Forum Discussion

Neil_Cook_66167
Aug 21, 2011

Can I use a variable as a class name?

Hi,

I'm allocating SNAT Pools for outbound traffic in a fairly complex fashion: essentially I want to allocate a different SNAT pool based on the destination port. To do this in the most maintainable fashion, I'd like to use a two-level lookup, firstly a lookup based on the server port to figure out which SNAT Pool class to use, then a lookup based on the client IP addr against the class returned in the first lookup. In order to do that, I'd need to use the result of the first class match to determine which class to perform the second lookup on, i.e.:

    class match -value [IP::client_addr] equals $class_name

Is this possible?

The second question I have is how to implement this rule in the most efficient fashion. I thought I could simply create a wildcard forwarding virtual server which is only configured on my "internal" VLAN (i.e. only traffic destined for external hosts), and apply the iRule to that. Then the iRule only fires for outbound traffic. If there's a better way to have an iRule fire only for outbound traffic, I'd be interested to find out.

Example code below:

    class Client_Port_Table {
        {
            "10050" { "Entity1_Normal_SNAT_Table" }
            "10051" { "Entity2_Normal_SNAT_Table" }
        }
    }

    class Entity1_Normal_SNAT_Table {
        {
            "10.223.10.1" { "Entity1_Normal_SNATPool_1" }
            "10.223.10.2" { "Entity1_Normal_SNATPool_2" }
        }
    }

    class Entity2_Normal_SNAT_Table {
        {
            "10.223.10.1" { "Entity2_Normal_SNATPool_1" }
            "10.223.10.2" { "Entity2_Normal_SNATPool_2" }
        }
    }

    class Default_SNAT_Table {
        {
            "10.223.10.1" { "Default_SNATPool_1" }
            "10.223.10.2" { "Default_SNATPool_2" }
        }
    }


iRule Source

    when CLIENT_ACCEPTED {
        # First level: destination port -> name of the SNAT table to consult
        set snat_table [class match -value [TCP::server_port] equals Client_Port_Table]
        if {$snat_table ne ""} {
            # Second level: client address -> SNAT pool, in the table found above
            set snat_pool [class match -value [IP::client_addr] equals $snat_table]
            if {$snat_pool ne ""} {
                pool $snat_pool
            }
        } else {
            # Unknown port: fall back to the default table
            set snat_pool [class match -value [IP::client_addr] equals Default_SNAT_Table]
            if {$snat_pool ne ""} {
                pool $snat_pool
            }
        }
    }
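As an added example (not code from the original post, nor from F5), here is the same two-level lookup written defensively: the table name returned by the first class match is checked with class exists before it is used as a data group name, the default table is used when either lookup misses, and the result is applied with snatpool. The data group names and the CLIENT_ACCEPTED event come from the post above; the log line and the order of fallbacks are assumptions.

```tcl
# Added example (not from the original post): two-level SNAT pool lookup
# where the indirect data group name is validated before it is used.
when CLIENT_ACCEPTED {
    # First level: destination port -> name of the per-entity SNAT table.
    set snat_table [class match -value [TCP::server_port] equals Client_Port_Table]

    # Fall back to the default table if the port is unknown, or if the name
    # returned by the first lookup does not resolve to an existing data group.
    # Without this guard a typo in Client_Port_Table would make the second
    # class match raise a TCL error and the connection would be reset.
    if { $snat_table eq "" || ![class exists $snat_table] } {
        set snat_table "Default_SNAT_Table"
    }

    # Second level: client address -> SNAT pool, looked up in the table chosen
    # above. The data group name is a variable, which the class command accepts.
    set snat_pool [class match -value [IP::client_addr] equals $snat_table]

    if { $snat_pool eq "" && $snat_table ne "Default_SNAT_Table" } {
        # Client not listed in the entity table: assumed policy is to try the
        # default table once before giving up.
        set snat_pool [class match -value [IP::client_addr] equals Default_SNAT_Table]
    }

    if { $snat_pool ne "" } {
        # snatpool, not pool: pool would select a server-side pool instead.
        snatpool $snat_pool
    } else {
        # Assumed: no match anywhere, leave SNAT untouched and record the miss.
        log local0. "No SNAT pool for [IP::client_addr] -> port [TCP::server_port]"
    }
}
```

The class exists check is the part worth keeping even if the rest is adapted: the second lookup trusts a string that came out of configuration data, so a misspelled table name there should degrade to the default pool rather than abort the rule for that connection.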

 

  • Hamish
    Yes. No problems. Check out the ProxyPass v10 iRule for examples... (http://devcentral.f5.com/wiki/iRules.ProxyPassV10.ashx)

    H
  • Hi Neil,

    Very interesting iRule. Yes, I believe you can input a variable name in the fashion you require.

    Looking at your code, I think there is a way to collapse the data groups down to 2 and avoid using a variable name within the class command, specifically by using the class get command along with the scan command.

    Also change "pool" to "snatpool" in your code, otherwise it won't work :-)

    I hope this little bit of information helps

    Bhattman
  • I have a further question related to the iRule in this thread. I forgot to mention that what I also want to do is to rewrite the destination port to a specific port, actually port 25.

    However, I don't see any way to achieve this without having a pool attached. Since this is outbound traffic, and I'm using a wildcard forwarding virtual server to attach the iRule to, I don't see how this can be achieved. Any thoughts?