Example Configuration
system {
    scripts {
        commit {
            /* Run add-accept.xsl (the compiled add-accept.slax) on every commit check. */
            file add-accept.xsl;
        }
    }
}
firewall {
    policer sgt-friday {
        if-exceeding {
            bandwidth-percent 10;
            burst-size-limit 250k;
        }
        then discard;
    }
    /*
     * test1: the only (and therefore last) term matches on an address and
     * rejects, so there is no bare 'then accept'; the commit script warns
     * and appends one (see Example Output).
     */
    filter test1 {
        term one {
            from {
                address {
                    10.0.0.0/8;
                }
            }
            then {
                count ten-network;
                reject;
            }
        }
    }
    /*
     * test2: the last term carries a 'from' clause, so it is not a bare
     * accept either and gets the same warning.  Note that the Example Output
     * also shows the commit check failing on a missing 'system
     * root-authentication'; that error is unrelated to the script and is
     * caused by this example configuration being incomplete.
     */
    filter test2 {
        interface-specific;
        term first {
            from {
                destination-port http;
            }
            then policer sgt-friday;
        }
    }
}
Example Output
1 [edit firewall filter test1]
2 warning: filter is missing bare 'then accept' rule
3 [edit firewall filter test2]
4 warning: filter is missing bare 'then accept' rule
5 [edit]
6 'system'
7 Missing mandatory statement: 'root-authentication'
8 error: configuration check-out failed: (missing statements)
SLAX Script Contents
01 /* Machine Crafted with Care (tm) by slaxWriter */
02 version 1.0;
03
04
05 /*
06 - $Id: add-accept.slax,v 1.1 2007/10/17 18:37:03 phil Exp $
07 -
08 - Copyright (c) 2004-2005, Juniper Networks, Inc.
09 - All rights reserved.
10 -
11 */
12 ns junos = "http://xml.juniper.net/junos/*/junos";
13 ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
14 ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
15
16 import "../import/junos.xsl";
17
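/*
 * Entry point: visit the firewall filters that the "filter" mode template
 * inspects.  The legacy top-level 'firewall filter' hierarchy and the
 * 'family inet' / 'family inet6' filter hierarchies are selected explicitly
 * so the template is applied to the <filter> elements themselves, instead of
 * relying on the XSLT built-in template to descend from <inet>/<inet6> into
 * their children (which would also copy any whitespace text nodes under
 * those elements into the output).  Filters under other families are not
 * visited.
 */
match configuration {
    apply-templates firewall/filter | firewall/family/inet/filter | firewall/family/inet6/filter {
        mode "filter";
    }
}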
23
24
25 /*
26 - This example adds a 'then accept' to any firewall filter
27 - that does not already end with one. This counteracts the
28 - normal JUNOS default of an implicit 'then reject'.
29 */
/*
 * Inspect one firewall filter (mode "filter").  A filter whose final term is
 * not a bare 'then accept' -- it has match conditions, or its action does
 * not include 'accept' -- gets a warning and a generated last term named
 * "very-last" whose only action is 'accept'.
 *
 * Note: JUNOS filters end with an implicit reject; appending a bare accept
 * turns every filter this template visits into a default-permit filter, so
 * the script should only be enabled where that is the intended policy.
 *
 * Applied to firewall/filter and to the filters under family inet / inet6
 * selected by 'match configuration'.
 */
match filter {
    mode "filter";

    /* The final term in document order; empty when the filter has no terms. */
    param $last = term[position() == last()];

    /* Debug trace, written into the result document as an XML comment. */
    <xsl:comment> {
        expr "Found ";
        expr name;
        expr "; last ";
        expr $last/name;
    }
    /*
     * A filter with no terms ($last empty) is left untouched.  'to' is tested
     * alongside 'from'; the example configuration only ever uses 'from', so
     * the 'to' test is presumably just defensive.
     * NOTE(review): jcs:emit-change merges $content into the candidate
     * configuration, so if a term named "very-last" already exists its
     * <then> would be merged into that term rather than a new last term being
     * appended -- confirm before relying on the fixed name.
     */
    if ($last &&($last/from || $last/to || not($last/then/accept))) {
        <xnm:warning> {
            /* Emits the [edit firewall filter NAME] location shown in the example output. */
            call jcs:edit-path();
            <message> "filter is missing bare 'then accept' rule";
        }
        /* Request the configuration change: a trailing term with a bare accept. */
        call jcs:emit-change() {
            with $content = {
                <term> {
                    <name> "very-last";
                    <junos:comment> "This term was added by a commit script";
                    <then> {
                        <accept>;
                    }
                }
            }
        }
    }
}
XML Script Contents
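<?xml version="1.0" encoding="UTF-8"?>
<!--
  Catalogue entry for add-accept.slax.  The literal "<xnm:warning>" in the
  implementation prose is escaped: unescaped, it starts an element with an
  undeclared prefix and no end tag, so the document is not well-formed.
  The implementation text also names the second condition the script tests
  (last term's action lacks 'accept'), not only the "from"/"to" case.
-->
<script version="0.1">
  <title>add-accept.slax</title>
  <alternate>add-accept.xsl</alternate>
  <author>phil</author>
  <synopsis>
    Adds a 'then accept' to firewall filters that do not have one
  </synopsis>
  <keyword>firewall</keyword>
  <keyword>filter</keyword>
  <keyword>then accept</keyword>

  <description>
    JUNOS firewall filters default to discarding anything
    that doesn't match the filter. To achieve the opposite
    behavior, the filter must include a bare 'then accept'
    (with no match conditions). Such configuration is difficult
    to maintain. This script checks to ensure that every filter
    has a bare accept statement. If one is missing, the script
    adds it and issues a warning to inform the user of the action.
    Note that every filter the script visits therefore becomes a
    default-permit filter; the implicit discard no longer applies.
  </description>
  <implementation>
    If the last term in a filter has a "from" or "to", or its "then"
    action does not include "accept", repair it by emitting a change that
    appends a term named "very-last" whose only action is "accept", and
    emit an &lt;xnm:warning&gt; for the user.
  </implementation>

  <example>
    <config>add-accept.conf</config>
    <output>add-accept.output</output>
  </example>
  <!-- Presentation only: script for the generated web page, not part of the commit script. -->
  <xhtml:script xmlns:xhtml="http://www.w3.org/1999/xhtml"
                src="../../../../../web/leaf.js" type="text/javascript"/>
</script>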