Example: Adding a Final then accept Term to a Firewall
This commit script example adds a then accept term to any firewall filter that does not already end with an unconditional then accept term (a final term with no from or to match conditions whose action is accept).
Requirements
This example uses a device running Junos OS.
Overview and Commit Script
Each firewall filter in Junos OS has an implicit discard action at the end of the filter, which is equivalent to the following explicit filter term:
term implicit-rule { then discard; }
As a result, a packet that matches none of the terms in the filter is discarded. In some cases you might want to override this default by adding a last term that accepts every packet the filter's earlier match conditions do not catch. In this example, the commit script adds a final then accept term to any firewall filter whose last term is not an unconditional accept: a filter is patched if its last term carries a from or to clause (so its accept is conditional) or if that term does not accept at all. A filter with no terms is left alone. Note the security consequence: the appended term turns the filter from default-deny into default-permit for everything the preceding terms do not match, so enable the script only on devices where that is the intended policy for every filter it touches.
The example script is shown in both XSLT and SLAX syntax:
XSLT Syntax
<?xml version="1.0" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">
    <xsl:import href="../import/junos.xsl"/>
    <xsl:template match="configuration">
        <!-- Visit filters at [edit firewall], [edit firewall family inet]
             and [edit firewall family inet6]; the built-in rules for inet
             and inet6 recurse into their filter children in this mode. -->
        <xsl:apply-templates select="firewall/filter | firewall/family/inet | firewall/family/inet6" mode="filter"/>
    </xsl:template>
    <xsl:template match="filter" mode="filter">
        <!-- $last is the filter's final term, or empty if it has none -->
        <xsl:param name="last" select="term[position() = last()]"/>
        <xsl:comment>
            <xsl:text>Found </xsl:text>
            <xsl:value-of select="name"/>
            <xsl:text>; last </xsl:text>
            <xsl:value-of select="$last/name"/>
        </xsl:comment>
        <!-- Patch only when the last term has match conditions or does not accept -->
        <xsl:if test="$last and ($last/from or $last/to or not($last/then/accept))">
            <xnm:warning>
                <xsl:call-template name="jcs:edit-path"/>
                <message>
                    <xsl:text>filter is missing final 'then accept' rule</xsl:text>
                </message>
            </xnm:warning>
            <xsl:call-template name="jcs:emit-change">
                <xsl:with-param name="content">
                    <term>
                        <name>very-last</name>
                        <junos:comment>
                            <xsl:text>This term was added by a commit script</xsl:text>
                        </junos:comment>
                        <then>
                            <accept/>
                        </then>
                    </term>
                </xsl:with-param>
            </xsl:call-template>
        </xsl:if>
    </xsl:template>
</xsl:stylesheet>
SLAX Syntax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {
    /* Visit filters at [edit firewall], [edit firewall family inet]
       and [edit firewall family inet6] */
    apply-templates firewall/filter | firewall/family/inet | firewall/family/inet6 {
        mode "filter";
    }
}

match filter {
    mode "filter";
    /* $last is the filter's final term, or empty if it has none */
    param $last = term[position() = last()];
    <xsl:comment> {
        expr "Found ";
        expr name;
        expr "; last ";
        expr $last/name;
    }
    /* Patch only when the last term has match conditions or does not accept */
    if ($last and ($last/from or $last/to or not($last/then/accept))) {
        <xnm:warning> {
            call jcs:edit-path();
            <message> "filter is missing final 'then accept' rule";
        }
        call jcs:emit-change() {
            with $content = {
                <term> {
                    <name> "very-last";
                    <junos:comment> "This term was added by a commit script";
                    <then> {
                        <accept>;
                    }
                }
            }
        }
    }
}
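The script's condition is easy to get wrong when reading it quickly (a last term that accepts but carries a from clause is still patched, an empty filter is not). The following Python program is an added example, not Juniper's code and not something you load onto the device: it walks the same three configuration paths the script's apply-templates reaches, applies the same test to each filter, and appends the same very-last term, so you can audit a configuration export offline and confirm that a second pass changes nothing. It assumes the un-namespaced configuration XML layout the commit script itself sees; the sample configuration, including the extra filters already-open and v6-conditional that exercise the other branches of the condition, is constructed for the example.

```python
"""Offline mirror of the add-accept commit script's logic.

Added example (not Juniper's code). Assumption: the <configuration> tree is
un-namespaced, as the commit script sees it; only the comment uses junos:.
"""
import xml.etree.ElementTree as ET

JUNOS_NS = "http://xml.juniper.net/junos/*/junos"
ET.register_namespace("junos", JUNOS_NS)

# Constructed sample: the page's 'test' filter plus two filters that
# exercise the other branches of the script's condition.
SAMPLE_CONFIG = """<configuration>
<firewall>
  <family>
    <inet>
      <filter>
        <name>test</name>
        <term><name>one</name>
          <from><interface><name>t1-0/0/0</name></interface></from>
          <then><count><name>ten-network</name></count><discard/></then></term>
        <term><name>two</name>
          <from><forwarding-class>assured-forwarding</forwarding-class></from>
          <then><discard/></then></term>
      </filter>
      <filter>
        <name>already-open</name>
        <term><name>drop-icmp</name><from><protocol>icmp</protocol></from>
          <then><discard/></then></term>
        <term><name>allow-rest</name><then><accept/></then></term>
      </filter>
    </inet>
    <inet6>
      <filter>
        <name>v6-conditional</name>
        <term><name>allow-ssh</name>
          <from><destination-port>ssh</destination-port></from>
          <then><accept/></then></term>
      </filter>
    </inet6>
  </family>
</firewall>
</configuration>"""

# The node set the script's apply-templates select expression reaches.
FILTER_PATHS = ("firewall/filter",
                "firewall/family/inet/filter",
                "firewall/family/inet6/filter")


def needs_final_accept(filter_el):
    """The script's test: $last and ($last/from or $last/to or not($last/then/accept))."""
    terms = filter_el.findall("term")
    if not terms:                      # $last is empty: the script is silent
        return False
    last = terms[-1]
    return (last.find("from") is not None
            or last.find("to") is not None
            or last.find("then/accept") is None)


def _walk(root):
    """Yield (CLI edit path, filter element) for every filter the script visits."""
    for path in FILTER_PATHS:
        for flt in root.findall(path):
            edit_path = "[edit %s %s]" % (path.replace("/", " "), flt.findtext("name"))
            yield edit_path, flt


def audit(config_xml):
    """Return (edit path, last term name) for every filter the script would patch."""
    root = ET.fromstring(config_xml)
    return [(edit_path, flt.findall("term")[-1].findtext("name"))
            for edit_path, flt in _walk(root) if needs_final_accept(flt)]


def add_final_accept(config_xml):
    """Apply the script's emit-change: append an unconditional accept term."""
    root = ET.fromstring(config_xml)
    for _, flt in _walk(root):
        if needs_final_accept(flt):
            term = ET.SubElement(flt, "term")
            ET.SubElement(term, "name").text = "very-last"
            ET.SubElement(term, "{%s}comment" % JUNOS_NS).text = \
                "This term was added by a commit script"
            ET.SubElement(ET.SubElement(term, "then"), "accept")
    return ET.tostring(root, encoding="unicode")


def filter_terms(config_xml):
    """Map each filter's edit path to its ordered term names."""
    root = ET.fromstring(config_xml)
    return {edit_path: [t.findtext("name") for t in flt.findall("term")]
            for edit_path, flt in _walk(root)}


if __name__ == "__main__":
    for edit_path, last in audit(SAMPLE_CONFIG):
        print("%s\n  warning: filter is missing final 'then accept' rule (last term: %s)"
              % (edit_path, last))
    patched = add_final_accept(SAMPLE_CONFIG)
    # Idempotence: a second commit must not append another term.
    assert audit(patched) == []
```

Running it reports the test filter (last term two discards) and v6-conditional (last term allow-ssh accepts, but only for SSH), while already-open is left untouched because its final term is an unconditional accept. The idempotence assertion at the end is the check worth keeping: once very-last is present it is itself an unconditional accept, so the script will not keep appending terms on every commit.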
Configuration
Procedure
Step-by-Step Procedure
To download, enable, and test the script:
Copy the script into a text file, name the file add-accept.xsl or add-accept.slax as appropriate, and copy it to the /var/db/scripts/commit/ directory on the device.
Select the following test configuration stanzas, and press Ctrl+c to copy them to the clipboard.
If you are using the SLAX version of the script, change the filename at the [edit system scripts commit file] hierarchy level to add-accept.slax.

system {
    scripts {
        commit {
            file add-accept.xsl;
        }
    }
}
firewall {
    policer sgt-friday {
        if-exceeding {
            bandwidth-percent 10;
            burst-size-limit 250k;
        }
        then discard;
    }
    family inet {
        filter test {
            term one {
                from {
                    interface t1-0/0/0;
                }
                then {
                    count ten-network;
                    discard;
                }
            }
            term two {
                from {
                    forwarding-class assured-forwarding;
                }
                then discard;
            }
        }
    }
}
interfaces {
    t1-0/0/0 {
        unit 0 {
            family inet {
                policer output sgt-friday;
                filter input test;
            }
        }
    }
}
In configuration mode, issue the load merge terminal command to merge the stanzas into your device configuration.

[edit]
user@host# load merge terminal
[Type ^D at a new line to end input]
... Paste the contents of the clipboard here ...
At the prompt, paste the contents of the clipboard by using the mouse and the paste icon.
Press Enter.
Press Ctrl+d.
Commit the configuration.
user@host# commit
Verification
Verifying the Configuration
Purpose
Verify that the script behaves as expected.
Action
Review the output of the commit command. The script requires that every firewall filter end with an unconditional then accept term. The sample configuration stanzas include the test filter with two terms, the last of which discards, so the filter does not satisfy the check. When you issue the commit command, the script emits a warning naming the filter, adds the missing then accept term, and the configuration commits. The following output appears:
[edit]
user@host# commit
[edit firewall family inet filter test]
  warning: filter is missing final 'then accept' rule
commit complete
In configuration mode, issue the show firewall command to review the modified configuration. The following output appears:

[edit]
user@host# show firewall
policer sgt-friday {
    if-exceeding {
        bandwidth-percent 10;
        burst-size-limit 250k;
    }
    then discard;
}
family inet {
    filter test {
        term one {
            from {
                interface t1-0/0/0;
            }
            then {
                count ten-network;
                discard;
            }
        }
        term two {
            from {
                forwarding-class assured-forwarding;
            }
            then {
                discard;
            }
        }
        term very-last {
            then accept;
            /* This term was added by a commit script */
        }
    }
}