[j-nsp] How to query the results tree from a commit script?

Curtis Call ccall at juniper.net
Tue May 22 18:37:30 EDT 2012


In SLAX 1.1 you'd be able to use mvars, but that isn't released in Junos yet, so you'll need to use some sort of out-of-script storage such as the Utility MIB or a disk file.

BTW, this could cause your unit numbers to jump around between commits. (If you remove one VPN then every following VPN will suddenly have a lower unit number). Is that going to be a problem for you? It might be preferable to store the assigned unit number for each VPN within the configuration, perhaps within an apply-macro, so that you can ensure that a particular VPN doesn't change. That would allow you to assign the numbers randomly as well, which would be more efficient. (i.e. when the script makes the transient change it also makes a permanent apply-macro change, recording the assigned unit [if it is a previously unconfigured VPN])

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Tore Anderson
> Sent: Tuesday, May 22, 2012 6:22 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] How to query the results tree from a commit script?
> 
> Hi,
> 
> I'm trying to write a template for a commit script that, when called,
> will find the first unused unit on an interface and add some transient
> config to it. "Unused" means that the unit isn't defined in the
> main configuration file and that an earlier call to the template hasn't
> written transient config to it yet.
> 
> This second part I have trouble figuring out how to accomplish. The
> following template will, when called repeatedly, make the change to the
> same unit every time (the first one not defined in the input
> configuration file). The second condition in the first if() for
> "/commit-script-result/transient-change/..." clearly doesn't work, I
> just left it in so it's obvious what I want it to do (I've tried
> various other xpath expressions too, without luck). Any suggestion on
> how to make this work?
> 
> 
> template generate-vpn($unit=0, $ikegw, $local, $remote) {
>   /* create the tunnel sub-interfaces on this interface */
>   var $iface = "st0";
> 
>   /*
>    * call the template recursively until we find the first unused
>    * unit on the interface (poor man's iterator)
>    */
>   if(/commit-script-input/configuration/interfaces/interface[name == $iface]/unit[name == $unit] ||
>      /commit-script-results/transient-change/interfaces/interface[name == $iface]/unit[name == $unit]) {
>     /* recurse into this same template with the next unit number */
>     call generate-vpn() {
>       with $unit = $unit + 1;
>       with $ikegw = $ikegw;
>       with $local = $local;
>       with $remote = $remote;
>     }
>   } else {
>     /* found the first available unit, now add the transient change */
>     <xnm:warning> {
>       <message> "adding interface=" _ $iface _ "." _ $unit _ "; ikegw=" _ $ikegw _ "; local=" _ $local _ "; remote=" _ $remote;
>     }
>     <transient-change> {
>       <interfaces> {
>         <interface> {
>           <name> $iface;
>           <unit> {
>             <name> $unit;
>             <description> "ikegw=" _ $ikegw _ "; local=" _ $local _ "; remote=" _ $remote;
>             <family> {
>               <inet>;
>             }
>           }
>         }
>       }
>     }
>   }
> }
> 
> If I can make this work, the idea is to extend the transient change to
> also add filter-based forwarding for the src/dst network into the right
> st0.x interface, plus generating vpn entries for under security ipsec
> with matching proxy identities and bind-interface, so that I can make
> the SRX establish multi-phase2 IPSEC VPNs to e.g. Cisco ASA without
> requiring a massive configuration file. The box is running JUNOS
> 12.1R1.9.
> 
> Best regards,
> --
> Tore Anderson
> Redpill Linpro AS - http://www.redpill-linpro.com
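Curtis's apply-macro suggestion written out as a SLAX 1.0 template pair (an added example, not code from either poster). The `vpn-units` apply-macro, the `allocate-vpns` and `first-free-unit` template names, and the shape of `$vpns` (a node-set of VPN definitions, each with a `<name>` child) are assumptions; the caller is expected to pass the st0 `<interface>` node from `/commit-script-input/configuration` as `$iface`.

```slax
/*
 * Carry the units handed out so far in $taken (a space-delimited string)
 * through the recursion instead of querying the results tree. A VPN whose
 * unit is recorded in the assumed apply-macro "vpn-units" on $iface keeps it;
 * a new VPN takes the first free unit and a permanent <change> records it, so
 * removing one VPN later never renumbers the others. $vpns is assumed to be a
 * node-set of VPN definitions each with a <name> child; $iface the st0
 * <interface> node from /commit-script-input/configuration.
 */
template allocate-vpns ($vpns, $iface, $taken = " ") {
    if (count($vpns) > 0) {
        var $vpn = $vpns[1];
        var $recorded = $iface/apply-macro[name == "vpn-units"]/data[name == $vpn/name]/value;
        var $unit = {
            if ($recorded) {
                expr $recorded;
            } else {
                call first-free-unit($iface, $taken, $candidate = 0);
            }
        }
        if (not($recorded)) {
            /* permanent change: remember the assignment in the configuration */
            <change> { <interfaces> { <interface> {
                <name> $iface/name;
                <apply-macro> {
                    <name> "vpn-units";
                    <data> { <name> $vpn/name; <value> $unit; }
                }
            } } }
        }
        /* transient change: the tunnel unit itself, as in Tore's template */
        <transient-change> { <interfaces> { <interface> {
            <name> $iface/name;
            <unit> { <name> $unit; <family> { <inet>; } }
        } } }
        call allocate-vpns($vpns = $vpns[position() > 1], $iface, $taken = $taken _ $unit _ " ");
    }
}

/* First unit >= $candidate that is neither configured, recorded for another VPN, nor in $taken */
template first-free-unit ($iface, $taken, $candidate) {
    if ($iface/unit[name == $candidate]
        || $iface/apply-macro[name == "vpn-units"]/data[value == $candidate]
        || contains($taken, " " _ $candidate _ " ")) {
        call first-free-unit($iface, $taken, $candidate = $candidate + 1);
    } else {
        expr $candidate;
    }
}
```

Because `$taken` is threaded through the recursion, two VPNs that are both new in the same commit still get distinct units without any lookup in `/commit-script-results`; from the next commit on, the recorded apply-macro values take precedence.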