SNAT persistency

This is a fairly large list of requirements and unless I am missing something m,ay be fairly complex to implement. I will try to address as many of the pieces as I can here.

 

 

First assigning a specific member to a snatpool should be pretty straight forward. The command do this is "snatpool [member ". So an example would be "snatpool mysnatpool member 10.1.2.3". In reality you will probably use a variable for the member so

 

 

"snatpool mysnatpool member $some_variable"

 

 

Now the harder part is how are you going to assign the variable. You could create a class containing all of the IPs that are in the snat pool and loop through it using next element. This would take care of getting the list of members but next you would need a way to keep track of them so I am thinking you would need to use the table command.

 

 

So the flow would be check an incoming request to see if it has and existing snat assigned, if it doesn't you would loop through the class file checking each element against the table until you find a snat member that is not in use.

 

 

I am not certain exactly how efficient this would be but I think you could make it work. I am sure others will chime in with there thoughts. It is also entirely possible that I am over complicating this a bit.

Alright, I decided to give this a try. I am sure this irule probably needs some work yet, and it may not be the most efficient, but I think it comes close do doing what you are looking for.

 when HTTP_REQUEST {
Set var with username header 
set uname [HTTP::header "username"]
set clname "snatpool_class"
set searchID [class startsearch "snatpool_example" ]
Check to see if the uname already has a snat
if { [table lookup -subtable "snat_table" $uname] ne "" } {
set snatpool_member [table lookup -subtable "snattable" $uname]
} else {
while { [class anymore $clname $searchID] } {
look up an ip from the class
set snatpool_member [class nextelement -value $clname $searchID]
check to see if the IP has been assigned yet
if { [table lookup -subtable "snat_table" -notouch $snatpool_meember] eq "" } {
add snat assignement to tables
table set -subtable "snat_table" $snatpool_member $uname 300
table set -subtable "snat_table" $uname $snatpool_member 300
local log entry this should be changed to a highspeed log off box.
log local0.info "Snat assignment of $snatpool_member made to $uname"
}
}
}
snatpool mysnatpool member $snatpool_member
HTTP::header remove "username"
}
 

Thank you so much Steve!

 

I need some assistance understanding your iRule.

 

 

1) I need to create a 'data group list' called snatpool_example which will contain all the available IPs to choose from for doing the SNAT.

 

In addition I need to create a 'snatpool' called mysnatpool which will contain the exact same members as snatpool_example data group list?

 

 

2) snatpool_class and snatpool_example are the same? (so its a typo and I need to change them to be same?)

 

 

3) snat_table and snattable are the same? (so its a typo and I need to change them to be same?)

 

 

4) wouldn't it be more efficent to use different tables. one for uname as key and snatpool_member as value and the other table with snatpool_member as key and uname as value?

 

 

5) wouldn't the while go over the entire snatpool even if an available IP is found to be used (since there is no 'exit' or 'return')? can it be changed?

 

Hi Yaniv,

 

Sorry about the typos, I got a bit rushed when I put this together yesterday. Here is an updated version and I changed most of the names to variables so you can call the snatpool and the class anything you like, just update the var. I also fixed the while loop I had something similar in there before but re did the rule before I posted it so I never put it back in. As for sepperate tables I am not sure which would be more efficient, maybe someone else can chime in. Also I have not had a chance to really test and debug this rule, so it may still need some work.

 

 

when HTTP_REQUEST {

 

Set var with username header

 

set uname [HTTP::header "username"]

 

The clname var contains the class name, if you want to call it something else change it here.

 

For the rule to work you will need to create a class matching this name that contains all of the snats.

 

set clname "snatpool_class"

 

The search id is used to search the class file.

 

set searchID [class startsearch $clname ]

 

The mysnatpool var contains the snatpool name, if you want to call it something else change it here.

 

set mysnatpool "snatpool_name"

 

The snattable var contains the snattable name, if you want to call it something else change it here.

 

set snattable "snat_table_name"

 

set counter 0

 

Check to see if the uname already has a snat

 

if { [table lookup -subtable $snattable $uname] ne "" } {

 

set snatpool_member [table lookup -subtable $snattable" $uname]

 

} else {

 

while { ([class anymore $clname $searchID]) and ($counter ne 999) } {

 

look up an ip from the class

 

set snatpool_member [class nextelement -value $clname $searchID]

 

check to see if the IP has been assigned yet

 

if { [table lookup -subtable $snattable -notouch $snatpool_member] eq "" } {

 

add snat assignement to tables

 

table set -subtable $snattable $snatpool_member $uname 300

 

table set -subtable $snattable $uname $snatpool_member 300

 

local log entry this should be changed to a highspeed log off box.

 

log local0.info "Snat assignment of $snatpool_member made to $uname"

 

Set counter var to 999 to end the loop

 

set counter 999

 

}

 

}

 

}

 

snatpool $mysnatpool member $snatpool_member

 

HTTP::header remove "username"

 

}

 

 

Thanks Steve,

 

 

It doesn't seem to be working :(

 

 

There was one typo i fixed (the was a redundant " character in this line 'set snatpool_member [table lookup -subtable $snattable $uname] '

 

 

looking at the log it seems that the $snatpool_member value doesn't get populated for some reason:

 

Mar 23 08:18:28 local/tmm3 info tmm3[5253]: Rule Snat_Persist : Snat assignment of made to ccc

 

 

I created the snat pool and the data group list (class) with the exact same names as in the iRule.

 

 

Any idea what could it be?

 

i added the 2nd line here for debugging:

 

set snatpool_member [class nextelement -value $clname $searchID]

 

log local0.info "clname:=$clname ; searchID=$searchID ; snatpool_member=$snatpool_member"

 

 

And indeed according to the log it seems that the snatpool_member var remains empty:

 

Mar 23 08:46:11 local/tmm2 info tmm2[5251]: Rule Snat_Persist : clname:=snatpool_example ; searchID=class_iter:snatpool_example1 ; snatpool_member=

 

 

(snatpool_example is the name I gave to the class i created)

 

 

I guess it's because the class doesnt contains values, only keys/names.

 

 

So I changes "-value" to be "-name" and now the log looks better:

 

Mar 23 08:55:47 local/tmm2 info tmm2[5251]: Rule Snat_Persist : Snat assignment of 10.107.200.202/32 made to ccc

 

 

 

I'll keep looking into that...

 

 

 

Thanks

 

me again :)

 

 

ok, so the snat assignment itself doesnt seem to work because the following line expects an IP like 10.107.200.202 but I got 10.107.200.202/32

 

snatpool $mysnatpool member $snatpool_member

 

 

How can I get rid of the "/32"?

The /32 is in your data group? If so I would suggest switching from an IP data group to a string and simply put a single IP without the mask on each line.

Awesome!

 

changing the data group to be string instead of IP fixed the problem

 

Thanks a million.

 

 

another question: how can I access the table for debugging? for example I want to see all concurrent assignments of SNAT IP to username and their timeout state? (is there some CLI 'b' command to do it?)

Actually I just did some poking around and found this VERY COOL iRule that Joe wrote for manipulating the session table. It builds a page that allows you to view, edit, import, export the session table all inside of the iRule. He has a really good write up and a video demo.

 

 

http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086401/Session-Table-Control-With-iRules.aspx