Forum Discussion
genseek_32178
Nimbostratus
Jun 18, 2012
iRule Processing
Hi,
We have the following config for wild card VS with iRule
virtual vs_vl10
pool pl_vl10
destination any:any
mask 0.0.0.0
rules rule_vl10
profiles fastl4-pr
vlan 10 enable
rule rule_vl10 {
   when CLIENT_ACCEPTED {
      if { [matchclass [IP::local_addr] equals gol_networks] } {
         snat none
         pool pl_vln10
      } else {
         snatpool vln20
         pool pl_vl20
      }
   }
}
vl10 - 10.10.10.x/24, vl20 - 20.20.20.x/24, snatpool vln20 - 20.20.20.99
gol_networks {
{
network 1.1.1.1
network 172.20.20.x/24
network 10.210.0.0/24
network 203.36.135.192/27
}
}
Issue - how iRule works here
when CLIENT_ACCEPTED means - packets coming from external clients to LTM?
when CLIENT_ACCEPTED { if { [matchclass [IP::local_addr] equals gol_networks
here IP::local_addr] equals gol_networks -- means destination in the pkts coming to LTM
OR
means destination in the pkts going out of LTM?
5 Replies
- Michael_Yates
Nimbostratus
Hi genseek,
The CLIENT_ACCEPTED event is fired when an external client establishes a connection to the LTM.
The IP::local_addr event is context based. It can either be the IP Address of the Virtual Server that the client connects to, or the Self-IP Address that the LTM uses to communicate with the Server.
I would suggest that you use the more specific calls so that you know exactly what you are asking for and getting:
IP::client_addr
IP::server_addr
Also, in v10.x.x and up you are going to want to start using "class match" instead of "matchclass".
See the class command for more details.
Hope this helps.
- hoolio
Cirrostratus
The client's destination IP (the virtual server IP if it's a host virtual instead of a network virtual) can only be retrieved using IP::local_addr in the clientside context. To get the client or server IP addresses, Michael's suggestion makes sense.
here IP::local_addr] equals gol_networks -- means destination in the pkts coming to LTM
That's correct.
See your earlier post for a link to a thread with more detail on clientside versus serverside context:
https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2163322/showtab/groupforums/Default.aspx ->
https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/10187/showtab/groupforums/Default.aspx10235
Aaron
- genseek_32178
Nimbostratus
Thanks Michael and Aaron for the responses.
Is it possible that if the iRule is not applied correctly for some reason, say, incorrect syntax..F5 will not correctly process the traffic that needs to pass via the specific iRule?
What could be the negative outcomes if iRule is not applied correctly?
genseek
- hoolio
Cirrostratus
What do you mean by "not applied correctly"? The iRule should either be enabled on a virtual server or not applied.
If you've experienced an issue with the iRule or virtual server that you're not sure about, you could open a case with F5 Support to get help diagnosing it.
Aaron
- genseek_32178
Nimbostratus
I mean...as I said...incorrect syntax.
Recently, I came across a situation...where we defined the iRule...while creating the iRule...we did not get any alerts...but later, maybe after a few days...we saw in the logs...it said...invalid command due to incorrect space after IP::addr...
In these cases...is it possible that even though the iRule got created...but with some syntax issue...it may not process traffic properly?
genseek.
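Added example, not part of any post in this thread: the rule from the original question rewritten with "class match" as suggested in the first reply, with log lines that show what IP::local_addr returns in the clientside and the serverside context. It assumes v10.x or later and that gol_networks is an address-type data group; the log messages and the SERVER_CONNECTED block are additions for illustration.

```tcl
when CLIENT_ACCEPTED {
    # Clientside context: IP::local_addr is the destination address of the
    # packet the client sent to the LTM. On a wildcard (any:any) virtual
    # server this is the real destination the client asked for.
    set dst [IP::local_addr]

    if { [class match $dst equals gol_networks] } {
        # Destination is listed in gol_networks: forward without SNAT.
        snat none
        pool pl_vln10
        log local0. "client [IP::client_addr] -> $dst matched gol_networks: snat none, pool pl_vln10"
    } else {
        # Any other destination: source-translate using snatpool vln20.
        snatpool vln20
        pool pl_vl20
        log local0. "client [IP::client_addr] -> $dst not in gol_networks: snatpool vln20, pool pl_vl20"
    }
}

when SERVER_CONNECTED {
    # Serverside context: the same command now returns the source address
    # the LTM uses toward the pool member (the SNAT address, or the client
    # address when snat none was selected), not the client's destination.
    log local0. "serverside: local [IP::local_addr] -> server [IP::server_addr]"
}
```

The log statements fire on every connection, so they are for testing only and should be removed once the behaviour is confirmed.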
