Using Tcl

You can use the Tcl programming language to write advanced branch rules in the Visual Policy Designer (VPD) and to assign variables to custom expressions in the Variable Assign action.

Note: Using Tcl is optional; it provides an alternative to using the expression builder (in the Visual Policy Designer), and to using other options provided by the Variable Assign action.

Tcl syntax notes

BIG-IP Next Access supports standard Tcl syntax and additional commands and operators listed in the following table.

Standard Tcl Syntax

BIG-IP Next Access supports the facilities provided by the Tcl language; for example, loops (while, foreach, and so on), conditions (if/else, switch, and so on), functions (proc), and built-in Tcl commands (string, split, and so on), as well as the various Tcl operators.

Additional commands and operators

In addition to standard Tcl syntax, Access supports these commands and operators:

  • mcget command

  • Rule operators: A rule operator compares two operands in an expression.

  • Logical operators: A logical operator compares two values in an expression.

Note: iRules on the BIG-IP Next instances can provide functionality to the BIG-IP Next Access components. However, Tcl commands that are specific to iRules are not available in Access policy rules.

Command or Operator | Type | Description
mcget | Command | mcget is an abbreviation for: get the session variable from the memory cache. BIG-IP Next Access stores all session variables generated in a session in its memory cache. When evaluating a branch rule, Access examines session variables from system memory using the Tcl command mcget.
contains | Rule operator | Tests whether one string contains another string.
ends_with | Rule operator | Tests whether one string ends with another string.
equals | Rule operator | Tests whether one string equals another string.
matches | Rule operator | Tests whether one string matches another string.
matches_regex | Rule operator | Tests whether one string matches a regular expression.
starts_with | Rule operator | Tests whether one string starts with another string.
switch | Rule operator | Evaluates one of several scripts, depending on a given value.
and | Logical operator | Performs a logical and comparison between two values.
not | Logical operator | Performs a logical not action on a value.
or | Logical operator | Performs a logical or comparison between two values.

Tcl examples

These tables describe the syntax elements for the Tcl examples.

Using mcget

[ mcget { } ]

Syntax element | Value | Description
Brackets | [ ] | The brackets [ ] that enclose the entire command are the Tcl notation for command evaluation.
Command name | mcget | This command gets the session variable from the memory cache.
Braces | { } | Braces enclose the session variable.
Session variable name |  | Session variables that are generated during a session are stored in memory cache.

Checking a certificate field

expr { [mcget {session.ssl.cert.OU}] contains "PD" }

This expression checks whether the Organizational Unit (OU) field of a user certificate contains the text PD.

Syntax element | Value | Description
Command name | expr | The Tcl language specifies that an expression begin with the syntax expr.
Rule operator | contains | This operator checks for the string PD.
Return values | 0 or 1 | 0 usually indicates failure, while 1 usually indicates success.
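
The following is an added example, not F5 code: a stand-alone tclsh script showing how the substring test in the certificate check above differs from an exact or anchored match on constructed OU values. mcget is stubbed over a constructed session table, and the op_* procs are hypothetical stand-ins, written with standard Tcl commands, for the Access operators contains, equals and matches_regex.

```tcl
# Added example: runs in plain tclsh, outside BIG-IP Next Access.
# Constructed session table standing in for the Access memory cache.
set session [dict create]

# Stub for mcget: the real command reads the session variable from the
# Access memory cache; this one reads the constructed dict above.
proc mcget {name} {
    global session
    if {[dict exists $session $name]} {
        return [dict get $session $name]
    }
    # Assumption for this stub: an unset variable reads as an empty string.
    return ""
}

# Hypothetical stand-ins for the Access rule operators, using standard Tcl.
# Each returns 1 (true) or 0 (false), like a branch rule expression.
proc op_contains {a b}  { expr {[string first $b $a] >= 0} }
proc op_equals   {a b}  { string equal $a $b }
proc op_regex    {a re} { regexp -- $re $a }

# Constructed certificate OU values. Only the first is the department the
# rule is meant to admit; the others merely include the text PD, or are empty.
foreach ou {PD PDX "Not-PD" "RD-PD-Contractors" ""} {
    dict set session session.ssl.cert.OU $ou
    set v [mcget {session.ssl.cert.OU}]
    puts [format "%-22s contains=%d equals=%d anchored_regex=%d" \
        "\"$ou\"" \
        [op_contains $v "PD"] \
        [op_equals   $v "PD"] \
        [op_regex    $v {^PD$}]]
}
```

Only the equals and anchored-regex columns limit the branch to the OU PD alone; contains also accepts every constructed value that merely includes PD.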