Flow Filter¶
For subscriber traffic, policies can include one or more rules based on Layer 2 (L2), Layer 3 (L3), or Layer 4 (L4) parameters. For example, rules can be defined to filter traffic based on a specific source address, protocol, source VLAN, or similar criteria. These rules can then be attached to a policy and applied. This capability allows service providers to analyze and manage traffic at a granular level, enabling them to take appropriate actions as needed.
Procedures¶
Following are the steps to install and apply the flow filter use case:
Apply PE Policy¶
In the example mentioned in this section, the PE Policy CR denies the traffic when the traffic matches the criteria, which has destination address as 22.22.22.100, the destination port as 80, IP version as IPv4, and the protocol as TCP.
Copy the following example in
pem-policy-flow-filter.yamlfile.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigPePolicy
metadata:
name: "pem-policy-flow-filter"
spec:
description: "pem policy for flow filter"
rule:
- name: flow-filter
precedence: 1
filter:
flow:
- name: test-flow
destinationAddress: 22.22.22.100/24
destinationPort: 80
internetProtocolVersion: ipv4
match: match
protocol: tcp
action:
enableGate: false
For the complete list of parameters supported, see spec.rule.filter.flow spec table.
Apply the PE Policy CR. Run the following command:
kubectl apply -f pem-policy-flow-filter.yaml -n <name_space>Verify that the PE policy is applied by checking the F5ingress logs.
I0224 11:45:47.295465 13 event.go:364] Event(v1.ObjectReference{Kind:"F5BigPePolicy", Namespace:"default", Name:"pe-policy-flow-filter", UID:"d61a891f-0c90-4128-a0d0-5b2d206e1622", APIVersion:"", ResourceVersion:"59582", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' PePolicy default/pe-policy-flow-filter was added/updated
For more information on PE Policy, see F5BigPePolicy page.
PE Profile¶
Following is the process to apply the F5BigPeProfile.
Copy the following example into
pem-profile-flow-filter.yamlfile.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigPeProfile
metadata:
name: "pem-profile-flow-filter"
spec:
description: "pem profile for flow filter"
globalPolicy: {}
unknownSubscriberpolicy:
- "pem-policy-flow-filter"
Apply the PE Profile. Run the following command:
kubectl apply -f pem-profile-flow-filter.yaml -n <name_space>Verify that the PE profile is applied by checking the F5ingress logs.
I0221 08:02:55.145541 13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigPeProfile", Namespace:"default", Name:"pe-profile-flow-filter", UID:"1405a7e8-402a-4490-80b6-710ae6b3f79c", APIVersion:"", ResourceVersion:"12241", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' PeProfile default/pe-profile-flow-filter was added/updated
For more information on PE Profile, see F5BigPeProfile CRD page.
Secure Context¶
Following is the process to apply the F5BigContextSecure CR.
Add the following example in
secure-context.yamlfile.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigContextSecure
metadata:
name: "virtual-server"
spec:
destinationAddress: "0.0.0.0/0"
destinationPort: 0
ipProtocol: "tcp"
snat:
type: "automap"
peProfile: "pem-profile-flow-filter"
dpiProfile: "dpiprofile"
profile: "tcp"
Run the following command to apply the PE Profile.
kubectl apply -f secure-context.yaml -n <name_space>
Verify that the Secure Context CR is applied by checking the f5ingress logs.
I0221 08:06:28.013501 13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigContextSecure", Namespace:"default", Name:"vs-internal", UID:"ec203939-44ef-4c32-9bc6-8e84b1501869", APIVersion:"", ResourceVersion:"12572", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' SecureContext default/vs-internal was added/updated
For more information on Secure Context, see F5BigContextSecure CRD page.
Policy Enforcement statistics¶
If the TMM Debug sidecar is enabled (default), use the following steps to verify PE actions statistics.
Log in to the TMM debug Pod.
kubectl exec -it deploy/f5-tmm -c debug -n <name_space> -- bashThe PE policy applied earlier drops any traffic which matches the destination address as 22.22.22.100, destination port as 80, IP version as IPv4 and protocol as TCP. It allows any traffic which does not match the criteria.
Verify the
pem_actions_statstatistics. Run the following command:tmctl -d blade pem_actions_stat -w 130Sample output:
pass drop clone redirect icap_request icap_response steering w_steering steering_on_response bwc_uplink bwc_downlink dscp_marking_uplink ---- ---- ----- -------- ------------ ------------- -------- ---------- -------------------- ---------- ------------ ------------------- 1 1 0 0 0 0 0 0 0 0 0 0 dscp_marking_downlink http_headers_modify insert_content irule l2_marking_uplink l2_marking_downlink flow_report session_report transaction_report --------------------- ------------------- -------------- ----- ----------------- ------------------- ----------- -------------- ------------------ 0 0 0 0 0 0 0 0 0 reeval_cnt reeval_max media_qoe dtos_td rancon_detect tcpopt_to_net tcpopt_to_sub tcpana_to_net tcpana_to_sub sfc_path ---------- ---------- --------- ------- ------------- ------------- ------------- ------------- ------------- -------- 0 0 0 0 0 0 0 0 0 0
Stats Supported¶
The following table lists the supported Stats for PE CNFs:
| Stat name | Description |
|---|---|
| Pass | Specifies the number of flows that are passed (gate enabled). |
| Drop | Specifies the number of flows that are dropped (gate disabled). |
| Clone | Specifies the number of flows to which clone actions apply. |
| HTTP Redirect | Specifies the number of flows to which redirection actions apply. |
| ICAP Response | Specifies the number of flows to which ICAP actions apply on the response direction. |
| Steering | Specifies the number of flows to which steering actions apply. |
| Service Chain | Specifies the number of flows to which steering endpoint actions apply. |
| Steering on Response | Specifies the number of flows to which steering actions apply on the response direction. |
| QoS Uplink | Specifies the number of uplink flows to which QoS actions apply (Uplink means to network). |
| QoS Downlink | Specifies the number of downlink flows to which QoS actions apply (Downlink means to subscriber). |
| DSCP Marking Uplink | Specifies the number of uplink flows with DSCP action applied. |
| DSCP Marking Downlink | Specifies the number of downlink flows with DSCP action applied. |
| HTTP Headers Modify | Specifies the number of HTTP Headers Modify actions. |
| Insert Content | Specifies the number of Insert Content actions. |
| iRule | Specifies the number of iRule actions. |
| L2 Marking Uplink | Specifies the number of uplink flows to which L2 Marking actions apply. |
| L2 Marking Downlink | Specifies the number of downlink flows to which L2 Marking actions apply. |
| Flow Reporting | Specifies the number of actions of flow reporting record generation applied. |
| Session Reporting | Specifies the number of actions of session record generation applied. |
| Transaction Reporting | Specifies the number of actions of transaction record generation applied. |
| reeval_cnt | Specifies total number of policy reevaluations. |
| reeval_max | Specifies maximum number of policy reevaluations in current window. |
| Media Quality-of-experience (QoE) | Specifies the number of actions of media Quality-of-experience (QoE) record generation applied. |
| tcpopt_to_net | Specifies the TCP optimization applied to the uplink network. |
| tcpopt_to_sub | Specifies the TCP optimization applied to the subscriber. |
Feedback
To provide feedback and help improve this document, please email us at cnfdocs@f5.com.