Merge pull request Juniper#5 from jlcross/master
Updating GitHub to match library on www.
dssatya committed Jun 20, 2014
2 parents 17f7ba5 + 4761a16 commit b294e25
Showing 9 changed files with 440 additions and 1 deletion.
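--- a/library/juniper/commit/filters/lo0-filter/lo0-filter.conf
+++ b/library/juniper/commit/filters/lo0-filter/lo0-filter.conf
@@ -0,0 +1,41 @@
+filter lo0-filter {
+term ssh {
+from {
+source-address {
+10.1.2.0/24;
+10.3.4.0/24;
+10.3.4.5/32 except;
+}
+protocol tcp;
+destination-port ssh;
+}
+then accept;
+}
+term xnm-ssl {
+from {
+protocol tcp;
+destination-port 3220;
+}
+then accept;
+}
+term bgp {
+from {
+source-address {
+10.5.14.2/32;
+}
+protocol tcp;
+destination-port bgp;
+}
+then accept;
+}
+term ntp {
+from {
+source-address {
+10.5.5.5/32;
+}
+protocol udp;
+destination-port ntp;
+}
+then accept;
+}
+}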
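Review bot: The `xnm-ssl` term in this filter accepts TCP/3220 toward the routing engine from any source address, while the neighbouring `ssh`, `bgp` and `ntp` terms each carry a `source-address` list. Since this file is the reference output of the lo0-filter commit script, the open term is probably the result of no `apply-macro allow` being configured under `[edit system services xnm-ssl]` rather than an intended policy, but it is still exactly what lands on lo0. If the sample is kept as-is, a leading annotation such as `/* xnm-ssl has no allow macro in the sample config, so this term is open to every source */` would stop a reader from copying it into production unchanged.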
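--- a/library/juniper/commit/filters/lo0-filter/lo0-filter.output
+++ b/library/juniper/commit/filters/lo0-filter/lo0-filter.output
@@ -0,0 +1,9 @@
+[edit system services]
+user@cli# show
+ssh {
+apply-macro allow {
+10.1.2.0/24;
+10.3.4.0/24;
+10.3.4.5/32 except;
+}
+}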
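--- a/library/juniper/commit/filters/lo0-filter/lo0-filter.slax
+++ b/library/juniper/commit/filters/lo0-filter/lo0-filter.slax
@@ -0,0 +1,123 @@
+version 1.0;
+
+ns junos = "http://xml.juniper.net/junos/*/junos";
+ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
+ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
+
+import "../import/junos.xsl";
+
+/*
+* Creates lo0 filter based on configured protocol
+*
+* lo0 filter protects the routing engine from external assault
+*
+* Look at configuration to know what (and how) to accept
+* [system services]
+* [protocols bgp group neighbor]
+*
+* Use apply-macro to extend syntax where required
+* [edit system services]
+* user@cli# show
+* ssh {
+* apply-macro allow {
+* 10.1.2.0/24;
+* 10.3.4.0/24;
+* 10.3.4.5/32 except;
+* }
+* }
+*/
+
+match configuration {
+var $top = .;
+
+<transient-change> {
+<firewall> {
+<filter replace="replace"> {
+<name> "lo0-filter";
+var $services = system/services;
+call service-term($name = "ssh", $this = $services/ssh);
+call service-term($name = "xnm-ssl", $port = 3220,
+$this = $services/xnm-ssl);
+call service-term($name = "netconf", $port = 830,
+$this = $services/netconf);
+call protocol-term($name = "bgp", $this = protocols/bgp,
+$peers = protocols/bgp/group/neighbor/name);
+var $ntp = system/ntp;
+call protocol-term($name = "ntp", $this = $ntp, $protocol = "udp",
+$peers = $ntp/peer/name | $ntp/server/name);
+}
+}
+
+<interfaces> {
+<interface> {
+<name> "lo0";
+<unit> {
+<name> "0";
+<family> {
+<inet> {
+<filter> {
+<input> "lo0-filter";
+}
+}
+}
+}
+}
+}
+}
+}
+
+template service-term($name, $port = $name, $protocol = "tcp", $this) {
+if ($this) {
+<term> {
+<name> $name;
+<from> {
+if ($protocol) {
+<protocol> $protocol;
+}
+<destination-port> $port;
+
+var $mac = $this/apply-macro[name == "allow"];
+if ($mac) {
+for-each ($mac/data) {
+<source-address> {
+<name> name;
+if (value == "except") {
+<except>;
+}
+}
+}
+}
+}
+<then> {
+<accept>;
+}
+}
+}
+}
+
+template protocol-term($name, $port = $name, $protocol = "tcp",
+$this, $peers) {
+if ($this) {
+<term> {
+<name> $name;
+<from> {
+if ($protocol) {
+<protocol> $protocol;
+}
+<destination-port> $port;
+
+if ($peers) {
+for-each ($peers) {
+<source-address> {
+<name> .;
+
+}
+}
+}
+}
+<then> {
+<accept>;
+}
+}
+}
+}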
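Review bot: `service-term` emits a term as soon as the service is configured (`if ($this)`) but only adds `source-address` restrictions when an `apply-macro allow` exists (`if ($mac)`), so the `xnm-ssl` and `netconf` terms built in the match block accept their management ports from every source; `protocol-term` behaves the same way for `bgp` and `ntp` when `$peers` is empty. A fail-closed default would guard term generation on the macro as well, e.g. `if ($this && $this/apply-macro[name == "allow"]) {` in `service-term`, or at minimum the header comment should state it: `* A service without an apply-macro allow is accepted from ANY source`. The transient change attaches the filter only under `family inet`, so inet6 traffic to lo0 is presumably left unfiltered and an IPv6 BGP neighbour or NTP server address would be written into an inet filter — worth confirming on the target platform. Because the filter is installed with `replace="replace"` and a Junos filter ends in an implicit discard, anything not enumerated here (ICMP, IGP hellos, DNS, syslog, TACACS+ replies) is dropped; a reader should be told the script assumes those are handled elsewhere.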
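--- a/library/juniper/commit/system/protect-config/protect-config.slax
+++ b/library/juniper/commit/system/protect-config/protect-config.slax
@@ -0,0 +1,223 @@
+version 1.0;
+ns junos = "http://xml.juniper.net/junos/*/junos";
+ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
+ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
+import "../import/junos.xsl";
+match configuration {
+expr "\n-->\n";
+/*
+- Make sure [edit chassis] is not totally deleted...
+-
+*/
+call error-if-missing($must = chassis, $statement = "chassis") {
+with $message = {
+expr "Chassis configuration cannot be empty !!!";
+}
+}
+/*
+- We are making sure that the loopback interface configuration is present
+- and it has family inet configured.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet/address, $statement = "interfaces lo0 unit 0 family inet address");
+/*
+- Now we check the present loopback interface configuration and make sure it's not
+- deleted nor disabled.
+- The commit will fail if this is the case.
+*/
+call error-if-present($must = interfaces/interface[name == "lo0"]/disable | interfaces/interface[name == "lo0"]/unit[name == "0"]/disable) {
+with $message = {
+expr "The Loopback interface is disabled.";
+}
+}
+/*
+- Make sure snmp 0/0 is not configured. It would mess up with auto-filter !QQ
+- The commit will fail if this is the case.
+*/
+call error-if-present($must = snmp/community[name == *]/clients[name == "0.0.0.0/0"]) {
+with $message = {
+expr "0.0.0.0/0 restrict is not recommended along with apply-path";
+expr "because it would compromise the firewall filter !!! ";
+}
+}
+/*
+- Making sure the whole forwarding-options section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = forwarding-options, $statement = "[edit forwarding-options]") {
+with $message = {
+expr "The [edit forwarding-options] is missing !!! ";
+}
+}
+/*
+/*
+- Making sure the whole routing-options section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = routing-options, $statement = "[edit routing-options]") {
+with $message = {
+expr "The [edit routing-options] is missing !!! ";
+}
+}
+/*
+- Making sure the whole protocols/bgp section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/bgp, $statement = "protocols bgp") {
+with $message = {
+expr "The protocols/bgp is missing !!! ";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/bgp/disable) {
+with $message = {
+expr "The BGP protocol is disabled, failing commit..";
+}
+}
+/*
+- Making sure the whole protocols/ospf section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/ospf, $statement = "protocols ospf") {
+with $message = {
+expr "The OSPF protocol is missing, failing commit..";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/ospf/disable) {
+with $message = {
+expr "The OSPF protocol is disabled, failing commit..";
+}
+}
+
+/*
+- Making sure the whole class-of-service section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+
+call error-if-missing($must = class-of-service, $statement = "[edit class-of-service]") {
+with $message = {
+expr "The whole class-of-service section is missing, failing commit..";
+}
+}
+/*
+- Check that the Cos is not disabled...
+*/
+call error-if-present($must = class-of-service/disable) {
+with $message = {
+expr "The whole class-of-service is disabled, failing commit..";
+}
+}
+/*
+- Making sure the whole protocols/pim section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/pim, $statement = "protocols pim") {
+with $message = {
+expr "The pim protocol is missing, failing commit..";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/pim/disable) {
+with $message = {
+expr "The pim protocol is disabled, failing commit..";
+}
+}
+/*
+- Making sure the whole protocols/mpls section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/mpls, $statement = "protocols mpls") {
+with $message = {
+expr "The mpls protocol is missing, failing commit..";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/mpls/disable) {
+with $message = {
+expr "The MPLS protocol is disabled, failing commit..";
+}
+}
+/*
+- Making sure the whole protocols/ldp section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/ldp, $statement = "protocols ldp") {
+with $message = {
+expr "The LDP protocol is missing, failing commit..";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/ldp/disable) {
+with $message = {
+expr "The LDP protocol is disabled, failing commit..";
+}
+}
+}
+/*
+- Make sure snmp 0/0 is not configured. It would mess up with auto-filter !QQ
+- The commit will fail if this is the case.
+*/
+/*
+- This is where we can generate custom error/warning messages
+- by modifying the default templates.
+*/
+template warn-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
+
+if (not($must)) {
+<xnm:warning> {
+<edit-path> {
+copy-of $statement;
+}
+<message> {
+copy-of $message;
+}
+}
+}
+}
+/*
+-
+-
+-
+*/
+template error-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
+
+if (not($must)) {
+<xnm:error> {
+<edit-path> {
+copy-of $statement;
+}
+<message> {
+copy-of $message;
+}
+}
+}
+}
+/*
+-
+-
+-
+*/
+template error-if-present ($must = 1, $message = "invalid configuration statement") {
+/* give error if param missing */
+
+for-each ($must) {
+<xnm:error> {
+call jcs:edit-path();
+call jcs:statement();
+<message> {
+copy-of $message;
+}
+}
+}
+}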
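Review bot: The SNMP guard at `call error-if-present($must = snmp/community[name == *]/clients[name == "0.0.0.0/0"])` only rejects a community whose `clients` list literally contains `0.0.0.0/0`; a community with no `clients` statement at all — which, as far as I recall, Junos treats as reachable from any source — passes the check and undermines an apply-path based filter just as badly, so adding `call error-if-present($must = snmp/community[not(clients)]) { with $message = { expr "SNMP community without a clients list is open to any source"; } }` beside it would close that gap. The `[name == *]` predicate there is redundant (it compares `name` with the community's own child elements, which include `name` itself) and can be dropped. The comments promise protection against sections being "deleted/deactivated", but every check is `error-if-missing` on node existence or `error-if-present` on a `disable` leaf; if deactivated statements still appear in the candidate tree with an `inactive` attribute (please verify for the Junos releases in scope), a deactivated `protocols bgp` would sail through. Finally, `expr "\n-->\n";` at the top of the match block injects raw text into the commit-script result and looks like debugging residue, the doubled `/*` before the routing-options check is a stray comment opener, and the "snmp 0/0" comment is repeated verbatim after the match block's closing brace where it no longer describes anything.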