[j-nsp] How to query the results tree from a commit script?

Tore Anderson tore.anderson at redpill-linpro.com
Tue May 22 09:21:45 EDT 2012


Hi,

I'm trying to write a template for a commit script that, when called,
will find the first unused unit on an interface and add some transient
config to it. "Unused" means that the unit isn't defined in the
main configuration file and that an earlier call to the template hasn't
written transient config to it yet.

This second part I have trouble figuring out how to accomplish. The
following template will, when called repeatedly, make the change to the
same unit every time (the first one not defined in the input
configuration file). The second condition in the first if() for
"/commit-script-result/transient-change/..." clearly doesn't work, I
just left it in so it's obvious what I want it to do (I've tried
various other xpath expressions too, without luck). Any suggestion on
how to make this work?


template generate-vpn($unit = 0, $ikegw, $local, $remote) {
  /* create the tunnel sub-interfaces on this interface */
  var $iface = "st0";

  /*
   * call this template recursively until we find the first unused
   * unit on the interface (poor man's iterator)
   */
  if (/commit-script-input/configuration/interfaces/interface[name == $iface]/unit[name == $unit] ||
      /commit-script-results/transient-change/interfaces/interface[name == $iface]/unit[name == $unit]) {
    /* unit is taken: recurse into this same template with the next unit number */
    call generate-vpn() {
      with $unit = $unit + 1;
      with $ikegw = $ikegw;
      with $local = $local;
      with $remote = $remote;
    }
  } else {
    /* found the first available unit, now add the transient change */
    <xnm:warning> {
      <message> "adding interface=" _ $iface _ "." _ $unit _ "; ikegw=" _ $ikegw _ "; local=" _ $local _ "; remote=" _ $remote;
    }
    <transient-change> {
      <interfaces> {
        <interface> {
          <name> $iface;
          <unit> {
            <name> $unit;
            <description> "ikegw=" _ $ikegw _ "; local=" _ $local _ "; remote=" _ $remote;
            <family> {
              <inet>;
            }
          }
        }
      }
    }
  }
}

If I can make this work, the idea is to extend the transient change to
also add filter-based forwarding for the src/dst network into the right
st0.x interface, plus generating vpn entries under security ipsec
with matching proxy identities and bind-interface, so that I can make
the SRX establish multi-phase2 IPSEC VPNs to e.g. Cisco ASA without
requiring a massive configuration file. The box is running JUNOS
12.1R1.9.

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
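As an added example (not the poster's code, and not SLAX), the unit search from the template modelled in Python over a constructed commit-script-input: units defined on st0 in the main configuration and units this run has already handed out are tracked in one set, which is the state the template is trying to read back from the result tree. The sample config, the function names and the VPN tuples are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample commit-script-input: st0 already has units 0 and 2.
COMMIT_SCRIPT_INPUT = """<commit-script-input><configuration><interfaces>
  <interface><name>st0</name>
    <unit><name>0</name><family><inet/></family></unit>
    <unit><name>2</name><family><inet/></family></unit>
  </interface>
</interfaces></configuration></commit-script-input>"""


def first_unused_unit(root, iface, emitted, start=0):
    """Lowest unit >= start that is neither defined on `iface` in the main
    configuration nor in `emitted`, the set of units this run already used
    (the state the SLAX template cannot read back from the result tree)."""
    taken = set(emitted)
    for intf in root.iterfind("./configuration/interfaces/interface"):
        if intf.findtext("name") == iface:
            taken.update(int(u.findtext("name")) for u in intf.iterfind("unit"))
    unit = start
    while unit in taken:        # same walk as the recursive template call
        unit += 1
    return unit


def generate_vpns(xml_text, vpns, iface="st0"):
    """Allocate one free unit per (ikegw, local, remote) tuple and build the
    <transient-change> element the commit script would emit."""
    root = ET.fromstring(xml_text)
    emitted = set()             # hypothetical accumulator of allocated units
    change = ET.Element("transient-change")
    intf = ET.SubElement(ET.SubElement(change, "interfaces"), "interface")
    ET.SubElement(intf, "name").text = iface
    allocated = []
    for ikegw, local, remote in vpns:
        unit = first_unused_unit(root, iface, emitted)
        emitted.add(unit)
        allocated.append(unit)
        u = ET.SubElement(intf, "unit")
        ET.SubElement(u, "name").text = str(unit)
        ET.SubElement(u, "description").text = (
            "ikegw=%s; local=%s; remote=%s" % (ikegw, local, remote))
        ET.SubElement(ET.SubElement(u, "family"), "inet")
    return allocated, ET.tostring(change, encoding="unicode")
```

With the sample above, three VPNs are placed on units 1, 3 and 4: 0 and 2 are skipped because they exist in the configuration, and 1 and 3 are skipped once they have been emitted.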

