Example: Prevent Import of the Full Routing Table
In the Junos OS routing policy, if you configure
a policy with no match conditions and a terminating action of then accept, and then apply the policy to a routing protocol,
the protocol imports the entire routing table. This example shows
how to use a commit script to prevent this scenario.
Requirements
This example uses a device running Junos OS.
Overview and Commit Script
This example inspects the import statements
configured at the [edit protocols ospf] and [edit
protocols isis] hierarchy levels to determine if any of the
named policies contain a then accept term with no match
conditions. The script protects against importing the full routing
table into these interior gateway protocols (IGPs).
The example script is shown in both XSLT and SLAX syntax:
XSLT Syntax
<?xml version="1.0" standalone="yes"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:junos="http://xml.juniper.net/junos/*/junos" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm" xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0"> <xsl:import href="../import/junos.xsl"/> <xsl:param name="po" select="commit-script-input/configuration/policy-options"/> <xsl:template match="configuration"> <xsl:apply-templates select="protocols/ospf/import"/> <xsl:apply-templates select="protocols/isis/import"/> </xsl:template> <xsl:template match="import"> <xsl:param name="test" select="."/> <xsl:for-each select="$po/policy-statement[name=$test]"> <xsl:choose> <xsl:when test="then/accept and not(to) and not(from)"> <xnm:error> <xsl:call-template name="jcs:edit-path"> <xsl:with-param name="dot" select="$test"/> </xsl:call-template> <xsl:call-template name="jcs:statement"> <xsl:with-param name="dot" select="$test"/> </xsl:call-template> <message>policy contains bare 'then accept'</message> </xnm:error> </xsl:when> </xsl:choose> </xsl:for-each> </xsl:template> </xsl:stylesheet>
SLAX Syntax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
param $po = commit-script-input/configuration/policy-options;
match configuration {
apply-templates protocols/ospf/import;
apply-templates protocols/isis/import;
}
match import {
param $test = .;
for-each ($po/policy-statement[name=$test]) {
if (then/accept and not(to) and not(from)) {
<xnm:error> {
call jcs:edit-path($dot = $test);
call jcs:statement($dot = $test);
<message> "policy contains bare 'then accept'";
}
}
}
}Configuration
Procedure
Step-by-Step Procedure
To download, enable, and test the script:
Copy the script into a text file, name the file import.xsl or import.slax as appropriate, and copy it to the /var/db/scripts/commit/ directory on the device.
Select the following test configuration stanzas, and press Ctrl+c to copy them to the clipboard.
If you are using the SLAX version of the script, change the filename at the
[edit system scripts commit file]hierarchy level to import.slax.system { scripts { commit { file import.xsl; } } } protocols { ospf { import bad-news; } } policy-options { policy-statement bad-news { then accept; } }In configuration mode, issue the
load merge terminalcommand to merge the stanzas into your device configuration.[edit] user@host# load merge terminal [Type ^D at a new line to end input] ... Paste the contents of the clipboard here ...
At the prompt, paste the contents of the clipboard by using the mouse and the paste icon.
Press Enter.
Press Ctrl+d.
Commit the configuration.
user@host# commit
Verification
Verifying the Commit Script Execution
Purpose
Verify that the script behaves as expected.
Action
Review the output of the commit command. The
sample configuration configures an import statement at the [edit protocols ospf] hierarchy level.
Because the policy contains a then accept term with no
match conditions, the script generates an error, and the commit operation
fails. The following output appears after issuing a commit command:
[edit] user@host# commit [edit protocols ospf] 'import bad-news;' policy contains bare 'then accept' error: 1 error reported by commit scripts error: commit script failure