danra_139044
Apr 30, 2014

Add irule via tmsh without deleting existing irules, and how to re-order

In v11.5 - need assistance in adding irules via tmsh, without deleting existing irules.

 

    tmsh modify /ltm virtual rules { irulename }

This removes all the applied irules and only adds the new irule inside the curly braces.

 

I also would like to re-order rules via tmsh, once the irules are applied.

 

Regards,

 

15 Replies

  • uni

    There was a similar question a couple of weeks ago, asking about adding and deleting individual profiles. I am using 11.4.1, and found that the equivalent syntax for the rules collection within a virtual does not work. I think you are stuck with rewriting the entire rules list.

    This may not apply to other versions. I know through various versions little things like this are broken and fixed in tmsh. Things like being able to use wildcards for some objects and not others. The code behind tmsh must be dreadful.

    • danra_139044
      Thanks. I requested an enhancement request, which might be a while to get implemented.
    • TJ_Vreugdenhil
      I can confirm your RFE did not make it in v12: :(

          tj@(F5_v12)(cfg-sync Standalone)(Active)(/Common)(tmos) show /sys version
          Sys::Version
          Main Package
            Product  BIG-IP
            Version  12.0.0
            Build    0.0.606
            Edition  Final
            Date     Fri Aug 21 13:29:22 PDT 2015

          tj@(F5_v12)(cfg-sync Standalone)(Active)(/Common)(tmos) modify /ltm virtual test rules ?
          Values:
            "{"   Replace the set with a new set
            none  Remove all items from the set
  • "In v11.5 - need assistance in adding irules via tmsh, without deleting existing irules."

    Is "tmsh load sys config from-terminal merge" useful?

    "I also would like to re-order rules via tmsh, once the irules are applied."

    I prefer using event priority.

    priority: https://devcentral.f5.com/wiki/iRules.priority.ashx

  • Okay, this is wildly simplistic, but take a look:

    #!/bin/bash
    # $1 = virtual server name, $2 = iRule to append

    # Extract the current rules list from the one-line listing
    current_rules=`tmsh list ltm virtual "$1" one-line all-properties | perl -ne 'print "$1" if /rules \{(.*?)\}/'`

    # Rewrite the whole list with the new iRule appended
    tmsh modify ltm virtual "$1" rules { $current_rules $2 }

    There's no error checking here, so you'd need to add it. The above takes the VIP name as the first param ($1) and the new iRule as the second ($2). The first line extracts the current iRules from the given VIP into a variable, and then adds them back in with the second line.

  • Remco

    We got the same issue here: we are in the middle of upgrading all our F5s from v10 to v11.4.1 and are running into issues with our scripting. We are using EM to bring down our sites by adding a maintenance or sorry irule on the virtuals. But the EM staged changesets are based on bigpipe commands, and I have not found any information on how to get tmsh-based changesets working on EM.

    In the meantime I've tried the script described in: link text

    In the hope it can be modified to also add irules, but it gives errors on this line:

        if { [tmsh::get_field_value $vip "rules" rules] == 0 } {

    Does anyone have an idea what could be causing this?

    Still don't understand why something as basic as adding irules is not possible in tmsh while it was in bigpipe.

  • Until F5 incorporates this feature request into the product I wrote two scripts to allow appending an iRule to as well as deleting an iRule from an existing virtual:

    #!/bin/sh
    #
    # f5-irule-add - add iRule to virtual server, preserving existing iRule configuration
    #
    # Thomas Brown, CA Technologies - Mon Aug  1 15:21:29 GMT 2016 - initial version
    #

    # Parse command line arguments
    if [ $# -ne 2 ]; then
       echo "Usage: $0 virtual irule" >&2
       exit 1
    fi
    virtual=$1
    irule_add=$2

    # Capture existing iRule configuration
    tmsh list ltm virtual ${virtual} one-line | grep -q " rules { "
    if [ $? -eq 1 ]; then
       echo "$0: ${virtual} currently contains no rules; adding new rule"
       irule_current=""
    else
       irule_current=`tmsh list ltm virtual ${virtual} one-line | sed -e 's/.* rules { //' -e 's/ }.*//'`

       # Check if rule already exists
       exists=0
       for rule in ${irule_current}
       do
          if [ "${rule}" = "${irule_add}" ]; then
             exists=1
          fi
       done
       if [ ${exists} -eq 1 ]; then
          echo "$0: ${irule_add} already exists in virtual ${virtual}" >&2
          exit 2
       fi
    fi

    # Modify iRule list (run without exec so the status check below is reached)
    command="tmsh modify ltm virtual ${virtual} rules { ${irule_current} ${irule_add} }"
    echo ${command}
    ${command}
    status=$?
    if [ ${status} -ne 0 ]; then
       echo "tmsh returned error status ${status}" >&2
       exit ${status}
    fi
    
    #!/bin/sh
    #
    # f5-irule-delete - delete iRule from virtual server, preserving existing iRule configuration
    #
    # Thomas Brown, CA Technologies - Mon Aug  1 15:52:03 GMT 2016 - initial version
    #

    # Parse command line arguments
    if [ $# -ne 2 ]; then
       echo "Usage: $0 virtual irule" >&2
       exit 1
    fi
    virtual=$1
    irule_del=$2

    # Capture existing iRule configuration
    tmsh list ltm virtual $virtual one-line | grep -q " rules { "
    if [ $? -eq 1 ]; then
       echo "$0: ${virtual} currently contains no rules; exiting"
       exit 2
    else
       irule_current=`tmsh list ltm virtual ${virtual} one-line | sed -e 's/.* rules { //' -e 's/ }.*//'`

       # Check if rule already exists
       exists=0
       for rule in ${irule_current}
       do
          if [ "${rule}" = "${irule_del}" ]; then
             exists=1
          fi
       done
       if [ ${exists} -eq 0 ]; then
          echo "$0: ${irule_del} does not exist in virtual ${virtual}" >&2
          exit 2
       else
          # Remove the rule from the space-separated list
          irule_current=`echo " ${irule_current} " | sed -e "s/ ${irule_del} / /"`
       fi
    fi

    # Modify iRule list
    # As posted, the string starts with "echo", so the tmsh command is printed, not executed
    command="echo tmsh modify ltm virtual ${virtual} rules { ${irule_current} }"
    echo ${command}
    ${command}
    status=$?
    if [ ${status} -ne 0 ]; then
       echo "tmsh returned error status ${status}" >&2
       exit ${status}
    fi
    
  • This is an old topic, but still relevant. I have a need to remove a specific iRule from a specific set of VIPs. @Thomas Brown's script works for adding; however, the delete version is simply echoing back the command it should run to delete. As you can see from the output, it never actually ran. Now I can take the output and manually run it, but that is not ideal for a whole list.

        [root@lab-lb1]./f5-irule-delete /P1/VIP1-CA_DR-XNET-443 Disable-SSL-Renegotiation
        echo tmsh modify ltm virtual /P1/VIP1-CA_DR-XNET-443 rules { }
        tmsh modify ltm virtual /P1/VIP1-CA_DR-XNET-443 rules { }

        [root@lab-lb1] tmsh list ltm virtual /P1/VIP1-CA_DR-XNET-443 | egrep 'ltm|Dis'
        ltm virtual /P1/VIP1-CA_DR-XNET-443 {
            Disable-SSL-Renegotiation

     

    /jeff 12.1.2 HF1
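
The list rewrite that the scripts in this thread perform, as an added example that is not code from any post above or from F5: it only prints the `tmsh modify` command for review, and goes a little beyond the posted scripts by rejecting names that contain spaces or braces, supporting a `first` operation for re-ordering, and writing an emptied list as `none` (the value shown in the v12 help output quoted earlier in the thread). The function names and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Reject names with characters outside an object path, e.g. spaces or braces.
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
}

# Print the iRules in one line of "tmsh list ltm virtual NAME one-line" output.
rules_from_oneline() {
    case "$1" in
        *" rules { "*) ;;
        *) return 0 ;;                      # no rules attached
    esac
    printf '%s\n' "$1" | sed -e 's/.* rules { //' -e 's/ }.*//'
}

# add: append if absent; first: move/insert at front; del: remove exact name.
rules_edit() {                              # rules_edit add|first|del RULE LINE
    valid_name "$2" || return 2
    all="" kept=""
    for r in $(rules_from_oneline "$3"); do
        all="$all $r"
        [ "$r" = "$2" ] || kept="$kept $r"
    done
    case "$1" in
        add)   if [ "$all" = "$kept" ]; then out="$kept $2"; else out=$all; fi ;;
        first) out="$2$kept" ;;
        del)   out=$kept ;;
        *)     return 2 ;;
    esac
    printf '%s\n' "${out# }"
}

# Print the tmsh command for review. An emptied list is written as "none".
plan() {                                    # plan VIRTUAL add|first|del RULE LINE
    valid_name "$1" || return 2
    new=$(rules_edit "$2" "$3" "$4") || return 2
    if [ -z "$new" ]; then
        printf 'tmsh modify ltm virtual %s rules none\n' "$1"
    else
        printf 'tmsh modify ltm virtual %s rules { %s }\n' "$1" "$new"
    fi
}

# Constructed sample line, not captured from a real device.
sample='ltm virtual vs_demo { pool p1 profiles { tcp { } } rules { rule_a rule_b } }'
plan vs_demo first rule_b "$sample"
```

Feed `plan` the output of `tmsh list ltm virtual NAME one-line` and compare the printed rule list with the current one before running it, so that no iRule is dropped by the rewrite.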