Example: Adding a Final then accept Term to a Firewall
This commit script example adds a then accept statement to any firewall filter that does not already end with an explicit then accept statement.
Requirements
This example uses a device running Junos OS.
Overview and Commit Script
Each firewall filter in Junos OS has an implicit discard action at the end of the filter, which is equivalent to an explicit final term whose only action is then discard.
As a result, if a packet matches none of the terms in the filter, it is discarded. In some cases, you might want to override the default by adding a last term to accept all packets that do not match a firewall filter’s series of match conditions. In this example, the commit script adds a final then accept statement to any firewall filter that does not already end with an explicit then accept statement.
The example script is shown in both XSLT and SLAX syntax:
XSLT Syntax
<?xml version="1.0" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">
    <xsl:import href="../import/junos.xsl"/>
    <xsl:template match="configuration">
        <xsl:apply-templates select="firewall/filter | firewall/family/inet | firewall/family/inet6" mode="filter"/>
    </xsl:template>
    <xsl:template match="filter" mode="filter">
        <xsl:param name="last" select="term[position() = last()]"/>
        <xsl:comment>
            <xsl:text>Found </xsl:text>
            <xsl:value-of select="name"/>
            <xsl:text>; last </xsl:text>
            <xsl:value-of select="$last/name"/>
        </xsl:comment>
        <xsl:if test="$last and ($last/from or $last/to or not($last/then/accept))">
            <xnm:warning>
                <xsl:call-template name="jcs:edit-path"/>
                <message>
                    <xsl:text>filter is missing final 'then accept' rule</xsl:text>
                </message>
            </xnm:warning>
            <xsl:call-template name="jcs:emit-change">
                <xsl:with-param name="content">
                    <term>
                        <name>very-last</name>
                        <junos:comment>
                            <xsl:text>This term was added by a commit script</xsl:text>
                        </junos:comment>
                        <then>
                            <accept/>
                        </then>
                    </term>
                </xsl:with-param>
            </xsl:call-template>
        </xsl:if>
    </xsl:template>
</xsl:stylesheet>
SLAX Syntax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
match configuration {
    apply-templates firewall/filter | firewall/family/inet | firewall/family/inet6 {
        mode "filter";
    }
}
match filter {
    mode "filter";
    param $last = term[position() = last()];
    <xsl:comment> {
        expr "Found ";
        expr name;
        expr "; last ";
        expr $last/name;
    }
    if ($last and ($last/from or $last/to or not($last/then/accept))) {
        <xnm:warning> {
            call jcs:edit-path();
            <message> "filter is missing final 'then accept' rule";
        }
        call jcs:emit-change() {
            with $content = {
                <term> {
                    <name> "very-last";
                    <junos:comment> "This term was added by a commit script";
                    <then> {
                        <accept>;
                    }
                }
            }
        }
    }
}
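The same test the commit script applies (last term present and either carrying from/to match conditions or lacking then accept), as an added example in Python that is not part of the Juniper page: it audits a saved Junos XML configuration offline with the standard library and appends the same very-last term. The sample configuration is constructed here and mirrors the page's test filter plus one filter that already ends in an unconditional accept.

```python
import xml.etree.ElementTree as ET

JUNOS_NS = "http://xml.juniper.net/junos/*/junos"   # namespace the page's script declares
# Same set of filters the script's apply-templates visits
FILTER_PATHS = ("firewall/filter", "firewall/family/inet/filter", "firewall/family/inet6/filter")

def needs_final_accept(flt):
    """Mirror of the script's test: $last and ($last/from or $last/to or not($last/then/accept))."""
    terms = flt.findall("term")
    if not terms:  # a filter with no terms is left alone, as in the script
        return False
    last = terms[-1]
    return (last.find("from") is not None
            or last.find("to") is not None
            or last.find("then/accept") is None)

def add_final_accept(config):
    """Append the 'very-last' accept term to each filter that needs it; return changed names.
    Note: this turns the filter's default-deny (implicit discard) into default-permit."""
    changed = []
    for path in FILTER_PATHS:
        for flt in config.findall(path):
            if not needs_final_accept(flt):
                continue
            term = ET.SubElement(flt, "term")
            ET.SubElement(term, "name").text = "very-last"
            ET.SubElement(term, "{%s}comment" % JUNOS_NS).text = "This term was added by a commit script"
            ET.SubElement(ET.SubElement(term, "then"), "accept")
            changed.append(flt.findtext("name"))
    return changed

# Constructed sample input: the page's 'test' filter (two discard terms) plus
# a filter that already ends in an unconditional accept and must be untouched.
SAMPLE = """<configuration><firewall><family><inet>
  <filter><name>test</name>
    <term><name>one</name><from><interface><name>t1-0/0/0</name></interface></from>
      <then><count>ten-network</count><discard/></then></term>
    <term><name>two</name><from><forwarding-class>assured-forwarding</forwarding-class></from>
      <then><discard/></then></term>
  </filter>
  <filter><name>ok</name><term><name>allow</name><then><accept/></then></term></filter>
</inet></family></firewall></configuration>"""

def run_sample():
    config = ET.fromstring(SAMPLE)
    changed = add_final_accept(config)
    test_last = config.find("firewall/family/inet/filter[name='test']").findall("term")[-1]
    ok = config.find("firewall/family/inet/filter[name='ok']")
    return {"changed": changed, "test_last": test_last.findtext("name"),
            "test_accepts": test_last.find("then/accept") is not None,
            "ok_terms": len(ok.findall("term"))}
```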
Configuration
Step-by-Step Procedure
To download, enable, and test the script:
- Copy the XSLT or SLAX script into a text file, name the file add-accept.xsl or add-accept.slax as appropriate, and copy it to the /var/db/scripts/commit/ directory on the device.
- Select the following test configuration stanzas, and press Ctrl+c to copy them to the clipboard. If you are using the SLAX version of the script, change the filename at the [edit system scripts commit file] hierarchy level to add-accept.slax.
  system {
      scripts {
          commit {
              file add-accept.xsl;
          }
      }
  }
  firewall {
      policer sgt-friday {
          if-exceeding {
              bandwidth-percent 10;
              burst-size-limit 250k;
          }
          then discard;
      }
      family inet {
          filter test {
              term one {
                  from {
                      interface t1-0/0/0;
                  }
                  then {
                      count ten-network;
                      discard;
                  }
              }
              term two {
                  from {
                      forwarding-class assured-forwarding;
                  }
                  then discard;
              }
          }
      }
  }
  interfaces {
      t1-0/0/0 {
          unit 0 {
              family inet {
                  policer output sgt-friday;
                  filter input test;
              }
          }
      }
  }
- In configuration mode, issue the load merge terminal command to merge the stanzas into your device configuration.
  [edit]
  user@host# load merge terminal
  [Type ^D at a new line to end input]
  ... Paste the contents of the clipboard here ...
  - At the prompt, paste the contents of the clipboard by using the mouse and the paste icon.
  - Press Enter.
  - Press Ctrl+d.
- Issue the commit command to commit the configuration.
  user@host# commit
Verification
Verifying the Configuration
Purpose
Verify that the script behaves as expected.
Action
Review the output of the commit command. The script requires that all firewall filters end with an explicit then accept statement. The sample configuration stanzas include the test filter with two terms but no explicit then accept statement. When you issue the commit command, the script emits a warning for the filter, adds the missing then accept statement, and commits the configuration. The following output appears:
[edit]
user@host# commit
[edit firewall family inet filter test]
warning: filter is missing final 'then accept' rule
commit complete
In configuration mode, issue the show firewall command to review the modified configuration. The following output appears: