jwlarger
Sep 27, 2019

Legacy iRule generating constant error logs

This iRule is verbatim from DevCentral 4 or 5 years ago.

 

when CLIENT_ACCEPTED {
  # Check if the client IP address is a node in the VIP's default pool and active
  if {[matchclass [IP::client_addr] equals [active_nodes -list [LB::server pool]]]}{
    # log local0. "SNAT'ing for [IP::client_addr], member of pool [LB::server pool]"
    snat automap
  }
}

 

I see the following errors (tens of thousands per day):

 

Sep 27 04:02:42 slot1/someltm err tmm1[17681]: 01220001:3: TCL error: /Common/SNAT_Real_To_VIP <CLIENT_ACCEPTED> - invalid matchclass operands - no class or list type found, lhs: ip, rhs: (line 2)   invoked from within "matchclass [IP::client_addr] equals [active_nodes -list [LB::server pool]]"

 

I understand that matchclass was deprecated and should be replaced by 'class match', but I am unable to find a ref for updating the rule to eliminate the constant errors for 11.6.3.

 

 

2 Replies

  • Hi

     

    Matchclass or class match are used to compare against Data Groups but I don't see one defined in your code and the error being returned indicates the same. Therefore, try this

     

    when CLIENT_ACCEPTED {
      # Check if the client IP address is a node in the VIP's default pool and active
      if {[IP::client_addr] equals [active_nodes -list [LB::server pool]]}{
       # log local0. "SNAT'ing for [IP::client_addr], member of pool [LB::server pool]"
       snat automap
      }
    }
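An added example, not code from the thread or from F5: because `active_nodes -list` returns a Tcl list of addresses, the membership check can be written with plain list commands, with no data group involved. It also guards the cases where there is no default pool or no active member, the latter being consistent with the empty `rhs:` in the logged error. It assumes the list entries are formatted the same way as `IP::client_addr`.

```tcl
when CLIENT_ACCEPTED {
    # LB::server pool is empty when the virtual server has no default pool.
    set pool [LB::server pool]
    if { $pool eq "" } { return }

    # Tcl list of the addresses of the pool members currently marked up.
    set active [active_nodes -list $pool]

    # No member is up: nothing to compare against, so skip the check.
    if { [llength $active] == 0 } { return }

    # lsearch -exact compares the client address against each list element
    # as a literal string and returns -1 when there is no match.
    # Assumption: list entries and IP::client_addr use the same format
    # (for example, the same route-domain suffix, if any).
    if { [lsearch -exact $active [IP::client_addr]] >= 0 } {
        # log local0. "SNAT'ing for [IP::client_addr], member of pool $pool"
        snat automap
    }
}
```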