
Add irule via tmsh without deleting existing irules, and how to re-order

In v11.5 - need assistance in adding irules via tmsh, without deleting existing irules.

tmsh modify /ltm virtual rules { irulename } #this removes all the applied irules and only adds the new irule inside the curly braces.

I also would like to re-order rules via tmsh, once the irules are applied.

Regards,

0
Comments on this Question
Comment made 11-May-2018 by Jeff Allen 250

This is an old topic, but still relevant. I have a need to remove a specific iRule from a specific set of VIPs. @Thomas Brown's script works for adding; however, the delete version is simply echoing back the command it should run to delete. As you can see from the output, it never actually ran. Now I can take the output and manually run it, but that is not ideal for a whole list.

[root@lab-lb1]#./f5-irule-delete /P1/VIP1-CA_DR-XNET-443 Disable-SSL-Renegotiation
echo tmsh modify ltm virtual /P1/VIP1-CA_DR-XNET-443 rules { }
tmsh modify ltm virtual /P1/VIP1-CA_DR-XNET-443 rules { }

[root@lab-lb1]# tmsh list ltm virtual /P1/VIP1-CA_DR-XNET-443 | egrep 'ltm|Dis'
ltm virtual /P1/VIP1-CA_DR-XNET-443 {
Disable-SSL-Renegotiation

/jeff 12.1.2 HF1

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Okay, this is wildly simplistic, but take a look:

#!/bin/bash

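# Extract the iRules currently attached to the virtual server ($1)
current_rules=$(tmsh list ltm virtual "$1" one-line all-properties | perl -ne 'print "$1" if /rules \{(.*?)\}/')

# Re-apply the existing iRules with the new iRule ($2) appended
tmsh modify ltm virtual "$1" rules { $current_rules "$2" }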

There's no error checking here, so you'd need to add it. The above takes the VIP name as the first param ($1) and the new iRule as the second ($2). The first line extracts the current iRules from the given VIP into a variable, and then adds them back in with the second line.

1
Comments on this Answer
Comment made 04-May-2014 by uni 1155
I like it Kevin - a perl hacker after my own heart. It is fortunate that the "rules" entry does not take parameters with curly brackets. To continue my rant from above, I don't understand why the syntax for the "ltm virtual rules" is not similar to, say, "gtm pool members", where you can add, modify and delete members of the collection individually, and each entry has an "order" field.
1
Comment made 06-Jan-2016 by TJ Vreugdenhil 494
I totally agree uni! That would be nice! Could I kindly get an example of just how to use this? Do I have to create a file with this content, then just use ./rule_add ? And how is the $2 variable calculated? Wouldn't it just be the name of your new iRule instead of a variable? I just need to use this for 3-4 VIPs, not all the VIPs. If that's the case, the F5 iRule Editor has that ability. Thanks!
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Until F5 incorporates this feature request into the product, I wrote two scripts to allow appending an iRule to, as well as deleting an iRule from, an existing virtual:


#!/bin/sh
#
# f5-irule-add - add iRule to virtual server, preserving existing iRule configuration
#
# Thomas Brown, CA Technologies - Mon Aug  1 15:21:29 GMT 2016 - initial version
#

# Parse command line arguments
if [ $# -ne 2 ]; then
   echo "Usage: $0 virtual irule" >&2
   exit 1
fi
virtual=$1
irule_add=$2

# Capture existing iRule configuration
tmsh list ltm virtual ${virtual} one-line | grep -q " rules { "
if [ $? -eq 1 ]; then
   echo "$0: ${virtual} currently contains no rules; adding new rule"
   irule_current=""
else
   irule_current=`tmsh list ltm virtual ${virtual} one-line | sed -e 's/.* rules { //' -e 's/ }.*//'`

   # Check if rule already exists
   exists=0
   for rule in ${irule_current}
   do
      if [ "${rule}" = "${irule_add}" ]; then
         exists=1
      fi
   done
   if [ ${exists} -eq 1 ]; then
      echo "$0: ${irule_add} already exists in virtual ${virtual}" >&2
      exit 2
   fi
fi

# Modify iRule list
command="tmsh modify ltm virtual ${virtual} rules { ${irule_current} ${irule_add} }"
echo ${command}
# Run without exec: exec would replace this shell, so the status check below would never run
${command}
status=$?
if [ ${status} -ne 0 ]; then
   echo "tmsh returned error status ${status}" >&2
   exit ${status}
fi

#!/bin/sh
#
# f5-irule-delete - delete iRule from virtual server, preserving existing iRule configuration
#
# Thomas Brown, CA Technologies - Mon Aug  1 15:52:03 GMT 2016 - initial version
#

# Parse command line arguments
if [ $# -ne 2 ]; then
   echo "Usage: $0 virtual irule" >&2
   exit 1
fi
virtual=$1
irule_del=$2

# Capture existing iRule configuration
tmsh list ltm virtual $virtual one-line | grep -q " rules { "
if [ $? -eq 1 ]; then
   echo "$0: ${virtual} currently contains no rules; exiting"
   exit 2
else
   irule_current=`tmsh list ltm virtual ${virtual} one-line | sed -e 's/.* rules { //' -e 's/ }.*//'`

   # Check if rule already exists
   exists=0
   for rule in ${irule_current}
   do
      if [ "${rule}" = "${irule_del}" ]; then
         exists=1
      fi
   done
   if [ ${exists} -eq 0 ]; then
      echo "$0: ${irule_del} does not exist in virtual ${virtual}" >&2
      exit 2
   else
      # Use | as the sed delimiter so partition-qualified rule names containing / work
      irule_current=`echo " ${irule_current} " | sed -e "s| ${irule_del} | |"`
   fi
fi

# Modify iRule list
command="tmsh modify ltm virtual ${virtual} rules { ${irule_current} }"
echo ${command}
# Run without exec so the exit status check below is reached
${command}
status=$?
if [ ${status} -ne 0 ]; then
   echo "tmsh returned error status ${status}" >&2
   exit ${status}
fi
1
Comments on this Answer
Comment made 11-Nov-2016 by daniel 51

Thanks Thomas for sharing.

0
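As an added example (not part of Thomas Brown's scripts or any F5 tooling): the same read-modify-write approach as text-only helpers, extended to re-ordering, which the question also asks about. The function names and the sample `one-line` text are constructed for illustration; it rejects rule names containing braces or spaces and emits `none` for an empty list, the value the `rules ?` help on this page offers for removing all items.

```bash
#!/bin/bash
# Added example: build the replacement iRule list as text; nothing here runs tmsh.
# All function names are hypothetical helpers, not F5 commands.

# Read `tmsh list ltm virtual <vs> one-line` text on stdin, print the rule names.
current_rules() {
    sed -n 's/.* rules { \([^}]*\) }.*/\1/p'
}

# rules_del "LIST" RULE -> LIST without RULE (exact match, safe for /partition/names)
rules_del() {
    local in out=() r
    read -ra in <<< "$1"
    for r in "${in[@]}"; do [ "$r" = "$2" ] || out+=("$r"); done
    echo "${out[*]}"
}

# rules_add "LIST" RULE [POS] -> RULE placed at 1-based POS (default: end).
# Removes RULE first, so it also re-orders a rule that is already attached.
rules_add() {
    local list pos
    [[ $2 =~ ^[A-Za-z0-9_./-]+$ ]] || return 1   # refuse braces, spaces, etc.
    read -ra list <<< "$(rules_del "$1" "$2")"
    pos=${3:-$(( ${#list[@]} + 1 ))}
    [[ $pos =~ ^[1-9][0-9]*$ ]] || return 1
    (( pos > ${#list[@]} + 1 )) && pos=$(( ${#list[@]} + 1 ))
    list=("${list[@]:0:pos-1}" "$2" "${list[@]:pos-1}")
    echo "${list[*]}"
}

# modify_cmd VS "LIST" -> the tmsh command to review or run; empty list becomes "none"
modify_cmd() {
    if [ -z "${2// /}" ]; then
        echo "tmsh modify ltm virtual $1 rules none"
    else
        echo "tmsh modify ltm virtual $1 rules { $2 }"
    fi
}

# Constructed sample of one-line output (not captured from a real device)
sample='ltm virtual /P1/vs_example { destination 10.0.0.1:443 profiles { tcp { } } rules { /P1/rule_a rule_b } }'
rules=$(printf '%s\n' "$sample" | current_rules)
modify_cmd /P1/vs_example "$(rules_add "$rules" rule_c 1)"   # rule_c placed first in the list
```

Because `modify_cmd` only prints the command, the result can be reviewed across a whole list of VIPs before anything is applied.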
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

There was a similar question a couple of weeks ago, asking about adding and deleting individual profiles. I am using 11.4.1, and found that the equivalent syntax for the rules collection within a virtual does not work. I think you are stuck with rewriting the entire rules list.

This may not apply to other versions. I know through various versions little things like this are broken and fixed in tmsh. Things like being able to use wildcards for some objects and not others. The code behind tmsh must be dreadful.

0
Comments on this Answer
Comment made 02-May-2014 by danra 188
Thanks. I requested an enhancement request, which might be a while to get implemented.
0
Comment made 06-Jan-2016 by TJ Vreugdenhil 494
I can confirm your RFE did not make it in v12: :(

tj@(F5_v12)(cfg-sync Standalone)(Active)(/Common)(tmos)# show /sys version

Sys::Version
Main Package
  Product  BIG-IP
  Version  12.0.0
  Build    0.0.606
  Edition  Final
  Date     Fri Aug 21 13:29:22 PDT 2015

tj@(F5_v12)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify /ltm virtual test rules ?
Values:
  "{"   Replace the set with a new set
  none  Remove all items from the set
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

In v11.5 - need assistance in adding irules via tmsh, without deleting existing irules.

Is "tmsh load sys config from-terminal merge" useful?

I also would like to re-order rules via tmsh, once the irules are applied.

I prefer using event priority.

priority
https://devcentral.f5.com/wiki/iRules.priority.ashx

0
Comments on this Answer
Comment made 02-May-2014 by danra 188
Thanks! I will read the link above.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

We got the same issue here: we are in the middle of upgrading all our F5s from v10 to v11.4.1 and are running into issues with our scripting. We are using EM to bring down our sites by adding a maintenance or sorry iRule on the virtuals. But the EM staged changesets are based on bigpipe commands, and I have not found any information on how to get tmsh-based changesets working on EM.

In the meantime I tried the script described in: link text

In the hope it can be modified to also add iRules, but it gives errors on this line: if { [tmsh::get_field_value $vip "rules" rules] == 0 } {

Does anyone have an idea what could be causing this?

Still don't understand why something as basic as adding irules is not possible in tmsh while it was in bigpipe.

0