TCL error: invalid command name "1" on GTM

Hi Arnor,

The square braces execute the text within as a command and return the value. So if you have [$command1] or [$command2] it will return true or false (0 or 1). If you have [[$command1] or [$command2]] it will try to execute 0 or 1 and return an invalid command error as 0 and 1 aren't valid commands. If you want to do logical grouping, use parentheses instead.

Also, when using the IP::addr command, only put the /subnet on the network--not a host address like IP::remote_addr. Lastly, when checking the result of the active_members command, you should use == to do a numeric comparison not just =.

Can you try this?

when DNS_REQUEST {
   if { [active_members Global-webservices.landsbanki.is_A10_pool] == 0 and [active_members Global-webservices.landsbanki.is_RB_pool] == 0 } {
      drop
   } elseif { [IP::addr [IP::remote_addr] equals 89.104.145.0/24] } {
      if { [active_members Global-webservices.landsbanki.is_A10_pool] >= 1 } {
         pool Global-webservices.landsbanki.is_A10_pool
      } else {
         pool Global-webservices.landsbanki.is_RB_pool
      } 
      return
   } elseif { [IP::addr [IP::remote_addr] equals 89.104.148.0/24] } {
      if { [active_members Global-webservices.landsbanki.is_RB_pool] >= 1 } {
         pool Global-webservices.landsbanki.is_RB_pool
      } else {
         pool Global-webservices.landsbanki.is_A10_pool
      } 
      return
   } elseif { not ([IP::addr [IP::remote_addr] equals 172.27.0.0/16]  or [IP::addr [IP::remote_addr] equals 89.104.128.0/19]) } {
      drop
   }
}

Aaron

Excellent Aaron, thank you - of course this was the issue - works perfectly now :-)

 

 

I always get a bit confused with all the braces and parentheses :-(

 

 

Thanks,

 

Arnór

Just remember that square braces are to execute commands and return the value, and parentheses are used for logical grouping :)

 

 

Aaron

Now I have a new twist on this - and maybe I should open a case for this, but I'll try it here first.

 

 

I just upgraded the GTM's from 9.4.8 to 10.2.2 and after that, I am not able to edit this rule (above) through the GUI.

 

It works fine if I edit it with iRule editor and save it, but when editing it in the GUI and pressing 'update' I get this error:

 

 

01070151:3: Rule [Global_Webservice_millinet_irule] error:

 

line 1: [undefined procedure: ] [{}]

 

 

All other irules work fine, but not this one !?

 

 

Any ideas ?

Can you post the exact rule you're testing in [ code ] [/ code ] blocks (without the spaces)?

 

 

Aaron

Yes sure,

but actually - it is just a copy of what you wrote above 🙂

Here it is:

when DNS_REQUEST {
if { [active_members Global-webservices.landsbanki.is_A10_pool] == 0 and [active_members Global-webservices.landsbanki.is_RB_pool] == 0 } {
drop
}
elseif { [IP::addr [IP::remote_addr] equals 89.104.145.0/24] } {
if { [active_members Global-webservices.landsbanki.is_A10_pool] >= 1 } {
pool Global-webservices.landsbanki.is_A10_pool
}
else {
pool Global-webservices.landsbanki.is_RB_pool
} 
return
}
elseif { [IP::addr [IP::remote_addr] equals 89.104.148.0/24] } {
if { [active_members Global-webservices.landsbanki.is_RB_pool] >= 1 } {
pool Global-webservices.landsbanki.is_RB_pool
}
else {
pool Global-webservices.landsbanki.is_A10_pool
} 
return
}
elseif { not ([IP::addr [IP::remote_addr] equals 172.27.0.0/16]  or [IP::addr [IP::remote_addr] equals 89.104.128.0/19]) } {
drop
}
}

This looks like a bug in the GTM iRule parser. Here's a simple way to reproduce it:

when DNS_REQUEST {
    if { 1 == 1 } {
    }
}

Here's a workaround:

when DNS_REQUEST {
    if { not [active_members Global-webservices.landsbanki.is_A10_pool] and not [active_members Global-webservices.landsbanki.is_RB_pool] } {
        drop
    }
    elseif { [IP::addr [IP::remote_addr] equals 89.104.145.0/24] } {
        if { [active_members Global-webservices.landsbanki.is_A10_pool] } {
            pool Global-webservices.landsbanki.is_A10_pool
        }
        else {
            pool Global-webservices.landsbanki.is_RB_pool
        } 
        return
    }
    elseif { [IP::addr [IP::remote_addr] equals 89.104.148.0/24] } {
        if { [active_members Global-webservices.landsbanki.is_RB_pool] } {
            pool Global-webservices.landsbanki.is_RB_pool
        }
        else {
            pool Global-webservices.landsbanki.is_A10_pool
        } 
        return
    }
    elseif { not ([IP::addr [IP::remote_addr] equals 172.27.0.0/16]  or [IP::addr [IP::remote_addr] equals 89.104.128.0/19]) } {
        drop
    }
}

You could open a case with F5 Support to have them look into the issue. It might be fixed already in the current v11 beta as I believe there has been a lot of work done on GTM iRules in the upcoming version.

Aaron

Thanks Aaron, that did the trick.

 

 

I'll wait with opening a case, I always use the iRule editor anyways....

 

 

Arnór

...

If the unit isn't in production, try running 'b load' with the original iRule that generates an error when trying to save via the GUI. Chances are if it errs via the GUI it won't load either. I'd open a case on this sooner than later.

 

 

Aaron