Forum Discussion

Joe_Erchul_4263
Oct 28, 2009

Rejecting a connection based on address and time of day?

Gang,

I've received a request from our Application folks to drop a connection between a client machine and a database server every day at midnight (or some other wee-morning-hour time). This connection traverses a load-balancer. I can think of a way to construct the iRule with the source and destination addresses, but what format would the "time of day" variable take?

Thanks in advance.

Joe

7 Replies

  • Hi Joe,

    There isn't a simple way to remove a connection table entry from an iRule. An iControl app would be more suitable for this. You can check the iControl page (Click here) for some links on using the iControl API.

    Aaron
  • Hi Joe,

    That might have been bad advice actually. It looks like there isn't a supported way to remove individual connection table entries from the connection table via iControl right now. You can check this post for details:

    System::Connections seems to be gone from the SDK
    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=86013&forumid=1&tpage=186023

    You could potentially use 'b conn' to look up and delete a connection from the LTM command line. However, there is a limit of ~7000 entries that 'b conn' will output:

    SOL6573 - The bigpipe conn command displays a maximum of 7037 connections
    https://support.f5.com/kb/en-us/solutions/public/6000/500/sol6573.html

    You might consider opening a case with F5 Support and ask them for a recommendation on how to do this. If they can't come up with anything foolproof, it would make for a good 'request for enhancement'.

    Aaron
  • Joe: I'd consider going back to good ol' crontab for this particular job. It's perfectly suited for it, and you won't run into any challenges this way: the bigpipe command will absolutely work for you here from the shell.

    Post back if you need any assistance with this. If you're not familiar with cron, have a peek at this solution: https://support.f5.com/kb/en-us/solutions/public/8000/400/sol8430.html.

    -Matt
  • This may be of help regarding using time in an iRule:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=13201

  • I haven't had a chance to try this out, but I think the general logic MAY look something like this:

    1. Create a Datagroup named "ServerAddress" and throw in the IP of the server. If you use a datagroup it can be easier to expand the iRule in the future (IMO).

    2. iRule similar to the one below:

    when CLIENT_ACCEPTED {
        # "clock seconds" returns the current time in seconds since the epoch.
        # "clock format" turns that value into its date/time components (here: weekday and hour).
        # split chops the returned string into a list of elements.
        set l [split [clock format [clock seconds] -format {%A %H}] " "]

        # Parse the hour as a decimal integer: a bare "08"/"09" would be read as an invalid octal number by expr
        scan [lindex $l 1] %d hour

        # Next add the time check logic (here: from midnight up to 02:00)
        if { ($hour >= 0) && ($hour < 2) } {
            # Put in iRule logic here
            if { [matchclass [IP::client_addr] equals $::ServerAddress] } {
                discard
            }
        }
    }
  • naladar, you can definitely check the current time from an iRule. But short of collecting the payload for every TCP connection to the VIP, I don't think you can kill an existing TCP connection from hour X through hour Y. You could potentially use discard or TCP::close to close new connections attempted during the time window, but I don't think that was the original poster's scenario.

    Aaron
  • Aaron,

    Your summarization is correct. I need to sever the connection between a host and a database server every day at midnight. Our Unix geeks can cron something, but we wanted to explore the options that the LTM could provide.

    Thanks to all for the suggestions. I've got a few things with which I can work.

    Joe
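The time-of-day check sketched in the iRule reply above, carried a step further as an added example (not code posted in this thread): it compares minutes since midnight so the window may cross midnight, which an hour-only comparison cannot express, and it only ever sees new connections in CLIENT_ACCEPTED, so established flows still need the cron/bigpipe route. It assumes the v9-era syntax used in the thread, an address datagroup named ServerAddress, and hypothetical window bounds held in global variables.

```tcl
# Added example, not from the thread. Assumes v9-era iRule syntax: an address
# datagroup "ServerAddress" (matchclass) and window bounds held in globals.
when RULE_INIT {
    # Window as minutes since midnight (local time); 23:30 -> 00:30 wraps past midnight
    set ::win_start [expr {23 * 60 + 30}]
    set ::win_end   [expr {0 * 60 + 30}]
}

when CLIENT_ACCEPTED {
    # Only NEW connections pass through this event; established flows are
    # untouched (Aaron's point above), so live ones still need a cron job.
    # %H%M yields e.g. "0007"; scan with %2d%2d parses decimally, so "08"/"09"
    # are not misread as invalid octal numbers by expr.
    scan [clock format [clock seconds] -format {%H%M}] {%2d%2d} hh mm
    set now [expr {$hh * 60 + $mm}]

    if { $::win_start <= $::win_end } {
        # Plain window, e.g. 00:00 -> 02:00
        set in_window [expr {$now >= $::win_start && $now < $::win_end}]
    } else {
        # Window crosses midnight, e.g. 23:30 -> 00:30
        set in_window [expr {$now >= $::win_start || $now < $::win_end}]
    }

    if { $in_window && [matchclass [IP::client_addr] equals $::ServerAddress] } {
        log local0. "Rejecting new connection from [IP::client_addr] inside window"
        reject
    }
}
```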