[j-nsp] Could JUNOS OP Script support generate firewall filter term and added before original one?

Steve Hulshof cereal at gmail.com
Thu Dec 17 10:10:37 EST 2015


You can delete the term default-all from the metro-access filter and then use
groups to add the term at the end like this:

set groups ADD_DEFAULT_FW firewall family inet filter metro-access term default-all then accept
set apply-groups ADD_DEFAULT_FW

This will add your default term to the end of the filter after you commit.
You will not see the term when you do "show configuration firewall filter
metro-access" unless you add " | display inheritance" at the end of the
show command.

If you want to apply this to all firewall filters you can do the following:

set groups ADD_DEFAULT_FW firewall family inet filter <*> term default-all then accept
set apply-groups ADD_DEFAULT_FW


Thanks,

Steve



On Thu, Dec 17, 2015 at 9:28 AM Chen Jiang <ilovebgp4 at gmail.com> wrote:

> Hi! Jordan
>
> The end user's MX has a firewall filter named metro-access with many terms in
> it, like below:
>
> lab at mx# show firewall family inet filter metro-access
>
> term inside-test {
>     from {
>         source-address {
>             124.42.96.208/29;
>         }
>     }
>     then {
>         policer inside-test-2m;
>         accept;
>     }
> }
> term bj_kun_lun_fan_dian-15m {
>     from {
>         source-address {
>             119.253.129.64/28;
>         }
>     }
>     then {
>         policer bj_kun_lun_fan_dian-15m;
>         accept;
>     }
> }
> ...
> term default-all {
>     then accept;
> }
>
> Every time the end user wants to add a new network he creates a term matching
> the new net's source address and adds it before the last "default-all" term.
>
> Using a JUNOS OP script we could simplify this procedure: auto-generate the new
> term content and merge it into the configuration (this step is tested
> successfully in the POC lab), but the new term is always arranged as the last
> term in the firewall filter. I haven't found any method to insert the new
> term before the original last "accept all" term, and this makes traffic
> never hit the generated new term.
>
> Thanks for your help!
>
> On Thu, Dec 17, 2015 at 8:53 PM, Jordan Head <jordan.head.ny at gmail.com>
> wrote:
>
> > Hi James
> >
> > An op script could definitely do this, but I haven't seen a basic template
> > for this use case.  Depending on *exactly* what you want it to do, it might
> > be a better job for Python, and maybe some netconf.
> >
> > Here's something that might help get you started.
> >
> >
> >
> http://www.juniper.net/documentation/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
> >
> > How complex are the rules that need to be generated?  Could you provide
> > some examples?  Feel free to ping me off list if necessary.
> >
> > -JH
> >
> > > On Dec 17, 2015, at 2:35 AM, Chen Jiang <ilovebgp4 at gmail.com> wrote:
> > >
> > > Hi! Experts
> > >
> > > I have a requirement from an end user who wants to automate the firewall
> > > filter configuration procedure; that means they want to use an OP script to
> > > generate a customized firewall filter term and add it before the last "deny
> > > all" term.
> > >
> > > I have searched the official documents but couldn't find helpful information;
> > > it seems there is no method to manage firewall filter term sequence in
> > > the SLAX language.
> > >
> > > Could you please shed some light on this if you have experience with it?
> > > Thanks!
> > >
> > > --
> > > BR!
> > >
> > >
> > >
> > >           James Chen
> > > _______________________________________________
> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>
>
> --
> BR!
>
>
>
>            James Chen
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
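The insertion the thread is looking for, as an added example that is not code from the thread or from Juniper: a Python script that builds the new term carrying the Junos XML API's ordered-list attributes (assumed here to be `insert="before"` with `name` set to the anchor term, the XML form of the CLI's `insert ... before term` command), wraps it in the `<configuration>` hierarchy a load-configuration RPC expects, and replays that insertion on a constructed copy of the filter so the resulting term order can be checked offline. Filter name, term names, prefixes and policer names are constructed for the demo; pushing the fragment to a device (NETCONF or an op script) is not shown.

```python
"""Generate a Junos firewall-filter term that lands before the final catch-all
term instead of being appended after it. Added example, not from the thread;
the insert="before"/name attributes are the assumed Junos XML equivalent of
the CLI 'insert ... before term' command."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the existing filter as Junos XML, shaped like the
# "show firewall" output quoted in the thread (two customer terms + catch-all).
EXISTING_FILTER_XML = """
<filter>
  <name>metro-access</name>
  <term><name>inside-test</name>
    <from><source-address><name>124.42.96.208/29</name></source-address></from>
    <then><policer>inside-test-2m</policer><accept/></then></term>
  <term><name>bj_kun_lun_fan_dian-15m</name>
    <from><source-address><name>119.253.129.64/28</name></source-address></from>
    <then><policer>bj_kun_lun_fan_dian-15m</policer><accept/></then></term>
  <term><name>default-all</name><then><accept/></then></term>
</filter>
"""


def build_term(term_name, prefixes, policer, before="default-all"):
    """Build a <term> element with insert="before" name=<anchor> so the device
    places it ahead of the anchor term rather than at the end of the filter."""
    if not prefixes:
        raise ValueError("a term needs at least one source prefix")
    term = ET.Element("term", {"insert": "before", "name": before})
    ET.SubElement(term, "name").text = term_name
    src = ET.SubElement(ET.SubElement(term, "from"), "source-address")
    for p in prefixes:
        # strict=True rejects host bits set in the prefix (e.g. 10.0.0.1/24)
        net = ipaddress.ip_network(p, strict=True)
        if net.version != 4:
            raise ValueError(f"{p}: a family inet filter takes IPv4 prefixes only")
        ET.SubElement(src, "name").text = str(net)
    then = ET.SubElement(term, "then")
    ET.SubElement(then, "policer").text = policer
    ET.SubElement(then, "accept")
    return term


def wrap_for_load(filter_name, term):
    """Wrap the term in the <configuration> hierarchy a load-configuration RPC
    expects and return it as a string (what an op script or NETCONF client
    would send)."""
    cfg = ET.Element("configuration")
    inet = ET.SubElement(ET.SubElement(ET.SubElement(cfg, "firewall"), "family"), "inet")
    flt = ET.SubElement(inet, "filter")
    ET.SubElement(flt, "name").text = filter_name
    flt.append(term)
    return ET.tostring(cfg, encoding="unicode")


def apply_insert_locally(filter_xml, term):
    """Replay the insert="before" semantics on a parsed copy of the filter and
    return the resulting term order, so the ordering can be verified offline
    before anything is committed on a router."""
    flt = ET.fromstring(filter_xml.strip())
    terms = flt.findall("term")
    anchor = term.get("name")
    idx = next((i for i, t in enumerate(terms) if t.findtext("name") == anchor), None)
    if idx is None:
        # Without an anchor the term would be appended after the catch-all and
        # never see traffic, which is exactly the failure the thread describes.
        raise ValueError(f"anchor term {anchor!r} not found in filter")
    if any(t.findtext("name") == term.findtext("name") for t in terms):
        raise ValueError(f"term {term.findtext('name')!r} already exists")
    flt.insert(list(flt).index(terms[idx]), term)
    return [t.findtext("name") for t in flt.findall("term")]


if __name__ == "__main__":
    new = build_term("new-customer-10m", ["203.0.113.0/28"], "new-customer-10m")
    print(wrap_for_load("metro-access", new))
    print(apply_insert_locally(EXISTING_FILTER_XML, new))
```

The local replay is the part worth keeping in an automation pipeline: a generated term that quietly ends up behind the catch-all is not a syntax error and no commit check will flag it, so the script fails closed when the anchor term is absent rather than producing a fragment that the device would accept and append.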

