Forum Discussion
Rlohman_77883 (Historic F5 Account)
Jul 28, 2008
Optimization and Error Question
Hi,
Just a quick question or two:
1. Is this the best optimization for this iRule or would something like a switch statement be better? I'm looking for lowest cpu utilization:
rule irule_autosnat_generic {
    when CLIENT_ACCEPTED {
        # SNAT automap only clients whose source address is in the dmz_snat_addr class
        # (note the space between the condition braces and the body braces; Tcl
        # rejects "}{" with an "extra characters after close-brace" error)
        if { [matchclass [IP::remote_addr] equals $::dmz_snat_addr] } {
            snat automap
        }
    }
}
class dmz_snat_addr {
    network 64.210.192.192 mask 255.255.255.192
    network 64.210.193.0 mask 255.255.255.0
    network 64.210.194.0 mask 255.255.255.128
    network 64.210.195.0 mask 255.255.255.0
    network 64.210.198.0 mask 255.255.255.0
    network 64.210.199.0 mask 255.255.255.0
    network 172.25.0.0 mask 255.255.0.0
}
2. I have received the error message:
Jul 28 11:00:40 tmm tmm[1279]: 01220001:3: TCL error: Rule irule_autosnat_generic - Address in use (line 2) invoked from within "snat automap"
when using this iRule during heavy traffic periods. Any clues as to what it means?
Thanks in advance,
Russ
1 Reply
- Ian_Smith (Ret. Employee)
Switch is a great way to make selective snat assignments:
when CLIENT_ACCEPTED {
    switch [IP::client_addr] {
        10.10.1.1 { snat 10.20.1.1 }
        10.10.1.2 { snat 10.20.1.2 }
        10.10.1.3 -
        10.10.1.4 -
        10.10.1.5 { snat 10.20.1.3 }
        default { snat automap }
    }
}
the problem is that you don't get a terrific way to use network blocks with switch, so you can do string matching:
when CLIENT_ACCEPTED {
    # glob matching is on the address string: a trailing * also matches longer
    # strings, so "10.10.1.1*" matches 10.10.1.10 through 10.10.1.19 and
    # 10.10.1.100 through 10.10.1.199 as well as 10.10.1.1
    # (comments are kept outside the switch body, where Tcl would treat a
    # "#" line as another pattern)
    switch -glob [IP::client_addr] {
        "10.10.1.1*" { snat 10.20.1.1 }
        "10.10.1.2*" { snat 10.20.1.2 }
        "10.10.1.3*" -
        "10.10.1.4*" -
        "10.10.1.5*" { snatpool snat_pool_1 }
        default { snat automap }
    }
}
there is also a -regexp option for switch, which I suppose might be more efficient than a classmatch, but probably not enough to be worth the effort.
The error seems to be saying you've run out of automap ports - which makes sense as you are automapping about seventeen thousand addresses in this rule, and using at least one other irule to assign snats. Add on a couple of virtual servers, some profiles with long timeouts, and some long-lived sessions and that automap pool of 60000 or so ports can get chewed up.
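The two matching approaches discussed in this thread (class membership versus `switch -glob` string matching) and the port-exhaustion behaviour behind the "Address in use" error can be modelled outside a BIG-IP. The following is an added example, not code from the original post or from F5: a Python 3 script that evaluates the poster's dmz_snat_addr class as CIDR networks, reproduces the reply's glob table so the over-match on trailing `*` is visible, and runs a toy automap allocator. The allocator is a simplification (one port per flow, unique per SNAT address and destination), the SNAT address 203.0.113.10 and the backend 10.0.0.5 are constructed, and the 60000 ports-per-address default is taken from the reply's "60000 or so" remark rather than from a documented constant.

```python
"""
Added example, not code from the original post or from F5: a Python 3 model
of class/CIDR matching versus `switch -glob` string matching, plus a toy
SNAT automap port allocator. Standard library only; port figures are
assumptions.
"""
import fnmatch
import ipaddress

# The poster's dmz_snat_addr class, rewritten in CIDR notation.
DMZ_SNAT_CLASS = [
    "64.210.192.192/26",
    "64.210.193.0/24",
    "64.210.194.0/25",
    "64.210.195.0/24",
    "64.210.198.0/24",
    "64.210.199.0/24",
    "172.25.0.0/16",
]


def match_class(addr, networks=DMZ_SNAT_CLASS):
    """Model of `matchclass [IP::remote_addr] equals $::dmz_snat_addr`:
    True when the address lies inside any network in the class."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in networks)


def class_size(networks=DMZ_SNAT_CLASS):
    """Number of client addresses the class covers, i.e. how many distinct
    sources the rule will automap."""
    return sum(ipaddress.ip_network(net).num_addresses for net in networks)


# The reply's `switch -glob` table as (pattern, action) pairs; first match wins.
GLOB_RULE = [
    ("10.10.1.1*", "snat 10.20.1.1"),
    ("10.10.1.2*", "snat 10.20.1.2"),
    ("10.10.1.3*", "snatpool snat_pool_1"),
    ("10.10.1.4*", "snatpool snat_pool_1"),
    ("10.10.1.5*", "snatpool snat_pool_1"),
]


def match_glob(addr, patterns=GLOB_RULE, default="snat automap"):
    """Model of `switch -glob`: `*` matches any run of characters, so
    "10.10.1.1*" also matches 10.10.1.10-10.10.1.19 and 10.10.1.100-199.
    Use a CIDR class (match_class) when you mean a network, not a prefix."""
    for pattern, action in patterns:
        if fnmatch.fnmatchcase(addr, pattern):
            return action
    return default


class AutomapSimulator:
    """Toy model of automap port allocation (not BIG-IP's real allocator).
    Each active flow holds one source port on a SNAT address, unique per
    (snat_addr, destination). Once every SNAT address has handed out all of
    its ports toward that destination, the next flow fails the way the
    poster's log line shows: "Address in use". ports_per_addr defaults to
    the reply's "60000 or so" figure, an assumption, not a documented value."""

    def __init__(self, snat_addrs, ports_per_addr=60000, networks=DMZ_SNAT_CLASS):
        self.snat_addrs = list(snat_addrs)
        self.ports_per_addr = ports_per_addr
        self.networks = networks
        self.in_use = {}  # (snat_addr, dst) -> ports currently allocated

    def allocate(self, client_addr, dst):
        """Return the SNAT address chosen for this flow, None if the client is
        outside the class (no translation), or raise when the pool is empty."""
        if not match_class(client_addr, self.networks):
            return None
        for snat in self.snat_addrs:
            key = (snat, dst)
            if self.in_use.get(key, 0) < self.ports_per_addr:
                self.in_use[key] = self.in_use.get(key, 0) + 1
                return snat
        raise RuntimeError("Address in use")  # the TCL error from the log line

    def release(self, snat, dst):
        """A flow closed (or idled out): give its port back to the pool."""
        key = (snat, dst)
        if self.in_use.get(key, 0) > 0:
            self.in_use[key] -= 1


if __name__ == "__main__":
    print("class covers", class_size(), "client addresses")
    print("10.10.1.10 under -glob ->", match_glob("10.10.1.10"))
    # Constructed scenario: one automap address, a tiny port budget, and
    # long-lived flows from DMZ clients to a single backend.
    sim = AutomapSimulator(["203.0.113.10"], ports_per_addr=3)
    for i in range(3):
        sim.allocate(f"172.25.0.{i + 1}", ("10.0.0.5", 443))
    try:
        sim.allocate("172.25.0.9", ("10.0.0.5", 443))
    except RuntimeError as err:
        print("fourth flow:", err)
```

The simulator makes the reply's point concrete: the pool is per SNAT address and per destination, so many long-lived flows from any number of class members to the same backend drain it, while flows to a different destination, or a flow that closes and releases its port, still succeed. Adding SNAT addresses (a snatpool instead of automap) or shortening idle timeouts are the levers the model exposes.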