TCP commands
TCP commands contain functions to obtain and manipulate information related to the TCP layer, such as socket options (sockopt):
TCP:reject() — Allows the user to reject a TCP connection from a client.
TCP:set_snat_ip(str) — Allows the user to set the backend TCP connection’s source address and port.
TCP:clear_snat_ip() — Allows the user to clear any IP that was set using the set_snat_ip() command.
TCP:sockopt(t) — Allows the user to customize the send buffer and receive buffer size. It is designed to set or get various socket/IP/TCP options, such as buffer size, timeout, MSS, etc., but currently only the snd_buf and rcv_buf buffer sizes are supported. For client-side events, this command applies to the client-side socket; for server-side events, it applies to the server-side socket.
TCP:reject()
Allows the user to reject a TCP connection from a client.
Syntax
TCP:reject();
Arguments
N/A
Example
```lua
when TCP_ACCEPTED {
    -- check whether st is true or false (st is set by the script's own logic)
    if st then
        TCP:reject();
    end
}
```
FortiADC version: V5.0
Used in events: TCP_ACCEPTED
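The example above leaves the decision variable st undefined. The following is an added example (not from the FortiADC documentation) that makes the decision concrete: it allows only clients inside one address prefix and rejects every other TCP connection at accept time, before any HTTP processing happens. It assumes cmp_addr() and IP:client_addr() behave as in the set_snat_ip() example on this page (cmp_addr returns true on a match); the prefix is a constructed value.

```lua
-- Added example, not FortiADC's own code.
-- Enforce a client allowlist at TCP accept time.
when TCP_ACCEPTED {
    allowed_group = "10.20.0.0/16"        -- constructed example prefix
    client_ip = IP:client_addr()
    -- cmp_addr() is assumed to return true when client_ip falls inside allowed_group
    if not cmp_addr(client_ip, allowed_group) then
        debug("rejecting TCP connection from %s\n", client_ip)
        TCP:reject()
    end
}
```

Rejecting in TCP_ACCEPTED rather than in HTTP_REQUEST means the backend never sees the connection and no request buffering is spent on disallowed sources.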
TCP:set_snat_ip(str)
Allows the user to set the backend TCP connection’s source address and port.
Syntax
TCP:set_snat_ip(str);
Note: To use the set_snat_ip() command, you must ensure the SOURCE ADDRESS flag is selected in the HTTP or HTTPS profile type.
Arguments
Name | Description |
---|---|
str | A string which specifies the IP address. |
Example
```lua
when TCP_ACCEPTED {
    addr_group = "172.24.172.60/24"
    client_ip = IP:client_addr()
    matched = cmp_addr(client_ip, addr_group)
    if matched then
        if TCP:set_snat_ip("10.106.3.124") then
            debug("set SNAT ip to 10.106.3.124\n")
        end
    end
}
```
Note: The VS must have the client address enabled in the profile, as shown in the example below.
```
config load-balance profile
    edit "http"
        set type http
        set client-address enable
    next
end
```
FortiADC version: V5.2
Used in events: TCP_ACCEPTED / HTTP_REQUEST / HTTP_DATA_REQUEST / CLIENTSSL_HANDSHAKE
TCP:clear_snat_ip()
Allows the user to clear any IP that was set using the set_snat_ip() command.
Syntax
TCP:clear_snat_ip();
Arguments
N/A
Example
```lua
when HTTP_REQUEST {
    if TCP:clear_snat_ip() then
        debug("clear SNAT ip!\n")
    end
}
```
FortiADC version: V5.0
Used in events: TCP_ACCEPTED / HTTP_REQUEST / HTTP_DATA_REQUEST / CLIENTSSL_HANDSHAKE
TCP:sockopt(t)
Allows the user to customize the send buffer and receive buffer size. It is designed to set or get various socket/IP/TCP options, such as buffer size, timeout, MSS, etc., but currently only the snd_buf and rcv_buf buffer sizes are supported. For client-side events, this command applies to the client-side socket; for server-side events, it applies to the server-side socket.
Syntax
TCP:sockopt(t);
Arguments
Name | Description |
---|---|
t | A table specifying the operation (op: "get" or "set"), the socket option name (message: "snd_buf" or "rcv_buf") and, for set operations, the value. |
Example
```lua
when RULE_INIT {
    debug(" ======== RULE_INIT ========\n");
    -- see https://notes.shichao.io/unp/ch7/ for more details on the socket options.
    tcp_message = {};
    tcp_message[1] = "snd_buf";  -- int
    tcp_message[2] = "rcv_buf";  -- int
    setIntMsg = {};
    setIntMsg[1] = "snd_buf";    -- int
    setIntMsg[2] = "rcv_buf";    -- int
    setIntValue = {};
    setIntValue[1] = 111222;
    setIntValue[2] = 111222;
}

when VS_LISTENER_BIND {
    -- runs when a VS tries to bind.
    debug(" ======== VS_LISTENER_BIND ========\n");
    for k, v in pairs(tcp_message) do
        t = {};
        t["op"] = "get";
        t["message"] = v;
        if TCP:sockopt(t) then
            debug("%s value is %d\n", v, TCP:sockopt(t));
        else
            debug("get %s status %s\n", v, TCP:sockopt(t));
        end
    end
    debug(" ==== set ==== \n");
    for k, v in pairs(setIntMsg) do
        s = {};
        s["op"] = "set";
        s["message"] = v;
        s["value"] = setIntValue[k];  -- integer value
        result = TCP:sockopt(s);
        debug("setting %s to %s return %s\n", v, setIntValue[k], result);
    end
    debug(" ==== End set ==== \n");
    for k, v in pairs(tcp_message) do
        t = {};
        t["op"] = "get";
        t["message"] = v;
        if TCP:sockopt(t) then
            debug("%s value is %d\n", v, TCP:sockopt(t));
        else
            debug("get %s status %s\n", v, TCP:sockopt(t));
        end
    end
}

when HTTP_RESPONSE {
    debug(" ======== HTTP_RESPONSE ========\n");
    t = {};
    t["size"] = 100;
    HTTP:collect(t);
    debug(" ==== set ==== \n");
    for k, v in pairs(setIntMsg) do
        s = {};
        s["op"] = "set";
        s["message"] = v;
        s["value"] = setIntValue[k];  -- integer value
        result = TCP:sockopt(s);
        debug("setting %s to %s return %s\n", v, setIntValue[k], result);
    end
    debug(" ==== End set ==== \n");
    for k, v in pairs(tcp_message) do
        t = {};
        t["op"] = "get";
        t["message"] = v;
        if TCP:sockopt(t) then
            debug("%s value is %d\n", v, TCP:sockopt(t));
        else
            debug("get %s status %s\n", v, TCP:sockopt(t));
        end
    end
}

when HTTP_DATA_RESPONSE {
    debug(" ======== HTTP_DATA_RESPONSE ========\n");
    debug(" ==== set ==== \n");
    for k, v in pairs(setIntMsg) do
        s = {};
        s["op"] = "set";
        s["message"] = v;
        s["value"] = setIntValue[k];  -- integer value
        result = TCP:sockopt(s);
        debug("setting %s to %s return %s\n", v, setIntValue[k], result);
    end
    debug(" ==== End set ==== \n");
    for k, v in pairs(tcp_message) do
        t = {};
        t["op"] = "get";
        t["message"] = v;
        if TCP:sockopt(t) then
            debug("%s value is %d\n", v, TCP:sockopt(t));
        else
            debug("get %s status %s\n", v, TCP:sockopt(t));
        end
    end
}
```
FortiADC version: V5.0
Used in events:
- Client-side events, including TCP_BIND, TCP_ACCEPTED, HTTP_REQUEST, HTTP_DATA_REQUEST
- Server-side events, including HTTP_RESPONSE, HTTP_DATA_RESPONSE, BEFORE_CONNECT, SERVER_CONNECTED
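The reference example for TCP:sockopt() sets fixed buffer sizes unconditionally. The following is an added example (not from the FortiADC documentation) of the read-check-set pattern a practitioner would more often want: it reads the current client-side receive buffer in TCP_ACCEPTED and only lowers it when it exceeds a cap, so per-connection kernel buffer memory stays bounded without ever enlarging a buffer that is already small. It assumes, as in the example above, that op="get" returns the current size as an integer (or a false value on failure) and that op="set" returns a status value; the cap is a constructed number.

```lua
-- Added example, not FortiADC's own code.
-- Bound the client-side receive buffer on each accepted connection.
when TCP_ACCEPTED {
    max_rcv_buf = 262144          -- constructed cap in bytes

    q = {}
    q["op"] = "get"
    q["message"] = "rcv_buf"
    current = TCP:sockopt(q)      -- assumed: integer on success, false on failure

    if not current then
        debug("could not read rcv_buf on the client-side socket\n")
    elseif current > max_rcv_buf then
        s = {}
        s["op"] = "set"
        s["message"] = "rcv_buf"
        s["value"] = max_rcv_buf
        result = TCP:sockopt(s)   -- assumed: status value of the set operation
        debug("rcv_buf %d exceeds cap, set to %d, result %s\n", current, max_rcv_buf, result)
    else
        debug("rcv_buf %d is within the cap\n", current)
    end
}
```

Because TCP_ACCEPTED is a client-side event, the get and set both apply to the client-side socket; the same pattern in HTTP_RESPONSE would act on the server-side socket instead.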