For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Osama_Elsherbin's avatar
Osama_Elsherbin
Icon for Nimbostratus rankNimbostratus
Jan 05, 2021

REST API Call "PUT" how to Update packet filter rule with IP address and not to replace existing

Hello F5 Developers Community I have an Issue with f5 API ? the use case is that i need to add IP address to the Packet filter Policy and not to overwrite to the existing IP addresses through REST...
devops
iControl
iControlREST
security
Satoshi_Toyosa1's avatar
Satoshi_Toyosa1
Ret. Employee
Jan 06, 2021

Overwriting the existing rule is expected because the rule is represented as a single string (irrespective of a number of conditions joined by OR). This applies also to the equivalent tmsh command (modify net packet-filter <rule> ".....rule....").

To modify the rule, you need to GET the rule, compose a new rule from the current configuration, and PUT it.

I would use jq to create a rule with an additional "src host" (assuming that the rule consists of just "src host xx.xx.xx.xx") like this (SatPktRule is the name of the rule):

# Informatioal. Check the current rule.
$ curl -sku $PASS https://$HOST/mgmt/tm/net/packet-filter/SatPktRule | jq '.rule'
"(src host 10.10.10.10 or src host 10.10.10.20)"
 
# Add "src host 10.10.10.30" to the current
$ curl -sku $PASS https://$HOST/mgmt/tm/net/packet-filter/SatPktRule | jq '.rule | rtrimstr(")") + " or src host 10.10.10.30)"'
"(src host 10.10.10.10 or src host 10.10.10.20 or src host 10.10.10.30)"