Looking to remotely add/remove IPs to a table blacklist that can be referenced by an iRule. Is it possible to accomplish this through iControlREST ? Thanks!

Yes you can do that. I've done it before using an external datagroup, and storing the datagroup contents on an external HTTP (or HTTPS) server. Here's the tmsh command;- tmsh modify /sys file data-group /Common/dg_ip_blacklist separator ":=" source-path http://10.2.3.4:8080/etc/ip_blacklist.txt That doesn't quite get you there though...use the following guide https://devcentral.f5.com/d/icontrol-rest-user-guide-version-1150 to convert the tmsh command into a REST request that can be sent by a remote server....

Thanks for replying.¬† I found the data-group function in the iControlREST documentation, but I didn't see anything about tables.¬† https://devcentral.f5.com/s/articles/the101-irules-101-datagroups-amp-tables¬†

OK ok curl -k -u admin:'blah' -H "Content-Type: application/json" -X PUT -d '{"name":"dg_ip_blacklist","partition":"/Common","source-path": "http://10.2.3.4:8080/etc/ip_blacklist.txt"}' https://10.191.58.180/mgmt/tm/sys/file/data-group/dg_ip_blacklist/?$filter=partition%20eq%20Common

If you'd rather manipulate data group entries individually you can use an internal datagroup and you should be able to use iControl REST to do that too.

The best fit for an IP Blacklist to be accessed from an iRule is an 'address' type datagroup (either internal or external), not a session table. Datagroups are like a keyed table that exist in memory, and can easily be accessed from an iRule. If you really really need to use the session table this can be done remotely too (however you wouldn't use iControl REST). We can discuss if necessary but you'd have to have an unusual use-case.

Modify iRule Table through iControlREST ?

IheartF5_45022
Nacreous
Jan 20, 2017
Yes you can do that. I've done it before using an external datagroup, and storing the datagroup contents on an external HTTP (or HTTPS) server. Here's the tmsh command;-

tmsh modify /sys file data-group /Common/dg_ip_blacklist separator ":=" source-path http://10.2.3.4:8080/etc/ip_blacklist.txt

That doesn't quite get you there though...use the following guide https://devcentral.f5.com/d/icontrol-rest-user-guide-version-1150 to convert the tmsh command into a REST request that can be sent by a remote server....
- Ben_9010
  Nimbostratus
  Jan 20, 2017
  Thanks for replying.
  ¬†
  
  I found the data-group function in the iControlREST documentation, but I didn't see anything about tables.
  ¬†
  
  https://devcentral.f5.com/s/articles/the101-irules-101-datagroups-amp-tables
  ¬†
- IheartF5_45022
  Nacreous
  Jan 20, 2017
  OK ok
  
  curl -k -u admin:'blah' -H "Content-Type: application/json" -X PUT -d '{"name":"dg_ip_blacklist","partition":"/Common","source-path": "http://10.2.3.4:8080/etc/ip_blacklist.txt"}' https://10.191.58.180/mgmt/tm/sys/file/data-group/dg_ip_blacklist/?$filter=partition%20eq%20Common
- IheartF5_45022
  Nacreous
  Jan 20, 2017
  If you'd rather manipulate data group entries individually you can use an internal datagroup and you should be able to use iControl REST to do that too.
Kai_Wilke
MVP
Jan 27, 2017
Hi Ben,

you can't change
[table]
data via REST. But you can add/remove data-group entries via REST and then access the data-group via iRules.

To add/remove entries via REST into/from a data-group without applying the entire data-group again, you can deploy some TMSH helper scripts on your box and call those scripts via REST while passing the required parameters.

To get an idea how this could be implemented, you may take a look to the post below. It explains how a data-group can be changed within an iRule by using a combo of iRule->SIDEBAND Connection->REST API->TMSH Script->Data-Group. Simply skip the iRule->SIDEBAND part and you should have a working solution within minutes...

https://devcentral.f5.com/questions/write-into-internal-data-group-from-irule-50597

Cheers, Kai

Forum Discussion

Modify iRule Table through iControlREST ?

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Using iControlRest to modify LTM pools

iControlREST Swagger File

Enhanced SSL stats in iControlREST

iRule to modify a content-security-policy header

iControlREST Auth Token and Transaction Example (Postman)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS