Forum Discussion

noahshelton_237's avatar
noahshelton_237
Icon for Nimbostratus rankNimbostratus
Aug 25, 2016

Combine IF and SWITCH to apply SNAT based on destination IP and/or TCP port

I use an irule applied to a L4 performance forwarding virtual server to serve as a sort of selective NAT based on a couple different criteria (in most cases just the TCP port for which I use a switch...
application delivery
iRules
LTM
  • ekaleido_26616's avatar
    ekaleido_26616
    Aug 26, 2016
    when CLIENT_ACCEPTED {
  if { [IP::addr [IP::local_addr] equals 10.10.10.10/32] } {
    switch [TCP::local_port] {
      "104" -
      "4000" -
      "7400" -
      "12000" { snat 10.10.70.70 }
      default { snat 10.10.70.15 }
    }
  }
}

    At this point, though, you're getting close to wanting to use a datagroup instead of switch.

AJ_01_135899's avatar
AJ_01_135899
Icon for Cirrostratus rankCirrostratus
Aug 26, 2016

Both of the statements would run. The return would end processing at that point.

If you want the switch statement to run, but not if the IP address matches 10.10.10.10, why not add an if statement to your switch statement? There are probably more elegant ways to accomplish this:

 if destination IP is 10.10.10.10 SNAT to .15 regardless of TCP port
when CLIENT_ACCEPTED {if { [IP::addr [IP::local_addr] equals 10.10.10.10/32] } 
{log local0. "Export Server [IP::client_addr] sending outbound connection to [IP::local_addr]:[TCP::local_port], applying SNAT 10.10.70.15"
snat 10.10.70.15 }

 if tcp port matches anything in the switch list use .70 snat
switch [TCP::local_port] {
"104" -
"4000" -
"12000" -
"7400" {
    if {[IP::addr [IP::local_addr] not 10.10.10.10/32] }{
        snat 10.10.70.70
        log local0. “Host with IP address [IP::client_addr] sending outbound connection to [IP::remote_addr]:[TCP::local_port], applying SNAT 10.10.70.70”
    }
}
 otherwise don't do anything...
default {
}
}
}
  • noahshelton_237's avatar
    noahshelton_237
    Icon for Nimbostratus rankNimbostratus
    Aug 26, 2016

    This makes more sense, I'll test it.

     

    I always forget about checking for a negative match in my logic.

     

  • noahshelton_237's avatar
    noahshelton_237
    Icon for Nimbostratus rankNimbostratus
    Aug 26, 2016

    Ugh... the only operand for IP:addr looks to be 'equals'....

     

  • AJ_01_135899's avatar
    AJ_01_135899
    Icon for Cirrostratus rankCirrostratus
    Aug 26, 2016

    Hmm, that's unfortunate. Mabye ne, not equals or != ? If none of those work I'd just flip the logic around.

     if destination IP is 10.10.10.10 SNAT to .15 regardless of TCP port
when CLIENT_ACCEPTED {if { [IP::addr [IP::local_addr] equals 10.10.10.10/32] } 
{log local0. "Export Server [IP::client_addr] sending outbound connection to [IP::local_addr]:[TCP::local_port], applying SNAT 10.10.70.15"
snat 10.10.70.15 }

 if tcp port matches anything in the switch list use .70 snat
switch [TCP::local_port] {
"104" -
"4000" -
"12000" -
"7400" {
    if {[IP::addr [IP::local_addr] equals 10.10.10.10/32] }{
        do nothing        
    }
    else{
        snat 10.10.70.70
        log local0. “Host with IP address [IP::client_addr] sending outbound connection to [IP::remote_addr]:[TCP::local_port], applying SNAT 10.10.70.70”
    }
}
 otherwise don't do anything...
default {
}
}
}
  • noahshelton_237's avatar
    noahshelton_237
    Icon for Nimbostratus rankNimbostratus
    Aug 26, 2016

    Yeah I'll have to tinker... just to get the functionality I need out the door falling back to a bunch of if statements...

    when CLIENT_ACCEPTED {

if {[TCP::local_port] equals "104"}{
snat 10.10.70.70}

if {[TCP::local_port] equals "4000"}{
snat 10.10.70.70}

if {[TCP::local_port] equals "7400"}{
snat 10.10.70.70}

if {[TCP::local_port] equals "12000"}{
snat 10.10.70.70}

if { [IP::addr [IP::local_addr] equals 10.10.10.10/32]} {
log local0. "Export Server [IP::client_addr] sending outbound connection to [IP::local_addr]:[TCP::local_port], applying SNAT 10.10.70.15"
snat 10.10.70.15}

}