Forum Discussion
Rlohman_77883
Jul 29, 2008 Historic F5 Account
Optimization and Error Question
Hi,
Just a quick question or two:
1. Is this the best optimization for this iRule or would something like a switch statement be better? I'm looking for lowest cpu utilization:
    rule irule_autosnat_generic {
        when CLIENT_ACCEPTED {
            # SNAT only clients whose source address is in the dmz_snat_addr class
            if { [matchclass [IP::remote_addr] equals $::dmz_snat_addr] } {
                snat automap
            }
        }
    }
    class dmz_snat_addr {
        network 64.210.192.192 mask 255.255.255.192
        network 64.210.193.0 mask 255.255.255.0
        network 64.210.194.0 mask 255.255.255.128
        network 64.210.195.0 mask 255.255.255.0
        network 64.210.198.0 mask 255.255.255.0
        network 64.210.199.0 mask 255.255.255.0
        network 172.25.0.0 mask 255.255.0.0
    }
2. I have received the error message:
Jul 28 11:00:40 tmm tmm[1279]: 01220001:3: TCL error: Rule irule_autosnat_generic - Address in use (line 2) invoked from within "snat automap"
when using this iRule during heavy traffic periods. Any clues as to what it means?
Thanks in advance,
Russ
1 Reply
- Ian_Smith, Ret. Employee
Switch is a great way to make selective snat assignments:
    when CLIENT_ACCEPTED {
        switch [ IP::client_addr ] {
            10.10.1.1 { snat 10.20.1.1 }
            10.10.1.2 { snat 10.20.1.2 }
            10.10.1.3 -
            10.10.1.4 -
            10.10.1.5 { snat 10.20.1.3 }
            default { snat automap }
        }
    }
The problem is that you don't get a terrific way to use network blocks with switch, so you can do string matching:
    when CLIENT_ACCEPTED {
        switch -glob [ IP::client_addr ] {
            "10.10.1.1*" { snat 10.20.1.1 }
            "10.10.1.2*" { snat 10.20.1.2 }
            "10.10.1.3*" -
            "10.10.1.4*" -
            "10.10.1.5*" { snatpool snat_pool_1 }
            default { snat automap }
        }
    }
There is also a -regexp option for switch, which I suppose might be more efficient than a classmatch, but probably not enough to be worth the effort.
The error seems to be saying you've run out of automap ports - which makes sense as you are automapping about seventeen thousand addresses in this rule, and using at least one other irule to assign snats. Add on a couple of virtual servers, some profiles with long timeouts, and some long-lived sessions and that automap pool of 60000 or so ports can get chewed up.
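The gap between glob string matching and network/mask matching mentioned in the reply, as an added example that is not part of the original thread. It is written in Python so it can run off-box; `fnmatch` stands in for Tcl glob matching (an assumption that holds for these bracket-free patterns), and the function names are illustrative.

```python
# Added example, not from the thread. fnmatch stands in for Tcl's glob matching.
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Networks copied from the dmz_snat_addr class in the question.
DMZ_SNAT_ADDR = [ip_network(n) for n in (
    "64.210.192.192/255.255.255.192",
    "64.210.193.0/255.255.255.0",
    "64.210.194.0/255.255.255.128",
    "64.210.195.0/255.255.255.0",
    "64.210.198.0/255.255.255.0",
    "64.210.199.0/255.255.255.0",
    "172.25.0.0/255.255.0.0",
)]

def in_class(addr, networks=DMZ_SNAT_ADDR):
    """Network/mask membership: the test an address class lookup performs."""
    ip = ip_address(addr)
    return any(ip in net for net in networks)

def glob_hits(pattern, scope):
    """Addresses in `scope` whose dotted-quad text matches the glob pattern."""
    return [str(ip) for ip in ip_network(scope) if fnmatchcase(str(ip), pattern)]

def glob_mismatch(pattern, network, scope):
    """Return (extra, missed): where a glob and the intended network disagree."""
    net = ip_network(network)
    extra, missed = [], []
    for ip in ip_network(scope):
        by_glob = fnmatchcase(str(ip), pattern)
        if by_glob and ip not in net:
            extra.append(str(ip))      # glob matches, network does not
        elif ip in net and not by_glob:
            missed.append(str(ip))     # network member the glob skips
    return extra, missed

if __name__ == "__main__":
    # "10.10.1.1*" from the reply also matches .10-.19 and .100-.199.
    print(len(glob_hits("10.10.1.1*", "10.10.1.0/24")), "addresses match 10.10.1.1*")
    # Trying to cover the question's /26 with a single glob.
    extra, missed = glob_mismatch("64.210.192.2*", "64.210.192.192/26", "64.210.192.0/24")
    print("extra:", extra)
    print("missed:", missed)
    print(in_class("64.210.192.200"), in_class("64.210.194.128"))
```

Running the same comparison against any glob pattern before it goes into a `switch -glob` rule shows which clients would pick up a SNAT they were not meant to get.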
