[j-nsp] Could JUNOS OP Script support generate firewall filter term and added before original one?

Fri Dec 18 10:56:21 EST 2015

Hi! Phil

Yes, this is exactly what I needed and it works as you described, Thanks
for the great help!

BR!

James

On Fri, Dec 18, 2015 at 2:17 PM, Phil Shafer <phil at juniper.net> wrote:

> Chen Jiang writes:
> >I have a requirement from end user that want to automate firewall filter
> >configuration procedure, that means they want to use OP script to generate
> >a customized firewall filter term and added it before the last "deny all"
> >term.
>
> Steve Hulshof suggestion re: using config groups is a great one,
> since it removes the possibility of error.  The group plumbing will
> ensure the ordering of terms so your "default-all" term ends up last.
>
> But you can use the normal <configuration> payload to control ordering:
>
>
> http://www.juniper.net/documentation/en_US/junos15.1/topics/task/configuration/junos-xml-protocol-configuration-data-elements-reordering.html
>
> For your case, this would be something like:
>
>     var $conf = <firewall> {
>         <family> {
>             <inet> {
>                 <filter> {
>                     <name> "new-term";
>                     <term insert="before" name="default-all"> {
>                         <name> "new-term";
>                         ....
>     }   }   }   }   }
>
> Hmm..... you can also insert="first" and insert="last" (with no
> identifiers), but that doesn't seem to have made it into the docs.
> Sorry about that.  Now PR 1148401.
>
> Thanks,
>  Phil
>

-- 
BR!

           James Chen