
TCP commands

TCP:reject()

Allows the user to reject a TCP connection from a client.

Syntax

TCP:reject();

Arguments: N/A

Examples

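when TCP_ACCEPTED {
    -- Reject the client's TCP connection when the condition `st` holds.
    -- `st` is a placeholder for a boolean decided earlier in this event; the
    -- original example spelled the keyword `If`, which is not valid Lua.
    if st then
        TCP:reject();
    end
}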

FortiADC version: V5.0

Used in events:

Used in TCP_ACCEPTED

TCP:set_snat_ip(str)

Allows the user to set the backend TCP connection’s source address and port.

Syntax

TCP:set_snat_ip(str);

Note: to use set_snat_ip(), make sure the SOURCE ADDRESS flag is selected in the HTTP or HTTPS profile.

Arguments

Name Description

str

A string which specifies the IP address.

Examples

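when TCP_ACCEPTED{
    -- Source-NAT the backend connection to a fixed address for clients that
    -- fall inside addr_group. The original example used typographic quotes
    -- (“ ”), which are not valid Lua string delimiters; they are straight here.
    addr_group = "172.24.172.60/24"
    client_ip = IP:client_addr()
    matched = cmp_addr(client_ip, addr_group)
    if matched then
        -- The example treats a truthy return from set_snat_ip as success.
        if TCP:set_snat_ip("10.106.3.124") then
            debug("set SNAT ip to 10.106.3.124\n")
        end
    end
}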

Note: the virtual server (vs) must have client-address enabled in its profile:

config load-balance profile

edit "http"

set type http

set client-address enable

next

end

FortiADC version: V5.2

Used in events:

Used in TCP_ACCEPTED / HTTP_REQUEST / HTTP_DATA_REQUEST / CLIENTSSL_HANDSHAKE

TCP:clear_snat_ip()

Allows the user to clear the customized IP previously set with set_snat_ip().

Syntax

TCP:clear_snat_ip();

Arguments

Name Description

str

A string which will be calculated.

Examples

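when HTTP_REQUEST {
    -- Clear the customized source address chosen earlier with
    -- TCP:set_snat_ip() so it no longer applies to the backend connection.
    if TCP:clear_snat_ip() then
        debug("clear SNAT ip!\n")
    end -- closes the `if`; the original example omitted this `end`
}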

FortiADC version: V5.0

Used in events: ALL

Used in TCP_ACCEPTED / HTTP_REQUEST / HTTP_DATA_REQUEST / CLIENTSSL_HANDSHAKE

TCP:sockopt(t)

Allows the user to customize the send and receive buffer sizes. It is intended to set or get various socket/IP/TCP options, such as buffer size, timeout and MSS; currently only the snd_buf and rcv_buf buffer sizes are supported.

In client-side events it applies to the client-side socket; in server-side events it applies to the server-side socket.

Syntax

TCP:sockopt(t);

Arguments

Name Description

t

A table which specifies the operation (op), the socket option (message) and, for set operations, the value (value), as shown in the example below.

Examples

when RULE_INIT {
    debug(" ======== RULE_INIT ========\n");
    -- access to https://notes.shichao.io/unp/ch7/ for more details.
    -- Socket options that sockopt() currently supports; both hold integers.
    tcp_message = { "snd_buf", "rcv_buf" };
    -- Options to set, index-aligned with the integer values in setIntValue.
    setIntMsg = { "snd_buf", "rcv_buf" };
    setIntValue = { 111222, 111222 };
}

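when VS_LISTENER_BIND{
    -- when a VS tries to bind.
    debug(" ======== VS_LISTENER_BIND ========\n");

    -- Read back every supported option before changing anything.
    for k,v in pairs(tcp_message) do
        t = {};
        t["op"] = "get"
        t["message"]=v
        -- A "get" returns the option's value when it succeeds; call sockopt
        -- once and reuse the result instead of issuing a second get for the
        -- log line, as the original example did.
        local value = TCP:sockopt(t);
        if value then
            debug("%s value is %d\n",v, value);
        else
            debug("get %s status %s\n",v, value);
        end
    end

    debug(" ==== set ==== \n");
    -- Apply the configured buffer sizes. NOTE(review): the page does not say
    -- whether the platform bounds these values; oversized buffers multiply
    -- memory use across connections, so size them deliberately.
    for k,v in pairs(setIntMsg) do
        s = {};
        s["op"] = "set"; -- "set" or "get" (the original comment read "or set")
        s["message"] = v
        s["value"] = setIntValue[k]; -- integer value for this option
        result = TCP:sockopt(s);
        debug("setting %s to %s return %s\n",v,setIntValue[k], result);
    end
    debug(" ==== End set ==== \n");

    -- Read the options again to confirm the set took effect.
    for k,v in pairs(tcp_message) do
        t = {};
        t["op"] = "get"
        t["message"]=v
        local value = TCP:sockopt(t);
        if value then
            debug("%s value is %d\n",v, value);
        else
            debug("get %s status %s\n",v, value);
        end
    end
}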

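when HTTP_RESPONSE {
    debug(" ======== HTTP_RESPONSE ========\n");

    -- HTTP:collect(t) with t.size = 100; presumably buffers part of the
    -- response before the script continues -- confirm on the HTTP commands page.
    t={}
    t["size"] = 100;
    HTTP:collect(t)

    debug(" ==== set ==== \n");
    -- Apply the configured buffer sizes to the server-side socket.
    -- NOTE(review): the page does not say whether the platform bounds these
    -- values; oversized buffers multiply memory use across connections.
    for k,v in pairs(setIntMsg) do
        s = {};
        s["op"] = "set"; -- "set" or "get" (the original comment read "or set")
        s["message"] = v
        s["value"] = setIntValue[k]; -- integer value for this option
        result = TCP:sockopt(s);
        debug("setting %s to %s return %s\n",v,setIntValue[k], result);
    end
    debug(" ==== End set ==== \n");

    -- Read the options back to confirm the set took effect. A "get" returns
    -- the value on success; call sockopt once and reuse the result instead of
    -- issuing a second get for the log line, as the original example did.
    for k,v in pairs(tcp_message) do
        t = {};
        t["op"] = "get"
        t["message"]=v
        local value = TCP:sockopt(t);
        if value then
            debug("%s value is %d\n",v, value);
        else
            debug("get %s status %s\n",v, value);
        end
    end
}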

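when HTTP_DATA_RESPONSE {
    debug(" ======== HTTP_DATA_RESPONSE ========\n");

    debug(" ==== set ==== \n");
    -- Apply the configured buffer sizes to the server-side socket.
    -- NOTE(review): the page does not say whether the platform bounds these
    -- values; oversized buffers multiply memory use across connections.
    for k,v in pairs(setIntMsg) do
        s = {};
        s["op"] = "set"; -- "set" or "get" (the original comment read "or set")
        s["message"] = v
        s["value"] = setIntValue[k]; -- integer value for this option
        result = TCP:sockopt(s);
        debug("setting %s to %s return %s\n",v,setIntValue[k], result);
    end
    debug(" ==== End set ==== \n");

    -- Read the options back to confirm the set took effect. A "get" returns
    -- the value on success; call sockopt once and reuse the result instead of
    -- issuing a second get for the log line, as the original example did.
    for k,v in pairs(tcp_message) do
        t = {};
        t["op"] = "get"
        t["message"]=v
        local value = TCP:sockopt(t);
        if value then
            debug("%s value is %d\n",v, value);
        else
            debug("get %s status %s\n",v, value);
        end
    end
}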

FortiADC version: V5.0

Used in events:

Used in client-side events, including TCP_BIND, TCP_ACCEPTED, HTTP_REQUEST, HTTP_DATA_REQUEST

Used in server-side events, including HTTP_RESPONSE, HTTP_DATA_RESPONSE, BEFORE_CONNECT, SERVER_CONNECTED.

TCP commands

TCP:reject()

Allows the user to reject a TCP connection from a client.

Syntax

TCP:reject();

Arguments: N/A

Examples

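when TCP_ACCEPTED {
    -- Reject the client's TCP connection when the condition `st` holds.
    -- `st` is a placeholder for a boolean decided earlier in this event; the
    -- original example spelled the keyword `If`, which is not valid Lua.
    if st then
        TCP:reject();
    end
}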

FortiADC version: V5.0

Used in events:

Used in TCP_ACCEPTED

TCP:set_snat_ip(str)

Allows the user to set the backend TCP connection’s source address and port.

Syntax

TCP:set_snat_ip(str);

Note: to use set_snat_ip(), make sure the SOURCE ADDRESS flag is selected in the HTTP or HTTPS profile.

Arguments

Name Description

str

A string which specifies the IP address.

Examples

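when TCP_ACCEPTED{
    -- Source-NAT the backend connection to a fixed address for clients that
    -- fall inside addr_group. The original example used typographic quotes
    -- (“ ”), which are not valid Lua string delimiters; they are straight here.
    addr_group = "172.24.172.60/24"
    client_ip = IP:client_addr()
    matched = cmp_addr(client_ip, addr_group)
    if matched then
        -- The example treats a truthy return from set_snat_ip as success.
        if TCP:set_snat_ip("10.106.3.124") then
            debug("set SNAT ip to 10.106.3.124\n")
        end
    end
}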

Note: the virtual server (vs) must have client-address enabled in its profile:

config load-balance profile

edit "http"

set type http

set client-address enable

next

end

FortiADC version: V5.2

Used in events:

Used in TCP_ACCEPTED / HTTP_REQUEST / HTTP_DATA_REQUEST / CLIENTSSL_HANDSHAKE

TCP:clear_snat_ip()

Allows the user to clear the customized IP previously set with set_snat_ip().

Syntax

TCP:clear_snat_ip();

Arguments

Name Description

str

A string which will be calculated.

Examples

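when HTTP_REQUEST {
    -- Clear the customized source address chosen earlier with
    -- TCP:set_snat_ip() so it no longer applies to the backend connection.
    if TCP:clear_snat_ip() then
        debug("clear SNAT ip!\n")
    end -- closes the `if`; the original example omitted this `end`
}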

FortiADC version: V5.0

Used in events: ALL

Used in TCP_ACCEPTED / HTTP_REQUEST / HTTP_DATA_REQUEST / CLIENTSSL_HANDSHAKE

TCP:sockopt(t)

Allows the user to customize the send and receive buffer sizes. It is intended to set or get various socket/IP/TCP options, such as buffer size, timeout and MSS; currently only the snd_buf and rcv_buf buffer sizes are supported.

In client-side events it applies to the client-side socket; in server-side events it applies to the server-side socket.

Syntax

TCP:sockopt(t);

Arguments

Name Description

t

A table which specifies the operation (op), the socket option (message) and, for set operations, the value (value), as shown in the example below.

Examples

when RULE_INIT {
    debug(" ======== RULE_INIT ========\n");
    -- access to https://notes.shichao.io/unp/ch7/ for more details.
    -- Socket options that sockopt() currently supports; both hold integers.
    tcp_message = { "snd_buf", "rcv_buf" };
    -- Options to set, index-aligned with the integer values in setIntValue.
    setIntMsg = { "snd_buf", "rcv_buf" };
    setIntValue = { 111222, 111222 };
}

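when VS_LISTENER_BIND{
    -- when a VS tries to bind.
    debug(" ======== VS_LISTENER_BIND ========\n");

    -- Read back every supported option before changing anything.
    for k,v in pairs(tcp_message) do
        t = {};
        t["op"] = "get"
        t["message"]=v
        -- A "get" returns the option's value when it succeeds; call sockopt
        -- once and reuse the result instead of issuing a second get for the
        -- log line, as the original example did.
        local value = TCP:sockopt(t);
        if value then
            debug("%s value is %d\n",v, value);
        else
            debug("get %s status %s\n",v, value);
        end
    end

    debug(" ==== set ==== \n");
    -- Apply the configured buffer sizes. NOTE(review): the page does not say
    -- whether the platform bounds these values; oversized buffers multiply
    -- memory use across connections, so size them deliberately.
    for k,v in pairs(setIntMsg) do
        s = {};
        s["op"] = "set"; -- "set" or "get" (the original comment read "or set")
        s["message"] = v
        s["value"] = setIntValue[k]; -- integer value for this option
        result = TCP:sockopt(s);
        debug("setting %s to %s return %s\n",v,setIntValue[k], result);
    end
    debug(" ==== End set ==== \n");

    -- Read the options again to confirm the set took effect.
    for k,v in pairs(tcp_message) do
        t = {};
        t["op"] = "get"
        t["message"]=v
        local value = TCP:sockopt(t);
        if value then
            debug("%s value is %d\n",v, value);
        else
            debug("get %s status %s\n",v, value);
        end
    end
}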

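when HTTP_RESPONSE {
    debug(" ======== HTTP_RESPONSE ========\n");

    -- HTTP:collect(t) with t.size = 100; presumably buffers part of the
    -- response before the script continues -- confirm on the HTTP commands page.
    t={}
    t["size"] = 100;
    HTTP:collect(t)

    debug(" ==== set ==== \n");
    -- Apply the configured buffer sizes to the server-side socket.
    -- NOTE(review): the page does not say whether the platform bounds these
    -- values; oversized buffers multiply memory use across connections.
    for k,v in pairs(setIntMsg) do
        s = {};
        s["op"] = "set"; -- "set" or "get" (the original comment read "or set")
        s["message"] = v
        s["value"] = setIntValue[k]; -- integer value for this option
        result = TCP:sockopt(s);
        debug("setting %s to %s return %s\n",v,setIntValue[k], result);
    end
    debug(" ==== End set ==== \n");

    -- Read the options back to confirm the set took effect. A "get" returns
    -- the value on success; call sockopt once and reuse the result instead of
    -- issuing a second get for the log line, as the original example did.
    for k,v in pairs(tcp_message) do
        t = {};
        t["op"] = "get"
        t["message"]=v
        local value = TCP:sockopt(t);
        if value then
            debug("%s value is %d\n",v, value);
        else
            debug("get %s status %s\n",v, value);
        end
    end
}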

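when HTTP_DATA_RESPONSE {
    debug(" ======== HTTP_DATA_RESPONSE ========\n");

    debug(" ==== set ==== \n");
    -- Apply the configured buffer sizes to the server-side socket.
    -- NOTE(review): the page does not say whether the platform bounds these
    -- values; oversized buffers multiply memory use across connections.
    for k,v in pairs(setIntMsg) do
        s = {};
        s["op"] = "set"; -- "set" or "get" (the original comment read "or set")
        s["message"] = v
        s["value"] = setIntValue[k]; -- integer value for this option
        result = TCP:sockopt(s);
        debug("setting %s to %s return %s\n",v,setIntValue[k], result);
    end
    debug(" ==== End set ==== \n");

    -- Read the options back to confirm the set took effect. A "get" returns
    -- the value on success; call sockopt once and reuse the result instead of
    -- issuing a second get for the log line, as the original example did.
    for k,v in pairs(tcp_message) do
        t = {};
        t["op"] = "get"
        t["message"]=v
        local value = TCP:sockopt(t);
        if value then
            debug("%s value is %d\n",v, value);
        else
            debug("get %s status %s\n",v, value);
        end
    end
}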

FortiADC version: V5.0

Used in events:

Used in client-side events, including TCP_BIND, TCP_ACCEPTED, HTTP_REQUEST, HTTP_DATA_REQUEST

Used in server-side events, including HTTP_RESPONSE, HTTP_DATA_RESPONSE, BEFORE_CONNECT, SERVER_CONNECTED.