Interesting twist -- I've never had to SNAT on specific destination IPs through a forwarding virtual server (no defined local address, and the destination addresses are not local objects either.)
To match only specific source IPs, you can create the SNATpool with the same origin filter as above.
To limit the SNAT to only specific destination IPs, I'm thinking the rule would be something like:
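when CLIENT_ACCEPTED {
    # Log the address seen as "local" so the guess can be checked on a forwarding virtual
    log local0. "Local address is [IP::local_addr]"
    # SNAT only when the destination falls inside the listed network
    if { [IP::addr [IP::local_addr] equals x.x.x.0/24] } {
        snatpool mySNATpool
    }
}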
(I'm not 100% certain which IP command would pick up the destination address passing through a forwarding virtual. I'm guessing that it must be "local_addr", but I don't have a way to test a forwarding virtual, so I added a log line to help figure that out.)
You can use a class of type network to list the destination addresses which are SNAT candidates:
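class BounceBackSNAT {
    "x.x.x.a"
    "z.z.x.0 netmask 255.255.255.0"
}
when CLIENT_ACCEPTED {
    # matchclass tests the address against every entry in the class;
    # IP::addr only compares against a single address or network
    if { [matchclass [IP::local_addr] equals $::BounceBackSNAT] } {
        snatpool mySNATpool
    }
}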
Does that sound more like what you were going for?
/deb