Osama_Elsherbin
Jan 05, 2021

REST API Call "PUT" how to Update packet filter rule with IP address and not to replace existing

Hello F5 Developers Community

I have an issue with the F5 API.

The use case is that I need to add an IP address to the packet filter policy and not overwrite the existing IP addresses through a REST API call.

The following is the API call that I use:

    curl -sk -u 'username****:password*****' -H "Content-Type: application/json" -X PUT -d '{"action":"discard","order":5,"rule":"(src host 10.10.10.10 or src host 20.20.20.20)"}' 'https://f5IPAddress/mgmt/tm/net/packet-filter/~Common~HQ_DENY_ACL?ver=15.1.0'

And I got the below response:

    {"kind":"tm:net:packet-filter:packet-filterstate","name":"HQ_DENY_ACL","partition":"Common","fullPath":"/Common/HQ_DENY_ACL","generation":8435930,"selfLink":"https://localhost/mgmt/tm/net/packet-filter/~Common~HQ_DENY_ACL?ver=15.1.0","action":"discard","logging":"disabled","order":5,"rule":"(src host 10.10.10.10 or src host 20.20.20.20)"}

That shows the IP addresses have been added successfully. If I repeat the action with different IPs, they overwrite the existing ones from the first action.

I would appreciate it if anyone can support.

2 Replies

  • Overwriting the existing rule is expected because the rule is represented as a single string (irrespective of the number of conditions joined by OR). This also applies to the equivalent tmsh command (modify net packet-filter <rule> ".....rule....").

    To modify the rule, you need to GET the rule, compose a new rule from the current configuration, and PUT it.

    I would use jq to create a rule with an additional "src host" (assuming that the rule consists of just "src host xx.xx.xx.xx") like this (SatPktRule is the name of the rule):

    # Informational. Check the current rule.
    $ curl -sku $PASS https://$HOST/mgmt/tm/net/packet-filter/SatPktRule | jq '.rule'
    "(src host 10.10.10.10 or src host 10.10.10.20)"
     
    # Add "src host 10.10.10.30" to the current
    $ curl -sku $PASS https://$HOST/mgmt/tm/net/packet-filter/SatPktRule | jq '.rule | rtrimstr(")") + " or src host 10.10.10.30)"'
    "(src host 10.10.10.10 or src host 10.10.10.20 or src host 10.10.10.30)"
  • P.S. If you do not need to change the action and order properties, you can use the PATCH command instead. You only need to specify the rule.
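
The GET, compose, and write-back sequence from the replies as one script, using PATCH so only the rule property is sent. This is an added example, not code posted by either participant; HOST, CREDS and all function names are assumptions, and it handles only the flat "src host" rule shape the first reply assumes.

```sh
#!/bin/sh
# Added example (not from the thread). HOST, CREDS ("user:password") and the
# rule name passed to append_to_filter are assumptions supplied by the caller.

# True only for a dotted-quad IPv4 address, so no other text can be spliced
# into the filter expression. Body runs in a subshell to keep IFS local.
valid_ipv4() (
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  IFS=.; set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
)

# Print RULE with "src host IP" added. Accepts only the flat
# "(src host A or src host B ...)" shape the reply assumes.
add_src_host() (
  rule=$1 ip=$2
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
  case $rule in "(src host "*")") ;; *) echo "unsupported rule: $rule" >&2; return 3 ;; esac
  inner=${rule#"("}; inner=${inner%")"}
  rest="$inner or "
  while [ -n "$rest" ]; do
    host=${rest%%" or "*}; host=${host#"src host "}; rest=${rest#*" or "}
    valid_ipv4 "$host" || { echo "unsupported rule: $rule" >&2; return 3; }
    # Already listed: print the rule unchanged so reruns are idempotent.
    [ "$host" = "$ip" ] && { printf '%s\n' "$rule"; return 0; }
  done
  printf '(%s or src host %s)\n' "$inner" "$ip"
)

# GET the rule, compose the new string, PATCH back only the "rule" property.
# -k (skip certificate verification) is kept from the thread's commands.
append_to_filter() (
  url="https://$HOST/mgmt/tm/net/packet-filter/$1"
  current=$(curl -sk --fail -u "$CREDS" "$url" | jq -r '.rule')
  updated=$(add_src_host "$current" "$2") || return
  [ "$updated" = "$current" ] && return 0
  curl -sk --fail -u "$CREDS" -H 'Content-Type: application/json' -X PATCH \
    -d "$(jq -n --arg r "$updated" '{rule: $r}')" "$url" | jq -r '.rule'
)
```

With HOST and CREDS exported, `append_to_filter SatPktRule 10.10.10.30` prints the rule as stored after the update. The GET and the PATCH are separate requests, so two clients editing the same rule at once can still overwrite each other.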