[load balancing] extracting TCP option info

From: Tony Hosseiny <tony_hosseiny [izzat] yahoo.com>
Date: Thu Sep 10 2009 - 14:39:51 EDT

good day all, we have been struggling with IRule to extract some info that is embedded in the TCP Option header and have it as "X-Forwarded for" in the http header destined to the server. does anyone know if F5 gears can do this at all? we are evaluating some ADCs and it seems that Netscaler can do it but not F5!! has anyone done anything similar to this? tony ________________________________ From: Kenneth Salchow <k.salchow [izzat] f5.com> To: Load Balancing Mailing List <lb-l [izzat] vegan.net> Sent: Thursday, September 10, 2009 5:51:18 PM Subject: Re: [load balancing] Quick questions about f5's iRules If you want marketing speak—you need me, not Kirk. ;-) Seriously, you folks have hit upon some of the most basic frustrations that we at F5 have had concerning iRules since their release—particularly with the v9.0 upgrade. Marketing FUD from competitors has obfuscated a couple of points that Kirk makes; like, the events are always firing and the iRules engine is always running. Competitors like to put us in bake-offs and paid-for testing with “a simple iRule” that they never share in the results and then comment on how our performance suffers “simply by turning iRules on”. This is ludicrous, but to people who haven’t worked with our gear and iRules specifically—the numbers say it all. I think I’ve said it on this list a thousand times—we have a long history at F5 of giving our customers plenty of rope with which to hang themselves. It started with Extended Content Verification (ECV) checks over a decade ago that allowed you to execute full shell scripts in order to validate the availability and performance of the server application you were providing HA for. This was unparalleled capability at the time (and still beyond some implementations)—but naturally allowed customers (myself included at the time) to do some really, really bad things to ourselves, our networks and our kit. iRules are really no different. We have provided a fully extensible and flexible capability to change the very nature of application delivery that can meet the unforeseen needs of tomorrow, not just today; that means a lot of ability to break things today. What was that line from Spiderman: with great power comes great responsibility?? ;-) So—don’t take my word for it. Don’t take Kirk’s word for it (although take his word on this over mine any day). Go to http://devcentral.f5.com/ and talk to the people there who make a living doing iRules and iControl. Write your iRule and test it for yourself to see how it impacts YOUR application. If the impact is significant, submit it to DevCentral and see if someone can provide you some ideas how to optimize it—or maybe even do what you’re trying to do a completely different way. I know it would be nice if we could just say—yeah, it will hit you by 10 milliseconds—but it’s just not that simple. Even if a single iRule doesn’t have a massive impact, if you run it on every connection and handle Gbps traffic volumes—it will add up. Great discussion though—and I wish you the best of luck achieving your solution. KJ (Ken) Salchow, Jr.| Manager, Technical Marketing D 651.423.1133 M 612.868.1258 P 206.272.5555 F 206.272.5555 www.f5.com From:lb-l-bounces [izzat] vegan.net [mailto:lb-l-bounces [izzat] vegan.net] On Behalf Of Kirk Bauer Sent: Thursday, September 10, 2009 9:16 AM To: Load Balancing Mailing List Subject: Re: [load balancing] Quick questions about f5's iRules (all of the below is my personal opinion and not any official F5 stance) Of course you are correct, F5 does not and can not guarantee any performance level with iRules in use. It completely depends on what the rule does. As various other replies have mentioned, we do our best to make the iRule engine very efficient, we provide timing abilities to help you tune your iRules, and DevCentral provides a wealth of resources to help you tune iRules for greater efficiency. However, if you want to write an iRule that runs a series of complex mathematical operations on every character in a 512K web page, you can do it, and it will be resource-intensive. Now, for the rest of your questions, I have to mention that I have not seen the source code for any F5 products so I can’t provide you any answers with 100% certainty, but in my understanding: 1) iRules are pre-compiled so we get by with very little overhead apart from the actual commands the iRule runs 2) The iRule engine is always loaded: so going from 0 iRules to 1 simple iRule has minimal impact. 3) All of the events already “fire”, even if no iRules are attached, so again adding a simple iRule has minimal impact. 4) Each connection runs iRules in its own context. So if you have 10,000 active connections, you have up to 10,000 parallel executions of iRules. The rule doesn’t have to complete on one connection before it can run for another. I would consider this very multi-threaded. 