When you run show-access-rulebase against a layer that uses section headers and parse the output in a script with jq, you might have trouble extracting the actual rules.
The specific issue is that rules above all section headers (or in a layer with no sections) are accessible with .rulebase[], while rules below a section header are accessible with .rulebase[].rulebase[].
This creates a potential issue with scripting, since it's quite possible to have both in the same access layer.
How do you get only the access rules? You "flatten" it, which can be done with jq.
For example:
mgmt_cli -r true --format json show-access-rulebase name "$layerName" limit 500 | jq -r '. | recurse(.rulebase[]?) | select(.type == "access-rule")'
For some context here:
- mgmt_cli -r true --format json show-access-rulebase name "$layerName" limit 500 will show the first 500 rules in JSON format. You will need to make multiple calls using limit/offset parameters to get additional results.
- jq -r is used to parse the output of the mgmt_cli command to get the data you are interested in. The filter we pass to it has two parts:
  - recurse(.rulebase[]?) flattens the nested rulebase into a stream of its contents: access-rule, access-section and place-holder objects.
  - select(.type == "access-rule") keeps only the access-rule objects, whose data we wish to access.
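As an added example (not part of the original post and not Check Point code), the script below runs the same filter over a constructed page where one rule sits above a section, and shows what a top-level-only read misses. The function names are hypothetical, and the pagination helper assumes the response's from/to/total fields, which the post does not show, and needs mgmt_cli on a management server.

```shell
# Constructed sample, not real mgmt_cli output: one rule above any section,
# then a section holding two rules and a place-holder.
sample_page='{
  "from": 1, "to": 3, "total": 3,
  "rulebase": [
    {"type": "access-rule", "rule-number": 1, "name": "Mgmt access"},
    {"type": "access-section", "name": "Web tier", "rulebase": [
      {"type": "access-rule", "rule-number": 2, "name": "Allow HTTPS"},
      {"type": "place-holder", "name": "Global placeholder"},
      {"type": "access-rule", "rule-number": 3, "name": "Cleanup"}
    ]}
  ]
}'

# Top level only: what a script sees if it reads .rulebase[] and nothing deeper.
top_level_rule_names() {
  jq -r '.rulebase[] | select(.type == "access-rule") | .name'
}

# Flattened: the recurse/select filter from the post, one TSV line per rule.
flat_rules_tsv() {
  jq -r 'recurse(.rulebase[]?) | select(.type == "access-rule")
         | [."rule-number", .name] | @tsv'
}

# Pagination sketch (hypothetical helper). Assumption: each response carries
# "to" and "total", so the next offset is the last "to". A section split across
# two pages is still handled, because every page is flattened on its own.
all_rules_tsv() {
  layer=$1; limit=500; offset=0
  while :; do
    page=$(mgmt_cli -r true --format json show-access-rulebase \
      name "$layer" limit "$limit" offset "$offset") || return 1
    printf '%s' "$page" | flat_rules_tsv
    to=$(printf '%s' "$page" | jq -r '.to // 0')
    total=$(printf '%s' "$page" | jq -r '.total // 0')
    # Stop on the last page, or if the offset did not advance (no endless loop).
    if [ "$to" -ge "$total" ] || [ "$to" -le "$offset" ]; then break; fi
    offset=$to
  done
}

# Demo on the constructed page (skipped when jq is not installed).
if command -v jq >/dev/null 2>&1; then
  printf '%s' "$sample_page" | top_level_rule_names
  printf '%s' "$sample_page" | flat_rules_tsv
fi
```

On the sample, the top-level read returns one rule while the flattened read returns all three, in rulebase order.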
Hope this helps!