[j-nsp] How to query the results tree from a commit script?

Tore Anderson tore.anderson at redpill-linpro.com
Wed May 23 03:18:17 EDT 2012 

Hi Curtis,

* Curtis Call

> In SLAX 1.1 you'd be able to use mvars, but that isn't released in 
> Junos yet, so you'll need to use some sort of out-of-script storage 
> such as the Utility MIB or a disk file.

Thanks, I'll look into this. On first glance I think perhaps the Utility
MIB might do the trick - I'm thinking that every time the template emits
a transient change, it would also write the unit number to the Utility
MIB. The if test would then check to see if the current iterator was <=
the stored number, and if so recurse/iterate further. Or, perhaps even
better, I suppose the template that calls the generate-vpn template
could read in the stored value and call the generate-vpn template with
$unit set to the stored number + 1,

> BTW, this could cause your unit numbers to jump around between 
> commits. (If you remove one VPN then every following VPN will 
> suddenly have a lower unit number). Is that going to be a problem
> for you?

It's not optimal that the unit number may change, but I think I can live
with it. It's my intention to auto-generate everything that refers to it
(routes, ipsec vpn definitions, etc) also, so the configuration should
always be consistent even though the unit numbers would be considered
ephemeral.

> It might be preferable to store the assigned unit number for each VPN
> within the configuration, perhaps within an apply-macro, so that you
> can ensure that a particular VPN doesn't change. That would allow you
> to assign the numbers randomly as well, which would be more 
> efficient. (i.e. when the script makes the transient change it also 
> makes a permanent apply-macro change, recording the assigned unit
> [if it is a previously unconfigured VPN])

My motivation for doing this is to prevent the configuration file from
becoming unmaintainably large. I'd have two apply-macros for each
[security ike gateway foo], one containing a list with the local
networks and one with the remote networks. Those two needs to be
expanded to all possible combinations, so if I, say, have a single VPN
peer with 10 local subnets and 10 remote subnets, I need to build 100
vpn definitions under [security ipsec] with the right proxy identities,
100 st0.x interfaces bound to each of those vpns, and then I haven't
even begun looking at the filter-based forwarding that would be
necessary to direct the traffic into the right st0.x interface.

You can probably see that maintaining such a huge configuration file
manually would be a nightmare, so no, I don't want to store the unit
numbers within the configuration itself. Unless I manage to do what I
want with a script, I think I will need to generate the configuration
off the device instead and push it using NETCONF or something like that.

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com

More information about the juniper-nsp mailing list