start found."    
&nbsp; scan [IP::addr $ip mask $net_mask] "%d.%d.%d.%d" a b c d  
&nbsp; set VKSTID [expr ( {$a} &lt;&lt; 24 | {$b} &lt;&lt; 16 | {$c} &lt;&lt; 8 | {$d} ) &gt;&gt; {$net_segment_bit} ]   
&nbsp; log local0. "VKSTID = $VKSTID"  
&nbsp; }  
&nbsp; set net_start 10.192.0.0   
&nbsp; set net_maskbit 10  
&nbsp; set net_mask 0.63.254.0  
&nbsp; set net_segment_bit 9  
&nbsp; if { [IP::addr $ip/$net_maskbit equals $net_start] }{  
&nbsp; log local0. "net $net_start found."    
&nbsp; scan [IP::addr $ip mask $net_mask] "%d.%d.%d.%d" a b c d  
&nbsp; set VKSTID [expr ( {$a} &lt;&lt; 24 | {$b} &lt;&lt; 16 | {$c} &lt;&lt; 8 | {$d} ) &gt;&gt; {$net_segment_bit} ]   
&nbsp; log local0. "VKSTID = $VKSTID"  
&nbsp; }  
&nbsp; }  
&nbsp; &nbsp;  
&nbsp; - combine some command together  
&nbsp; - pre-calculate some value in RULE_INIT event and store it in global variable for reuse (for example, value related to 172.20.0.0 and 10.192.0.0)  
&nbsp; - current version of BIG-IP does not support function (proc) but I believe you might be able to reduce number of lines of irule by using foreach and array variable. 
&nbsp; Nat

sre_81614 · Answer

Hey Nat, 
&nbsp;  
&nbsp; first off all, thanks for the reply :-) I've tried the modified iRule you provided. Functionality is still given (!), and it looks more beautiful. That's all great, but the impact on the cpucycles/perfomance is still very high (i would say somethin' like my first shot)... can you confirm that? I'll try to combine some line, but for now it looks it still uses the same cpu cycles for processing... :-( 
&nbsp;  
&nbsp; Greets, 
&nbsp;  
&nbsp; Sascha

nat_thirasuttakorn · Answer

Hi Sascha, 
&nbsp;  
&nbsp; in my basic test, I have seen cpu cycle reduced. what I did was putting partial of your iRule and mine in RULE_INIT (of separate iRule) and compare cpucycle reported. 
&nbsp; If you still see that cpucycle is very high. Maybe I was missing something. can you post your tested iRule? 
&nbsp; May I ask what hardware/software are you using? (I tested on 6800/v10HF1 and 3600/v9.4.6) 
&nbsp;  
&nbsp; btw, in production irule, you may remove unnecessary log (or consolidate them by saving all information in variable first then issue log command at the end). I guess you may already did this. (so just in case) 
&nbsp;  
&nbsp; Nat

sre_81614 · Answer

Hey Nat, 
  
 here is the whole iRule I use including the "ip to storeid" function. It takes an average of 400.000cpu cycles/request. Putting some of the IP convert functions into the RULE_INIT doesn't work on my BIGIP1600 running V10 HFA2, because [IP::client_addr] isn't known while init. I'm looking forward to see if you can get this rule to burn less cpucycles 😉 
  
 Thanks in advance! 
  
 - SR

timing on 
  
 when RULE_INIT { 
 } 
  
 when HTTP_REQUEST { 
  
      Set default publication and pool 
 set publication vkstintranet 
 pool vkstintranet 
  
  Set publications 
  Syntax: publicpath internalpath pool 
  
     set publications { 
 publicpath1internalpath1appsrv1-8020 
 publicpath2internalpath2appsrv2-8020 
 publicpath3internalpath3appsrv3-8020 
 publicpath4internalpath4appsrv4-8020 
 publicpath5internalpath5appsrv5-8020 
 publicpath6internalpath6appsrv6-8020 
 publicpath7internalpath7appsrv7-8020 
 publicpath8internalpath8appsrv8-8020 
 publicpath9internalpath9appsrv9-8020 
 publicpath10internalpath10appsrv10-8020 
 publicpath11internalpath11appsrv11-8020 
 publicpath12internalpath12appsrv12-8020 
 } 
  
