[j-nsp] Could JUNOS OP Script support generate firewall filter term and added before original one?
Phil Shafer
phil at juniper.net
Fri Dec 18 01:17:14 EST 2015
Chen Jiang writes:
>I have a requirement from an end user who wants to automate the firewall filter
>configuration procedure; that means they want to use an OP script to generate
>a customized firewall filter term and add it before the last "deny all"
>term.

Steve Hulshof's suggestion re: using config groups is a great one,
since it removes the possibility of error. The group plumbing will
ensure the ordering of terms so your "default-all" term ends up last.

But you can use the normal <configuration> payload to control ordering:

http://www.juniper.net/documentation/en_US/junos15.1/topics/task/configuration/junos-xml-protocol-configuration-data-elements-reordering.html

For your case, this would be something like:

    var $conf = <firewall> {
        <family> {
            <inet> {
                <filter> {
                    <name> "new-term";
                    <term insert="before" name="default-all"> {
                        <name> "new-term";
                        ....
                    }
                }
            }
        }
    }

Hmm..... you can also insert="first" and insert="last" (with no
identifiers), but that doesn't seem to have made it into the docs.
Sorry about that. Now PR 1148401.
Thanks,
Phil
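
Added example, not part of the original message and not Juniper's own code: a complete op script that loads a new term with insert="before" so it is evaluated ahead of the catch-all term. The argument names (filter, term, source), the source-address/discard term body and the reference term name "default-all" are assumptions made for illustration.

```slax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

/* Hypothetical arguments; the term body below is a constructed sample. */
var $arguments = {
    <argument> { <name> "filter"; <description> "Existing inet filter to edit"; }
    <argument> { <name> "term";   <description> "Name of the term to create"; }
    <argument> { <name> "source"; <description> "Source prefix the term discards"; }
}
param $filter;
param $term;
param $source;

match / {
    <op-script-results> {
        if (not($filter) or not($term) or not($source)) {
            <xnm:error> { <message> "filter, term and source are all required"; }
        } else {
            /* insert="before" plus name= selects the reference term (assumed "default-all") */
            var $conf = <configuration> {
                <firewall> {
                    <family> {
                        <inet> {
                            <filter> {
                                <name> $filter;
                                <term insert="before" name="default-all"> {
                                    <name> $term;
                                    <from> { <source-address> { <name> $source; } }
                                    <then> { <discard>; }
                                }
                            }
                        }
                    }
                }
            }
            var $conn = jcs:open();
            var $results := { call jcs:load-configuration($connection = $conn, $configuration = $conf); }
            expr jcs:close($conn);
            if ($results//xnm:error) {
                for-each ($results//xnm:error) { <output> "load/commit failed: " _ message; }
            } else {
                <output> "term " _ $term _ " placed before default-all in filter " _ $filter;
            }
        }
    }
}
```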