2 - Brocade Community Forums

BROCADE ADX OPENSCRIPT March 2013 Derek Kang (dkang@brocade.com), Solutions Architect 1 Agenda • OpenScript Architecture • Quick Start • Perl Basics • OpenScript Examples • Best Practices 2 OpenScript Architecture 3 What is OpenScript? Open-Standard (Perl) Based Application Delivery Programming Engine Predictable Scripting Engine with Performance Estimator Learn, Browse, Share Scripts through OpenScript Community www.brocade.com/openscript 4 OpenScript Architecture App Core MP Compile OpenScript Engine (event, context) (result) Content Switching Engine • • Packet Out Packet In TCP/UDP/IP Performance estimation Catching syntax errors • Event Driven Model • Script Attached to Virtual Port • Resource Profile Per Script Limits the resource consumption of a script • 1 MB memory foot print • Watch-dog timer (200 ms) • 100 KB data collection per event 5 OpenScript Quick Start 6 OpenScript Quick Start ADX SLB Config server l7-dont-reset-on-vip-port-fail server real rs1 10.1.1.10 port 80 group-id 10 10 Sorry. Get back later. http://20.1.1.1 server real rs2 10.1.1.11 port 80 group-id 10 10 server virtual v1 20.1.1.1 port 80 script “sorry.pl” bind 80 rs1 80 rs2 80 rs1 rs2 OpenScript “sorry.pl” 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 use OS_SLB; use OS_HTTP_REQUEST; my $page; sub BEGIN { $page = "HTTP/1.1 200 OK\r\nContentLength:21\r\nConnection:close\r\nContentType: text/html; charset=UTF-8\r\n\r\n. Sorry .Get. back later.”; } sub HTTP_REQUEST { OS_SLB::forward (10); } sub SERVER_SELECTION_FAILURE { OS_SLB::reply($page); } 7 OpenScript Quick Start Steps With CLI 1. Configure basic L4 SLB server l7-dont-reset-on-vip-port-fail server real rs1 10.1.1.10 port 80 group-id 10 10 server real rs2 10.1.1.11 port 80 group-id 10 10 server virtual v1 20.1.1.1 port 80 bind 80 rs1 80 rs2 80 2. Write a script on your choice of editor use OS_SLB; use OS_HTTP_REQUEST; sub BEGIN { $page = "HTTP/1.1 200 OK\r\nContentLength:21\r\nConnection:close\r\nContentType: text/html; charset=UTF-8\r\n\r\n. Sorry .Get. back later.”; } sub HTTP_REQUEST { OS_SLB::forward (10); } sub SERVER_SELECTION_FAILURE { OS_SLB::reply($page); } 5. Attach the script to the VIP port 3. Upload the script to the ADX ADX#copy tftp usb0 10.120.61.68 sorry.pl sys\dpscript\sorry.pl ADX#show script all index name In Use 1 sorry.pl 4. Compile the script ADX#copy tftp usb0 10.120.61.68 sorry.pl sys\dpscript\sorry.pl ADX#show script all index name In Use 1 sorry.pl ADX#config term ADX(config)#script compile sorry.pl This script is compiled successfully. Performance for this script: - Approximately 9548 connections/second at 10% CPU utilization - Approximately 47744 connections/second at 50% CPU utilization - Approximately 95488 connections/second at 100% CPU utilization server virtual v1 20.1.1.1 port http script “sorry.pl” 8 OpenScript Quick Start Steps With Web GUI 4 3 1 0 GUI Version Check 2 9 Perl Basics 10 Regex $string $string =~ m/pattern/ =~ s/pattern1/pattern2 my $string = “ab-abc-abcd”; $string =~ m/(.*)-/; print “$1\n”; ab-abc my $string = “ab-abc-abcd”; $string =~ m/(.*?)-/ print “$1\n”; ab my $string = “ab-abc-abcd”; $string =~ s/ab/x/ print “$string”; x-abc-abcd my $string = “ab-abc-abcd”; $string =~ s/ab/x/g print “$string”; x-xc-xcd 11 Hash / List / Array %my_hash_table = ( 1030=>”rs1”, 1031=>”rs2” ) $value = $my_hash_table { 1030 } rs1 @my_array = (“url1”, “url2”, “url3”); $value = $my_array [ 0 ]; url1 @my_two_dim_array = ( [ “url1”, 10 ], [ “url2”, 20 ], [ “url3”, 30 ] ) $value = $my_two_dim_array [ 1 ] [ 1 ] $size = scalar ( @my_array ) 20 3 12 Pack, Unpack, Split, Join and Substr my @ip = split('\.', "10.1.2.3"); my @net_mask = split('\.', "255.255.0.0"); pack (template, list) unpack (template, scalar) my $net_ip = pack("C4", @ip) & pack("C4", @net_mask); my $net = join( '.', unpack("C4", $net_ip) ); 10.1.0.0 print "$net\n"; split (‘separator’, scalar) join (‘joiner’, list) substr (data, start, size) $hex_string = "\x7e\xf1"; my $bin_string = unpack("b*", $hex_string); print "$bin_string\n"; 0111111010001111 my $field = substr ($bin_string, 4, 4); print "$field\n"; 1110 13 Conditional Statements if (EXPR) BLOCK if (EXPR) BLOCK else BLOCK if ( $string == “birthday” ) { print "Happy Birthday!\n"; } elsif ($string == “christmas”) { print "Happy Christmas!\n"; if (EXPR) BLOCK elsif (EXPR) BLOCK if (EXPR) BLOCK elsif (EXPR) BLOCK else BLOCK } else { print "Happy Whatever!\n"; } 14 Loop 2 3 for ($i=2; $i<=3; $i++) { print “$i"; } @url = (url1, url2, url3); foreach $i (@url) { print “$i\n”; } url1 url2 url3 @url = (url1, url2, url3); foreach (@url) { print “$_\n”; } $count = 1; while ($count <= 11 ) { $count++; last; $count++; } print “$count\n”; 2 for $i (2..3) { print “$i"; } 15 OpenScript Examples 16 Mitigate DNS Dynamic Update Attack • What is DNS dynamic update? • To update a DNS record on the DNS server dynamically, e.g., IP address change. • What is DNS dynamic DoS attack? • The attack sends a DNS server a crafted DNS dynamic update message to cause a server crash. • Some DNS Server S/Ws based on BIND 9 software are vulnerable to the attack. • Solution − Drop DNS dynamic update messages using OpenScript 17 Drop DNS Dynamic Update (DNS Dynamic Update Message) (ADX CLI Config) server real rs1 10.1.1.2 port 53 group-id 10 10 ! server real rs2 10.1.1.3 port 53 group-id 10 10 server virtual v1 10.1.1.100 port 53 port 53 script dnsdos.pl bind 53 rs1 53 rs2 (dnsdos.pl) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 use OS_UDP; use OS_SLB; sub UDP_CLIENT_DATA{ $payload = OS_UDP::payload; $mydata = unpack( "b*", $payload); $mystring = substr ($mydata, 17, 4); if ($mystring == "0101" ) { OS_SLB::drop; } else { OS_SLB::forward(10); } } 18 Blocking Access to Certain URLs based on Client IP addresses • You want to allow only Intranet clients to access an URL www.mycompany.com/data/, on your company web server. • Your Intranet clients belong to IP subnet 10.x.x.x/8 • If someone outside tries to access, return a page with a message “You are not allowed to access the content”. All PCs www.mycompany.com www.mycompany.com/datapublic Intranet PCs www.mycompany.com/data www.mycompany.com/data/ www.mycompany.com/data/* 19 Blocking Access to Certain URLs based on Client IP addresses 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 use OS_IP; use OS_SLB; use OS_HTTP_REQUEST; my $local_subnet; my $page; sub BEGIN { $local_subnet = “10.”; $page = "HTTP/1.1 200 OK\r\nContent-Length: 43\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\nYou are not allowed to access the content."; } sub HTTP_REQUEST { my $client_ip = OS_IP::src; my $url = OS_HTTP_REQUEST::url; List OpenScript API modules to use Initialization sub routine • Define 10.x.x.x as an internal network • Prepare a web page to return for warning to external clients Main routine • If an external client tries to access www.mycompany.com/data, return a warning page. if (!($client_ip =~ m/^$local_subnet/) && $url =~ m/www.mycompany.com\/data($|\/.