Forum Discussion
Bilal_9919
Dec 03, 2011 (Nimbostratus)
iRule to change Destination IP
Hello Team,
I am using a clone pool to duplicate the syslog packets to syslog-ng. I see the packets being duplicated on the F5 and forwarded to the host in the clone pool, both by running Wireshark on syslog-ng and from the utilisation counter on the F5. This is the traffic flow:
1. Client sends syslog messages to the F5 VIP (1.1.1.1);
2. F5 receives the packet and sends it to the standard load balancing pool (2.2.2.2);
3. At the same time, the packet is duplicated and sent to the clone pool member syslog-ng (3.3.3.3);
4. The duplicated packet sent to syslog-ng doesn't change the packet destination IP and still preserves it as the F5 VIP 1.1.1.1. When the packet is received on 3.3.3.3 the destination MAC is that of 3.3.3.3, but the destination IP is 1.1.1.1. I can confirm this via Wireshark and see it on the physical interface, but the IP layer check discards the packet because of the mismatch between MAC and IP.
I confirmed this by assigning the secondary IP 1.1.1.1 on syslog-ng, and I started receiving the packets... just a nasty trick. The clone pool is doing its job by not changing the destination IP, as it was designed for IDS.
I am thinking of writing an iRule to change the destination IP from 1.1.1.1 to syslog-ng (3.3.3.3) when the packet is duplicated and before it is sent on the wire.
I am not a good programmer, so could someone please help in writing this iRule.
Thanks in advance.
- nitass (Employee): Not sure if this is acceptable instead of changing the destination IP.

[root@ve1023:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:514
   ip protocol 17
   rules myrule
}
[root@ve1023:Active] config # b pool foo list
pool foo {
   members 200.200.200.101:514 {}
}
[root@ve1023:Active] config # b pool syslog_server_pool list
pool syslog_server_pool {
   members 200.200.200.111:514 {}
}
[root@ve1023:Active] config # b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
      # open a UDP high-speed-logging handle to the second syslog pool
      set hsl [HSL::open -proto UDP -pool syslog_server_pool]
   }
   when CLIENT_DATA {
      # send a copy of each datagram's payload to that pool
      HSL::send $hsl [UDP::payload]
   }
}

on 200.200.200.101
[root@centos101 ~]# nc -l -u 514
<106>This is a test message generated by Kiwi SyslogGen

on 200.200.200.111
[root@centos111 ~]# nc -l -u 514
<106>This is a test message generated by Kiwi SyslogGen
- Bilal_9919 (Nimbostratus): Thanks Nitass - It seems you are suggesting not to use the clone pool functionality and to employ an HSL iRule to replicate the syslog packets to another destination. To be honest, if that works, I don't mind, as long as packets are sent to two pools: one standard pool that will be used for load balancing and another pool containing the syslog servers.
- Zachary_101609 (Nimbostratus): I'm actually in need of pretty much an identical solution (need to rewrite the destination IP on the clone pool for UDP syslog traffic, or the equivalent). Bilal, were you able to get this to work as you wished?
- Bilal_9919 (Nimbostratus): Thank you guys - I was able to make it work by duplicating the syslog messages to two different sources. With the clone pool, it was duplicating, but with the same destination IP. I created an iRule and it does duplicate events to two different destinations; however, it was sending 3 messages altogether, meaning two copies of the same message to destination 1 and one unique message to destination 2.
- Bilal_9919 (Nimbostratus): Just realised that you are right Zachary, the source was the F5 self-IP. In order to investigate the syslog messages, we will require the real source, not the F5. Did you find any workaround?
- nitass (Employee): Is it the source IP address in the IP header or in the syslog message? If it is in the syslog message, may we parse the original syslog message and modify it?
- Bilal_9919 (Nimbostratus): It was the source in the IP header, even in the syslog message; however, the syslog message shows both IPs.
- nitass (Employee): These are the tcpdump and stream content of the 2nd syslog server (iRule). The hostname in the message shows the client hostname (ve1100). You know, since it is in the payload, it is not changed by address translation. 172.28.19.80 is the F5 self-IP. I am not aware of how to change the source IP in the IP header.
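A variant of nitass's HSL approach that also records the original sender inside the payload, since the IP header source of the HSL copy is the BIG-IP self-IP; this is an added example, not the thread's own configuration, and the pool name syslog_server_pool and the orig_src= tag are assumptions.

```tcl
# Added example (not from the thread): iRule for the UDP syslog virtual server.
# The original datagram is still load balanced to the virtual's default pool;
# HSL sends a copy to syslog_server_pool (assumed to exist). Remove the clone
# pool from the virtual so the second destination does not get two copies.
when CLIENT_ACCEPTED {
    # One HSL handle per client flow; UDP, distributed across the pool members.
    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
}
when CLIENT_DATA {
    set msg [string trimright [UDP::payload]]
    set src [IP::client_addr]

    # The copy leaves with a BIG-IP self-IP as its IP source, so the real
    # sender is carried in the message body instead. BSD syslog messages
    # start with "<PRI>"; the tag is appended to the MSG part so PRI,
    # timestamp and hostname stay where the collector's parser expects them.
    if { [regexp {^<[0-9]{1,3}>} $msg] } {
        set copy "$msg orig_src=$src"
    } else {
        # No PRI header at all: prefix a local0.info PRI (134) so the
        # collector still accepts the line, then tag it.
        set copy "<134>$msg orig_src=$src"
    }
    HSL::send $hsl $copy
}
```

The first destination still sees the untouched datagram with the client's real source address; only the HSL copy carries the orig_src= tag.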
- Varun_01_133381 (Nimbostratus):
Bilal, Zachary, Nitass,
I am having a similar situation. Can you please share with me the final solution that you got.
Thanks.
Varun
- julien_betacorn (Nimbostratus): Hi, we have a cluster in this situation too. Do you have a fix for this? We are on 11.2. This "changes pending" is really disturbing. Thanks, Julien.