Forum Discussion
RoutingLoop_179
Cirrus
Mar 07, 2013
Dynamic 1:1 SNAT iRule
Hi guys - looking for some feedback regarding my iRule for 1:1 dynamic NAT. e.g. we might use 10/8 on the client inside but then only have a /17 pool on the public outside, although over allocated t...
RoutingLoop_179
Cirrus
Aug 19, 2013
cont...
# loop through subnet until octet3 has reached its maximum allocated value
while {$::oct3 <= $static::oct3end} {
    set ip 217.39.$::oct3.$::oct4
    # note: lookup followed by add is two separate table operations, so two
    # connections arriving together can both see the same address as free
    if { [table lookup -notouch -subtable "DynNatAddreses" $ip] eq "" } {
        log local0. "Free IP: $ip found added to clientDynNat table"
        # reserve the free IP
        table add -subtable "DynNatAddreses" $ip [IP::client_addr] $static::timeout
        # allocate the free IP as client SNAT address
        table add -subtable "ClientDynNat" [IP::client_addr] $ip $static::timeout
        # debugging
        if {$static::debug} {
            log local0. "table lookup in DynNatAddress for $ip: [table lookup -notouch -subtable "DynNatAddreses" $ip]"
            log local0. "table remaining ClientDynNat for [IP::client_addr]: [table timeout -subtable "ClientDynNat" -remaining [IP::client_addr]]"
            log local0. "table timeout DynNatAddreses for $ip: [table timeout -subtable "DynNatAddreses" -remaining $ip]"
        }
        # SNAT the client to the free IP
        snat $ip
        # break the loop - found and allocated an address so no point in cycling through the rest of the pool of IPs
        break
    }
    # increment the last octet of pool
    incr ::oct4
    # if last octet has reached the end of the range increment next octet of IP and start looping through again
    if {$::oct4 > $static::oct4end} {
        incr ::oct3
        set ::oct4 0
    }
}
}
}
Vladimir_Bojko1
Nov 26, 2013
Historic F5 Account
here is my iRule:
# timing on for testing
timing on

when RULE_INIT {
    set ::oct3 1
    set ::oct4 1
    set static::oct3end 1
    set static::oct4end 255
    set static::timeout 60
    set static::debug 1
}

when CLIENT_ACCEPTED {
    # debugging
    if {$static::debug} {
        foreach key [table keys -subtable "ClientDynNat" -notouch] {
            log local0. "table ClientDynNat key: $key"
        }
    }
    if { [set SnatTo [table lookup -subtable "ClientDynNat" [IP::client_addr]]] ne "" } {
        # reset the idle timeout of the dynamic NAT address so it is not re-allocated until the client SNAT times out
        table lookup -subtable "DynNatAddreses" $SnatTo
        log local0. "Found existing snat in ClientDynNat for [IP::client_addr]: [table lookup -notouch -subtable "ClientDynNat" [IP::client_addr]]"
        # debugging
        if {$static::debug} {
            log local0. "table lookup in DynNatAddress for $SnatTo: [table lookup -notouch -subtable "DynNatAddreses" $SnatTo]"
            log local0. "table remaining ClientDynNat for [IP::client_addr]: [table timeout -subtable "ClientDynNat" -remaining [IP::client_addr]]"
            log local0. "table remaining DynNatAddress for $SnatTo: [table timeout -subtable "DynNatAddreses" -remaining $SnatTo]"
        }
        snat $SnatTo
        # test scaffolding: the two deletes below wipe every mapping in both tables on each hit
        log local0. "deleting dynnats in tables"
        table delete -subtable "ClientDynNat" -all
        table delete -subtable "DynNatAddreses" -all
    } else {
        # debugging
        if {$static::debug} {
            foreach key [table keys -subtable "DynNatAddreses" -notouch] {
                log local0. "table DynNatAddreses key: $key"
            }
            log local0. "DynNatAddress table count -- [table keys -subtable "DynNatAddreses" -count]"
            log local0. "no snat for [IP::client_addr]"
        }
        # loop through subnet until octet3 has reached its maximum allocated value
        while {$::oct3 <= $static::oct3end} {
            set ip 217.39.$::oct3.$::oct4
            # table add only inserts if the key is absent and returns the value now stored,
            # so comparing the result with our own address is an atomic reserve
            if { [table add -subtable "DynNatAddreses" $ip [IP::client_addr] $static::timeout] eq "[IP::client_addr]" } {
                log local0. "Free IP: $ip found added to clientDynNat table"
                # allocate the free IP as client SNAT address
                table add -subtable "ClientDynNat" [IP::client_addr] $ip $static::timeout
                # debugging
                if {$static::debug} {
                    log local0. "table lookup in DynNatAddress for $ip: [table lookup -notouch -subtable "DynNatAddreses" $ip]"
                    log local0. "table lookup in ClientDynNat for [IP::client_addr]: [table lookup -subtable "ClientDynNat" [IP::client_addr]]"
                    log local0. "table remaining ClientDynNat for [IP::client_addr]: [table timeout -subtable "ClientDynNat" -remaining [IP::client_addr]]"
                    log local0. "table timeout DynNatAddreses for $ip: [table timeout -subtable "DynNatAddreses" -remaining $ip]"
                }
                # SNAT the client to the free IP
                snat $ip
                # break the loop - found and allocated an address so no point in cycling through the rest of the pool of IPs
                break
            }
            # increment the last octet of pool
            incr ::oct4
            # if last octet has reached the end of the range increment next octet of IP and start looping through again
            if {$::oct4 > $static::oct4end} {
                incr ::oct3
                set ::oct4 0
            }
        }
    }
}
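The allocator logic of the two iRules above, as an added Python model that is not iRule code and not either poster's work: it mimics the two session subtables with idle timeouts and the insert-if-absent, return-what-is-stored behaviour of `table add` that the second rule relies on, so the reservation step, the stable per-client mapping, pool exhaustion and reuse after expiry can be exercised offline. The pool range, timeout and clock are constructed for the demo.

```python
import ipaddress
import time


class TtlTable:
    """Key/value store with per-entry idle timeout, modelling an iRule subtable."""
    def __init__(self, now=time.monotonic):
        self._now = now
        self._d = {}  # key -> [value, expiry, timeout]
    def _live(self, key):
        ent = self._d.get(key)
        if ent is not None and ent[1] <= self._now():
            del self._d[key]  # lazily drop an entry whose idle timer has run out
            return None
        return ent
    def add(self, key, value, timeout):
        """Insert only if absent; return the value held afterwards (BIG-IP `table add` semantics)."""
        ent = self._live(key)
        if ent is None:
            self._d[key] = [value, self._now() + timeout, timeout]
            return value
        return ent[0]
    def lookup(self, key, touch=True):
        """Return the value or None; a touching lookup resets the idle timer like `table lookup`."""
        ent = self._live(key)
        if ent is None:
            return None
        if touch:
            ent[1] = self._now() + ent[2]
        return ent[0]


class DynamicSnat:
    """Two-table 1:1 allocator: SNAT address -> owning client, client -> SNAT address."""
    def __init__(self, pool_cidr, timeout, now=time.monotonic):
        self.pool = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()]
        self.timeout = timeout
        self.addr_to_client = TtlTable(now)  # the posts' "DynNatAddreses" subtable
        self.client_to_addr = TtlTable(now)  # the posts' "ClientDynNat" subtable
    def snat_for(self, client):
        existing = self.client_to_addr.lookup(client)
        if existing is not None:
            self.addr_to_client.lookup(existing)  # refresh the reservation so it is not re-issued
            return existing
        for ip in self.pool:
            # insert-if-absent is the atomic reserve: losing the race returns the other owner
            if self.addr_to_client.add(ip, client, self.timeout) == client:
                self.client_to_addr.add(client, ip, self.timeout)
                return ip
        return None  # exhausted: the caller should log and reject instead of falling through un-SNATed
```

Passing a fake clock as `now` lets the expiry path be tested deterministically; with the default `time.monotonic` the tables age in real time.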