SDK Your Net Corporation Policy Manager Example: Policy Server Daemon Documentation



The Policy Manager sample application composed of two daemons on the routing engine (RE), the Policy Server Daemon (PSD) and the Policy Enforcement Daemon (PED). Both daemons will be added to the sync-policy-manager-mgmt package, which for the fictitious company SDK Your Net Corp. (SYNC), demonstrates how to use the correct naming conventions in developing a package to hold RE-SDK daemons. As of the 8.5 package release, the sample application also contains two daemons running on the MS-PIC or even separate PICs optionally. There is the Packet Filtering Daemon (PFD) running as a data application and a Captive Portal Daemon (CPD), which is a simple HTTP server running as a control application. The whole application containing all four daemons is contained in the sync-policy-manager-bundle package.

The goal of this application is to demonstrate the use of some JUNOS SDK APIs. It covers the use of DDL and ODL, respectively, to manage configuration and commands, and to control the output of operational commands. It uses event control from the eventlib API in libisc2 (a library provided by the Internet Software Consortium) to exemplify its use with sockets to provide asynchronous communication services. It demonstrates the use of libjunos-sdk in several ways: Kernel Communication (KCOM) is used to listen for protocol family changes on interfaces, and tracing and logging happens using the APIs exposed in the junos_trace module. This application also demonstrates the use of libjipc for inter-process communication to and from the PSD. Libssd, a major SDK library that communicates with the SDK Service Daemon (SSD), is used to manage routes associated with policies and install service routes to MS-PICs. Lastly, the application demonstrates writing control and data applications for the MP-SDK using libconn and libmp-sdk, performing PIC-PIC and RE-PIC communications.

Policy Server Daemon (PSD)

The PSD is responsible for providing policies, each consisting of a pre-existing (configured) input and output (inet) firewall filter name, and a set of routes for a particular interface. It listens for requests on the RE via IRI2 (it binds to on a port 7077 (we chose this port number as to not conflict with existing Juniper daemons). It accepts connection requests from the PED-style clients; however, we intend on only using one instance of the PED. It processes the client's messages and replies to them as described in this section.


The PSD creates a server-style socket and binds to its service port (7077).


The PSD configuration is actually the policies which will potentially apply to specified interfaces. A policy consists of the interface name, address family, input filter name, output filter name and routes. The interface name is based on an IFL-structured interface name (physical.logical) pattern matching expression. Because of this pattern matching expression for the interface name, a single policy can be returned in response to many requests (for a pattern like *, for example, which matches all interface names).

Creating New Client Connections

When getting a connection request from a client, the PSD creates a new connection to the client and registers the message handler for receiving messages.

Message Process

As a server, the PSD message handler processes the messages received from the clients and replies. The valid message types it receives are:

Server Shutdown

Before closing the server socket itself, it closes all client connections first.

Message content between the PSD and the PED

The PED and the PSD use libjipc over TCP sockets to exchange these messages.


Internal Communication Channels between the Daemons (and SSD)

                 |         |
                 |   PSD   |
                 |         |
                      | IRI2 (libjipc)
                      |            ,--> (libssd)
                 +----x----+      /   +---------+
                 |         |   IRI2   |         |
                 |   PED   x----------x   SSD   |
                 |         x\         |         |
                 +----x----+ \        +---------+

Sample Configuration

The sample configuration below shows an example of how to configure the daemon. The PSD has its configuration under "sync policy-server," and has a policy configuration named "a-pol" in which all Fast Ethernet interfaces on FPC 0 get assigned the filters filter1 and filter2 as the input and output filters respectively.

sync {
    policy-server {
        policy a-pol {
            interface-name fe-0*;
            address-family inet;
            filter {
                input filter1;
                output filter2;
        policy b-pol {
            interface-name sp*;
            address-family inet;
            filter {
                input filter3;
                output filter4;
            route {
                next-hop-type reject;
            route {
                metrics 10;
        traceoptions {
            file psd.trace;
            level all;
            flag all;

2007-2009 Juniper Networks, Inc. All rights reserved. The information contained herein is confidential information of Juniper Networks, Inc., and may not be used, disclosed, distributed, modified, or copied without the prior written consent of Juniper Networks, Inc. in an express license. This information is subject to change by Juniper Networks, Inc. Juniper Networks, the Juniper Networks logo, and JUNOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Generated on Sun May 30 20:27:07 2010 for SDK Your Net Corporation Policy Manager Example: Policy Server Daemon 1.0 by Doxygen 1.5.1