Forum Discussion

genseek_32178
Jun 18, 2012

iRule Processing

Hi,

We have the following config for a wildcard VS with an iRule:

    virtual vs_vl10
        pool pl_vl10
        destination any:any
        mask 0.0.0.0
        rules rule_vl10
        profiles fastl4-pr
        vlan 10 enable

    rule rule_vl10 {
        when CLIENT_ACCEPTED {
            if { [matchclass [IP::local_addr] equals gol_networks] } {
                snat none
                pool pl_vln10
            } else {
                snatpool vln20
                pool pl_vl20
            }
        }
    }

vl10 - 10.10.10.x/24, vl20 - 20.20.20.x/24, snatpool vln20 - 20.20.20.99

    gol_networks {
        {
            network 1.1.1.1
            network 172.20.20.x/24
            network 10.210.0.0/24
            network 203.36.135.192/27
        }
    }

Issue: how does the iRule work here?

Does "when CLIENT_ACCEPTED" mean packets coming from external clients to the LTM?

    when CLIENT_ACCEPTED { if { [matchclass [IP::local_addr] equals gol_networks] } {

Here, does "[IP::local_addr] equals gol_networks" mean the destination in the packets coming to the LTM

OR

does it mean the destination in the packets going out of the LTM?

5 Replies

  • Hi genseek,

    The CLIENT_ACCEPTED event is fired when an external client establishes a connection to the LTM.

    The IP::local_addr event is context based. It can either be the IP Address of the Virtual Server that the client connects to, or the Self-IP Address that the LTM uses to communicate with the Server.

    I would suggest that you use the more specific calls so that you know exactly what you are asking for and getting:

    IP::client_addr
    IP::server_addr

    Also, in v10.x.x and up you are going to want to start using "class match" instead of "matchclass".

    See the class command for more details.

    Hope this helps.
  • The client's destination IP (the virtual server IP if it's a host virtual instead of a network virtual) can only be retrieved using IP::local_addr in the clientside context. To get the client or server IP addresses, Michael's suggestion makes sense.

    "[IP::local_addr] equals gol_networks -- means destination in the pkts coming to LTM"

    That's correct.

    See your earlier post for a link to a thread with more detail on clientside versus serverside context:

    https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2163322/showtab/groupforums/Default.aspx ->

    https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/10187/showtab/groupforums/Default.aspx10235

    Aaron
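
Added example, not code from any poster in this thread: the rule from the question rewritten with "class match" (v10.x and up), with a log line in each context to show what IP::local_addr returns on the clientside versus the serverside. The object names (gol_networks, vln20, pl_vln10, pl_vl20) are the ones from the question; the log statements and the SERVER_CONNECTED handler are illustrative additions.

```tcl
# Added example. Data group, SNAT pool and pool names come from the question;
# the logging is an illustrative addition for tracing the decision.
when CLIENT_ACCEPTED {
    # Clientside context: IP::local_addr is the destination address of the
    # packets arriving from the client (on a wildcard virtual, the address
    # the client was actually trying to reach).
    set dst [IP::local_addr]

    if { [class match $dst equals gol_networks] } {
        snat none
        pool pl_vln10
        set choice "snat none / pl_vln10"
    } else {
        snatpool vln20
        pool pl_vl20
        set choice "snatpool vln20 / pl_vl20"
    }
    log local0.info "clientside: client=[IP::client_addr] dst=$dst -> $choice"
}

when SERVER_CONNECTED {
    # Serverside context: IP::local_addr is now the source address the LTM
    # uses toward the server, and IP::server_addr is the serverside destination.
    log local0.info "serverside: src=[IP::local_addr] server=[IP::server_addr]"
}
```

Comparing the two log lines for one connection shows which branch was taken and which source address the server actually sees.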
  • Thanks Michael and Aaron for the responses.

    Is it possible that if the iRule is not applied correctly for some reason, say, incorrect syntax, F5 will not correctly process the traffic that needs to pass via the specific iRule?

    What could be the negative outcomes if the iRule is not applied correctly?

    genseek
  • What do you mean by "not applied correctly"? The iRule should either be enabled on a virtual server or not applied.

    If you've experienced an issue with the iRule or virtual server that you're not sure about, you could open a case with F5 Support to get help diagnosing it.

    Aaron
  • I mean, as I said, incorrect syntax.

    Recently, I came across a situation where we defined the iRule. While creating the iRule we did not get any alerts, but later, maybe after a few days, we saw in the logs that it said invalid command due to incorrect space after IP::addr.

    In these cases, is it possible that even though the iRule got created, some syntax issue may cause it not to process traffic properly?

    genseek.