01
This script performs a lookup in the policy table and returns the matching policies based on the search criteria. It accepts the following parameters
02
03
user@cli> run op policy-test ?
04
Possible completions:
05
06
destination-address Destination IP address of the initial session creation packet
07
destination-port Destination port of the packet
08
from-zone Ingress zone of the packet
09
source-address Source IP address of the initial session creation packet
10
source-port Source port of the packet
11
to-zone Egress zone of the packet
12
13
If a parameter is not specified it will match all. If no parameter is provided, every policy will be returned.
14
15
If a source/dest address is provided, but the security zone is not specified, the zone for that source/dest IP will be determined from the zone of the ingress/egress interface (doing a route lookup). Of course, if a zone is explicitely specified, it will be used instead of the one determined by the route lookup.
16
17
user@cli# run op policy-test source-address 10.1.1.1 destination-address 10.2.2.2
18
From-Zone To-Zone Name Src-Addr Dst-Addr Application Action
19
trust untrust ftp-permit any any junos-ftp permit
20
trust untrust http-https-rej any any junos-https reject
21
junos-http
22
23
user@cli# run op policy-test source-address 10.1.1.1 destination-address 10.2.2.2 destination-port 443
24
From-Zone To-Zone Name Src-Addr Dst-Addr Application Action
25
trust untrust http-https-rej any any junos-https reject
26
junos-http
SLAX Script Contents
001
/* Machine Crafted with Care (tm) by slaxWriter */
002
version 1.0;
003
004
ns junos = "http://xml.juniper.net/junos/*/junos";
005
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
006
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
007
008
009
/*
010
This is a simple script that looks up all the entries in the policy table that match a particular query
011
It is useful to debug polcy configurations
012
*/
013
import "../import/junos.xsl";
014
var $arguments = {
015
<argument> {
016
<name> "source-address";
017
<description> "Source IP address of the initial session creation packet";
018
}
019
<argument> {
020
<name> "destination-address";
021
<description> "Destination IP address of the initial session creation packet";
022
}
023
<argument> {
024
<name> "source-port";
025
<description> "Source port of the packet";
026
}
027
<argument> {
028
<name> "destination-port";
029
<description> "Destination port of the packet";
030
}
031
<argument> {
032
<name> "from-zone";
033
<description> "Ingress zone of the packet";
034
}
035
<argument> {
036
<name> "to-zone";
037
<description> "Egress zone of the packet";
038
}
039
}
040
/* Open a persistent connection */
041
var $connection = jcs:open();
042
param $source-address = {
043
expr "0.0.0.0/0";
044
}
045
param $destination-address = {
046
expr "0.0.0.0/0";
047
}
048
param $source-port = {
049
expr "0";
050
}
051
param $destination-port = {
052
expr "0";
053
}
054
param $protocol = {
055
expr "0";
056
}
057
param $from-zone = {
058
call find-zone($ip = $source-address);
059
}
060
param $to-zone = {
061
call find-zone($ip = $destination-address);
062
}
063
/* print-policy: Displays the policy info */
064
template print-policy ($name, $from-zone, $to-zone, $source-address, $destination-address, $application,$action, $comment, $row = number("1"), $header = false()) {
065
var $format-string = "%-12.11s %-12.11s %-15.14j1s %-15.14s %-15.14s %-12.11s %-10.9s %s \n";
066
067
if ($header) {
068
expr jcs:printf($format-string, "From-Zone", "To-Zone", "Name", "Src-Addr", "Dst-Addr","Application", "Action", "");
069
070
} else {
071
var $num-rows = {
072
if (count($application) >= count($source-address) && count($application) >= count($destination-address)) {
073
expr count($application);
074
075
} else if (count($source-address) > count($application) && count($source-address) > count($destination-address)) {
076
expr count($source-address);
077
078
} else {
079
expr count($destination-address);
080
}
081
}
082
083
if ($row <= $num-rows) {
084
expr jcs:printf($format-string, $from-zone, $to-zone, $name, $source-address[$row] ,$destination-address[$row] , $application[$row] , $action, $comment);
085
call print-policy($row = $row + 1, $num-rows, $source-address, $destination-address,$application);
086
}
087
}
088
}
089
090
/* find-zone: Returns the zone where a given IP is */
091
template find-zone ($ip) {
092
093
if ($ip == "0.0.0.0/0") {
094
expr "any";
095
096
} else {
097
var $get-route-rpc = <command> {
098
expr "show route ";
099
expr $ip;
100
expr " active-path best";
101
}
102
var $get-rotue = jcs:execute($connection, $get-route-rpc);
103
var $zone = {
104
if ($get-rotue//via) {
105
var $get-int-rpc = <command> {
106
expr "show interface ";
107
expr $get-rotue//via;
108
}
109
var $get-int = jcs:execute($connection, $get-int-rpc);
110
111
expr $get-int//logical-interface-zone-name;
112
113
} else {
114
expr "any";
115
}
116
}
117
118
expr $zone;
119
