Forum Discussion
Rob_78590
Nimbostratus
NimbostratusiRule for SNAT for Host IPs & Supernets based on specific customer
Hi everyone! We currently have an iRule setup to SNAT to a particular IP depending on which customer it is. We specify the customer's host address in the Data Group List and associate it to our IP tha...
hoolio
Cirrostratus
CirrostratusI'd guess the current format is just a host and the corresponding SNAT IP:
client IP | SNAT IP
1.1.1.1 2.2.2.2
Unfortunately, there isn't a simple way to do subnet evaluations against a two-field datagroup. Normally you could use matchclass to evaluate a client IP or subnet against a datagroup of a type "address". But that doesn't allow you to easily configure a corresponding SNAT address. You could loop through the datagroup as a TCL list, use IP::addr (Click here) to evaluate the client IP against the subnet (in CIDR format) and then get the corresponding SNAT IP. It wouldn't be as efficient as using a native class querying command line matchclass, but it should provide the functionality.
So the class would be a string class with this format:
1.1.1.0/24 2.2.2.2
3.1.1.0/20 3.3.3.3
And you could use a rule like this:
when CLIENT_ACCEPTED {
log local0. "[IP::client_addr]:[TCP::client_port]: New connection. Using class: $::ip_snat_class"
Loop through each line in the datagroup
foreach line $::ip_snat_class {
Log the current line by field
log local0. "\$line: $line, IP: [lindex $line 0], SNAT: [lindex $line 1]"
Check if the client IP equals the current line's subnet
if {[IP::addr [client_addr] equals [lindex $line 0]]}{
log local0. "[IP::client_addr]:[TCP::client_port]: Matched [lindex $line 0], using SNAT [lindex $line 1]"
Use the SNAT IP
snat [lindex $line 1]
Exit the loop as we've found a match
break
}
}
}
Which logs this:
: 1.2.2.3:37646: New connection. Using class: {1.2.0.0/16 4.4.4.4} {1.1.1.0/24 2.2.2.2} {3.4.5.0/24 3.3.3.3}
: $line: 1.2.0.0/16 4.4.4.4, IP: 1.2.0.0/16, SNAT: 4.4.4.4
: 1.2.2.3:37646: Matched 1.2.0.0/16, using SNAT 4.4.4.4
Aaron
