Hi,
I spent a bit of time thrashing about trying to apply this iRule to a forwarding virtual, so I thought it might be worth pointing out some subtle differences in events based on the type of virtual server. The LB_SELECTED event works fine if you need to test a node address before the connection to the node is established, as is the case with a standard virtual server or other types that actually load balance, such as Performance L4. However, this event DOES NOT FIRE on virtual servers of type Forwarding (IP).
Since with a forwarding virtual the destination address doesn't change, you can use the CLIENT_ACCEPTED event and [IP::local_addr]. For those used to v4.5.x and "forwarding pools", which allowed you to disable SNAT/NAT, the following iRule will help in the transition to v9.
Given a SNAT that translates everything internal-->external, but you want to disable SNAT to certain destination networks:
class NoNATNets {
   network 10.30.1.0 mask 255.255.255.0
   network 10.30.100.0 mask 255.255.255.0
}
pool gateway {
   member 10.30.1.254:any
   member 10.30.1.253:any
}
snat SNATInternal {
   automap
   origin 0.0.0.0 mask 0.0.0.0
   vlan internal enable
}
rule DisableSnatWithClass {
   # CLIENT_ACCEPTED fires for every virtual server type, including forwarding (IP).
   # On a forwarding virtual the destination is unchanged, so IP::local_addr is the
   # real destination of the client's packet.
   when CLIENT_ACCEPTED {
      if {[matchclass [IP::local_addr] eq $::NoNATNets]} {
         # Destination is in the no-NAT class: keep the client source address
         # and route the packet without load balancing.
         log "Matching NoNAT List, disabling SNAT: [IP::local_addr]"
         snat none
         forward
      } else {
         # Everything else goes through the gateway pool with SNAT automap applied.
         log "No Match in NoNAT List, allowing SNAT: [IP::local_addr]"
         pool gateway
      }
   }
}
virtual Outbound {
   destination any:any
   profile myfastl4
   pool gateway
   rule DisableSnatWithClass
   vlans internal enable
}
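To confirm which events actually fire for a given virtual server type before relying on them, the following diagnostic iRule is an added example (not part of the original post) that logs the address commands from both events; attach it temporarily to the virtual you are testing. It assumes the v9 `log` syntax with an explicit facility and that `LB::server addr` is available in LB_SELECTED as used in the post.

```tcl
# Diagnostic iRule (added example, not from the original post).
# Attach to a Forwarding (IP) virtual and only the CLIENT_ACCEPTED line appears;
# attach to a standard or Performance L4 virtual with a pool and LB_SELECTED
# appears as well, showing the selected node alongside the original destination.
when CLIENT_ACCEPTED {
   # Clientside context: remote is the client, local is the packet's destination.
   log local0. "CLIENT_ACCEPTED client=[IP::remote_addr] dest=[IP::local_addr]"
}
when LB_SELECTED {
   # Same address meanings as CLIENT_ACCEPTED, plus the node chosen from the pool.
   log local0. "LB_SELECTED client=[IP::remote_addr] dest=[IP::local_addr] node=[LB::server addr]:[LB::server port]"
}
```

Check /var/log/ltm after sending a test connection through the virtual; the absence of an LB_SELECTED line on a forwarding virtual is the behaviour described above, not a logging problem.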
It is also worth noting that if you DO use the LB_SELECTED event for load balancing "transparent devices" such as routers or firewalls, the address values are similar to CLIENT_ACCEPTED, with the addition of LB::selected. Here they are for review:
IP::remote == the client IP
IP::local == The destination IP of the packet (out in the cloud)
LB::server addr == The node selected (the router or firewall)
Hope this helps!