Scripting How-To: Use the add-accept script for firewall filters

By Erdem posted 08-10-2015 08:07

Use the add-accept Script for Firewall Filters

For SLAX version 1.0 and higher, you can use the add-accept script to add a 'then accept' statement to firewall filters that do not have one.

Junos OS firewall filters default to discarding anything that doesn't match the filter. To achieve the opposite behavior, the filter must include a bare 'then accept' (with no match conditions). Such configuration is difficult to maintain. This add-accept script checks to ensure that every filter has a bare accept statement. If one is missing, the script adds it and issues a warning to inform the user of the action.

If the last term in a filter has a "from" or "to" match condition, or does not end in 'then accept', the script repairs the filter by appending a bare accept term and emits an <xnm:warning> for the user.

Source Code and GitHub Links

The source code below is also available from the following GitHub locations:

Example Configuration

system {
    scripts {
        commit {
            file add-accept.xsl;
        }
    }
}
firewall {
    policer sgt-friday {
        if-exceeding {
            bandwidth-percent 10;
            burst-size-limit 250k;
        }
        then discard;
    }
    filter test1 {
        term one {
            from {
                address {
                    10.0.0.0/8;
                }
            }
            then {
                count ten-network;
                reject;
            }
        }
    }
    filter test2 {
        interface-specific;
        term first {
            from {
                destination-port http;
            }
            then policer sgt-friday;
        }
    }
}

Example Output

[edit firewall filter test1]
  warning: filter is missing bare 'then accept' rule
[edit firewall filter test2]
  warning: filter is missing bare 'then accept' rule
[edit]
  'system'
    Missing mandatory statement: 'root-authentication'
error: configuration check-out failed: (missing statements)

SLAX Script Contents

/* Machine Crafted with Care (tm) by slaxWriter */
version 1.0;

/*
- $Id: add-accept.slax,v 1.1 2007/10/17 18:37:03 phil Exp $
-
- Copyright (c) 2004-2005, Juniper Networks, Inc.
- All rights reserved.
-
 */
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {
    apply-templates firewall/filter | firewall/family/inet | firewall/family/inet6 {
        mode "filter";
    }
}

/*
- This example adds a 'then accept' to any firewall filter
- that does not already end with one.  This counteracts the
- normal JUNOS default of an implicit 'then discard'.
 */
match filter {
    mode "filter";

    param $last = term[position() == last()];

    /* Debug trace: records which filter was visited and its last term */
    <xsl:comment> {
        expr "Found ";
        expr name;
        expr "; last ";
        expr $last/name;
    }
    if ($last && ($last/from || $last/to || not($last/then/accept))) {
        <xnm:warning> {
            call jcs:edit-path();
            <message> "filter is missing bare 'then accept' rule";
        }
        call jcs:emit-change() {
            with $content = {
                <term> {
                    <name> "very-last";
                    <junos:comment> "This term was added by a commit script";
                    <then> {
                        <accept>;
                    }
                }
            }
        }
    }
}
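The same check outside the commit-script engine, as an added example that is not the add-accept script or any Juniper code: a Python re-implementation of the script's condition over the XML form of a Junos configuration (the shape that 'show configuration | display xml' produces), so you can see which filters a commit would rewrite before the script changes their default from dropping unmatched traffic to accepting it. The sample document is a hand-constructed rendering of the page's example configuration plus two extra filters that exercise the cases the script leaves alone; the element names follow the Junos XML schema, and the edit paths are formatted to resemble the script's output, which is an assumption of this example rather than something the page shows.

```python
"""Offline audit for Junos firewall filters lacking a bare 'then accept'.

Added example, not the add-accept SLAX script: it mirrors the script's test
($last && ($last/from || $last/to || not($last/then/accept))) in Python over
an exported XML configuration, reports the same warning text, and appends the
same 'very-last' term, without needing a commit on the device.
"""
import xml.etree.ElementTree as ET

# Constructed sample: XML rendering of the page's example firewall config,
# plus one filter that already ends in a bare accept and one with no terms.
SAMPLE_CONFIG = """<configuration>
  <firewall>
    <filter>
      <name>test1</name>
      <term>
        <name>one</name>
        <from><address><name>10.0.0.0/8</name></address></from>
        <then><count>ten-network</count><reject/></then>
      </term>
    </filter>
    <filter>
      <name>test2</name>
      <interface-specific/>
      <term>
        <name>first</name>
        <from><destination-port>http</destination-port></from>
        <then><policer>sgt-friday</policer></then>
      </term>
    </filter>
    <filter>
      <name>already-open</name>
      <term>
        <name>allow-all</name>
        <then><accept/></then>
      </term>
    </filter>
    <filter>
      <name>empty</name>
    </filter>
  </firewall>
</configuration>
"""

ADDED_TERM_NAME = "very-last"  # same term name the SLAX script adds


def filter_needs_accept(filt):
    """Mirror of the script's condition: a last term exists and it carries a
    'from' or 'to' match, or it lacks 'then accept'. A filter with no terms
    makes $last empty, so the script (and this function) does nothing."""
    terms = filt.findall("term")
    if not terms:
        return False
    last = terms[-1]
    has_match = last.find("from") is not None or last.find("to") is not None
    has_accept = last.find("then/accept") is not None
    return has_match or not has_accept


def filter_paths(root):
    """Yield (edit path, filter element) for top-level and family inet/inet6
    filters, the same union the script's apply-templates covers. The edit
    path strings are an assumption modelled on the page's sample output."""
    for fw in root.iter("firewall"):
        for f in fw.findall("filter"):
            yield "[edit firewall filter %s]" % f.findtext("name"), f
        for fam in ("inet", "inet6"):
            for f in fw.findall("family/%s/filter" % fam):
                path = "[edit firewall family %s filter %s]" % (fam, f.findtext("name"))
                yield path, f


def check_and_repair(xml_text):
    """Return (warnings, repaired_xml). Each warning carries the edit path and
    the message the script emits; each flagged filter gets a trailing
    'very-last' term containing only 'then accept'."""
    root = ET.fromstring(xml_text)
    warnings = []
    for path, f in filter_paths(root):
        if filter_needs_accept(f):
            warnings.append("%s\n  warning: filter is missing bare 'then accept' rule" % path)
            term = ET.SubElement(f, "term")
            ET.SubElement(term, "name").text = ADDED_TERM_NAME
            then = ET.SubElement(term, "then")
            ET.SubElement(then, "accept")
    return warnings, ET.tostring(root, encoding="unicode")


def filters_missing_accept(xml_text):
    """Names of the filters the check would rewrite, for a scripted audit."""
    root = ET.fromstring(xml_text)
    return [f.findtext("name") for _, f in filter_paths(root) if filter_needs_accept(f)]


if __name__ == "__main__":
    found, repaired = check_and_repair(SAMPLE_CONFIG)
    print("\n".join(found))
```

Run against the sample, the audit flags test1 and test2 (the two filters the page's output shows) and leaves the filter that already ends in a bare accept, and the termless filter, untouched; running it a second time over the repaired document reports nothing, which is the idempotence a commit script needs so it does not stack 'very-last' terms on every commit.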

XML Script Contents

<?xml version="1.0"?>
<script version="0.1">
  <title>add-accept.slax</title>
  <alternate>add-accept.xsl</alternate>
  <author>phil</author>
  <synopsis>
    Adds a 'then accept' to firewall filters that do not have one
  </synopsis>
  <keyword>firewall</keyword>
  <keyword>filter</keyword>
  <keyword>then accept</keyword>

  <description>
    JUNOS firewall filters default to discarding anything
    that doesn't match the filter.  To achieve the opposite
    behavior, the filter must include a bare 'then accept'
    (with no match conditions).  Such configuration is difficult
    to maintain.  This script checks to ensure that every filter
    has a bare accept statement.  If one is missing, the script
    adds it and issues a warning to inform the user of the action.
  </description>
  <implementation>
    If the last term in a filter has a "from" or "to", repair it
    and emit an &lt;xnm:warning&gt; for the user.
  </implementation>

  <example>
    <config>add-accept.conf</config>
    <output>add-accept.output</output>
  </example>
  <xhtml:script xmlns:xhtml="http://www.w3.org/1999/xhtml"
                src="../../../../../web/leaf.js" type="text/javascript"/>
</script>


#JunosOS
#filters
#How-To
#commitscript
#ScriptingHow-To
#firewall