The CLIENT_ACCEPTED event is triggered every time a client makes a TCP connection. The SNAT would be performed throughout the life of the connection.
Also, if you want to apply the SNAT based on what the client IP address is, you would need to use IP::client_addr instead of LB::server. LB::server will return the node IP address in the pool.
Regardless of whether the rule applies the SNAT correctly, you shouldn't be seeing a TCL error using the class and rule you just listed.
Can you retry with the following rule to see if it a) works without an error and b) actually SNATs the traffic as you want?
when CLIENT_ACCEPTED {
    # Log the client IP address for every new TCP connection
    log local0. "\[IP::client_addr\]: [IP::client_addr]"
    # SNAT requests if client_addr is defined in the class
    if { [matchclass [IP::client_addr] equals $::Hosts] } {
        log local0. "matched for [IP::client_addr]"
        snat automap
    }
}
If that doesn't work for some reason, can you try this rule without the class as a test:
when CLIENT_ACCEPTED {
    # Log the client IP address for every new TCP connection
    log local0. "\[IP::client_addr\]: [IP::client_addr]"
    # SNAT requests if client_addr matches this IP
    if { [IP::addr [IP::client_addr]/24 equals 1.2.3.4] } {
        log local0. "matched for [IP::client_addr]"
        snat automap
    }
}
Aaron