Forum Discussion
RoutingLoop_179
Cirrus
Mar 07, 2013
Dynamic 1:1 SNAT irule
Hi guys - looking for some feedback regarding my irule for 1:1 dynamic NAT. e.g we might use 10/8 on the client inside but then have only have a /17 pool on public outside, although over allocated t...
RoutingLoop_179
Cirrus
Aug 19, 2013
cont...
```tcl
# loop through the subnet until octet 3 has reached its maximum allocated value
while { $::oct3 <= $static::oct3end } {
    set ip 217.39.$::oct3.$::oct4
    if { [table lookup -notouch -subtable "DynNatAddreses" $ip] eq "" } {
        log local0. "Free IP: $ip found added to clientDynNat table"
        # reserve the free IP
        table add -subtable "DynNatAddreses" $ip [IP::client_addr] $static::timeout
        # allocate the free IP as the client's SNAT address
        table add -subtable "ClientDynNat" [IP::client_addr] $ip $static::timeout
        # debugging
        if { $static::debug } {
            log local0. "table lookup in DynNatAddreses for $ip: [table lookup -notouch -subtable "DynNatAddreses" $ip]"
            log local0. "table remaining ClientDynNat for [IP::client_addr]: [table timeout -subtable "ClientDynNat" -remaining [IP::client_addr]]"
            log local0. "table timeout DynNatAddreses for $ip: [table timeout -subtable "DynNatAddreses" -remaining $ip]"
        }
        # SNAT the client to the free IP
        snat $ip
        # break the loop: an address was found and allocated, so no point cycling through the rest of the pool
        break
    }
    # increment the last octet of the pool
    incr ::oct4
    # if the last octet has reached the end of the range, increment the next octet and start looping again
    if { $::oct4 > $static::oct4end } {
        incr ::oct3
        set ::oct4 0
    }
}
# the two braces below close the enclosing blocks opened in the first part of the iRule (not shown above)
}
}
```
Vladimir_Bojko1
Nov 26, 2013
Historic F5 Account
Hi,
I have checked your iRule and it works quite well.
The only thing that can happen is a race condition when two clients look up the same IP at the same time and then both write their IPs into the table.
To prevent this you can use the following statement instead:
```tcl
if { [table add -subtable "DynNatAddreses" $ip [IP::client_addr] $static::timeout] eq "[IP::client_addr]" } {
    log local0. "Free IP: $ip found added to clientDynNat table"
    # allocate the free IP as the client's SNAT address
    table add -subtable "ClientDynNat" [IP::client_addr] $ip $static::timeout
    # (debug logging, snat and break follow as in the original rule)
```
When you use the "table add" statement instead: if the entry already exists it is not inserted; if the entry does not exist it will add the table entry. Either way the response is the key value. You have to check if the response equals the client IP you are trying to access. If so, add the second table entry; if not, go to the next step.
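As an added example (not code from either poster above), here is a complete iRule built around the atomic `table add` check from the reply: a client that already holds an address reuses it, otherwise the pool is scanned and each candidate is claimed with a single `table add`, so two connections racing for the same address cannot both win it. The pool prefix `217.39`, the octet ranges, the one-hour timeout and the `static::` variable names are assumptions chosen for illustration; only the two subtable names are taken from the thread. Local `oct3`/`oct4` variables replace the `$::oct3`/`$::oct4` globals of the original, because global variables demote the virtual server from CMP.

```tcl
when RULE_INIT {
    # Assumed pool and lifetimes (illustrative values, not from the thread):
    # a /17 under 217.39 gives third octet 0..127; host octet 1..254 skips .0 and .255
    set static::oct1_2    "217.39"
    set static::oct3start 0
    set static::oct3end   127
    set static::oct4start 1
    set static::oct4end   254
    set static::timeout   3600
    set static::debug     0
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Fast path: the client already holds an address. The lookups are done without
    # -notouch so both entries are refreshed and the mapping lives while the client is active.
    set ip [table lookup -subtable "ClientDynNat" $client]
    if { $ip ne "" } {
        table lookup -subtable "DynNatAddreses" $ip
        snat $ip
        return
    }

    # Slow path: scan the pool for a free address.
    set oct3 $static::oct3start
    set oct4 $static::oct4start
    while { $oct3 <= $static::oct3end } {
        set ip "$static::oct1_2.$oct3.$oct4"
        # Claim the address atomically: table add only inserts when the key is absent and
        # returns the value now stored, so a losing racer sees the other client's address
        # and moves on instead of overwriting the reservation.
        if { [table add -subtable "DynNatAddreses" $ip $client $static::timeout] eq $client } {
            table add -subtable "ClientDynNat" $client $ip $static::timeout
            if { $static::debug } {
                log local0. "allocated $ip to $client"
            }
            snat $ip
            return
        }
        incr oct4
        if { $oct4 > $static::oct4end } {
            incr oct3
            set oct4 $static::oct4start
        }
    }

    # Pool exhausted: fail closed rather than silently falling back to the default SNAT.
    log local0. "dynamic SNAT pool exhausted, rejecting $client"
    reject
}
```

Two caveats worth keeping in mind: the scan is linear, so a new client arriving while the pool is nearly full costs up to one `table add` per pool address on that connection, and both subtable entries are written with the same timeout and touched together on reuse, so an address is only released once the client has been idle for the full timeout.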
