Forum Discussion

Ferg_104721
Oct 30, 2011

Syntax on iRule for NATting

Hi

I am writing an iRule to do some NATting (long story, I know there are better ways). I know the switch statement has a limitation in the number of functions you can have it do, i.e. SNAT and POOL in one catch. The iRule I am implementing is meant to: A. if a specific IP, SNAT to a specific SNAT pool member. I now have a requirement for a specific IP to SNAT and redirect to another pool. I had syntax errors from F5, so I came up with the below; I just wanted to confirm this looks logically correct.

Thanks

    when CLIENT_ACCEPTED {
        # Flag the two sources that must change pool as well as SNAT.
        # Tcl needs "set" to assign; "$c_nat 1" tries to run the value as a command.
        set c_nat 0
        if {[IP::remote_addr] equals "10.X.X.25" or [IP::remote_addr] equals "10.X.X.26"} {
            set c_nat 1
        } else {
            set c_nat 0
        }

        # Note the space between "}" and "{": "}{" is a Tcl syntax error.
        if {$c_nat == 0} {
            # Per-source SNAT member; patterns are exact addresses, so -glob is not needed
            switch -glob [IP::remote_addr] {
                10.X.X.5 { snatpool SNATX member X.X.X.1 }
                10.X.X.6 { snatpool SNATX member X.X.X.2 }
                10.X.X.7 { snatpool SNATX member X.X.X.3 }
                10.X.X.8 { snatpool SNATX member X.X.X.4 }
                10.X.X.9 { snatpool SNATX member X.X.X.5 }
                default { snatpool SNAT }
            }
        } elseif {$c_nat == 1} {
            # These two sources go to a different pool and a different SNAT pool
            pool poo_2
            switch -glob [IP::remote_addr] {
                10.X.X.25 { snatpool SNATY member X.X.Y.1 }
                10.X.X.26 { snatpool SNATY member X.X.Y.2 }
            }
        } else {
            # Unreachable: c_nat is always 0 or 1 at this point
            log local0. "NAT on F5 has failed"
        }
    }

  • What about this one?

    when CLIENT_ACCEPTED {
       if {[IP::addr [IP::remote_addr] equals "10.X.X.25"]} {
          pool poo_2
          snatpool SNATY member X.X.Y.1
       } elseif {[IP::addr [IP::remote_addr] equals "10.X.X.26"]} {
          pool poo_2
          snatpool SNATY member X.X.Y.2
       } else {
          switch [IP::remote_addr] {
             "10.X.X.5" { snatpool SNATX member X.X.X.1 }
             "10.X.X.6" { snatpool SNATX member X.X.X.2 }
             "10.X.X.7" { snatpool SNATX member X.X.X.3 }
             "10.X.X.8" { snatpool SNATX member X.X.X.4 }
             "10.X.X.9" { snatpool SNATX member X.X.X.5 }
             default { snatpool SNAT }
          }
       }
    }

    
  • As you do SNAT in any case (the value of c_nat will be 0 or 1), you can put it all in one switch statement, without the -glob.

    when CLIENT_ACCEPTED {
      switch [IP::remote_addr] {
         "10.X.X.5"  { snatpool SNATX member X.X.X.1 }
         "10.X.X.6"  { snatpool SNATX member X.X.X.2 }
         "10.X.X.7"  { snatpool SNATX member X.X.X.3 }
         "10.X.X.8"  { snatpool SNATX member X.X.X.4 }
         "10.X.X.9"  { snatpool SNATX member X.X.X.5 }
         "10.X.X.25" { snatpool SNATY member X.X.Y.1 }
         "10.X.X.26" { snatpool SNATY member X.X.Y.2 }
         default     { snatpool SNAT }
      }
      # if this is your only pool, leave the statement here; otherwise put it in the switch action
      pool poo_2
    }

    Regards

    Kurt Knochner
  • I think Kurt's example looks simpler. By the way, if I am not wrong, I understand only 10.x.x.25 and 10.x.x.26 use pool poo_2. So you have to move pool poo_2 into the switch's code block.
  • Thanks nitass, doing it without setting the variable does look better. Thanks also Kurt. I will have a play with both.
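
The following iRule is an added example, not code posted by anyone in the thread. It combines Kurt Knochner's single switch with nitass's correction: the `pool poo_2` command sits inside the two cases that need it, which also shows that a switch case body is ordinary Tcl and can run both `pool` and `snatpool`. The names SNATX, SNATY, SNAT, poo_2 and the 10.X.X.* / X.X.X.* addresses are the thread's own placeholders and must be replaced with real objects before use.

```tcl
# Added example for the thread above (not the original poster's rule).
# One CLIENT_ACCEPTED switch chooses both the SNAT translation and,
# for two sources, the pool. Placeholders (SNATX, SNATY, SNAT, poo_2,
# 10.X.X.* and X.X.X.*) come from the thread and are not real objects.
when CLIENT_ACCEPTED {
    # switch does exact string matching on the client address, so -glob is
    # unnecessary and would only matter if a pattern contained * or ?.
    # "--" ends option parsing so the address can never be read as an option.
    switch -- [IP::remote_addr] {
        "10.X.X.5"  { snatpool SNATX member X.X.X.1 }
        "10.X.X.6"  { snatpool SNATX member X.X.X.2 }
        "10.X.X.7"  { snatpool SNATX member X.X.X.3 }
        "10.X.X.8"  { snatpool SNATX member X.X.X.4 }
        "10.X.X.9"  { snatpool SNATX member X.X.X.5 }
        "10.X.X.25" {
            # A case body is plain Tcl: several commands are fine here.
            pool poo_2
            snatpool SNATY member X.X.Y.1
        }
        "10.X.X.26" {
            pool poo_2
            snatpool SNATY member X.X.Y.2
        }
        default {
            # Every other source: shared SNAT pool, and no pool command,
            # so the virtual server's default pool applies.
            snatpool SNAT
        }
    }
}
```

Two practical checks before relying on this: the string patterns only match a single exact address (a request from 10.X.X.50 does not hit the 10.X.X.5 case, but neither does a subnet neighbour), so a range or subnet needs an `if {[IP::addr [IP::remote_addr] equals <network>/<mask>]}` test rather than a switch case; and because `snatpool ... member` pins one translation address per source, confirm each named member actually belongs to the SNAT pool you reference, otherwise the rule fails at load or at runtime rather than silently falling back.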