[j-nsp] Could JUNOS OP Script support generate firewall filter term and added before original one?

Dave Bell me at geordish.org
Thu Dec 17 11:04:59 EST 2015


You could always have your op script delete the default-all term, add
your new network term, then re-add the default-all term.

On 17 December 2015 at 14:27, Chen Jiang <ilovebgp4 at gmail.com> wrote:
> Hi! Jordan
>
> The end user's MX has a firewall filter named metro-access with many terms in
> it, just like below:
>
> lab at mx# show firewall family inet filter metro-access
>
> term inside-test {
>     from {
>         source-address {
>             124.42.96.208/29;
>         }
>     }
>     then {
>         policer inside-test-2m;
>         accept;
>     }
> }
> term bj_kun_lun_fan_dian-15m {
>     from {
>         source-address {
>             119.253.129.64/28;
>         }
>     }
>     then {
>         policer bj_kun_lun_fan_dian-15m;
>         accept;
>     }
> }
> ...
> term default-all {
>     then accept;
> }
>
> Every time the end user wants to add a new network, he creates a term matching
> the new net's source address and adds it before the last "default-all" term.
>
> Using a JUNOS op script we could simplify this procedure: auto-generate the new
> term content and merge it into the configuration (this step was tested
> successfully in the POC lab), but the new term is always placed as the last
> term in the firewall filter. I haven't found any method to insert the new
> term before the original last "accept all" term, and this means traffic will
> never hit the generated new term.
>
> Thanks for your help!
>
> On Thu, Dec 17, 2015 at 8:53 PM, Jordan Head <jordan.head.ny at gmail.com>
> wrote:
>
>> Hi James
>>
>> An op script could definitely do this, but I haven't seen a basic template
>> for this use case.  Depending on *exactly* what you want it to do, it might
>> be a better job for Python, and maybe some netconf.
>>
>> Here's something that might help get you started.
>>
>>
>> http://www.juniper.net/documentation/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
>>
>> How complex are the rules that need to be generated?  Could you provide
>> some examples?  Feel free to ping me off list if necessary.
>>
>> -JH
>>
>> > On Dec 17, 2015, at 2:35 AM, Chen Jiang <ilovebgp4 at gmail.com> wrote:
>> >
>> > Hi! Experts
>> >
> > I have a requirement from an end user who wants to automate the firewall filter
> > configuration procedure; that means they want to use an op script to generate
> > a customized firewall filter term and add it before the last "deny all"
> > term.
> >
> > I have searched the official documents but couldn't find helpful information;
> > it seems there is no method to manage the firewall filter term sequence in
> > the SLAX language.
> >
> > Could you please shed some light on this if you have experience with it?
> > Thanks!
>> >
>> > --
>> > BR!
>> > James Chen
>> > _______________________________________________
>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
>
> --
> BR!
> James Chen
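As an added example (not code from the thread or from Juniper), the following Python models the delete / add / re-add approach suggested above: it emits the set and delete lines for a single candidate commit and shows the term order that results. The filter name, existing term names and policer naming follow the quoted configuration; the catch-all term body, the term-name character check and the sample prefix are assumptions.

```python
import ipaddress
import re

# Constructed sample of the filter from the thread: term names in their current
# order, with the catch-all term last.
EXISTING_TERMS = ["inside-test", "bj_kun_lun_fan_dian-15m", "default-all"]


def build_insert_commands(new_term, prefix, policer, existing=EXISTING_TERMS,
                          filter_name="metro-access", catchall="default-all",
                          catchall_body=("then accept",)):
    """Return the set/delete lines for ONE candidate commit that places new_term
    ahead of the catch-all: delete catch-all, add new term, re-add catch-all.
    catchall_body is assumed here; a real script should read it from the device."""
    if not existing or existing[-1] != catchall:
        raise ValueError(f"{catchall!r} is not the last term; refusing to reorder")
    if new_term in existing:
        raise ValueError(f"term {new_term!r} already exists in {filter_name}")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", new_term):  # conservative name check
        raise ValueError("term name contains characters this script does not accept")
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set in prefix
    base = f"firewall family inet filter {filter_name}"
    cmds = [
        f"delete {base} term {catchall}",
        f"set {base} term {new_term} from source-address {net.with_prefixlen}",
        f"set {base} term {new_term} then policer {policer}",
        f"set {base} term {new_term} then accept",
    ]
    cmds += [f"set {base} term {catchall} {body}" for body in catchall_body]
    return cmds


def resulting_order(existing, commands):
    """Model Junos term ordering: 'delete' removes a term, and a term that is
    'set' for the first time is appended after all existing terms."""
    order = list(existing)
    for cmd in commands:
        m = re.match(r"(set|delete) firewall family inet filter \S+ term (\S+)", cmd)
        if not m:
            continue
        verb, term = m.groups()
        if verb == "delete":
            order = [t for t in order if t != term]
        elif term not in order:
            order.append(term)
    return order
```

Because all three steps land in one commit, the filter is never committed without its catch-all term; on the CLI, `insert firewall family inet filter metro-access term <new-term> before term default-all` reorders the terms directly without deleting anything.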

