Forum Discussion
Get information about Self-IPs in iRule
I have a need for an iRule that enables SNAT if the client and server addresses are in the same subnet. In practice, this only happens if the client and server addresses are on directly connected subnets.
I expect the iRule would look something like this:
when LB_SELECTED {
    # Look up which self-IP network (if any) each address falls into.
    set client_net [class match -name [IP::client_addr] equals "self-ip-nets"]
    set server_net [class match -name [IP::server_addr] equals "self-ip-nets"]
    # SNAT only when both addresses matched the same directly connected network.
    # Tcl variables must be dereferenced with $; the empty-string check avoids
    # SNATing when neither address matched any entry.
    if { $client_net ne "" && $client_net eq $server_net } {
        snat automap
    }
}
But that depends on the existence of a class called "self-ip-nets" that I would have to maintain separately from the actual device configuration, and that's an administrative overhead that's likely to break down.
I can't just assume that all subnets are of a particular size, because they're not.
Is there any way to get information about the locally connected networks on the LTM, specifically including netmask information, inside an iRule?
5 Replies
- Mohamed_Lrhazi
Altocumulus
You probably don't need to know the selfip, it is the same subnet as the server right?
when LB_SELECTED {
    set ClientIP [clientside {IP::remote_addr}]
    set VirtualIP [clientside {IP::local_addr}]
    set NodeIP [LB::server addr]
    if { [IP::addr $ClientIP/24 equals $NodeIP/24] } {
        if { $static::debug != 0 } {
            log local0. "SNAT Client: $ClientIP to VIP: $VirtualIP targeting Node: $NodeIP"
        }
        snat $VirtualIP
    }
}
- IheartF5_45022
Nacreous
Hi, I think this might work for you. I have assumed that you use a mix of 24/25/26 masks; adjust as appropriate (following code not tested BTW):
when LB_SELECTED {
    # Try the narrowest mask first; a Tcl list literal needs braces, not brackets.
    foreach mask {26 25 24} {
        # Compare the client address with the selected pool member's address.
        if { [IP::addr [clientside {IP::remote_addr}]/$mask equals [LB::server addr]/$mask] } {
            snat automap
            break
        }
    }
}
- wfaulk_98141
Altostratus
The problem with this idea is that if two hosts are in two different narrow networks that happen to be in the same supernet, it will SNAT unnecessarily. As a concrete example, if I have two hosts, 192.168.0.2/26 and 192.168.0.254/26, your iRule will SNAT those hosts even though they aren't in the same subnet. This is why I want to be able to get information about the Self-IPs: in order to get netmask information.
- IheartF5_45022
Nacreous
Right. Good point. I'm afraid you are out of luck - you can't get the self-ip info from an iRule. You'll either need to snat everything or maintain a list of networks (which I agree is unwieldy).
- IheartF5_45022
Nacreous
Actually I do have one more idea which would only work if your pools only contain members from a single subnet.
Set yourself a pool naming standard that includes the mask length of the members' subnets in a consistent position, i.e. pl_dns_26, pl_mysite_http_24. Then you can extract the mask info from the pool name.
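An iRule that implements the pool-naming workaround above, added here as an example rather than code from any of the posters. It assumes every member of a pool sits in one IPv4 subnet, that the mask length is the last underscore-separated field of the pool name (pl_mysite_http_24), and that a pool without such a suffix should simply not be SNATed.

```tcl
# Added example: SNAT only when the client and the selected pool member share
# a subnet, using the mask length encoded in the pool name (assumed convention:
# last "_" field, e.g. pl_mysite_http_24). Assumes IPv4 and single-subnet pools.
when LB_SELECTED {
    set pool_name [LB::server pool]
    set mask [lindex [split $pool_name "_"] end]

    # Pools that do not follow the naming standard get no SNAT; log it so the
    # misnamed pool shows up in /var/log/ltm instead of failing silently.
    if { ![string is integer -strict $mask] || $mask < 1 || $mask > 32 } {
        log local0. "Pool $pool_name carries no mask suffix; not SNATing"
        return
    }

    set client_ip [IP::client_addr]
    set server_ip [LB::server addr]

    # Compare both addresses under the pool's own prefix length, so two hosts in
    # different /26s of the same /24 are correctly treated as different subnets.
    if { [IP::addr $client_ip/$mask equals $server_ip/$mask] } {
        log local0. "Client $client_ip and node $server_ip share /$mask (pool $pool_name); SNAT automap"
        snat automap
    }
}
```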