Forum Discussion
Chuck_127210
Nimbostratus
Dec 08, 2006
1 VS and 2 Pools
I'm new to IRULES and I'm having an issue with converting a 4.5 rule into a version 9 IRULE. Listed below is the 4.5 rule and below that the IRULE I created (which doesn't work). Any help would be appreciated.
4.5 rule
if (client_addr == 172.0.0.0 netmask 255.0.0.0) {
    use pool Release2_DR_Pool
}
else if (client_addr == 10.144.0.0 netmask 255.255.0.0) {
    use pool Release2_DR_Pool
}
else {
    use pool Touchpoint_COB_Pool
}
9.1.2 IRULE
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 172.0.0.0/8] } {
        pool Branchplatform_Citizens_pool
    }
    if { [IP::addr [IP::client_addr] equals 10.144.0.0/16] } {
        pool Branchplatform_Citizens_pool
    } else {
        pool Branchplatform_COB_pool
    }
}
Thanks in advance
Chuck
5 Replies
- You are close...
Your code is comparing the client address to the subnet.
Let's say your client_addr is 172.1.1.1, then your if would equate to this:
if { 172.1.1.1 equals 172.0.0.0 }
Obviously this will return false. To achieve what you want to do, you'll need to apply the netmask to the IP::client_addr like this:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr]/8 equals 172.0.0.0] } {
        pool Branchplatform_Citizens_pool
    }
    if { [IP::addr [IP::client_addr]/16 equals 10.144.0.0] } {
        pool Branchplatform_Citizens_pool
    } else {
        pool Branchplatform_COB_pool
    }
}
-Joe
- Chuck_127210
Nimbostratus
Hello Joe,
Thanks for your input, but I still fall through to the Branchplatform_COB_pool when I'm on a 172 subnet. Any more ideas? Thanks in advance
Chuck
- I'd recommend throwing in some logging to point out where things are going wrong.
when CLIENT_ACCEPTED {
    log local0. "client address: [IP::client_addr]"
    if { [IP::addr [IP::client_addr]/8 equals 172.0.0.0] } {
        log local0. "[IP::client_addr] is in the 172.0.0.0 subnet"
        pool Branchplatform_Citizens_pool
    }
    if { [IP::addr [IP::client_addr]/16 equals 10.144.0.0] } {
        log local0. "[IP::client_addr] is in the 10.144.0.0 subnet"
        pool Branchplatform_Citizens_pool
    } else {
        log local0. "[IP::client_addr] doesn't match."
        pool Branchplatform_COB_pool
    }
}
Then look in the /var/log/ltm file. If it is not clear to you based on the logged output, pass the log output back here and I'll take a look.
-Joe
- Chuck_127210
Nimbostratus
It appears to match the rule but goes to the else pool. Please see attached.
Thanks
Chuck
- Deb_Allen_18
Historic F5 Account
Hi guys -
I always put the mask on the subnet side of the comparison and it works just fine, so based on your logged results, it looks like it would work either way.
Looking more closely at your logic, though it seems that your "if" construct needs to be reconsidered:
You have 2 "if"s here, which means the conditions are not mutually exclusive. The connection is only forwarded after all conditions have been evaluated and acted upon, so when you send a request from a 172 address, the first condition is True, but the 2nd condition is False. As a result, the pool is first set to the Citizens pool, but later set to the COB pool, which is where the traffic is actually sent.
You need to combine the 3 tests into one so you get only one result. You can either combine the 2 IP tests into one, or create a single "if / elseif / else" test:
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr]/8 equals 172.0.0.0] } {
        pool Branchplatform_Citizens_pool
    } elseif { [IP::addr [IP::client_addr]/16 equals 10.144.0.0] } {
        pool Branchplatform_Citizens_pool
    } else {
        pool Branchplatform_COB_pool
    }
}
or
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr]/8 equals 172.0.0.0] or [IP::addr [IP::client_addr]/16 equals 10.144.0.0] } {
        pool Branchplatform_Citizens_pool
    } else {
        pool Branchplatform_COB_pool
    }
}
HTH
/deb
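The "last pool command wins" behaviour described in the reply above, modelled in Python so it can be run off the BIG-IP. This is an added example, not code from any poster in this thread; the function names and sample addresses are constructed, and plain subnet membership stands in for the IP::addr comparison.

```python
import ipaddress

# Subnets and pool names taken from the thread.
CITIZENS_NETS = [ipaddress.ip_network("172.0.0.0/8"),
                 ipaddress.ip_network("10.144.0.0/16")]
CITIZENS = "Branchplatform_Citizens_pool"
COB = "Branchplatform_COB_pool"


def two_ifs(client):
    """Model of the original rule: 'if' followed by a separate 'if/else'.

    Each 'pool' command overwrites the previous selection, and the
    connection is forwarded only after the whole event has run.
    """
    addr = ipaddress.ip_address(client)
    selected = None
    if addr in CITIZENS_NETS[0]:
        selected = CITIZENS
    if addr in CITIZENS_NETS[1]:
        selected = CITIZENS
    else:
        selected = COB          # also runs for 172.x clients
    return selected


def if_elseif_else(client):
    """Model of the corrected rule: one chain, exactly one branch runs."""
    addr = ipaddress.ip_address(client)
    if addr in CITIZENS_NETS[0]:
        return CITIZENS
    elif addr in CITIZENS_NETS[1]:
        return CITIZENS
    return COB


def misrouted(clients):
    """Return clients whose pool differs between the two rule shapes."""
    return [c for c in clients if two_ifs(c) != if_elseif_else(c)]


# Constructed sample client addresses, including subnet boundaries.
SAMPLES = ["172.1.1.1", "172.255.255.255", "10.144.0.1",
           "10.145.0.1", "173.0.0.1", "192.168.1.10"]

if __name__ == "__main__":
    for c in SAMPLES:
        print(f"{c:16} two-ifs={two_ifs(c):30} chain={if_elseif_else(c)}")
    print("misrouted by the two-if rule:", misrouted(SAMPLES))
```

A table of expected client-to-pool mappings like this is a cheap check to run before any address-based routing rule is migrated between versions.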