
genseek_32178
Jun 18, 2012

iRule Processing




We have the following config for a wildcard VS with an iRule:

virtual vs_vl10 {
   pool pl_vl10
   destination any:any
   rules rule_vl10
   profiles fastl4-pr
   vlan 10 enable
}

rule rule_vl10 {
   when CLIENT_ACCEPTED {
      if { [matchclass [IP::local_addr] equals gol_networks] } {
         snat none
         pool pl_vln10
      } else {
         snatpool vln20
         pool pl_vl20
      }
   }
}

vl10 - 10.10.10.x/24, vl20 - 20.20.20.x/24, snatpool vln20 -

gol_networks {
   network 172.20.20.x/24
}

Issue - how the iRule works here

when CLIENT_ACCEPTED means - packets coming from external clients to LTM?

when CLIENT_ACCEPTED | if { [matchclass [IP::local_addr] equals gol_networks

here IP::local_addr] equals gol_networks -- means destination in the pkts coming to LTM

means destination in the pkts going out of LTM?




5 Replies

  • Hi genseek,



    The CLIENT_ACCEPTED event is fired when an external client establishes a connection to the LTM.



    The IP::local_addr event is context based. It can either be the IP Address of the Virtual Server that the client connects to, or the Self-IP Address that the LTM uses to communicate with the Server.



    I would suggest that you use the more specific calls so that you know exactly what you are asking for and getting:







    Also, in v10.x.x and up you are going to want to start using "class match" instead of "matchclass".



    See the class command for more details.



    Hope this helps.
  • The client's destination IP (the virtual server IP if it's a host virtual instead of a network virtual) can only be retrieved using IP::local_addr in the clientside context. To get the client or server IP addresses, Michael's suggestion makes sense.



    here IP::local_addr] equals gol_networks -- means destination in the pkts coming to LTM



    That's correct.



    See your earlier post for a link to a thread with more detail on clientside versus serverside context:






  • Thanks Michael and Aaron for the responses.

    Is it possible that if the iRule is not applied correctly for some reason, say, incorrect syntax, F5 will not correctly process the traffic that needs to pass via the specific iRule?



    What could be the negative outcomes if iRule is not applied correctly?



  • What do you mean by "not applied correctly"? The iRule should either be enabled on a virtual server or not applied.



    If you've experienced an issue with the iRule or virtual server that you're not sure about, you could open a case with F5 Support to get help diagnosing it.



  • I said ... incorrect syntax.

    Recently, I came across a situation where we defined the iRule. While creating the iRule we did not get any alerts, but later, maybe after a few days, we saw the logs said: invalid command due to incorrect space after IP::addr....

    In this case, is it possible that even though the iRule got created, due to some syntax issue it may not process traffic properly?
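
The points from the replies above (naming the clientside context explicitly, and "class match" on v10.x and up) applied to the rule from the original post, as an added example that is not part of the thread. It assumes v10.x or later and reuses the poster's object names; the catch wrapper, the log line and the reject on error are this example's own choices.

```tcl
# Added example, not the poster's rule. Object names (gol_networks,
# pl_vln10, pl_vl20, vln20) are copied from the original post.
# Assumption: v10.x or later, so "class match" replaces "matchclass".
when CLIENT_ACCEPTED {
    # CLIENT_ACCEPTED already runs in the clientside context, but naming
    # the context makes it unambiguous which address is tested: the
    # destination address of the packet the client sent to the LTM.
    set dst [clientside {IP::local_addr}]

    # catch traps a runtime Tcl error in the decision logic so that it is
    # logged here with the connection details instead of aborting the event.
    if { [catch {
        if { [class match $dst equals gol_networks] } {
            # Destination is inside gol_networks: keep the client source IP.
            snat none
            pool pl_vln10
        } else {
            # Any other destination: translate the source and use pl_vl20.
            snatpool vln20
            pool pl_vl20
        }
    } err] } {
        log local0. "rule_vl10: [IP::client_addr] -> $dst failed: $err"
        # Assumption: failing closed is preferred to forwarding traffic
        # with an undecided SNAT and pool selection.
        reject
    }
}
```

With the error logged per connection, a rule that saved cleanly but fails at runtime shows up in the LTM log on the first affected connection rather than days later.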