Merge pull request Juniper#5 from jlcross/master
Updating GitHub to match library on www.
Showing
9 changed files
with
440 additions
and
1 deletion.
@@ -0,0 +1,41 @@ | ||
filter lo0-filter { | ||
term ssh { | ||
from { | ||
source-address { | ||
10.1.2.0/24; | ||
10.3.4.0/24; | ||
10.3.4.5/32 except; | ||
} | ||
protocol tcp; | ||
destination-port ssh; | ||
} | ||
then accept; | ||
} | ||
term xnm-ssl { | ||
from { | ||
protocol tcp; | ||
destination-port 3220; | ||
} | ||
then accept; | ||
} | ||
term bgp { | ||
from { | ||
source-address { | ||
10.5.14.2/32; | ||
} | ||
protocol tcp; | ||
destination-port bgp; | ||
} | ||
then accept; | ||
} | ||
term ntp { | ||
from { | ||
source-address { | ||
10.5.5.5/32; | ||
} | ||
protocol udp; | ||
destination-port ntp; | ||
} | ||
then accept; | ||
} | ||
} |
@@ -0,0 +1,9 @@ | ||
[edit system services] | ||
user@cli# show | ||
ssh { | ||
apply-macro allow { | ||
10.1.2.0/24; | ||
10.3.4.0/24; | ||
10.3.4.5/32 except; | ||
} | ||
} |
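--- a/library/juniper/commit/filters/lo0-filter/lo0-filter.slax
+++ b/library/juniper/commit/filters/lo0-filter/lo0-filter.slax
@@ -0,0 +1,123 @@
+version 1.0;
+
+ns junos = "http://xml.juniper.net/junos/*/junos";
+ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
+ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
+
+import "../import/junos.xsl";
+
+/*
+* Creates lo0 filter based on configured protocol
+*
+* lo0 filter protects the routing engine from external assault
+*
+* Look at configuration to know what (and how) to accept
+* [system services]
+* [protocols bgp group neighbor]
+*
+* Use apply-macro to extend syntax where required
+* [edit system services]
+* user@cli# show
+* ssh {
+* apply-macro allow {
+* 10.1.2.0/24;
+* 10.3.4.0/24;
+* 10.3.4.5/32 except;
+* }
+* }
+*/
+
+match configuration {
+var $top = .;
+
+<transient-change> {
+<firewall> {
+<filter replace="replace"> {
+<name> "lo0-filter";
+var $services = system/services;
+call service-term($name = "ssh", $this = $services/ssh);
+call service-term($name = "xnm-ssl", $port = 3220,
+$this = $services/xnm-ssl);
+call service-term($name = "netconf", $port = 830,
+$this = $services/netconf);
+call protocol-term($name = "bgp", $this = protocols/bgp,
+$peers = protocols/bgp/group/neighbor/name);
+var $ntp = system/ntp;
+call protocol-term($name = "ntp", $this = $ntp, $protocol = "udp",
+$peers = $ntp/peer/name | $ntp/server/name);
+}
+}
+
+<interfaces> {
+<interface> {
+<name> "lo0";
+<unit> {
+<name> "0";
+<family> {
+<inet> {
+<filter> {
+<input> "lo0-filter";
+}
+}
+}
+}
+}
+}
+}
+}
+
+template service-term($name, $port = $name, $protocol = "tcp", $this) {
+if ($this) {
+<term> {
+<name> $name;
+<from> {
+if ($protocol) {
+<protocol> $protocol;
+}
+<destination-port> $port;
+
+var $mac = $this/apply-macro[name == "allow"];
+if ($mac) {
+for-each ($mac/data) {
+<source-address> {
+<name> name;
+if (value == "except") {
+<except>;
+}
+}
+}
+}
+}
+<then> {
+<accept>;
+}
+}
+}
+}
+
+template protocol-term($name, $port = $name, $protocol = "tcp",
+$this, $peers) {
+if ($this) {
+<term> {
+<name> $name;
+<from> {
+if ($protocol) {
+<protocol> $protocol;
+}
+<destination-port> $port;
+
+if ($peers) {
+for-each ($peers) {
+<source-address> {
+<name> .;
+
+}
+}
+}
+}
+<then> {
+<accept>;
+}
+}
+}
+}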
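Review bot: In template service-term, a service with no `apply-macro allow` is emitted with `<protocol>` and `<destination-port>` but no `<source-address>`, so the ssh, xnm-ssl (3220) and netconf (830) terms accept from any source by default, and protocol-term behaves the same way when `$peers` is empty; since this script is the routing engine's safety net, the header comment should state that explicitly, e.g. `* NOTE: a service without apply-macro allow (or a protocol without peers) is accepted from ANY source`. The generated filter holds only accept terms, so every other packet to lo0 — ICMP, IGP hellos, DNS/RADIUS/TACACS replies — falls through to the Junos implicit discard as soon as the transient change is applied; that consequence belongs in the header too, or explicit trailing terms should be added. For bgp only `<destination-port> $port` is matched, so a session this router initiates (inbound packets carry the ephemeral port as destination) would, as far as I can tell, not be accepted; the usual remedy is to also match on source-port or tcp-established.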
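--- a/library/juniper/commit/system/protect-config/protect-config.slax
+++ b/library/juniper/commit/system/protect-config/protect-config.slax
@@ -0,0 +1,223 @@
+version 1.0;
+ns junos = "http://xml.juniper.net/junos/*/junos";
+ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
+ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
+import "../import/junos.xsl";
+match configuration {
+expr "\n-->\n";
+/*
+- Make sure [edit chassis] is not totally deleted...
+-
+*/
+call error-if-missing($must = chassis, $statement = "chassis") {
+with $message = {
+expr "Chassis configuration cannot be empty !!!";
+}
+}
+/*
+- We are making sure that the loopback interface configuration is present
+- and it has family inet configured.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = interfaces/interface[name == "lo0"]/unit[name == "0"]/family/inet/address, $statement = "interfaces lo0 unit 0 family inet address");
+/*
+- Now we check the present loopback interface configuration and make sure it's not
+- deleted nor disabled.
+- The commit will fail if this is the case.
+*/
+call error-if-present($must = interfaces/interface[name == "lo0"]/disable | interfaces/interface[name == "lo0"]/unit[name == "0"]/disable) {
+with $message = {
+expr "The Loopback interface is disabled.";
+}
+}
+/*
+- Make sure snmp 0/0 is not configured. It would mess up with auto-filter !QQ
+- The commit will fail if this is the case.
+*/
+call error-if-present($must = snmp/community[name == *]/clients[name == "0.0.0.0/0"]) {
+with $message = {
+expr "0.0.0.0/0 restrict is not recommended along with apply-path";
+expr "because it would compromise the firewall filter !!! ";
+}
+}
+/*
+- Making sure the whole forwarding-options section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = forwarding-options, $statement = "[edit forwarding-options]") {
+with $message = {
+expr "The [edit forwarding-options] is missing !!! ";
+}
+}
+/*
+/*
+- Making sure the whole routing-options section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = routing-options, $statement = "[edit routing-options]") {
+with $message = {
+expr "The [edit routing-options] is missing !!! ";
+}
+}
+/*
+- Making sure the whole protocols/bgp section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/bgp, $statement = "protocols bgp") {
+with $message = {
+expr "The protocols/bgp is missing !!! ";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/bgp/disable) {
+with $message = {
+expr "The BGP protocol is disabled, failing commit..";
+}
+}
+/*
+- Making sure the whole protocols/ospf section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/ospf, $statement = "protocols ospf") {
+with $message = {
+expr "The OSPF protocol is missing, failing commit..";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/ospf/disable) {
+with $message = {
+expr "The OSPF protocol is disabled, failing commit..";
+}
+}
+
+/*
+- Making sure the whole class-of-service section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+
+call error-if-missing($must = class-of-service, $statement = "[edit class-of-service]") {
+with $message = {
+expr "The whole class-of-service section is missing, failing commit..";
+}
+}
+/*
+- Check that the Cos is not disabled...
+*/
+call error-if-present($must = class-of-service/disable) {
+with $message = {
+expr "The whole class-of-service is disabled, failing commit..";
+}
+}
+/*
+- Making sure the whole protocols/pim section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/pim, $statement = "protocols pim") {
+with $message = {
+expr "The pim protocol is missing, failing commit..";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/pim/disable) {
+with $message = {
+expr "The pim protocol is disabled, failing commit..";
+}
+}
+/*
+- Making sure the whole protocols/mpls section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/mpls, $statement = "protocols mpls") {
+with $message = {
+expr "The mpls protocol is missing, failing commit..";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/mpls/disable) {
+with $message = {
+expr "The MPLS protocol is disabled, failing commit..";
+}
+}
+/*
+- Making sure the whole protocols/ldp section is not deleted/deactivated.
+- The commit will fail if this is the case.
+*/
+call error-if-missing($must = protocols/ldp, $statement = "protocols ldp") {
+with $message = {
+expr "The LDP protocol is missing, failing commit..";
+}
+}
+/*
+- Check that the protocol is not disabled...
+*/
+call error-if-present($must = protocols/ldp/disable) {
+with $message = {
+expr "The LDP protocol is disabled, failing commit..";
+}
+}
+}
+/*
+- Make sure snmp 0/0 is not configured. It would mess up with auto-filter !QQ
+- The commit will fail if this is the case.
+*/
+/*
+- This is where we can generate custom error/warning messages
+- by modifying the default templates.
+*/
+template warn-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
+
+if (not($must)) {
+<xnm:warning> {
+<edit-path> {
+copy-of $statement;
+}
+<message> {
+copy-of $message;
+}
+}
+}
+}
+/*
+-
+-
+-
+*/
+template error-if-missing ($must, $statement = "unknown", $message = "missing mandatory configuration statement") {
+
+if (not($must)) {
+<xnm:error> {
+<edit-path> {
+copy-of $statement;
+}
+<message> {
+copy-of $message;
+}
+}
+}
+}
+/*
+-
+-
+-
+*/
+template error-if-present ($must = 1, $message = "invalid configuration statement") {
+/* give error if param missing */
+
+for-each ($must) {
+<xnm:error> {
+call jcs:edit-path();
+call jcs:statement();
+<message> {
+copy-of $message;
+}
+}
+}
+}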
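Review bot: The error-if-missing calls in match configuration (`$must = protocols/bgp`, `routing-options`, `forwarding-options`, `class-of-service`, and the pim/mpls/ldp/ospf ones) only test for presence, yet each is commented as catching the hierarchy being "deleted/deactivated"; a deactivated hierarchy is, as far as I recall, still present in the candidate XML with an `inactive` attribute, so `deactivate protocols bgp` would pass every one of these guards. Adding a predicate on each call, e.g. `$must = protocols/bgp[not(@inactive)]`, would make the check match its comment. The file also has no header comment explaining that it hard-fails every commit on a box that lacks BGP, OSPF, PIM, MPLS, LDP or CoS; a short header such as `/* Site-specific commit guard: refuses commits that remove or disable the mandatory hierarchies listed below; prune the list before deploying elsewhere. */` would prevent surprises. Minor cleanups: the doubled `/*` ahead of the routing-options check, the orphaned duplicate "snmp 0/0" comment after the closing brace of match configuration, and the three empty `/* - - - */` blocks above the templates, which should either document the templates or go.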