Forum Discussion
hooleylist
Oct 25, 2010 | Cirrostratus
You can also set a local variable in one rule and check for it in subsequent rules. This avoids the need to disable events for the duration of the TCP connection. That approach can be problematic for handling subsequent HTTP requests on the same TCP connection.
Here's an example using the variable $snatted to determine whether an initial rule has enabled SNAT and, if so, to skip any subsequent action.
Aaron
rule 1
when CLIENT_ACCEPTED {
    # Apply a SNAT based on some connection criteria
    # Check if the client IP is in the 10.0.0.0/8 subnet
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        # Apply SNAT automap for this connection
        snat automap
        # Set a variable that tracks we've applied SNAT
        set snatted 1
    }
}
--------------------------------------------------------------------------
rule 2
when CLIENT_ACCEPTED {
    # Check if $snatted exists and is set to 1
    if { [info exists snatted] && $snatted == 1 } {
        # We've already SNAT'd this connection so don't select a new pool
    } else {
        # We haven't SNAT'd this connection, so select a pool
        # based on the client's destination port
        switch [TCP::local_port] {
            "80" {
                # Select the corresponding pool for port 80
                pool port_80_pool
            }
            "443" {
                # Select the corresponding pool for port 443
                pool port_443_pool
            }
            default {
                # No match for the destination port, so take some default action
                pool default_pool
            }
        }
    }
}
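An added example, not part of the original post, showing the point made about HTTP: because the variable set in CLIENT_ACCEPTED is scoped to the TCP connection, a second iRule can check it in HTTP_REQUEST and the check holds for every request on a keep-alive connection, with no event disabled. The pool names, host name and log facility are assumptions for illustration.

```tcl
# Added example (not the poster's code): the $snatted flag checked per HTTP request.
# Pool names, the host name and the log facility are assumed for illustration.

# rule 1: decide once, when the TCP connection is accepted
when CLIENT_ACCEPTED {
    # Initialise the flag so later rules can rely on it existing
    set snatted 0
    # Same connection criterion as the post: clients in 10.0.0.0/8 get SNAT
    if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        snat automap
        set snatted 1
    }
}

# rule 2: runs for every HTTP request on the connection, including the
# second and later requests on a keep-alive connection
when HTTP_REQUEST {
    if { [info exists snatted] && $snatted == 1 } {
        # SNAT already applied for this connection; leave the pool alone.
        # The log line gives operators visibility into which path was taken.
        log local0. "SNAT already applied for [IP::client_addr]; keeping pool"
        return
    }
    # Not SNAT'd: choose a pool per request, here by Host header
    switch [string tolower [HTTP::host]] {
        "www.example.com" {
            pool www_pool
        }
        default {
            pool default_pool
        }
    }
}
```

The `return` ends only the current event handler in this iRule; other iRules attached to the same virtual server still run for the same HTTP_REQUEST event, which is what makes the variable approach preferable to disabling the event for the rest of the connection.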