SNAT PBR Irule

it seems in case of fastL4 CLIENT_ACCEPTED is triggered before finishing 3-ways handshake.

e.g.

 configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual norf
ltm virtual norf {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        fastL4 { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 7
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
  log local0. ""
  if { [IP::addr [IP::client_addr] equals 172.28.24.1/32] } {
    snat 123.123.123.123
  }
}
when SERVER_CONNECTED {
  log local0. ""
}
}

 trace

[root@ve11a:Active:In Sync] config  tcpdump -nni 0.0 -s0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:54:12.913262 IP 172.28.24.1.56738 > 172.28.24.10.80: S 3457045251:3457045251(0) win 5840  in slot1/tmm0 lis=
11:54:12.913445 IP 123.123.123.123.56738 > 200.200.200.101.80: S 3457045251:3457045251(0) win 5840  out slot1/tmm0 lis=/Common/norf

 /var/log/ltm

[root@ve11a:Active:In Sync] config  cat /var/log/ltm
Dec  9 11:54:10 ve11a notice tmm1[14890]: 013e0001:5: Tcpdump starting bcast on 127.1.1.3:2 from 127.1.1.1:35239
Dec  9 11:54:10 ve11a notice tmm[14890]: 013e0001:5: Tcpdump starting bcast on 127.1.1.2:2 from 127.1.1.1:35239
Dec  9 11:54:12 ve11a info tmm[14890]: Rule /Common/qux :
Dec  9 11:54:18 ve11a notice tmm1[14890]: 013e0002:5: Tcpdump stopping on 127.1.1.3:2 from 127.1.1.1:35239
Dec  9 11:54:18 ve11a notice tmm[14890]: 013e0002:5: Tcpdump stopping on 127.1.1.2:2 from 127.1.1.1:35239