  Always set X-Forwarded-For for transparency... 
 if {[HTTP::header exists X-Forwarded-For]} { 
 HTTP::header replace X-Forwarded-For [IP::client_addr] 
 } else { 
 HTTP::header insert X-Forwarded-For [IP::client_addr] 
 } 
  
  Set X-Store-Id 
  
     set STOREID Non-Store 
 set ip [IP::client_addr] 
  
  Setting the ip for testing purposes because dev workstation does not belong to store-network 😉 
 set ip 172.20.15.32 
  
     set net_start 172.20.0.0 
 set net_maskbit 14 
 set net_mask 0.3.255.224 
 set net_segment_bit 5 
  
 if { [IP::addr $ip/$net_maskbit equals $net_start] }{  
 scan [IP::addr $ip mask $net_mask] "%d.%d.%d.%d" a b c d  
 set STOREID [expr ( {$a} &lt;&lt; 24 | {$b} &lt;&lt; 16 | {$c} &lt;&lt; 8 | {$d} ) &gt;&gt; {$net_segment_bit} ]  
 if {[HTTP::header exists X-Store-id]} { 
 HTTP::header replace X-Store-Id $STOREID 
 } else { 
 HTTP::header insert X-Store-Id $STOREID 
 } 
 }  
  
     set net_start 10.192.0.0 
 set net_maskbit 10 
     set net_mask 0.63.254.0 
 set net_segment_bit 9 
  
 if { [IP::addr $ip/$net_maskbit equals $net_start] }{  
 scan [IP::addr $ip mask $net_mask] "%d.%d.%d.%d" a b c d  
 set STOREID [expr ( {$a} &lt;&lt; 24 | {$b} &lt;&lt; 16 | {$c} &lt;&lt; 8 | {$d} ) &gt;&gt; {$net_segment_bit} ]  
 if {[HTTP::header exists X-Store-id]} { 
 HTTP::header replace X-Store-Id $STOREID 
 } else { 
 HTTP::header insert X-Store-Id $STOREID 
 }  
 }  
  
  We're going to balance (otherwisethe request will be balanced to the default pool of the virtual server)... 
 set requesteduri [HTTP::uri] 
 foreach { publicpath publicpath srvpool } $publications { 
 if { ([HTTP::uri] starts_with "/$publicpath\/") or ([HTTP::uri] equals "/$publicpath")  } { 
 set internalUri [regsub -nocase "/$publicpath/*" [HTTP::uri] ""] 
 HTTP::uri "/$publicpath/$internalUri" 
 set publication $publicpath 
 pool $srvpool 
 } 
 } 
 } 
  
 when HTTP_REQUEST_SEND { 
   log local0. "Source-IP: [IP::client_addr], Source-Port: [client_port], URI: $requesteduri, Publication: $publication, VKST: $STOREID, SelectedPoolAndNode: [LB::server]" 
 } 
  
 when LB_FAILED { 
 HTTP::respond 200 content {

Apology Page

We are sorry, but the site you are looking for is temporarily out of service
  
 If you feel you have reached this page in error, please try again.

} 
 log local0. "Balancing failed. Publication: $publication" 
 }

jrahm · Answer

A couple things come to mind.  Move the math into CLIENT_ACCEPTED since that occurs only once during the session, the scan &amp; expression alone took 130000 cycles in a quick test I just ran.  Also, unless you are eventually going to derive the net values dynamically, just use them directly and avoid setting the variables (net_start, net_mask, net_segment_mask).  Make your next net_start if an elseif so it is not checked if the first is evaluated. 
&nbsp;  &nbsp;

Forum Discussion

My iRule Impressions & Optimiziation-Request-"Contest" (IP to STOREID)

7 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

Related Content

Impressions from OpenStack Summit Barcelona

RSA Impressions: The Intersection of Security and SDN

GITEX Global 2023 in Dubai - DevCentral Visits

GSLB pools, pros and cons to multiple.single pools?

Mobile Threats Rise 261-percent in Perspective