Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

davec_20224's avatar
davec_20224
Icon for Nimbostratus rankNimbostratus
Jul 29, 2009

SNAT if client IP is a pool member?

I've seen the end of: http://devcentral.f5.com/wiki/default.aspx/iRules/SelectiveSNAT.html but that assumes each backend subnet is a /24, which is not currently true of my setup. ...
application delivery
dev
devops
irules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jul 29, 2009
Hi Dave,

The active_members -list command (Click here) returns a TCL list of the IP and port of the active pool members of a given pool. You'd need to loop through each list element and compare the client IP to the IP address from the element. I think it's a novel concept, but not very efficient to implement compared with creating two separate VIPs for the two types of traffic handling.

Now, if there was an active_nodes -list command (Click here), you could do something like: 

 
 when CLIENT_ACCEPTED { 
  
    if {[matchclass [IP::client_addr] equals [active_nodes -list [LB::server pool]]]}{ 
  
       log local0. "[IP::client_addr] a member of pool [LB::server pool]" 
       snat automap 
    } 
 }

Oddly enough, in 9.4.7, [active_nodes -list $pool] doesn't trigger a syntax or a runtime error--it just returns the same thing that active_members -list does?!

[active_nodes [LB::server pool]]: 1

[active_nodes -list [LB::server pool]]: {10.11.2.201 82}

[active_members -list [LB::server pool]]: {10.11.2.201 82}

Aaron