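when CLIENT_ACCEPTED {
    # Read TCP option 28 from the client side; this reader expects
    # one leading version byte followed by the 4 address bytes
    set INPUT_OPTION [TCP::option get 28]
    # binary scan returns 0 when the option is absent, leaving ver unset
    if { [binary scan $INPUT_OPTION c ver] == 1 } {
        set ver [expr { $ver & 0xff }]
        # Parse the address starting at offset 1 (after the version byte)
        set forwarded_ip [IP::addr parse $INPUT_OPTION 1]
        log local0. "The IP address was $forwarded_ip for version $ver"
    }
}

when SERVER_CONNECTED {
    # Split the client address into octets and write them as 4 raw bytes
    # into TCP option 28 on the server side
    scan [IP::client_addr] {%d.%d.%d.%d} a b c d
    TCP::option set 28 [binary format cccc $a $b $c $d] all
}
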
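Two-tier F5 topology: the first tier inserts the client address into a TCP option, and the second tier extracts the real client address and uses it as the SNAT address.

The TCP profile must have the tcp-options feature enabled, as follows:

create ltm profile tcp tcp_1 tcp-options "{28 first}"

Note: this setting defines which position of the TCP option the subsequent operations act on.

First-tier iRule, which inserts the option on every request:

when SERVER_CONNECTED {
    scan [IP::client_addr] {%d.%d.%d.%d} e b c d
    TCP::option set 28 [binary format cccc $e $b $c $d] all
    # Log the inserted bytes as hex for troubleshooting
    set tcp_option_content [binary format cccc $e $b $c $d]
    binary scan $tcp_option_content H* cli_addr_H
    log local0. "2222222222222@@@@@$cli_addr_H"
}

Second-tier F5 iRule configuration: extract the client address and configure it as the SNAT address.

when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    set opt28 [TCP::option get 28]
    if { $opt28 ne "" } {
        log local0. "!!!!!!!!!!!!!!!!!!@@@@@@@@@@@$opt28 "
        # [IP::addr parse] converts the raw bytes in $opt28 to a dotted-quad address
        set optaddr [IP::addr parse $opt28]
        log local0. "@@@@@@@@@@@$optaddr"
        snat $optaddr
    }
    # Release the collected data even when option 28 is absent,
    # otherwise the connection stalls after TCP::collect
    TCP::release
}
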
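The second tier SNATs on whatever option 28 carries, so it should act on it only when the connection comes from the first tier and the payload has the expected length. The following Python model of the option bytes and of that fail-closed read is an added example, not code from the original page or from F5; the trusted range 10.0.0.0/24, the function names and the sample options block are assumptions for illustration.

```python
import ipaddress
import struct

OPT_KIND = 28  # option number used by the iRules on this page

def encode_opt28(client_ip, version=None):
    """Build the kind/length/value bytes the first tier adds to the TCP header."""
    payload = ipaddress.IPv4Address(client_ip).packed    # binary format cccc
    if version is not None:          # layout read with [IP::addr parse $opt 1]
        payload = bytes([version & 0xFF]) + payload
    return struct.pack("!BB", OPT_KIND, 2 + len(payload)) + payload

def find_option(options, kind):
    """Walk a TCP options block; return the first payload for kind, or None."""
    i = 0
    while i < len(options):
        k = options[i]
        if k == 0:                   # End of Option List
            return None
        if k == 1:                   # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if k == kind:
            return options[i + 2:i + length]
        i += length
    return None

def snat_source(options, peer_ip, trusted_peers, has_version=False):
    """Return the forwarded client IP, or None when the option must be ignored."""
    # trusted_peers is an assumed CIDR for the first-tier self IPs
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(trusted_peers):
        return None                  # option did not come from the first tier
    payload = find_option(options, OPT_KIND)
    want = 5 if has_version else 4
    if payload is None or len(payload) != want:
        return None                  # absent or wrong layout: do not SNAT on it
    return str(ipaddress.IPv4Address(payload[-4:]))

# Constructed SYN options: MSS 1460, NOP, NOP, then option 28 for 203.0.113.7
SAMPLE = bytes([2, 4, 0x05, 0xB4, 1, 1]) + encode_opt28("203.0.113.7")
```

A payload written by the 4-byte rule and read with the version-byte layout (or the reverse) is rejected here rather than parsed at the wrong offset.
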
https://devcentral.f5.com/s/articles/accessing-tcp-options-from-irules