Forum Discussion
Bernhard_M
Nimbostratus
Jul 17, 2014
Create/Modify ACLs from within TMSH
Hi,
Is there a possibility to add acl-entries via tmsh to an existing acl?
Background is the task to migrate a Firepass to BigIP. I exported the config to xml.
Now I want to generate tmsh-c...
Kevin_Stewart
Employee
Jul 17, 2014
This, I believe, is one of those commands that doesn't allow additive editing. So because it looked like an interesting scripting challenge, here's a Bash script you can use to add acl entries to an existing acl:
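#!/bin/bash
# Usage: ./addacl.sh <acl name> "<acl entry>"
if [ "$1" == "" ] || [ "$2" == "" ]
then
    echo "Syntax error: <acl name> <acl entry>"
    exit 1
fi
# Read the named ACL on one line and keep the text between the outer entry braces
acllist=`tmsh list apm acl "$1" one-line | sed -n "s/.*{ { \([^']*\) } }.*/\1/p"`
# Split on "{" so that each array element holds one existing entry
IFS={ read -a array <<< "$acllist"
acl="{"
for i in "${array[@]}"
do
    # Drop the entry's closing brace, then wrap it in a fresh pair
    acltmp="{ `echo $i |sed "s/}//"` }"
    acl="$acl $acltmp"
done
# Append the new entry and close the list
acl="$acl { $2 } }"
# Write the complete list back; this replaces the ACL's existing entries
tmsh modify apm acl "$1" entries $acl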
This is what your command line would look like:
./addacl.sh test-acl "action reject dst-subnet 0.0.0.0/0 src-subnet 10.60.0.0/24"
The first param is the acl name, and the second is the acl entry string.
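Because the script rebuilds the whole list and the modify command replaces it, a failed or empty parse of the current ACL would leave only the new entry in place. The following is an added example, not part of the answer above or of F5's tooling, that parses by brace depth and refuses to build a list in that case; the function names, the SAMPLE line and the assumed one-line output shape (inferred from the sed pattern above) are illustrative assumptions.

```bash
#!/bin/bash
# Added example. Assumed shape: ... entries { { <entry> } { <entry> } } ...

# Print each existing entry on its own line by tracking brace depth.
# awk exit 1: no "entries {" block; exit 2: braces never balance.
extract_entries() {
    awk '{
        start = index($0, "entries {")
        if (!start) exit 1
        s = substr($0, start + 9); depth = 0; cur = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "{" && ++depth == 1) { cur = ""; continue }
            if (c == "}") {
                if (depth == 0) exit 0    # closing brace of the entries block
                if (--depth == 0) { gsub(/^ +| +$/, "", cur); print cur; continue }
            }
            if (depth >= 1) cur = cur c
        }
        exit 2
    }'
}

# Print the full replacement list (existing entries plus the new one).
# Returns 2 for a malformed entry, 3 when nothing could be parsed (so the
# caller never overwrites the ACL with a one-entry list), 4 for a duplicate.
build_entries() {
    line=$1; new=$2
    case $new in
        ''|*[{}]*) echo "entry is empty or contains braces" >&2; return 2 ;;
    esac
    old=$(printf '%s\n' "$line" | extract_entries) && [ -n "$old" ] || {
        echo "no existing entries parsed; refusing to overwrite" >&2; return 3; }
    out="{"
    while IFS= read -r e; do
        [ "$e" = "$new" ] && { echo "entry already present" >&2; return 4; }
        out="$out { $e }"
    done <<EOF
$old
EOF
    printf '%s\n' "$out { $new } }"
}

# Constructed sample of the assumed output, for offline testing only.
SAMPLE='apm acl test-acl { acl-order 1 entries { { action allow dst-subnet 10.1.0.0/16 } { action reject dst-subnet 10.2.0.0/16 } } type static }'
# On the BIG-IP, with $1 = ACL name and $2 = new entry as in the answer:
#   entries=$(build_entries "$(tmsh list apm acl "$1" one-line)" "$2") &&
#       tmsh modify apm acl "$1" entries $entries
```

Comparing the printed list against the current tmsh listing before running the modify shows exactly which entries will be written back.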