For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

SNAT pool persistence

Problem this snippet solves: This example shows how select the same SNAT address from the SNAT pool for a given client IP address over multiple connections without tracking the selection in memory. ...
Published Mar 18, 2015
Version 1.0
application delivery
devops
iRules
utility
wonsoo_41223's avatar
wonsoo_41223
Historic F5 Account
Jul 09, 2017

It looks the iRule execution (RULE_INIT) is earlier than loading SNAT pool, so "members -list $snatpool_name" command execution is failed, and static::snat_ips array not be existed. Try to use this code in HTTP_REQUEST. It checks existence of variable/array and set the data again if the variables are not existed. This setting logic will be run for each tmm process.

 

when HTTP_REQUEST {
    if { ![info exists static::array_size] or ![array exists static::snat_ips] } {
        unset -nocomplain static::snat_ips

        set snatpool_name "/Common/my_snat_pool"
        set members_cmd "members -list $snatpool_name"

        set count 0
        foreach snat_ip [eval $members_cmd] {
            set static::snat_ips($count) [lindex $snat_ip 0]
            incr count
        }
        set static::array_size [array size static::snat_ips]
    }

    snat $static::snat_ips([expr {[crc32 [IP::client_addr]] % $static::array_size}])
}