For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

silver's avatar
silver
Icon for Nimbostratus rankNimbostratus
May 19, 2014

Nested if Condition Not working while using switch

Hi,

Am using the outbound connection from a host and based on the destination port the traffic needs to be routed to respective nodes and SNAT to be used.

I have use the below iRule.

when CLIENT_ACCEPTED {

switch [IP::client_addr] {
    192.168.100.1 { if { [TCP::local_port] >= 5566 <= 5580 } { 
                node 172.16.100.1
            snat 10.0.0.10
        } elseif { [TCP::local_port] == 4412 } {
            node 172.16.200.20
            snat 10.0.0.10
        } elseif { [TCP::local_port] == 5000 } {
            node 172.16.100.5
            snat 10.0.0.10
                   }
  }

} }

When i use the above iRule, the first condition only works and am able to connect properly to the destination with the SNAT enabled. But if i try to connect based on the second condition "Port 4412" it is not using the mentioned node as "172.16.200.20" rather than it is using the node as "172.16.100.1" which is stated in the first condition.

Am using the VS IP as my SNAT IP for this connection.

My VS : 10.0.0.10

I have verified using it by loging the TCP connection.

Can anyone help on why the condition is not working as expected.

application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
LTM
security

3 Replies

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    May 19, 2014

    I'm not quite sure why you're using switch for that first part but anyway, the first test expression needs to be this;

    { if ([TCP::local_port] >= 5566) && ([TCP::local_port] <= 5580) }
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    May 19, 2014

    OK, understood. Did you make the adjustment to that line?

     

    If you did, I'd suggest you add some suitable logging statements to see how far you are getting.

     

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    May 22, 2014

    OK, so can you try using this, I've just adjusted the spacing to make things clearer and added appropriate logging, plus a final else to catch any cases that don't match your test expressions;

    switch [IP::client_addr] {
 192.168.100.1 { if ([TCP::local_port] >= 5566) && ([TCP::local_port] <= 5580) } {
                  node 172.16.100.1
                  snat 10.0.0.10
                  log local0. "Client 192.168.100.1 used a port between 5566 and 5580"
               } elseif { [TCP::local_port] == 4412 } {
                  node 172.16.200.20
                  snat 10.0.0.10
                  log local0. "Client 192.168.100.1 used port 4412"
               } elseif { [TCP::local_port] == 5000 } {
                  node 172.16.100.5
                  snat 10.0.0.10
                  log local0. "Client 192.168.100.1 used port 5000"
               } else {
                  log local0. "Client 192.168.100.1 didn't use a port we tested for"
               }
                         }