Find Import Policies with Only a Bare 'then accept' Term
For SLAX version 1.0 and higher, you can report on named import policies that only contain a bare 'then accept' term. This helps protect against importing the full routing table into these IGPs.
The following example inspects the import statements configured under [protocols ospf] and [protocols isis] to see if any of the named policies contain a bare "then accept" term, and protects against importing the full routing table into these IGPs.
The testing criteria in this example are likely not sufficient, but you can easily tune or improve them.
Source Code and GitHub Links
The source code below is also available from the following GitHub locations:
Example Configuration (import-policies.conf)
system {
    scripts {
        commit {
            file import-policies.xsl;
        }
    }
}
protocols {
    ospf {
        import bad-news;
    }
}
policy-options {
    policy-statement bad-news {
        then accept;
    }
}
Commit Output (import-policies.output)
[edit protocols ospf import]
  'import bad-news;'
    policy contains bare 'then accept'
error: 1 error reported by commit scripts
error: commit script failure
SLAX Script Contents
/* Machine Crafted with Care (tm) by slaxWriter */
version 1.0;

/*
 - $Id: import-policies.slax,v 1.1 2007/10/17 18:37:04 phil Exp $
 -
 - Copyright (c) 2004-2005, Juniper Networks, Inc.
 - All rights reserved.
 -
 */
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/* The candidate configuration's [policy-options] hierarchy, looked up by name below. */
param $po = commit-script-input/configuration/policy-options;

/*
 - This example inspects the import statements configured under
 - [protocols ospf] and [protocols isis] to see if any of the
 - named policies contain a bare "then accept" term. This is
 - meant to protect against importing the full routing table
 - into these IGPs. The testing criteria in this example are
 - likely not sufficient, but can easily be tuned or improved.
 */
match configuration {
    apply-templates protocols/ospf/import;
    apply-templates protocols/isis/import;
}

match import {
    /* $test is the <import> node; its string value is the referenced policy name. */
    param $test = .;

    for-each ($po/policy-statement[name == $test]) {
        /* A top-level "then accept" with no "from" or "to" match accepts everything. */
        if (then/accept && not(to) && not(from)) {
            <xnm:error> {
                call jcs:edit-path($dot = $test);
                call jcs:statement($dot = $test);
                <message> "policy contains bare 'then accept'";
            }
        }
    }
}
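The same check done offline, as an added example that is not part of the original page or the Junos script set: a Python audit over a Junos configuration dump in the XML form produced by "show configuration | display xml" (a constructed sample is embedded). It goes beyond the SLAX script by also inspecting each named term of a multi-term policy, one of the gaps the "testing criteria are likely not sufficient" remark leaves open.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Junos configuration XML ("show configuration | display xml" shape); not from the page.
SAMPLE_CONFIG = """
<configuration>
  <protocols>
    <ospf><import>bad-news</import><import>good-news</import></ospf>
    <isis><import>multi-term</import></isis>
  </protocols>
  <policy-options>
    <policy-statement><name>bad-news</name><then><accept/></then></policy-statement>
    <policy-statement><name>good-news</name><from><protocol>direct</protocol></from><then><accept/></then></policy-statement>
    <policy-statement><name>multi-term</name>
      <term><name>t1</name><from><protocol>static</protocol></from><then><accept/></then></term>
      <term><name>t2</name><then><accept/></then></term>
    </policy-statement>
  </policy-options>
</configuration>
"""

def is_bare_accept(body):
    """Same test as the SLAX 'then/accept && not(to) && not(from)', applied to a policy or a term."""
    return (body.find("then/accept") is not None
            and body.find("from") is None and body.find("to") is None)

def find_bare_accepts(config_xml):
    """Return (protocol, policy, term) for each OSPF/IS-IS import policy that accepts
    everything; term is None when the policy's own unnamed body is the culprit."""
    root = ET.fromstring(config_xml)
    cfg = root if root.tag == "configuration" else root.find(".//configuration")
    policies = {ps.findtext("name"): ps
                for ps in cfg.iterfind("policy-options/policy-statement")}
    findings = []
    for proto in ("ospf", "isis"):
        for imp in cfg.iterfind(f"protocols/{proto}/import"):
            name = imp.text.strip()
            ps = policies.get(name)
            if ps is None:
                continue  # referenced but undefined; Junos rejects that at commit anyway
            if is_bare_accept(ps):
                findings.append((proto, name, None))
            for term in ps.iterfind("term"):  # beyond the SLAX script: check named terms too
                if is_bare_accept(term):
                    findings.append((proto, name, term.findtext("name")))
    return findings

if __name__ == "__main__":
    for proto, policy, term in find_bare_accepts(SAMPLE_CONFIG):
        print(f"[edit protocols {proto} import] '{policy}' term {term}: bare 'then accept'")
```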
XML Script Contents
<?xml version="1.0"?>
<script version="0.1">
  <title>import-policies.slax</title>
  <alternate>import-policies.xsl</alternate>
  <author>phil</author>
  <synopsis>
    Require that import policies do not contain bare 'then accept' terms
  </synopsis>
  <keyword>ospf</keyword>
  <keyword>isis</keyword>
  <keyword>then accept</keyword>
  <description>
    We want to check if any of the named policies contain a bare
    'then accept' term. This helps protect against importing the full routing
    table into these IGPs.
  </description>
  <implementation>
    This example inspects the import statements configured under
    [protocols ospf] and [protocols isis] to see if any of the
    named policies contain a bare "then accept" term. This is
    meant to protect against importing the full routing table
    into these IGPs. The testing criteria in this example are
    likely not sufficient, but can easily be tuned or improved.
  </implementation>
  <example>
    <config>import-policies.conf</config>
    <title>A simple configuration</title>
    <errors>import-policies.output</errors>
  </example>
  <xhtml:script xmlns:xhtml="http://www.w3.org/1999/xhtml"
                src="../../../../../web/leaf.js" type="text/javascript"/>
</script>