Forum Discussion
SNAT IP address logging
- Jun 14, 2023
Hi JohnnyG,
Pretty iRule first.
Why do you add "clientside"
in this line of code:
set clientip "[IP::local_addr clientside]:[TCP::local_port clientside]"
The SNAT IP is not on the client side but on the server side,
so remove it and check again.
I think it should be like this now:
when CLIENT_ACCEPTED {
    # Set logging variables (clientside context: local_addr/local_port is the virtual server)
    set vip "[IP::local_addr]:[TCP::local_port]"
    set reqTime [clock format [clock seconds] -format {%Y/%m/%d %H:%M:%S}]
    set hslHandle [HSL::open -publisher /Common/SNATLog_Publisher]
    # Do the SNAT stuff
    if { [class match [getfield [IP::client_addr] "%" 1] equals internal_nets] } {
        snatpool snat_pool_internal
    } else {
        snatpool snat_pool_external
    }
}
when SERVER_CONNECTED {
    # Get client and server IPs and ports (serverside context: local_addr/local_port is the SNAT address)
    set client "[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]"
    set clientip "[IP::local_addr]:[TCP::local_port]"
    set node "[IP::remote_addr]:[TCP::remote_port]"
}
when CLIENT_CLOSED {
    # Log connection info; the serverside variables only exist if a server connection was made
    if { [info exists node] } {
        HSL::send $hslHandle "$reqTime: Client $client -> SNAT: $clientip -> VIP: $vip -> Node: $node"
    }
}
According to this article:
https://clouddocs.f5.com/api/irules/TCP__local_port.html
I hope this helps you 🙂
- JohnnyG, Jun 14, 2023 (Nimbostratus)
Hi Mohamed,
Thanks for looking at this for me - not sure why the clientside was added, but removing it makes it the same as the value that is being used for the virtual server address:
set vip [IP::local_addr]:[TCP::local_port]
set clientip "[IP::local_addr]:[TCP::local_port]"
Would that also not duplicate the incorrect IP address in the generated logs?
- Jun 14, 2023
Hi JohnnyG,
No, because it depends on which event has been triggered.
set vip [IP::local_addr]:[TCP::local_port]
This will be saved in variable $vip at the client side.
But this:
set clientip "[IP::local_addr]:[TCP::local_port]"
will be saved in variable $clientip when the server-side connection is being established,
so both values are different.
Have a look at this article: https://clouddocs.f5.com/api/irules/TCP__local_port.html
It proves what I say.
- Jun 14, 2023
Another solution:
try to add this in the "SERVER_CONNECTED" event; it will work for you as well:
when SERVER_CONNECTED {
    # This logs information about the TCP connections on *both* sides of the full proxy
    set client_remote "[IP::client_addr]:[TCP::client_port]"
    set client_local "[IP::local_addr clientside]:[TCP::local_port clientside]"
    set server_local "[IP::local_addr]:[TCP::local_port]"
    set server_remote "[IP::server_addr]:[TCP::server_port]"
    log local0. "Got connection: Client($client_remote)<->($client_local)LTM($server_local)<->($server_remote)Server"
}
It will give you this output:
<SERVER_CONNECTED>: Got connection: Client(10.3.3.20:33798)<->(10.3.3.111:80)LTM(10.1.1.110:33798)<->(10.1.1.200:80)Server
This is another way, but your iRule is much prettier, and you can modify it by removing clientside, because adding clientside to local_addr gives a value equal to the virtual server IP,
because that is the client-side event.
You are using both events (client side and server side).
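As an added example (not code from the thread), here is a small Python checker for the HSL line the corrected iRule sends from CLIENT_CLOSED. It parses the four endpoints and flags the symptom JohnnyG asked about, a SNAT field that equals the VIP address (what you get when `clientside` is applied to IP::local_addr in SERVER_CONNECTED), plus the opposite case where the SNAT field equals the client address (no translation observed). The sample lines are constructed from the addresses quoted in the thread; the finding strings and function names are this example's own.

```python
import re
from datetime import datetime

# HSL line format sent from CLIENT_CLOSED: "<reqTime>: Client <ip:port> -> SNAT: <ip:port> -> VIP: <ip:port> -> Node: <ip:port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}): "
    r"Client (?P<client>\S+) -> SNAT: (?P<snat>\S+) -> "
    r"VIP: (?P<vip>\S+) -> Node: (?P<node>\S+)$"
)

FINDING_SNAT_IS_VIP = "SNAT address equals VIP address (clientside context used in SERVER_CONNECTED?)"
FINDING_NO_TRANSLATION = "SNAT address equals client address (no source translation observed)"

def split_endpoint(endpoint):
    # '10.1.1.110:33798' -> ('10.1.1.110', 33798)
    host, _, port = endpoint.rpartition(":")
    return host, int(port)

def parse_line(line):
    """Return a dict with ts and (ip, port) tuples for client/snat/vip/node, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: split_endpoint(v) for k, v in m.groupdict().items() if k != "ts"}
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return rec

def check_record(rec):
    """List the findings for one parsed record; an empty list means the record looks sane."""
    findings = []
    if rec["snat"][0] == rec["vip"][0]:
        findings.append(FINDING_SNAT_IS_VIP)
    if rec["snat"][0] == rec["client"][0]:
        findings.append(FINDING_NO_TRANSLATION)
    return findings

def audit(lines):
    """Pair each raw line with its findings; lines that do not match the format get their own finding."""
    results = []
    for line in lines:
        rec = parse_line(line)
        results.append((line, ["unparseable line"] if rec is None else check_record(rec)))
    return results

# Constructed sample lines built from the addresses quoted in the thread.
SAMPLE_LOGS = [
    "2023/06/14 10:15:02: Client 10.3.3.20:33798 -> SNAT: 10.1.1.110:33798 -> VIP: 10.3.3.111:80 -> Node: 10.1.1.200:80",
    "2023/06/14 10:15:07: Client 10.3.3.21:40112 -> SNAT: 10.3.3.111:80 -> VIP: 10.3.3.111:80 -> Node: 10.1.1.200:80",
    "not a log line",
]
```

Run `audit(SAMPLE_LOGS)` over a real HSL export to spot connections whose SNAT field carries the VIP address; the second sample line reproduces that case.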