[j-nsp] Could JUNOS OP Script support generate firewall filter term and added before original one?

Chen Jiang ilovebgp4 at gmail.com
Fri Dec 18 10:50:55 EST 2015


Hi! Dave

Thanks for the information, it's a solution for this issue.

BR!

James

On Fri, Dec 18, 2015 at 12:04 AM, Dave Bell <me at geordish.org> wrote:

> You could always have your op script delete the default-all term, add
> your new network term, then re-add the default-all term.
>
> On 17 December 2015 at 14:27, Chen Jiang <ilovebgp4 at gmail.com> wrote:
> > Hi! Jordan
> >
> > The end user's MX has a firewall filter named metro-access with many terms in
> > it, just like below:
> >
> > lab at mx#show firewall family inet filter metro-access
> > term inside-test {
> >     from {
> >         source-address {
> >             124.42.96.208/29;
> >         }
> >     }
> >     then {
> >         policer inside-test-2m;
> >         accept;
> >     }
> > }
> > term bj_kun_lun_fan_dian-15m {
> >     from {
> >         source-address {
> >             119.253.129.64/28;
> >         }
> >     }
> >     then {
> >         policer bj_kun_lun_fan_dian-15m;
> >         accept;
> >     }
> > }
> > ...
> > term default-all {
> >     then accept;
> > }
> >
> > Every time the end user wants to add a new network, he creates a term matching
> > the new net's source address and adds it before the last "default-all" term.
> >
> > Using a JUNOS op script we could simplify this procedure: auto-generate the
> > new term content and merge it into the configuration (this step was tested
> > successfully in the POC lab), but the new term is always arranged as the last
> > term in the firewall filter. I haven't found any method to insert the new
> > term before the original last "accept all" term, and that will make traffic
> > never hit the generated new term.
> >
> > Thanks for your help!
> >
> > On Thu, Dec 17, 2015 at 8:53 PM, Jordan Head <jordan.head.ny at gmail.com>
> > wrote:
> >
> >> Hi James
> >>
> >> An op script could definitely do this, but I haven't seen a basic template
> >> for this use case.  Depending on *exactly* what you want it to do, it might
> >> be a better job for Python, and maybe some netconf.
> >>
> >> Here's something that might help get you started.
> >>
> >>
> >>
> http://www.juniper.net/documentation/en_US/junos12.3/topics/example/junos-script-automation-op-script-changing-configuration.html
> >>
> >> How complex are the rules that need to be generated?  Could you provide
> >> some examples?  Feel free to ping me off list if necessary.
> >>
> >> -JH
> >>
> >> > On Dec 17, 2015, at 2:35 AM, Chen Jiang <ilovebgp4 at gmail.com> wrote:
> >> >
> >> > Hi! Experts
> >> >
> >> > I have a requirement from an end user who wants to automate the firewall
> >> > filter configuration procedure; that means they want to use an op script to
> >> > generate a customized firewall filter term and add it before the last "deny
> >> > all" term.
> >> >
> >> > I have searched the official documents but couldn't find helpful
> >> > information; it seems there is no method to manage firewall filter term
> >> > sequence in the SLAX language.
> >> >
> >> > Could you please shed some light on this if you have experience with it.
> >> > Thanks!
> >> >
> >> > --
> >> > BR!
> >> >
> >> >
> >> >
> >> >           James Chen
> >> > _______________________________________________
> >> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
> >
> >
> > --
> > BR!
> >
> >
> >
> >            James Chen
>



-- 
BR!



           James Chen
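As an added example that is not part of any message in this thread, the Python below generates the change Dave Bell describes (delete the trailing catch-all term, add the new term, re-add the catch-all) as Junos set/delete lines, and models Junos term ordering so the result can be checked before it is committed. The filter and term names come from the thread; the new term name, its prefix and the policer are constructed sample values, and the ordering model is a deliberately small assumption about how Junos appends terms rather than the device's own code.

```python
"""Added example (not from the thread): build Dave Bell's three-step change
and verify term order.  Junos evaluates filter terms top to bottom, first
match wins, and a term created with 'set' is appended at the end of the
filter; deleting and re-creating a term therefore moves it to the end."""
import copy
import re

# Matches "set <base> term <name> [rest]" and "delete <base> term <name>".
TERM_RE = re.compile(r"^(set|delete) (?P<base>.+?) term (?P<term>\S+)(?: (?P<rest>.*))?$")
TERMINATING = {"accept", "discard", "reject"}


def build_set_commands(filter_name, catch_all, new_term, source_prefix, policer):
    """Delete the catch-all, add the new term, re-add the catch-all.
    catch_all is the existing trailing term (a dict) so its actions are
    reproduced exactly instead of assumed.  Apply all lines in ONE commit:
    a filter with no final accept term drops everything (implicit discard)."""
    base = f"firewall family inet filter {filter_name}"
    cmds = [f"delete {base} term {catch_all['name']}"]
    cmds += [
        f"set {base} term {new_term} from source-address {source_prefix}",
        f"set {base} term {new_term} then policer {policer}",
        f"set {base} term {new_term} then accept",
    ]
    cmds += [f"set {base} term {catch_all['name']} then {action}" for action in catch_all["then"]]
    return cmds


def apply_commands(terms, commands):
    """Model of Junos term ordering (assumption, not device code): a term is
    created at the end of the filter on its first 'set'; 'delete' removes it."""
    terms = copy.deepcopy(terms)
    for cmd in commands:
        m = TERM_RE.match(cmd)
        if not m:
            raise ValueError(f"unsupported command: {cmd}")
        name, rest = m.group("term"), m.group("rest") or ""
        if m.group(1) == "delete":
            if rest:
                raise ValueError("only whole-term delete is modelled")
            terms = [t for t in terms if t["name"] != name]
            continue
        term = next((t for t in terms if t["name"] == name), None)
        if term is None:
            term = {"name": name, "from": {}, "then": []}
            terms.append(term)
        if rest.startswith("from "):
            _, match_key, value = rest.split(" ", 2)
            term["from"].setdefault(match_key, []).append(value)
        elif rest.startswith("then "):
            term["then"].append(rest[len("then "):])
    return terms


def shadowed_terms(terms):
    """Names of terms that can never match because an earlier term has no
    'from' clause and a terminating action.  This is the bug the thread
    describes: a term appended after 'default-all' is dead policy."""
    shadowed, blocked = [], False
    for t in terms:
        if blocked:
            shadowed.append(t["name"])
        elif not t["from"] and any(a.split()[0] in TERMINATING for a in t["then"]):
            blocked = True
    return shadowed


def term_order(terms):
    return [t["name"] for t in terms]


# Constructed sample of the metro-access filter shown in the thread.
CURRENT = [
    {"name": "inside-test", "from": {"source-address": ["124.42.96.208/29"]},
     "then": ["policer inside-test-2m", "accept"]},
    {"name": "bj_kun_lun_fan_dian-15m", "from": {"source-address": ["119.253.129.64/28"]},
     "then": ["policer bj_kun_lun_fan_dian-15m", "accept"]},
    {"name": "default-all", "from": {}, "then": ["accept"]},
]


def demo(new_term="new-site-5m", prefix="192.0.2.0/29", policer="new-site-5m"):
    """Return (naive_order, naive_shadowed, fixed_order, fixed_shadowed):
    'naive' only sets the new term (what the op script did in the POC),
    'fixed' applies the full delete/add/re-add sequence."""
    cmds = build_set_commands("metro-access", CURRENT[-1], new_term, prefix, policer)
    naive = apply_commands(CURRENT, [c for c in cmds if f" term {new_term} " in c])
    fixed = apply_commands(CURRENT, cmds)
    return term_order(naive), shadowed_terms(naive), term_order(fixed), shadowed_terms(fixed)


if __name__ == "__main__":
    for line in build_set_commands("metro-access", CURRENT[-1], "new-site-5m", "192.0.2.0/29", "new-site-5m"):
        print(line)
    print(demo())
```

Running it prints the five CLI lines and then shows the naive order ending in the new term (flagged as shadowed) against the fixed order with the new term immediately before default-all and nothing shadowed. The shadowed_terms check is worth keeping in any automation around a catch-all term, whether the change is loaded from an op script or over NETCONF, because a mis-ordered term fails silently: the commit succeeds and the policer is simply never applied.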

