For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

bezeqint's avatar
bezeqint
Icon for Nimbostratus rankNimbostratus
Jan 25, 2016

help with irule for snat

i've got two different irules that working fine , but not together 😞 and i need both irules features in the same VIP. iRule_AutoMap_Networks when CLIENT_ACCEPTED { # Check if the client IP...
BIG-IP
iRules
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Jan 25, 2016

Hi Bezeqint,

the return command would just stop the current iRule from further processing. To stop additional code you may have to combine the independent events into a single iRule...

iRule (combined)

 

when CLIENT_ACCEPTED {
     Check if the client IP address is a member of the address data group named AutoMap_Hosts if { [matchclass [IP::client_addr] equals AutoMap_Hosts]} {
     Check if the client's destination port is in the AutoMap_Ports integer data group
    if { [matchclass [TCP::local_port] equals AutoMap_Ports]} {

         Default action is to not SNAT
        snat automap

         Exit this event to avoid disabling SNAT below
        return
    }

     Check if the client IP address is a member of the address data group named No_AutoMap_Hosts if { [matchclass [IP::client_addr] equals No_AutoMap_Hosts]} {
     Check if the client's destination port is in the No_AutoMap_Ports integer data group
    if { [matchclass [TCP::local_port] equals No_AutoMap_Ports]} {

         Default action is to not SNAT
        snat none

         Exit this event to avoid disabling SNAT below
        return
    }
}

 

... or additionally issue the command [event CLIENT_ACCEPTED disable] to stop the processing of additional CLIENT_ACCEPTED events...

iRule1

 

when CLIENT_ACCEPTED {
     Check if the client IP address is a member of the address data group named AutoMap_Hosts if { [matchclass [IP::client_addr] equals AutoMap_Hosts]} {
     Check if the client's destination port is in the AutoMap_Ports integer data group
    if { [matchclass [TCP::local_port] equals AutoMap_Ports]} {

         Default action is to not SNAT
        snat automap

         Exit this event to avoid disabling SNAT below
        event CLIENT_ACCEPTED disable
        return
    }
}

 

iRule2

 

when CLIENT_ACCEPTED {
     Check if the client IP address is a member of the address data group named No_AutoMap_Hosts if { [matchclass [IP::client_addr] equals No_AutoMap_Hosts]} {
     Check if the client's destination port is in the No_AutoMap_Ports integer data group
    if { [matchclass [TCP::local_port] equals No_AutoMap_Ports]} {

         Default action is to not SNAT
        snat none

         Exit this event to avoid disabling SNAT below
        event CLIENT_ACCEPTED disable
        return
    }
}

 

Cheers, Kai