For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mmelber14_62984's avatar
mmelber14_62984
Icon for Nimbostratus rankNimbostratus
Sep 19, 2012

Issue with Source based redirection when more than one subnet is added

A background on the situation.

 

We are running a warehouse management system that requires the telnet protocol to use different ports on the backend server for each "warehouse" or location. We have handhelds that utilize a terminal emulator for this telnet service. The application cannot differentiate the particular ports so we are using the F5 to redirect on a source based irule to a specific pool that contains the back end port.

 

When we have more than one subnet within the rule, the rule seems to not redirect properly. If we specify only one subnet to pool mapping the rule works as we can see the handheld is able to login to the correct warehouse through the correct port.

 

Can someone please look at this rule and see if there are any syntax issues. If there is a more efficient way to handle this situation we would like to understand that as well. Anyone's help is appreciated!

 

iRule:

 

when CLIENT_ACCEPTED {

 

if {[IP::addr [IP::client_addr] equals 10.21.72.0/24]}{

 

pool WMS_APP_DEV_TELNET}

 

if {[IP::addr [IP::client_addr] equals 10.22.29.0/24]}{

 

pool WMS_APP_DEV_TELNET}

 

if {[IP::addr [IP::client_addr] equals 10.23.68.0/24]}{

 

pool WMS_APP_DEV_TELNET_4506}

 

if {[IP::addr [IP::client_addr] equals 10.22.189.0/24]}{

 

pool WMS_APP_DEV_TELNET_4506}

 

{ drop }

 

}

 

Thanks,

 

Megan

 

application delivery
dev
devops
iRules

4 Replies

  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Sep 20, 2012
    Megan,

     

    Using the Switch cmd will be more efficient and may sort your issue too.

     

     

    See the following for info:

     

    https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/108/iRules-Optimization-101--01--if-elseif-and-switch.aspx

     

     

    Hope this helps,

     

    N
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Sep 20, 2012
    Megan

    Had a bit of time so thought I'd post my suggestion, nowhere near an LTM at the mo so can't fully test, hope it's right though. 

     
when CLIENT_ACCEPTED {
   switch [IP::addr [IP::client_addr]] {
     "10.21.72.0/24" -
     "10.22.29.0/24" { pool WMS_APP_DEV_TELNET }
     "10.23.68.0/24" -
     "10.22.189.0/24" { pool WMS_APP_DEV_TELNET_4506 }
     }
     default {
    drop }
}

    HTH,

    N
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Sep 20, 2012
    You can't actually use a switch statement to evaluate subnets. The original if/elseif/.../else iRule should work. If that's not working you could add debug logging to each condition and check the logs in /var/log/ltm.

     

     

    It would be more efficient to add the subnets and pool names to an IP address data group and use the class command to perform the lookup:

     

     

    https://devcentral.f5.com/wiki/iRules.class.ashx

     

     

    Aaron
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Sep 20, 2012
    Aaron,

     

    That's interesting, I'm forever learning.

     

     

    What if we use glob and 10.21.72.* etc. instead?

     

     

    Thanks as always,

     

    N