Forum Discussion

Laudec_55181
Nov 20, 2012

SRC and DST Match Irule for NATting

I have the following iRule, using two data groups. The DG_DEST data group has a value that is a snatpool name. I need to set the snatpoolname variable to this value. What is the best way to do that in the iRule:

    when CLIENT_ACCEPTED {
      # This iRule would NAT the source IP in the DG_SRC and match it to a destination in DG_DEST
      # and then snat to the snatpool defined in DG_DEST as the value corresponding to the name.
      if { [class match [IP::client_addr] equals "DG_SRC" ] } {
        if { [set snatpoolname [class match [IP::client_addr] equals "DG_DEST" ]] } {
          log local0. "Got Natted to $snatpoolname"
          snatpool $snatpoolname
        }
      } else {
        forward
        log local0. "NOT GETTING NATTED !!!"
      }
    }

 

9 Replies

  • Sorry but I'm rather confused by what is in the DG_DEST Data Group and your logic here. So, if our client source IP matches DG_SRC we move on to checking for what against DG_DEST? The destination IP? If so, then you are still using the client source IP address for your check and it will always fail the check.
  • You are right, I have made the change by using IP::local_addr as the destination IP. I am still unsure how to set the snatpoolname to the value in DG_DEST though.

    when CLIENT_ACCEPTED {
      # This iRule would NAT the source IP in the DG_SRC and match it to a destination in DG_DEST
      # and then snat to the snatpool defined in DG_DEST as the value corresponding to the name.
      if { [class match [IP::client_addr] equals "DG_SRC" ] } {
        if { [set snatpoolname [class match [IP::local_addr] equals "DG_DEST" ]] } {
          log local0. "Got Natted to $snatpoolname"
          snatpool $snatpoolname
        }
      } else {
        forward
        log local0. "NOT GETTING NATTED !!!"
      }
    }
  • Try this:

    when CLIENT_ACCEPTED {
      # This iRule would NAT the source IP in the DG_SRC and match it to a destination in DG_DEST
      # and then snat to the snatpool defined in DG_DEST as the value corresponding to the name.
      if { [class match [IP::client_addr] equals "DG_SRC" ] } {
        set snatpoolname [class match -value [IP::local_addr] equals "DG_DEST" ]]
        if { not ($snatpoolname equals "") } {
          log local0. "Got Natted to $snatpoolname"
          snatpool $snatpoolname
          return
        }
      } else {
        forward
        log local0. "NOT GETTING NATTED !!!"
      }
    }

  • With a bit of modification to the iRule to get it working properly, the matching part between the two DGs is working perfectly. However, if a SRC IP initiates that is not in the DG_SRC, it does not go to the else statement.

    when CLIENT_ACCEPTED {
      # This iRule would NAT the source IP in the DG_SRC and match it to a destination in DG_DEST
      # and then snat to the snatpool defined in DG_DST as the value corresponding to the name.
      if { [class match [IP::client_addr] equals "DG_SRC" ] } {
        set snatip [class match -value [IP::local_addr] equals "DG_DST" ]]
        if { not ($snatip equals "") } {
          log local0. "[IP::client_addr] going to [IP::local_addr] got Natted to $snatip"
          snat $snatip
        }
      } else {
        forward
        log local0. "[IP::client_addr] going to [IP::local_addr] did NOT get Natted!!!"
      }
    }

  • Can you remove the 'forward' command? If that doesn't work, add a bit more logging and another 'else' statement like so:

    when CLIENT_ACCEPTED {
      # This iRule would NAT the source IP in the DG_SRC and match it to a destination in DG_DEST
      # and then snat to the snatpool defined in DG_DST as the value corresponding to the name.
      if { [class match [IP::client_addr] equals "DG_SRC" ] } {
        set snatip [class match -value [IP::local_addr] equals "DG_DST" ]]
        if { not ($snatip equals "") } {
          log local0. "[IP::client_addr] going to [IP::local_addr] got Natted to $snatip"
          snat $snatip
          return
        } else {
          log local0. "SNAT IP was empty"
        }
      } else {
        log local0. "[IP::client_addr] going to [IP::local_addr] did NOT get Natted!!!"
      }
    }

  • Here is what I get from the log file, after I made the changes you suggested.

    Rule iRule_nat_src_dst : 10.250.x.x going to 10.10.xx.xxx got Natted to ]
    Rule iRule_nat_src_dst : 10.250.x.x going to 173.xxx.x.xx got Natted to 212.xxx.xxx.xxx]
    Rule iRule_nat_src_dst : 10.250.x.x going to 173.xxx.x.xx got Natted to 212.xxx.xxx.xxx]

    The first line is an IP that will not be in the destination DG, yet, instead of not NATting it, it does.
  • Ah, remove one of the ']'s on this line: set snatip [class match -value [IP::local_addr] equals "DG_DST" ]] <<<<
  • lol .. funny how something that obvious can be so easily missed. Working like a charm now! Many thanks
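Added example, not code posted by anyone in this thread: the iRule the discussion converges on, with the stray closing bracket removed and the comment lines prefixed with a hash so the rule saves. The log lines above show why the bracket mattered: in Tcl the extra "]" sits outside the command substitution and is appended to the value as literal text, so an unmatched destination yields "]" rather than the empty string, the empty check can never fire, and every client in DG_SRC is SNATed to a malformed address. Assumed here: DG_SRC is an address data group listing the client networks to translate, and DG_DST is an address data group whose value for each destination is the SNAT address to use (the thread names both but does not show their contents); the "ne" operator is standard Tcl.

```tcl
# Added example: corrected version of the thread's final iRule.
# Assumptions (not shown in the thread):
#   DG_SRC - address data group of client networks that should be translated
#   DG_DST - address data group keyed by destination; value = SNAT address
when CLIENT_ACCEPTED {
    # Only clients listed in DG_SRC are candidates for translation.
    if { [class match [IP::client_addr] equals DG_SRC] } {
        # -value returns the data-group value for the matched destination,
        # or the empty string when the destination is not in DG_DST.
        # Exactly one closing bracket: a stray "]" becomes part of the
        # string, so the empty check below would never be true.
        set snatip [class match -value [IP::local_addr] equals DG_DST]
        if { $snatip ne "" } {
            log local0. "[IP::client_addr] going to [IP::local_addr] got Natted to $snatip"
            snat $snatip
        } else {
            # Destination not in DG_DST: log it and leave the source untranslated.
            log local0. "[IP::client_addr] going to [IP::local_addr]: no DG_DST entry, no SNAT"
        }
    } else {
        log local0. "[IP::client_addr] going to [IP::local_addr] did NOT get Natted!!!"
    }
}
```

The two log branches are kept deliberately: a connection that should have been translated but was not shows up as either "no DG_DST entry" or "did NOT get Natted", which tells you which data group is missing the entry without reading the rule.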