[j-nsp] Could JUNOS OP Script support generate firewall filter term and added before original one?

Chen Jiang ilovebgp4 at gmail.com
Thu Dec 17 09:27:52 EST 2015


Hi Jordan,

The end user's MX has a firewall filter named metro-access with many terms in
it, like below:

lab at mx# show firewall family inet filter metro-access
term inside-test {
    from {
        source-address {
            124.42.96.208/29;
        }
    }
    then {
        policer inside-test-2m;
        accept;
    }
}
term bj_kun_lun_fan_dian-15m {
    from {
        source-address {
            119.253.129.64/28;
        }
    }
    then {
        policer bj_kun_lun_fan_dian-15m;
        accept;
    }
}
...
term default-all {
    then accept;
}

Every time the end user wants to add a new network, he creates a term matching
the new net's source address and adds it before the last "default-all" term.

Using a JUNOS op script we could simplify this procedure: auto-generate the new
term content and merge it into the configuration (this step was tested
successfully in the POC lab), but the new term is always placed as the last
term in the firewall filter. I haven't found any method to insert the new
term before the original last "accept all" term, and this means traffic
will never hit the generated new term.

Thanks for your help!

On Thu, Dec 17, 2015 at 8:53 PM, Jordan Head <jordan.head.ny at gmail.com>
wrote:

> Hi James
>
> An op script could definitely do this, but I haven't seen a basic template
> for this use case.  Depending on *exactly* what you want it to do, it might
> be a better job for Python, and maybe some netconf.
>
> Here's something that might help get you started.
>
>
> http://www.juniper.net/documentation/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
>
> How complex are the rules that need to be generated?  Could you provide
> some examples?  Feel free to ping me off list if necessary.
>
> -JH
>
> > On Dec 17, 2015, at 2:35 AM, Chen Jiang <ilovebgp4 at gmail.com> wrote:
> >
> > Hi! Experts
> >
> > I have a requirement from an end user who wants to automate the firewall
> > filter configuration procedure; that means they want to use an op script to
> generate
> > a customized firewall filter term and add it before the last "deny all"
> > term.
> >
> > I have searched the official documents but couldn't find helpful information;
> > it seems there is no method to manage firewall filter term sequence in the
> > SLAX language.
> >
> > Could you please shed some light on this if you have experience with it?
> > Thanks!
> >
> > --
> > BR!
> >
> >
> >
> >           James Chen
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>



-- 
BR!



           James Chen
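The ordering problem described in the thread (a merged term always landing after "default-all") is what the Junos XML protocol's insert attribute on ordered elements addresses: a `<term>` carrying `insert="before"` and `name="<anchor-term>"` is placed before that anchor rather than appended, the XML equivalent of the CLI `insert ... term X before term Y` command. The following Python script is an added example, not the poster's op script or anything from Juniper; it builds such a load fragment offline with the standard library and models the resulting term order. The filter, term, policer and prefix values are constructed, and the `insert`/`name` attribute usage is assumed from the Junos XML protocol documentation. Because the term and prefix come from end-user input, the generator validates them before they reach the configuration, so a stray value cannot smuggle extra terms or an accept-all into the filter.

```python
"""Generate a Junos XML configuration fragment that inserts a new firewall
filter term *before* an existing anchor term instead of appending it.

Added example, not the list poster's op script. Assumes the Junos XML
protocol's insert="before" / name="<anchor-term>" attributes on the ordered
<term> element; filter, term, policer and prefix values are constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Restrict generated identifiers to a safe charset so user-supplied names
# cannot carry braces, quotes or whitespace into the configuration.
_IDENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$")


def _check_ident(value, what):
    """Reject anything that is not a plain Junos identifier."""
    if not _IDENT_RE.match(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def build_insert_term(filter_name, term_name, prefix, policer,
                      anchor="default-all", family="inet"):
    """Return a <configuration> element that inserts term_name before anchor.

    The hierarchy mirrors `firewall family inet filter <name> term <name>`.
    strict=True rejects a prefix with host bits set (e.g. 192.0.2.1/29),
    which would otherwise only be caught at commit time, if at all.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    _check_ident(filter_name, "filter name")
    _check_ident(term_name, "term name")
    _check_ident(policer, "policer name")
    _check_ident(anchor, "anchor term name")

    cfg = ET.Element("configuration")
    firewall = ET.SubElement(cfg, "firewall")
    fam = ET.SubElement(ET.SubElement(firewall, "family"), family)
    filt = ET.SubElement(fam, "filter")
    ET.SubElement(filt, "name").text = filter_name
    # insert="before" plus the name attribute tells the device where in the
    # ordered term list the new term goes; the <name> child names the new term.
    term = ET.SubElement(filt, "term", {"insert": "before", "name": anchor})
    ET.SubElement(term, "name").text = term_name
    src = ET.SubElement(ET.SubElement(term, "from"), "source-address")
    ET.SubElement(src, "name").text = str(net)
    then = ET.SubElement(term, "then")
    ET.SubElement(then, "policer").text = policer
    ET.SubElement(then, "accept")
    return cfg


def to_load_xml(cfg):
    """Serialise the fragment for <load-configuration format="xml" action="merge">."""
    return ET.tostring(cfg, encoding="unicode")


def expected_term_order(existing, new_term, anchor):
    """Model the device's term list after the insert; raise if the anchor is
    missing, which is also when the load itself would fail on the device."""
    if anchor not in existing:
        raise ValueError(f"anchor term {anchor!r} not present in filter")
    idx = existing.index(anchor)
    return existing[:idx] + [new_term] + existing[idx:]


if __name__ == "__main__":
    # Constructed sample: a new 5m site inserted ahead of the catch-all term.
    fragment = build_insert_term("metro-access", "new-site-5m",
                                 "192.0.2.0/29", "new-site-5m")
    print(to_load_xml(fragment))
    print(expected_term_order(
        ["inside-test", "bj_kun_lun_fan_dian-15m", "default-all"],
        "new-site-5m", "default-all"))
```

The serialised fragment is what an op script (or a PyEZ/NETCONF client, as suggested upstream in the thread) would hand to load-configuration with a merge action; the insert attribute is what keeps the new term ahead of "default-all" so traffic actually reaches it. Verifying the resulting order with `show firewall family inet filter metro-access | display set` before commit is the check worth keeping in the workflow.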

