
Forum Discussion

Kamao
Apr 16, 2014

FAILED selecting pool based on DNS reverse lookup result.

Hi, I want to select a pool based on the DNS reverse lookup result for SMTP connections, but it did not work and the following log appeared in /var/log/ltm.

iRule:

    -----
    when CLIENT_ACCEPTED {
        NAME::lookup @ [IP::client_addr]
    }
    when NAME_RESOLVED {
        set ptr [string tolower [NAME::response]]
        log local0. "[IP::client_addr]:[TCP::client_port]: Lookup result: $ptr"
        if { $ptr ends_with ".jp" } {
            pool SMTP_AUTH_Pool
        } else {
            pool SMTP_Fallback_Pool
        }
    }
    -----

Log:

    Apr 16 14:44:18 local/tmm info tmm[5276]: Rule dns_reverse_lookup_test : XXX.XXX.XXX>XXX:15751: Lookup result: ****.jp
    Apr 16 14:44:18 local/tmm err tmm[5276]: 01220001:3: TCL error: dns_reverse_lookup_test - Address in use (line 1) invoked from within "pool SMTP_AUTH_Pool"

 

The platform is BIG-IP LTM 3900 (BIG-IP Version 10.2.1 297.0). Would it work if I changed the iRule contents?

 

--kamao

 

8 Replies

  • Kamao

    Thanks for your answer!

    I tried below:

    -----
    when CLIENT_ACCEPTED {
        set ptr [RESOLV::lookup @ inet -ptr [IP::client_addr]]
        if { $ptr ends_with ".jp" } {
            pool SMTP_AUTH_Pool
            log local0. "selected SMTP_AUTH_Pool ptr = $ptr"
        } else {
            pool SMTP_Fallback_Pool
            log local0. "selected SMTP_Fallback_Pool ptr = $ptr"
        }
    }
    -----
    

    but $ptr was empty, although I tried with an IP address that should reverse-resolve.

    There is a known issue, "sol12378: The 'RESOLV::lookup -ptr' iRule command fails to return a valid hostname", so I think it does not work. (Our BIG-IP version is 10.2.1 297.0.)

    Is there a way to use the NAME:: method instead of the RESOLV:: method?

    thank you for your help!

  • e.g.

     config
    
    [root@ve10:Active] config  tmsh list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.9:http
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            tcp { }
        }
        rules {
            qux
        }
        snat automap
    }
    [root@ve10:Active] config  tmsh list ltm rule qux
    ltm rule qux {
        when CLIENT_ACCEPTED {
       # 8.8.8.8 is dns server
       # 203.216.231.189 is yahoo.co.jp
      NAME::lookup @8.8.8.8 inet -ptr 203.216.231.189
    }
    when NAME_RESOLVED {
      if { [domain [NAME::response] 1] eq "jp" } {
        log local0. "jp - do something"
      } else {
        log local0. "not jp - do something else"
      }
    }
    }
    
     log
    
    [root@ve10:Active] config  tail -f /var/log/ltm
    Apr 16 15:49:45 local/tmm info tmm[4955]: Rule qux : jp - do something
    
  • Kamao

    Thanks for your answer, nitass.

    I tried below:

    -----
    when CLIENT_ACCEPTED {
        NAME::lookup @210.141.48.50 [IP::client_addr]
    }
    when NAME_RESOLVED {
        set ptr [string tolower [NAME::response]]
        log local0. "[IP::client_addr]:[TCP::client_port]: Lookup result: $ptr"
        if { $ptr ends_with ".jp" } {
            pool SMTP_AUTH_Pool
        } else {
            pool SMTP_Fallback_Pool
        }
    }
    -----

    but the log below appeared.

    Apr 16 14:44:18 local/tmm info tmm[5276]: Rule dns_reverse_lookup_test : XXX.XXX.XXX>XXX:15751: Lookup result: ****.jp
    Apr 16 14:44:18 local/tmm err tmm[5276]: 01220001:3: TCL error: dns_reverse_lookup_test - Address in use (line 1) invoked from within "pool SMTP_AUTH_Pool"

     

    Maybe at CLIENT_ACCEPTED the SMTP connection is forwarded to the real server, and then it tries to be re-forwarded to a real server at NAME_RESOLVED.

     

    Is there a way to make it work?

     

    -- thank you for your help!

     

  • Apr 16 14:44:18 local/tmm err tmm[5276]: 01220001:3: TCL error: dns_reverse_lookup_test - Address in use (line 1) invoked from within "pool SMTP_AUTH_Pool"

     

    I understand that since NAME::lookup does not suspend iRule processing, NAME_RESOLVED will be triggered after SERVER_CONNECT, so the "address in use" TCL error will be returned.

     

    I think the better way is to apply the hotfix (in the case of 10.2.1) or upgrade to a non-affected version and use RESOLV::lookup.

     

  • Another solution off the top of my head is to trigger LB_FAILED and reselect the pool.

    e.g.

     config
    
    root@ve10(Active)(tmos) list ltm rule qux
    ltm rule qux {
        when CLIENT_ACCEPTED {
      log local0. ""
       # 8.8.8.8 is dns server
       # 203.216.231.189 is yahoo.co.jp
      NAME::lookup @8.8.8.8 inet -ptr 203.216.231.189
       # fake node (to trigger LB_FAILED)
      node 1.2.3.4 80
    }
    when NAME_RESOLVED {
      log local0. ""
      if { [domain [NAME::response] 1] eq "jp" } {
        set pool_name foo
      } else {
        set pool_name default
      }
    }
    when LB_FAILED {
      log local0. ""
      LB::reselect pool $pool_name
    }
    when SERVER_CONNECTED {
      log local0. ""
    }
    }
    
     log
    
    [root@ve10:Active] config  tail -f /var/log/ltm
    Apr 16 17:44:53 local/tmm info tmm[4955]: Rule qux :
    Apr 16 17:44:53 local/tmm info tmm[4955]: Rule qux :
    Apr 16 17:45:05 local/tmm info tmm[4955]: Rule qux :
    Apr 16 17:45:05 local/tmm info tmm[4955]: Rule qux :
    
  • Kamao

    Hi, nitass, thank you for your answer!

    I tried below:

    when CLIENT_ACCEPTED {
        NAME::lookup @DNS_SERVER_IP [IP::client_addr]
        node 172.17.20.104:8080    ;# down node
    }
    
    when NAME_RESOLVED {
        set ptr [string tolower [NAME::response]]
        log local0. "[IP::client_addr]:[TCP::client_port]: Lookup result: $ptr"
        if { $ptr ends_with ".jp" } {
            set pool_name SMTP_AUTH_Pool
        } else {
            set pool_name SMTP_Fallback_Pool
        }
    }
    
    when LB_FAILED {
        log local0. "LB_FAILED triggered."
        LB::reselect pool $pool_name
    }
    
    when SERVER_CONNECTED {
        log local0. "SERVER_CONNECTED triggered. Pool is $pool_name."
    }
    

    It worked!! But sometimes it failed and logged the following.

    Apr 17 09:00:05 local/tmm1 err tmm1[5277]: 01220001:3: TCL error: dns_reverse_lookup_test  - can't read "pool_name": no such variable     while executing "LB::reselect pool $pool_name"

    I think it is due to the timing of processing NAME_RESOLVED and LB_FAILED. If NAME_RESOLVED is processed earlier than LB_FAILED, it succeeds, but if NAME_RESOLVED is processed later than LB_FAILED, it fails.

    I think our BIG-IP should be upgraded to a non-affected version to use RESOLV::lookup.

    Thanks so much, nitass!

  • I think it is due to the timing of processing NAME_RESOLVED and LB_FAILED. If NAME_RESOLVED is processed earlier than LB_FAILED, it succeeds, but if NAME_RESOLVED is processed later than LB_FAILED, it fails.

     

    Yes, I think so. In the case of HTTP, we can hold iRule processing using HTTP::collect.

     

    I think our BIG-IP should be upgraded to a non-affected version to use RESOLV::lookup.

     

    totally agree :)
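The "can't read pool_name" error in the LB_FAILED workaround above comes from LB_FAILED firing before NAME_RESOLVED has set the variable. The following added example (not code from the thread or from F5) gives the variable a safe default before the lookup is issued, so the race produces a logged fallback instead of a Tcl error and a dropped connection; it does not change the ordering itself, so a client whose PTR arrives late still lands in the fallback pool. The pool names, the @DNS_SERVER_IP placeholder and the unreachable 192.0.2.1 node are assumptions.

```tcl
# Added example, not from the original thread: LB_FAILED workaround with a
# default pool set before NAME::lookup so that LB_FAILED never reads an
# unset variable. Pool names, DNS server and fake node are assumptions.
when CLIENT_ACCEPTED {
    # Safe default: used whenever the PTR answer is not in yet.
    set pool_name SMTP_Fallback_Pool
    set ptr ""
    # NAME::lookup does not suspend the iRule; the answer arrives in NAME_RESOLVED.
    NAME::lookup @DNS_SERVER_IP inet -ptr [IP::client_addr]
    # Unreachable node (TEST-NET address, assumed) used only to trigger LB_FAILED.
    node 192.0.2.1 80
}

when NAME_RESOLVED {
    set ptr [string tolower [NAME::response]]
    # A PTR record is published by whoever runs the reverse zone for the client
    # address, so treat the suffix as a routing hint, not as authentication.
    if { $ptr ends_with ".jp" } {
        set pool_name SMTP_AUTH_Pool
    }
    log local0. "[IP::client_addr]:[TCP::client_port] ptr=$ptr pool=$pool_name"
}

when LB_FAILED {
    # Runs when the connect to the fake node fails; pool_name is always defined.
    if { $ptr eq "" } {
        log local0. "[IP::client_addr]:[TCP::client_port] PTR not resolved yet, using $pool_name"
    }
    LB::reselect pool $pool_name
}

when SERVER_CONNECTED {
    log local0. "[IP::client_addr]:[TCP::client_port] connected via pool $pool_name"
}
```

Counting the "PTR not resolved yet" lines in /var/log/ltm shows how often the race is lost, which is the number to watch before deciding whether the hotfix or upgrade to RESOLV::lookup is needed.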