Forum Discussion

nanselmo_108951
Dec 17, 2012

Need help with a SNAT iRule

So I have an iRule which will effectively SNAT everything to the VIP address, but I need to modify it to ONLY SNAT traffic where the source subnet is the same as the destination subnet. Any help here would be greatly appreciated.

    rule ir_snat2vip {
        when CLIENT_ACCEPTED {
            # The virtual server address the client connected to
            set VirtualIP [clientside {IP::local_addr}]
            # SNAT every connection to that VIP address
            snat $VirtualIP
        }
    }

We have other iRules which do the selective SNAT but each one has to be created and the subnet must be noted on each one. I would rather have it where there is just one standard iRule across all my devices and anytime an application needs SNAT we just apply the iRule. Below is an example of a selective SNAT rule.

    rule ir_snat_10_42_20 {
        when CLIENT_ACCEPTED {
            # Only clients in 10.42.20.0/24 get SNATed
            if { [IP::addr [IP::client_addr] equals 10.42.20.0/24] } {
                snatpool abc_snatpool
            }
        }
    }

Sooooo... any help would be greatly appreciated.

 

3 Replies

  • I don't see any easy way of doing this but if all the networks are /24's perhaps you could compare the first three octets of client address to the virtual address using [IP::addr [IP::local_addr]]. Unfortunately I don't have the skills (yet) to knock something up but I'm sure someone could help out.
  • Here's a tidbit I got from dev:

    You only need to convert one side to be a network and then it will mask both with that same network mask to see if it's on the same network. So, either of these should be sufficient:

        [IP::addr [IP::addr [IP::client_addr] mask 255.255.255.0] equals [LB::server addr]]

    or

        [IP::addr [IP::client_addr] equals [IP::addr [LB::server addr] mask 255.255.255.0]]

    It would be nice to add an option to IP::addr for a mask to apply. As in:

        [IP::addr -prefixlen 24 [IP::client_addr] equals [LB::server addr]]

    or

        [IP::addr -mask 255.255.255.0 [IP::client_addr] equals [LB::server addr]]

    There's a request for enhancement for an option like the last two:

    BZ376898: RFE improve IP::addr command to allow for simpler subnet comparison using prefixes

    Aaron
  • So a friend also suggested using a data group list on each LTM I use this on, just giving the DGL a standard name so the rule can be applied to each without needing to be edited.

    In that DGL, just define the networks for the pool members. The problem there is that we would have to maintain that DGL on each LTM when networks change. Sadly, that happens more often than I think I want to mess with around here.
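Putting Aaron's masked comparison together with the original ir_snat2vip rule, as an added example that is not from the thread: it keeps the VIP address from CLIENT_ACCEPTED and makes the SNAT decision in LB_SELECTED, because LB::server addr is only known once a pool member has been picked. It assumes every server network is a /24 (the 255.255.255.0 mask) and that SNATing to the VIP address is still the desired behaviour.

```tcl
# Added example, not code from the original post.
# Assumption: all pool-member networks are /24, so a single 255.255.255.0
# mask is enough to decide whether client and server share a subnet.
when CLIENT_ACCEPTED {
    # Remember the address the client connected to; this is what we SNAT to.
    set vip [IP::local_addr]
}

when LB_SELECTED {
    # IP::addr applies the mask to both sides before comparing, so this is
    # true only when the client and the chosen pool member are in the same /24.
    if { [IP::addr [IP::addr [IP::client_addr] mask 255.255.255.0] equals [LB::server addr]] } {
        # Same subnet: SNAT so the server's reply comes back through the LTM
        # instead of going directly to the client.
        snat $vip
    }
    # Different subnet: no SNAT, the client address is preserved.
}
```

Because the rule carries no network definitions of its own, the same iRule can be applied unchanged on every LTM, which is the maintenance problem the data group approach in the last reply runs into.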