For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Rlohman_77883's avatar
Rlohman_77883
Historic F5 Account
Jul 29, 2008

Opimization and Error Question

Hi,     Just a quick question or two:     1. Is this the best optimization for this iRule or would something like a switch statement be better? I'm looking for lowest cpu utiliza...
application delivery
dev
devops
iRules
Ian_Smith's avatar
Ian_Smith
Ret. Employee
Jul 29, 2008
Switch is a great way to make selective snat assignments: 

 
 when CLIENT_ACCEPTED { 
     switch [ IP::client_addr ] { 
         10.10.1.1 { snat 10.20.1.1 }      
         10.10.1.2 { snat 10.20.1.2 }      
         10.10.1.3 - 
         10.10.1.4 - 
         10.10.1.5 { snat 10.20.1.3 }      
         default { snat automap }           
         } 
 }

the problem is that you don't get a terrific way to use network blocks with switch, so you can do string matching: 

 
 when CLIENT_ACCEPTED { 
     switch -glob [ IP::client_addr ] { 
         "10.10.1.1*" { snat 10.20.1.1 }      
         "10.10.1.2*" { snat 10.20.1.2 }      
         "10.10.1.3*" - 
         "10.10.1.4*" - 
         "10.10.1.5*" { snatpool snat_pool_1 }      
         default { snat automap }           
         } 
 }

there is also a -regexp option for switch, which I suppose might be more efficient than a classmatch, but probably not enough to be worth the effort.

The error seems to be saying you've run out of automap ports - which makes sense as you are automapping about seventeen thousand addresses in this rule, and using at least one other irule to assign snats. Add on a couple of virtual servers, some profiles with long timeouts, and some long-lived sessions and that automap pool of 60000 or so ports can get chewed up.