*)/) { OS_SLB::reply($page); } else { OS_SLB::forward(1); Regular Expression to match the URL } } 20 SIP VIA Header IP Replacement SIP/2.0 200 OK Via: SIP/2.0/UDP server.foo.com;branch=z9hG4bKnashds8;received=192.0.2.3 Via: SIP/2.0/UDP bigbox.site3.com;branch=z9hG4bK77ef4c2312983.1;received=192.0.2.2 Via: SIP/2.0/UDP pc3.atlanta.com;branch=z9hG4bK776asdhds ;received=192.0.2.1 To: Bob <sip:bob.com>;tag=a6c85cf From: Alice <sip:alice.com>;tag=1928301774 Call-ID: a84b4c76e66710.atlanta.com CSeq: 314159 INVITE Contact: <sip:bob.0.2.4> Content-Type: application/sdp Content-Length: 131 SIP/2.0 200 OK Via: SIP/2.0/UDP server.foo.com;branch=z9hG4bKnashds8;received=10.1.1.100 Via: SIP/2.0/UDP bigbox.site3.com;branch=z9hG4bK77ef4c2312983.1;received=10.1.1.100 Via: SIP/2.0/UDP pc3.atlanta.com;branch=z9hG4bK776asdhds ;received=10.1.1.100 To: Bob <sip:bob.com>;tag=a6c85cf From: Alice <sip:alice.com>;tag=1928301774 Call-ID: a84b4c76e66710.atlanta.com CSeq: 314159 INVITE Contact: <sip:bob.0.2.4> Content-Type: application/sdp Content-Length: 131 21 SIP VIA Header IP Replacement 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 use OS_IP; use OS_UDP; my $vip; sub BEGIN { $vip = 10.1.1.100; # VIP you want to put in the Via header } sub UDP_CLIENT_DATA{ my $client_ip = OS_IP::src; my $sip_msg = OS_UDP::payload; if ($sip_msg =~ s/ (.*?Via:) (.*?;) (.*?;) (received=) (\d{1,3}\. \d{1,3}\. \d{1,3}\. \d{1,3}) / $1 $2 $3 $4 $vip /xig) { OS_UDP::payload($sip_msg); } else { OS_SLB::log (“Warning : SIP client $client_ip : VIA header was not found”); } } 22 OpenScript Best Practices 23 OpenScript Best Practices • Readability • Performance • Trouble Shooting 24 Variable Names and Spaces Around No CamelCase DO my $variable_that_contains_my_server_name = gather_server_stats (gigantic_apache_web_server); DO NOT my $variableThatContainsMyServerName = gatherServerStats (giganticApacheWebServer) ; 25 Spaces Around Operators and After Commas DO my %server_list = (1030=>”rs1”, 1031=>”rs2” ); DO NOT my %server_list=(1030=>”rs1”,1031=>”rs2” ); 26 Regular Expression DO / ( [a-fA-F0-9] ) - [a-fA-F0-9]{4} - [a-fA-F0-9]{4} - [a-fA-F0-9]{4} - [a-fA-F0-9]{12} /x DO NOT /([a-fA-F0-9])-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}/ Also, Don’t Overdo Regex 27 Compile with “Strict” script compile <script file name> strict Or include in the OpenScript code use strict; use Sub::StrictDecl; …………………………… ……………………………. ADX(config)#script compile hello.pl This script is compiled successfully. Performance for this script: - Approximately 5200 connections/second at 10% CPU utilization - Approximately 26200 connections/second at 50% CPU utilization - Approximately 52400 connections/second at 100% CPU utilization ADX(config)#script compile hello.pl strict S_my_exit_jump being called Compile Errors found : Undeclared subroutine &OS_SLB::Forward at -e line 11. BEGIN not safe after errors--compilation aborted at -e line 17. * the strict option in the compilation CLI and Sub:StrictDecl require 12.4.00f or later. 28 SLB Forwarding API Use OS_HTTP_REQUEST () { if ( EXPR ) { OS_SLB::forward(1); } OS_SLB::forward(2); } OS_HTTP_REQUEST () { if ( EXPR ) { OS_SLB::forward(1); } else { OS_SLB::forward(2); } } Wrong 29 No Object Oriented Convention DO $url = OS_HTTP_REQUEST::url; DO NOT $req_obj = OS_HTTP_REQUEST::get; $url = $req_obj->url Not Supported, starting in 12.4.00e for increased performance by 30% 30 BEGIN Subroutine my %network_group; my $net_mask_hex; sub BEGIN { my $net_mask = "255.255.0.0"; %network_group = ( "10.1.0.0“ => "GROUP_A“, "10.2.0.0“ => "GROUP_B”, “10.3.0.0“ => "GROUP_C" ); my @net_mask = split ('\.', $net_mask); $net_mask_hex = pack(C4, @netmask); • Do not assign a value to a variable outside a sub routine • Just declare the variable with the scope“my” outside a sub routine as lexical scoping is required. Do As Many As Operations in the BEGIN } my $ip = OS_IP::src; my @ip = split ('\.', $ip); my $net_hex = pack ("C4", @ip) & $net_mask_hex; Main Event Handler $net = join (‘.', unpack("C4", $net_hex) ); $group_name = $network_group { $net }; 31 Print Statement and Log script-profile production print-output none ! server virtual v1 10.24.142.86 port http port http script "hello.pl" script-profile "production” print: Do not use in production except for debugging purpose OS_SLB::log: Use to log unexpected and rare events in production environment 32 Use Memory To Save CPU sub HTTP_REQUEST { my $host = OS_HTTP_REQUEST::host; my %host_server_mapping; } elsif ( $host =~ m/www.host2.com ) { OS_SLB::forward (rs2); sub BEGIN { %host_server_mapping = { “www.host1.com”=>”rs1”, “www.host2.com”=>”rs2”, “www.host3.com”=>”rs3”}; } } elsif { $host =~ m/www.host3.com ) { OS_SLB::forward (rs3); sub HTTP_REQUEST { my $host = OS_HTTP_REQUEST::host; if ( $host =~ m/www.host1.com/) { OS_SLB::forward (rs1); my $server = $host_server_mapping {$host}; } else { OS_SLB:reset_client(); } if ( $server ) { OS_SLB::forward($server); } else { OS_SLB:reset_client(); } } } 33 Release Memory After Use my %url_hash = (); sub HTTP_REQUEST () { my $req_id = OS_CONN::client_connection; $url_hash {$req_id} = OS_HTTP_REQUEST::url; } sub HTTP_RESPONSE () { my $req_id = OS_CONN::client_connection; print “url from the corresponding request is $url_hash{$req_id} \n”; delete $url_hash{$req_id}; } 34 Trouble Shooting Where To Start • Is my script attached to a VIP? • Did the script modification take into effect? • Do event counters increase? show script <script name> program • Does my script reset? show script <script name> detail <vip name> <port> • Is there any typo in OpenScript APIs? script compile <script name> strict • Is the cause of a problem not identified? script update <script name> use “print” in the script url debug 3, debug filter, packet capture 35 Trouble Shooting What To Gather To Escalate • Problem description • show run • show script <script name> program • show script <script name> detail <vip name> <port> • Gather 2~3 times after issuing “script update” to reset counters. • url debug 3 <client ip> • packet trace from your client PC 36 Trouble Shooting Example My OpenScript code does not send a sorry page out though all servers are down. ADX#show server bind Bind info Virtual server: test Status: enabled IP: 20.1.1.1 ADX(config)#script compile sorry.pl strict http -------> rs1: 10.10.1.10, http (Failed) show script sorry.pl program This script is compiled successfully. rs2: 10.10.1.1, http (Failed) Performance for this script: use OS_SLB; - Approximately 4100 connections/second at 10% CPU utilization use OS_HTTP_REQUEST; - Approximately 20600 connections/second at 50% CPU utilization show run - Approximately 41200 connections/second at 100% CPU utilization my $page; ADX#show script sorry.pl detail v1 80 server real rs1 10.1.1.10 =============================================== port 80 group-id 10 10 sub BEGIN { Virtual Server: v1 $page = "HTTP/1.1 200 OK\r\nContentService-Port: http server real rs2 10.1.1.11 Length:21\r\nConnection:close\r\nContent- Script State: ACTIVE port 80 group-id 10 10 Type: text/html; charset=UTF-8\r\n\r\n. Last Updated: 00:59:21, GMT+00, Sun Mar 3 2013 Sorry .Get. back later.”; server virtual v1 20.1.1.1 } Script Restart: 0 port 80 script “sorry.pl” bind 80 rs1 80 rs2 80 sub HTTP_REQUEST { Total Connections: 0 OS_SLB::forward (10); Concurrent Connections: 0 } Error Counters: sub SERVER_SELECTION_FAILURE { exceed max rewrite entry: OS_SLB::reply($page); } Hits Per Event: HTTP Request event: server l7-dont-reset-on-vip-port-fail 37 THANK YOU 38

2 - Brocade Community Forums

Related documents

Products

Support

2 - Brocade Community Forums

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib