qqdixf5_74186
Nimbostratus
NimbostratusiRule testing
I am fairly new to the BigIP and iRule. I just wonder how everybody tests iRule. Is there something like a BigIP emulator so we can fully test an iRule before it is loaded to the LTM?
Thank you!
Forum Discussion
9 Replies
hooleylistCirrostratus
Unfortunately not. I think F5 has considered it, and could run the software in vmware, but hasn't released anything. You could open a support case and add your name to the list of people that would like the ability to test without having a full BIG-IP unit.
Check this post for some suggestions on testing: (Click here).
Aaron- JRahm
Admin
If you don't have the luxury of lab units, you can add dummy virtuals to apply your test iRules against and test (somewhat) offline from what the real users will experience. - hooleylistF5 has a CR noting the request to be able to run BIG-IP software in a vmware-like instance. I think something like this would allow users to test iRules without having to use production BIG-IP hardware. It should also allow you to test ASM security policies and other L7 configurations.
The CR is CR81856. It doesn't sound like it's likely to be released to the public, but we can at least let F5 know it would be a valuable feature. If you think this would help you, open a case via https://websupport.f5.com and ask to have your case attached to CR81856.
Thanks,
Aaron 
Jon_Strabala_46The lack of an emulator is unbeleivable after all iRULEs are TCL even if it was only a partial emulator how hard can this be- hooleylistYou can use tclsh.exe on Windows to test standard TCL commands. And very shortly (this month?), I've heard F5 will be releasing a version of LTM which can be run in VMware.
Aaron - Stefan_Magnus_LI just created a tcl library called testcl that can be used for unit testing irules. Check it out and let me know if you like it.
- Jesse_Mauntel_4
Not sure if it's what you are looking for, but I wrote an iRule testing framework that supports TDD. Check it out and let me know what you think.
https://devcentral.f5.com/questions/built-an-f5-ltm-irule-testing-framework
- Stefan_Magnus_LI actually thought about implementing a framework similar to yours before wtiting TesTcl. It's an interesting approach, but as long as there are side effects that can not be extracted from the response (lets say cache::enable, or simulating that pool members are down), one cannot assert the correct stuff is happening. TesTcl lets you test pretty much anything - however, it doesn't do integration testing at all right now, just unit testing. It would be kinda cool to take TesTcl tests and convert them into HTTP-style requests with assertions (basically same approach as yours). One could use a switch of some kind in order to switch between modes. Have you looked at my project over at http://testcl.com ?
Deepak_Habbu_23https://devcentral.f5.com/s/articles/irules-101-09-debugging when RULE_INIT { set static::alternate_profile_for_non_sni "cbayleap.com_Wildcard_2016" } when CLIENT_ACCEPTED { if { [PROFILE::exists clientssl] } { set detect_non_sni 1 SSL::disable TCP::collect } else { log local0. "This iRule is applied to a VS that has no clientssl profile." set detect_non_sni 0 } } when CLIENT_DATA { if { [class match [IP::client_addr] equals cbayleap_IP] } { set detect_non_sni 0 set ssl_profile_enable "SSL::profile /Common/cbayleap.com-SHA2" catch { eval $ssl_profile_enable } SSL::enable TCP::release log local0. "[IP::client_addr] is matched and applying SHA2 cert" event disable all } if { ($detect_non_sni) } { binary scan [TCP::payload] cSS tls_xacttype tls_version tls_recordlen switch "$tls_version" { "769" - "770" - "771" { if { ($tls_xacttype == 22) } { binary scan [TCP::payload] @5c tls_action if { not (($tls_action == 1) && ([TCP::payload length] > $tls_recordlen)) } { set detect_non_sni 0 } } } default { set detect_non_sni 0 } } if { ($detect_non_sni) } { set record_offset 43 set tls_extenlen 0 binary scan [TCP::payload] @${record_offset}c tls_sessidlen set record_offset [expr {$record_offset + 1 + $tls_sessidlen}] binary scan [TCP::payload] @${record_offset}S tls_ciphlen set record_offset [expr {$record_offset + 2 + $tls_ciphlen}] binary scan [TCP::payload] @${record_offset}c tls_complen set record_offset [expr {$record_offset + 1 + $tls_complen}] if { ([TCP::payload length] >= $record_offset) } { binary scan [TCP::payload] @${record_offset}S tls_extenlen set record_offset [expr {$record_offset + 2}] binary scan [TCP::payload] @${record_offset}a* tls_extensions for { set x 0 } { $x < $tls_extenlen } { incr x 4 } { set start [expr {$x}] binary scan $tls_extensions @${start}SS etype elen if { ($etype == "00") } { set grabstart [expr {$start + 9}] set grabend [expr {$elen - 5}] binary scan $tls_extensions @${grabstart}A${grabend} tls_servername set start [expr {$start + $elen}] } else { set start [expr {$start + $elen}] } set x $start } if { ([info exists tls_servername] ) } { set ssl_profile_enable "SSL::profile /Common/cbayleap.com-SHA2" catch { eval $ssl_profile_enable } SSL::enable } else { set ssl_profile_enable "SSL::profile /Common/cbayleap.com_Wildcard_2016" catch { eval $ssl_profile_enable } SSL::enable } } else { set ssl_profile_enable "SSL::profile /Common/cbayleap.com-SHA2" catch { eval $ssl_profile_enable } SSL::enable } set detect_non_sni 0 TCP::release } else { set detect_non_sni 0 set ssl_profile_enable "SSL::profile /Common/cbayleap.com-SHA2" catch { eval $ssl_profile_enable } SSL::enable TCP::release } } }
