Forum Discussion

Gavin_Coulthar1 (Historic F5 Account)
Sep 16, 2005

Substituting IP addresses for RADIUS proxy

Hi,

Have a query and looking for an iRule that would perform the following...

In a RADIUS proxy application, the RADIUS proxy forwards requests to a legacy RADIUS server, which needs to see the original source IP address rather than the source IP address of the RADIUS proxy. The initial thinking is to have the proxy server add a "Proxy-State" attribute to the request that would contain both the required source IP address and the return IP address, and have the F5 use an iRule (or iRules) to extract the information from the RADIUS request and rewrite the IP addresses as indicated.

The radius request would contain something like this:

Proxy-State = "Source-IP-Address=1.1.1.1, Return-IP-Address=2.2.2.2"

Any thoughts or ideas on how to shape an appropriate rule?
  • unRuleY_95363 (Historic F5 Account)
    You could certainly parse those addresses and then use the node command to set the destination and the snat command to set the source.
  • Gavin_Coulthar1 (Historic F5 Account)
    Thanks very much for that. An example would also greatly assist if you could help; I'm still getting my head around forming iRules.
  • Gavin_Coulthar1 (Historic F5 Account)

    Thanks for the assistance. To fill in the blanks, the traffic is UDP, and the intention is to have available in the body of the RADIUS requests a string of the following form: "Source-IP-Address=1.1.1.1, Destination-IP-Address=2.2.2.2" and use the rule to rewrite the IP header with the 1.1.1.1 and 2.2.2.2 IP addresses. Note that 1.1.1.1 and 2.2.2.2 are numerical strings.
  • Gavin_Coulthar1 (Historic F5 Account)
    Hi,

    Got to the point of testing; the rule is as follows:

    when CLIENT_ACCEPTED {
        log "starting udp payload scan..."
        scan [UDP::payload] "Proxy-State = \"Source-IP-Address=%s, Return-IP-Address=%s\"" src_ip ret_ip
        log "source ip = $src_ip"
        log "return ip = $ret_ip"
        node $src_ip 1812
        snat $ret_ip
    }

    We are getting a "can't read src_ip: no such variable" error. If we simply do 'scan [UDP::payload] %s src_ip' then we get the variable populated up to the first white space, as expected. Any suggestions?
  • ichalis_37981 (Historic F5 Account)
    Hi,

    I have been working with Gavin on this and have made a little progress, but I am not sure if I am doing this the right way. I am using findstr to pull the source and return addresses from the UDP payload (we cannot get scan to work, and documentation is hard to find):

    when CLIENT_ACCEPTED {
        # skip the 18-character label, then read up to the comma
        set src_ip [findstr [UDP::payload] "Source-IP-Address=" 18 ","]
        # here the fourth argument is a character count, not a terminator
        set ret_ip [findstr [UDP::payload] "Return-IP-Address=" 18 8]
        log [UDP::payload]
        log $src_ip
        log $ret_ip
        # snat takes the address directly; "use" is not an iRule command
        snat $ret_ip
    }

    In our test, the UDP payload looks like:

    $ÀÀbÃÃÂTf¯÷¤Â>èÂÂ!6Source-IP-Address=1.1.1.1, Return-IP-Address=2.2.2.2fred7·Ã&ÂaÂÂ

    Although I am logging the correct addresses in the src_ip and dst_ip variables, how do I get around the fact that the IP address fields may vary in size? Any ideas?

    Secondly, when I do a trace on the egress VLAN, I am not seeing the correct source IP being used; the BIG-IP comes up with its own random IP. I suspect this has something to do with how I have saved the value to the variable (ret_ip).

    Any thoughts?
  • Try this (untested!)

    
    scan [UDP::payload] "Source-IP-Address=%u.%u.%u.%u, Return-IP-Address=%u.%u.%u.%u" s1 s2 s3 s4 r1 r2 r3 r4
    set src_ip [format "%u.%u.%u.%u" $s1 $s2 $s3 $s4]
    set dst_ip [format "%u.%u.%u.%u" $r1 $r2 $r3 $r4]
  • Gavin_Coulthar1 (Historic F5 Account)

    Thanks, but no cigar. Getting the following error in the logs:

    Nov 9 11:43:15 tmm tmm[6200]: 01220001:3: TCL error: Rule alternate_rule - can't read "s1": no such variable while executing "format "%u.%u.%u.%u" $s1 $s2 $s3 $s4
  • Oops, Looks like I posted too soon. If you can delimit the end of your string with a comma, then the findstr approach is much better.

    I have one question. Why are you converting temp_src into its components and then reforming them into src_ip? Doesn't temp_src equal src_ip and temp_ret equal ret_ip?

    when CLIENT_ACCEPTED {
      set src_ip [ findstr [UDP::payload] "Source-IP-Address=" 18 ","] 
      set ret_ip [ findstr [UDP::payload] "Return-IP-Address=" 18 ","] 
      log $src_ip
      log $ret_ip
    }

    How is your rule different than this?

    -Joe
  • ichalis_37981 (Historic F5 Account)
    Guys,

    Thanks for the input!!

    We found that if we didn't do this, our snat statement didn't work; we needed to somehow make sure that the format of the data within the variable was in point decimal format for the snat statement to work. Also, our prospect does have control over how he formats the fields, so using the comma as a delimiter should be OK.

    Regards,

    Evan.
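A worked example of the extraction the thread converges on, added here as an editor's illustration and not part of any post above, written in Python rather than as an iRule so it can be run offline. It builds a constructed RADIUS Access-Request carrying the Proxy-State attribute (type 33, RFC 2865) in the position the payload dump above shows it, walks the attribute TLVs so that each value is bounded by its own length byte (which is what makes the "addresses vary in size" question go away: no terminator or character count is needed, and findstr can no longer run into the next attribute), searches for the two labels inside that value, and validates both addresses against an allowlist before handing them back. `anchored_match` reproduces why the scan-based rules above found nothing: like Tcl `scan`, a match anchored at offset 0 runs into the binary RADIUS header first, whereas findstr (and `re.search` here) scans forward. The function names, the allowlist, the fixed authenticator and the sample addresses (RFC 5737 documentation ranges) are this example's own assumptions.

```python
"""Pull the proxy-supplied addresses out of a RADIUS Proxy-State attribute.

Editor's example for the thread above, not code from any post.  The packet,
the addresses and the allowlist are constructed sample data.
"""
import ipaddress
import re
import struct

ACCESS_REQUEST = 1   # RADIUS Code (RFC 2865)
USER_NAME = 1        # attribute type 1
PROXY_STATE = 33     # attribute type 33
HEADER_LEN = 20      # code, identifier, length, 16-byte authenticator

# Same labels the thread uses; each dotted quad may be any length, and the
# first one ends at the comma (the findstr "," approach from the thread).
PROXY_STATE_RE = re.compile(
    rb"Source-IP-Address=([0-9.]+),\s*Return-IP-Address=([0-9.]+)")


def build_access_request(attrs, ident=7):
    """Build a minimal Access-Request from (type, value) pairs.

    The authenticator is a fixed byte string so the sample is deterministic;
    a real client fills it with 16 random bytes.
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    authenticator = bytes(range(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + authenticator + body


def iter_attributes(packet):
    """Yield (type, value) for each attribute TLV, checking every length."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("RADIUS Length field does not fit the datagram")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def extract_proxy_addresses(packet, allowed_cidrs):
    """Return (source_ip, return_ip) from the first usable Proxy-State.

    Both values must parse as IP addresses and fall inside allowed_cidrs;
    anything else raises ValueError instead of reaching a SNAT or node
    decision.  Returns None when no Proxy-State carries the labels.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    for attr_type, value in iter_attributes(packet):
        if attr_type != PROXY_STATE:
            continue
        match = PROXY_STATE_RE.search(value)   # search forward, not anchored
        if not match:
            continue
        addrs = [ipaddress.ip_address(g.decode("ascii")) for g in match.groups()]
        for addr in addrs:
            if not any(addr in net for net in allowed):
                raise ValueError(f"{addr} is not an allowed proxy address")
        return str(addrs[0]), str(addrs[1])
    return None


def anchored_match(packet):
    """What Tcl's scan does: match only from offset 0 of the whole datagram.

    The binary header comes first, so this returns None even though the
    labels are present further in.
    """
    match = PROXY_STATE_RE.match(packet)
    return match.groups() if match else None


# Constructed sample: Proxy-State followed by User-Name "fred", the order the
# thread's payload dump shows, with two quads of different lengths.
SAMPLE_PACKET = build_access_request([
    (PROXY_STATE, b"Source-IP-Address=10.200.31.4, Return-IP-Address=192.0.2.77"),
    (USER_NAME, b"fred"),
])
SAMPLE_ALLOWED = ["10.0.0.0/8", "192.0.2.0/24"]

if __name__ == "__main__":
    print("anchored:", anchored_match(SAMPLE_PACKET))
    print("searched:", extract_proxy_addresses(SAMPLE_PACKET, SAMPLE_ALLOWED))
```

Two points a practitioner would want beside this. First, whoever can send a datagram to the virtual server chooses the contents of Proxy-State, so without something like the allowlist check the sender also chooses which node the request is forwarded to and which source address it appears to come from; the check here is a placeholder for whatever restriction fits the deployment. Second, RFC 2865 requires a Proxy-State attribute to be returned unmodified in the Access-Accept, Access-Reject or Access-Challenge, so the legacy server must echo it for the reply to be matched on the return path.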