Forum Discussion
Stefan_Hellkvis
Nimbostratus
Apr 04, 2005
Changing source address for outgoing UDP
Hi,
Is it possible to change the UDP source address (both IP address and port number) with an iRule command?
I'm redirecting some UDP packets with the node command but would also want to change the source address of these packets before sending them away so that it looks like it's coming from somewhere else. Is it possible to change the UDP source address (both IP address and port number) with an iRule command so that this can be achieved? I cannot find any reference to this anywhere.
Regards,
Stefan
- drteeth_127330
Historic F5 Account
Try this:
use snat
- Stefan_Hellkvis
Nimbostratus
Is it possible to do both the "node" command to sort of redirect where the packet is heading and also the "use snat" to change the source address?
- JRahm
Admin
From rapmaster_c: One thing to note about iRules in 9.x is that they're a full-blown programming language, and the "pool" command is simply that - a command. There's no implied termination of evaluation upon calling it.
- Stefan_Hellkvis
Nimbostratus
Oh! That's interesting news indeed and just what I need. I just hope someone at F5 could confirm this also.
- Stefan_Hellkvis
Nimbostratus
That's great news. Thanks for the help guys!
- drteeth_127330
Historic F5 Account
I can confirm that you can do both a direct node selection and snat. However, this can only be done at the beginning before the serverside connection is established. UDP is a bit of a special case. If you enable datagram_lb in the UDP profile, then you should be able to select the node and snat on a per-packet basis.
- Stefan_Hellkvis
Nimbostratus
Hmmm..."If you enable datagram_lb in the UDP profile"? Is that a configuration option on the LB for UDP? My thought was to use a rule activated "when SERVER_DATA", then check if it's UDP and then route it and snat it. I'm not sure really what you mean with "enable datagram_lb in the UDP profile". Would that affect how I write my rule also?
- Stefan_Hellkvis
Nimbostratus
...and btw. What is the "preferred" hook so to speak when you want a rule invoked whenever you receive a UDP packet that you then want to redirect and snat? My guess was "when SERVER_DATA" and then check the IP protocol, but perhaps others here have something that works better for UDP.
- drteeth_127330
Historic F5 Account
UDP is connectionless, but like all stateful network devices, BIG-IP creates connections for UDP. Idle UDP connections eventually expire. As I said earlier, you can only select the pool (or pool member or server) and SNAT once at the beginning of the connection. You can not change the server or SNAT after the connection to the server is established. However, if you enable the datagram lb option in the UDP profile, then a new connection will be established for each packet. This allows you to choose the pool and/or SNAT for each packet. Use the CLIENT_ACCEPTED event. Good luck!
- Stefan_Hellkvis
Nimbostratus
Ah! I see. But I won't actually change the snat or destination server - all UDP to a certain address and port will be routed the same way as the first packet - so it might actually suit my purposes to have it stateful and only get it invoked once for the first packet "when CLIENT_ACCEPTED". But I'll do some prototyping once I actually have an LB to play with. Thanks for the help! This forum rocks!
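The approach the replies arrive at (node selection plus SNAT, both issued in CLIENT_ACCEPTED before the serverside connection exists), sketched as an added example that is not part of the original thread and not F5's own code. All addresses and the port number are constructed placeholders from documentation ranges, and the rule is assumed to be attached to a UDP virtual server.

```tcl
# Added example. Placeholder values (assumptions, not from the thread):
#   192.0.2.10:5060    source address/port the server should see
#   198.51.100.20:5060 node the datagrams are redirected to
when CLIENT_ACCEPTED {
    # CLIENT_ACCEPTED fires once per BIG-IP "connection". For UDP that is the
    # first datagram of a flow, or every datagram when the datagram LB option
    # is enabled in the UDP profile, as described in the replies above.
    # IP protocol 17 is UDP; the port test only runs when the first test passes.
    if { [IP::protocol] == 17 && [UDP::local_port] == 5060 } {
        # Both commands must run here, before the serverside connection is
        # established; they cannot be changed for this connection afterwards.
        snat 192.0.2.10 5060
        node 198.51.100.20 5060

        # Prototyping aid only: with datagram LB enabled this logs per packet.
        log local0. "UDP from [IP::client_addr]:[UDP::client_port] sent to 198.51.100.20:5060 with source 192.0.2.10:5060"
    }
    # Traffic that does not match falls through to the virtual server's
    # default pool and SNAT settings.
}
```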