5) None of our built-in features are done with iRules, however over the years a number of iRules have been turned into built-in features. I don’t think we have any performance numbers showing how much performance increased, but presumably it did increase a little. You make a good point about L7 versus L4 iRules. In my experience, L4 iRules tend to be very basic and hence extremely fast and efficient. For example, this popular iRule is called “Selective SNAT” which basically will enable SNAT only if the client and the real server are on the same subnet. This eliminates the common problem of a server hitting its own VIP and then that other server responding directly to the first server and bypassing the load balancer. if { [IP::addr [IP::remote_addr] equals [LB::server addr]/16] } { snat automap } The IP::addr command is a built-in command that already does IP/subnet comparisons very efficiently. The IP::remote_addr and LB::server_addr are just hooks into data that is already sitting in memory regarding the connection. The “snat automap” is a built-in command to change ourselves to SNAT mode. So, effectively, by adding this iRule to a virtual server, you are doing one IP address comparison that you would not have done if you just always turned SNAT on. If you think of all of the other calculations that are performed to perform a load balancing decision, this should be a very small percentage in general. From:lb-l-bounces [izzat] vegan.net [mailto:lb-l-bounces [izzat] vegan.net] On Behalf Of Erhan Dolak Sent: Thursday, September 10, 2009 5:49 AM To: 'Load Balancing Mailing List' Subject: Re: [load balancing] Quick questions about f5's iRules Good Day Kirk, I know that most of the vendors does not commit or guaranty the performance or give any performance figures when scripts are used and surprised about your comments. Performance has two dependencies, developer brightness and how the platform handles and executes the code. You may control the second one only to commit best performance J From development perspective, it may be very nice if you could give more detail about how this irules scripts are running on the platform without breaking your company privacy rules. is there any compilation task to convert the script to machine code before executing to achieve the efficiency you described. Also is it possible to create multithread irules scripts or run it in multithread mode? and last question, is there any irules used inside F5 by default to accomplish some basic features defined in the datasheet of the product, so that we can compare the compiled code and irules performance. I always thought that scripting is the weakest link of this kind of platforms and any web application. For “web application load balancing”, the execution delay (not the cpu/memory usage) due to scripts can be understandable and can be seen as part of the web app code but for TCP/UDP load balancing I always prefer to have functions are available in the product in enterprise level solution instead of calling a script. Each hook means delay and resource usage and loading the scripting engine to the memory. Regards, Erhan DOLAK From:lb-l-bounces [izzat] vegan.net [mailto:lb-l-bounces [izzat] vegan.net] On Behalf Of Kirk Bauer Sent: Tuesday, September 08, 2009 8:58 PM To: Load Balancing Mailing List Subject: Re: [load balancing] Quick questions about f5's iRules 1) iRules are event-driven which means you can attach iRule code to various events that already occur in the BIG-IP system. The standard full-proxy mode already fires all of these events, whether or not iRules are being used. So there is no immediate performance impact just by attaching an iRule to a virtual server: in other words, the BIG-IP or the specific virtual sererv will not change modes and become less efficient just because iRules are being used. However, there will be some CPU time required to run the actual iRule code. This is very efficient, and for most iRules (which tend to be fairly trivial) the performance impact is negligible. However, you can do just about anything you want in an iRule, so it is possible to significantly affect performance by creating a very intensive iRule. 2) There are no published tests because each iRule is different. However, BIG-IP includes some great timing functionality so you can determine how much CPU time your iRules utilize, and so you can optimize your iRule by making changes and observing the effects. From:lb-l-bounces [izzat] vegan.net [mailto:lb-l-bounces [izzat] vegan.net] On Behalf Of Joo Yong-Seok Sent: Tuesday, September 08, 2009 10:46 AM To: Load Balancing Mailing List Subject: [load balancing] Quick questions about f5's iRules Hello Load-balancing Gurus, I have simple questions about f5's iRules. Please share your experience if you have anything :-) 1) f5's iRule can impact their L4/L7 performance? it means if we're turning on the options, there is any performance degradation or improvement?(maybe upt to iRule script) 2) If there is any official marketing data in regards of iRule test, where can I get? (like Tolly group report). Thanks in advance. Best regards, - yongseok

_______________________________________________
lb-l mailing list
lb-l@vegan.net
http://vegan.net/mailman/listinfo/lb-l
Searchable Archive: http://vegan.net/lb/archive
http://lbdigest.com Load Balancing Digest
http://lbwiki.com Load Balancing Wiki
Received on Thu Sep 10 14:40:23 2009

This archive was generated by hypermail 2.1.8 : Thu Sep 10 2009 - 14:40:29 EDT