Forum Discussion
davec_20224
Nimbostratus
NimbostratusSNAT if client IP is a pool member?
I've seen the end of:
http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT.html
but that assumes each backend subnet is a /24, which is not currently true of my setup.
I haven't figured out a way to programmatically obtain the netmask associated with LB::server_addr with iRules, but I think it might be possible to obtain a list of all of the IPs in the pool and compare against that. Unfortunately I don't quite have the iRule foo yet, so I was hoping someone could help me fill in the blanks:
when LB_SELECTED {
if {[IP::addr "[IP::client_addr]" ***in list of node IPs for pool***]} {
snat automap
}
}
I realize I could also just make two separate virtual servers -- one on the external VLAN without SNAT & one on the internal VLAN with SNAT -- but somehow this seems more elegant.
Thanks,
Dave C.
1 Reply
hoolioCirrostratus
Hi Dave,
The active_members -list command (Click here) returns a TCL list of the IP and port of the active pool members of a given pool. You'd need to loop through each list element and compare the client IP to the IP address from the element. I think it's a novel concept, but not very efficient to implement compared with creating two separate VIPs for the two types of traffic handling.
Now, if there was an active_nodes -list command (Click here), you could do something like:when CLIENT_ACCEPTED { if {[matchclass [IP::client_addr] equals [active_nodes -list [LB::server pool]]]}{ log local0. "[IP::client_addr] a member of pool [LB::server pool]" snat automap } }
Oddly enough, in 9.4.7, [active_nodes -list $pool] doesn't trigger a syntax or a runtime error--it just returns the same thing that active_members -list does?!
[active_nodes [LB::server pool]]: 1
[active_nodes -list [LB::server pool]]: {10.11.2.201 82}
[active_members -list [LB::server pool]]: {10.11.2.201 82}
Aaron
