For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Richard__Harlan's avatar
Richard__Harlan
Historic F5 Account
Dec 01, 2011

Createing and modify data group

Running into something weird. In my iApp I am creating an empty data group then in a foreach loop I am modify the same group to add records to the list. What happens if the script tries to do the modify on the when I create the Application service I get the following error

 

 

script did not successfully complete: ( Command failed: tmsh::modify / ltm data-group internal firewall_rules records add { 10.10.10.200 { data 10.10.11.201:80}}

 

internal"/Common/d.app/firewall_rules"" not found

 

 

Now if I leave the field blank that add records to the data group it will work and when I go back into the Application service and reconfigure and add records it works just fine. When running the command through tmsh it seem to work just fine. Below is the code I am using to. You can see the create if happening first then the modify but when the modify runs it can not find the data group.

 

 

Check to see if Firewall iRule enabled

 

set irule_firewall $::basic__irule_firewall

 

if { $irule_firewall == $YES_ANSWER } {

 

set irule_firewall_rule $::basic__irule_firewall_rule

 

set rule [ split $irule_firewall_rule ; ]

 

tmsh_create "/ ltm data-group" "internal firewall_rules type string "

 

 

foreach rule_rec $rule {

 

set ip_port [ split $rule_rec | ]

 

set source [lindex $ip_port 0]

 

set dest [lindex $ip_port 1]

 

set port [lindex $ip_port 2]

 

set dest_port "$dest:$port"

 

tmsh_modify "/ ltm data-group" "internal firewall_rules records add { $source { data $dest:$port}}"

 

}

 

 

Any ideas? Thanks

 

 

Richard

 

automation
devops
iApps
management
TMSH

2 Replies

  • Brent_Blood_768's avatar
    Brent_Blood_768
    Historic F5 Account
    Dec 01, 2011
    Hi Richard,

     

     

    I don't see anything wrong with your approach in that you should be able to create a data group and subsequently modify it later in the same invocation of the script. I haven't tried to do what you're doing before, but if I have time I'll try it out tomorrow. If we can't come up with a solution to the problem, you will want to open a support case to pursue a possible bug.

     

     

    However - the approach I'd rather see you take is to modify your script so that rather than creating the data group and then adding records to it one at a time, build up a list of records to add and build a big command to combine with the create call so that you do it all in one shot. This will be more efficient due to making one change rather than many small ones - and it'll avoid the situation since you won't be making calls to modify the data group that you just created.

     

     

    Cheers,

     

    -Brent
  • Brent_Blood_768's avatar
    Brent_Blood_768
    Historic F5 Account
    Dec 02, 2011
    Hey Richard,

     

     

    I reproduced your issue and talked with another engineer about it - what you are trying to do should work and so I filed a bug for it: ID 373568. I also tested out the workaround I suggested where I built up a string consisting of the records that I wanted to add and supplied them as part of the "create" command and it succeeded. For now, I suggest you go that route.

     

     

    Cheers,

     

    -Brent