Forum Discussion

yquirion's avatar
yquirion
Icon for Altostratus rankAltostratus
Mar 05, 2018

iRules and variable initialization

Hello,

 

I'm new to F5 BigIP and there is something I don't understand well regarding iRules and variables.

 

I have a VIP on which I have two iRules applied. The first one, the an iRule to log the connection on my syslog server using HSL method. Into this script I initialize several variables into CLIENT_CONNECTED event: set timestamp [clock format [clock seconds] -format {%Y-%m-%d_%H:%M:%S}] set cip [IP::client_addr] set cport [TCP::client_port] set vip [IP::local_addr] set vport [TCP::local_port] set partition [lindex [split [virtual name] /] 1] set script_name "logging_clients_https"

 

Then later, into the SERVER_CONNECTED event, I'm using those variable to generate my log line to be sent to the syslog server: set hsl [HSL::open -proto UDP -pool /$partition/syslogi_pool ] HSL::send $hsl "<$partition>:<$script_name> Client IP: $cip:$cport -> Dest VIP: $vip:$vport to SNAT To: $snat_ip:$snat_port -> $sip:$sport [Cipher: $used_cipher] "

 

This iRule has been created into the Common partition to allow my users, who are in charge of their ownm partition, to use that rule without having to redefined it on their partition and have the same iRule being created to accomplish the save.

 

The second iRule is more specific for a particular VIP and won't be used into another one. One more time, this rules is to send logs to my syslog server, using HSL.

 

On the event HTTP_REQUEST, I will initialize some variables: when HTTP_REQUEST { set DEBUG 0 set CLASSLISTA "/INFRA-PROD/IP_Clients_Sofe_B2C_CL" set CLASSLISTB "/INFRA-PROD/IP_Clients_Sofe_B2C_FORM_CL" set partition [lindex [split [virtual name] /] 1] set script_name "intranet_sofe_test_filter" ... }

 

As you can see, in both iRule, I'm using the same variable (partition, and script_name). This is because, on my syslog server, I want to know from which partition the iRule has been called from, and also I want to know which iRule it is. That way, it will be easier for me to debug if needed.

 

So, each time I send a log line to my syslog server, it will start with the same information: HSL::send $hsl "<$partition>:<$script_name> Message to log..."

 

However, that being said, when I the iRule are being executed, I have a problem with the variable initialization. Here is an example of what I have on the syslog server:

 

Mar 5 11:18:34 132.210.7.7 :<intranet_sofe_test_filter> Alerte! Accès non autorisé à SOFE Client_IP:10.45.49.80%7 URI:/b2c/sofe_b2c_connect.pl

 

Mar 5 11:18:34 132.210.7.7 :<intranet_sofe_test_filter> Client IP: 10.45.49.80%7:54150 -> Dest VIP: 132.210.7.64%7:443 to SNAT To: 132.210.7.123%7:54150 -> 10.32.96.236%7:7800 [Cipher: ECDHE-RSA-AES128-GCM-SHA256]

 

You can see that the variable script_name has the same value for both separate iRule. Furthermore, when I add an "unset " argument after the "Alerte!" log line into that iRule, I will got this on ltm log file:

 

Mar 5 10:57:34 f5-0905 err tmm2[17429]: 01220001:3: TCL error: /Common/logging_clients_https - can't read "partition": no such variable while executing "HSL::open -proto UDP -pool /$partition/syslogi_pool "

 

So I really don't understand how variable are initialized into iRule. His somebody can kindly tries to explain me that behavior?

 

Thank you and best regards, Yanick

 

4 Replies

  • Hello Yanick,

    To solve this, you will need to use a different variable name in place of

    script_name
    in your second iRule, i.e.
    script_name_intranet
    . When writing iRules, in particular if there are other developers involved, it's best to avoid generic variable names like "log", "time" etc. TMM does not want one variable name to be used twice. Although, this will not cause any issues before 2 iRules where a variable name overlaps are applied to the same Virtual Server. While you're at it, check if other iRules have specific-enough variable names to prevent the same issue in future.

    Rgds,

    • yquirion's avatar
      yquirion
      Icon for Altostratus rankAltostratus

      Hi Hannes,

       

      Thank you very much for the clarification. We were with another brand of load balancer before, using TCL script as well, and we never face that problem with those devices. Maybe they treat each TCL script as one and the variable are flushed after each script execution.

       

      That being said, we will change our approach in developing iRules.

       

      Thanks again and best regards, Yanick

       

  • Hello Yanick,

    To solve this, you will need to use a different variable name in place of

    script_name
    in your second iRule, i.e.
    script_name_intranet
    . When writing iRules, in particular if there are other developers involved, it's best to avoid generic variable names like "log", "time" etc. TMM does not want one variable name to be used twice. Although, this will not cause any issues before 2 iRules where a variable name overlaps are applied to the same Virtual Server. While you're at it, check if other iRules have specific-enough variable names to prevent the same issue in future.

    Rgds,

    • yquirion's avatar
      yquirion
      Icon for Altostratus rankAltostratus

      Hi Hannes,

       

      Thank you very much for the clarification. We were with another brand of load balancer before, using TCL script as well, and we never face that problem with those devices. Maybe they treat each TCL script as one and the variable are flushed after each script execution.

       

      That being said, we will change our approach in developing iRules.

       

      Thanks again and best regards, Yanick