}
120
}
121
122
/* rshift: Shifts bits to the right. Used to do an IP/MASK comparision */
123
template rshift ($number, $count) {
124
125
/* <output>
126
<xsl:value-of select="jcs:printf('Shifting %i %i times\n',$number, $count)"/>
127
</output> */
128
if ($count <= 0) {
129
expr $number;
130
131
} else {
132
call rshift($number = floor($number div 2), $count = ($count) - 1);
133
}
134
}
135
136
/* match-ip: Returns true if the ip is in the prefix */
137
template match-ip ($prefix, $ip) {
138
var $bytes-network = jcs:regex("([0-9]+).([0-9]+).([0-9]+).([0-9]+)/([0-9]+)", $prefix);
139
var $subnet = {
140
call rshift($number = $bytes-network[2] * 16777216 + $bytes-network[3] * 65536 + $bytes-network[4] * 256 + $bytes-network[5], $count = 32 -($bytes-network[6]));
141
}
142
var $bytes-ip = jcs:regex("([0-9]+).([0-9]+).([0-9]+).([0-9]+)", $ip);
143
var $ipnet = {
144
call rshift($number = $bytes-ip[2] * 16777216 + $bytes-ip[3] * 65536 + $bytes-ip[4] * 256 +$bytes-ip[5], $count = 32 - $bytes-network[6]);
145
}
146
147
if ($ipnet == $subnet) {
148
expr true();
149
150
} else {
151
expr false();
152
}
153
}
154
155
/* match-prefix-list: Returns true if the ip is in the prefix list */
156
template match-prefix-list ($ip, $prefix-list) {
157
158
if (not($prefix-list)) {
159
expr false();
160
161
} else {
162
var $match-prefix = {
163
call match-ip($ip, $prefix = $prefix-list);
164
}
165
166
if ($match-prefix == "true") {
167
expr true();
168
169
} else {
170
call match-prefix-list($ip, $prefix-list = $prefix-list[position() > 1]);
171
}
172
}
173
}
174
175
match / {
176
<op-script-results> {
177
/* First, check parameters passed */
178
if (not(jcs:parse-ip($source-address))) {
179
<output> jcs:printf("Bad IP address format: %s
180
", $source-address);
181
182
} else if (not(jcs:parse-ip($destination-address))) {
183
<output> jcs:printf("Bad IP address format: %s
184
", $destination-address);
185
186
} else if (not($source-port >= 0 && $source-port <= 65535)) {
187
<output> jcs:printf("Bad IP port number: %s
188
", $source-port);
189
190
} else if (not($destination-port >= 0 && $destination-port <= 65535)) {
191
<output> jcs:printf("Bad IP port number: %s
192
", $destination-port);
193
194
} else {
195
<output> {
196
call print-policy($header = true());
197
}
198
var $filters = {
199
if ($from-zone != "any") {
200
expr " from-zone ";
201
expr $from-zone;
202
}
203
if ($to-zone != "any") {
204
expr " to-zone ";
205
expr $to-zone;
206
}
207
}
208
var $get-policies-rpc = <command> {
209
expr " show security policies ";
210
expr $filters;
211
expr " detail ";
212
}
213
/* Get the list of possible policies */
214
var $policies = jcs:execute($connection, $get-policies-rpc);
215
/* Loop throught the policies to find the matching ones */
216
217
for-each ($policies//policy-information) {
218
var $match-source = {
219
call match-prefix-list($ip = $source-address, $prefix-list = .//source-address//address-prefix);
220
}
221
var $match-destination = {
222
call match-prefix-list($ip = $destination-address, $prefix-list = .//destination-address//address-prefix);
223
}
224
var $match-destination-port = {
225
if ($destination-port == "0") {
226
expr true();
227
228
} else if (./applications/application/application-term/destination-port-range[low =="0" && high == "0"]) {
229
expr true();
230
231
} else if (./applications/application/application-term/destination-port-range[low <=$destination-port && high >= $destination-port]) {
232
expr true();
233
234
} else {
235
expr false();
236
}
237
}
238
var $match-source-port = {
239
if ($source-port == "0") {
240
expr true();
241
242
} else if (./applications/application/application-term/source-port-range[low == "0"&& high == "0"]) {
243
expr true();
244
245
} else if (./applications/application/application-term/source-port-range[low <=$source-port && high >= $source-port]) {
246
expr true();
247
248
} else {
249
expr false();
250
}
251
}
252
253
/* <output>
254
<xsl:value-of select="jcs:printf('Policy name: %s\n',./policy-name)"/>
255
<xsl:value-of select="jcs:printf(' match source: %s\n', $match-source)"/>
256
<xsl:value-of select="jcs:printf(' match destination: %s\n', $match-destination)"/>
257
<xsl:value-of select="jcs:printf(' match source port: %s\n', $match-source-port)"/>
258
<xsl:value-of select="jcs:printf(' match destination port: %s\n', $match-destination-port)"/>
259
</output> */
260
if ($match-source == "true" && $match-destination == "true" && $match-source-port =="true" && $match-destination-port == "true") {
261
<output> {
262
call print-policy($from-zone = ../../context-information/source-zone-name, $to-zone = ../../context-information/destination-zone-name, $name = ./policy-name, $destination-address = ./destination-addresses/destination-address/address-name, $source-address = ./source-addresses/source-address/address-name, $application = ./applications/application/application-name, $action = ./policy-action/action-type);
263
}
264
}
265
}
266
}
267
}
268
}