
Adding a Final then accept Term to a Firewall

Each firewall filter in the JUNOS software has an implicit discard action at the end of the filter, which is equivalent to the following explicit filter term:

term implicit-rule {
    then discard;
}

As a result, a packet that matches none of the terms in the filter is discarded. In some cases you might want to override this default by adding a last term that accepts every packet not matched by the filter's series of match conditions.

In this example, the commit script adds a then accept term to any firewall filter that does not already end with an unconditional then accept statement, and emits a warning naming the filter it changed.

XSLT Syntax

<?xml version="1.0" standalone="yes"?>

<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">

    <xsl:import href="../import/junos.xsl"/>

    <xsl:template match="configuration">
        <xsl:apply-templates select="firewall/filter | firewall/family/inet | firewall/family/inet6" mode="filter"/>
    </xsl:template>

    <xsl:template match="filter" mode="filter">
        <xsl:param name="last" select="term[position() = last()]"/>
        <xsl:comment>
            <xsl:text>Found </xsl:text>
            <xsl:value-of select="name"/>
            <xsl:text>; last </xsl:text>
            <xsl:value-of select="$last/name"/>
        </xsl:comment>
        <xsl:if test="$last and ($last/from or $last/to or not($last/then/accept))">
            <xnm:warning>
                <xsl:call-template name="jcs:edit-path"/>
                <message>
                    <xsl:text>filter is missing final 'then accept' rule</xsl:text>
                </message>
            </xnm:warning>
            <xsl:call-template name="jcs:emit-change">
                <xsl:with-param name="content">
                    <term>
                        <name>very-last</name>
                        <junos:comment>
                            <xsl:text>This term was added by a commit script</xsl:text>
                        </junos:comment>
                        <then>
                            <accept/>
                        </then>
                    </term>
                </xsl:with-param>
            </xsl:call-template>
        </xsl:if>
    </xsl:template>
</xsl:stylesheet>

SLAX Syntax

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";
match configuration {
    apply-templates firewall/filter | firewall/family/inet | firewall/family/inet6 {
        mode "filter";
    }
}
match filter {
    mode "filter";
    param $last = term[position() = last()];

    <xsl:comment> {
        expr "Found ";
        expr name;
        expr "; last ";
        expr $last/name;
    }
    if ($last and ($last/from or $last/to or not($last/then/accept))) {
        <xnm:warning> {
            call jcs:edit-path();
            <message> "filter is missing final 'then accept' rule";
        }
        call jcs:emit-change() {
            with $content = {
                <term> {
                    <name> "very-last";
                    <junos:comment> "This term was added by a commit script";
                    <then> {
                        <accept>;
                    }
                }
            }
        }
    }
}
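To make the script's test and change easy to inspect off the router, here is an added Python model of the same logic (it is not part of the JUNOS documentation or the jcs library), run over a constructed configuration in JUNOS XML form; the edit-path string format is an assumption of this model.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration in JUNOS XML form (not captured from a device).
SAMPLE_CONFIG = """<configuration><firewall><family><inet>
  <filter><name>test</name>
    <term><name>one</name><from><interface><name>t1-0/0/0</name></interface></from>
      <then><count>ten-network</count><discard/></then></term>
    <term><name>two</name><from><forwarding-class>assured-forwarding</forwarding-class></from>
      <then><discard/></then></term>
  </filter>
  <filter><name>ok</name><term><name>all</name><then><accept/></then></term></filter>
  <filter><name>web</name>
    <term><name>http</name><from><protocol>tcp</protocol></from><then><accept/></then></term>
  </filter>
</inet></family></firewall></configuration>"""

# The same three locations the stylesheet applies its "filter" template to.
FILTER_PATHS = ("firewall/filter", "firewall/family/inet/filter", "firewall/family/inet6/filter")


def needs_final_accept(filter_el):
    """Mirror the script's test: $last and ($last/from or $last/to or not($last/then/accept)).
    A last term that accepts only conditionally (it has from/to) still leaves the
    implicit discard in force, so it counts as missing the final accept."""
    terms = filter_el.findall("term")
    if not terms:
        return False  # no terms: the script leaves the filter alone
    last = terms[-1]
    conditional = last.find("from") is not None or last.find("to") is not None
    return conditional or last.find("then/accept") is None


def add_final_accept(filter_el):
    """Append the term that jcs:emit-change adds; note this turns default-deny into default-allow."""
    term = ET.SubElement(filter_el, "term")
    ET.SubElement(term, "name").text = "very-last"
    ET.SubElement(term, "{http://xml.juniper.net/junos/*/junos}comment").text = (
        "This term was added by a commit script")
    ET.SubElement(ET.SubElement(term, "then"), "accept")
    return term


def audit(config_xml, fix=False):
    """Return the warning lines the commit would print; optionally apply the change too."""
    root = ET.fromstring(config_xml)
    warnings = []
    for path in FILTER_PATHS:
        for f in root.findall(path):
            if needs_final_accept(f):
                edit_path = "[edit " + path.replace("/", " ") + " " + f.findtext("name") + "]"
                warnings.append(edit_path + "\n    warning: filter is missing final 'then accept' rule")
                if fix:
                    add_final_accept(f)
    return warnings, root
```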

Testing ex-add-accept.xsl

To test the example in this section, perform the following steps:

  1. From Adding a Final then accept Term to a Firewall, copy the Extensible Stylesheet Language Transformations (XSLT) or SLAX script into a text file, and name the file ex-add-accept.xsl. Copy the ex-add-accept.xsl file to the /var/db/scripts/commit directory on your routing platform.
  2. Select the following configuration, and press Ctrl+c to copy it to the clipboard. If you are using the SLAX version of the script, change the filename to filename.slax.
    system {
        scripts {
            commit {
                file ex-add-accept.xsl;
            }
        }
    }
    firewall {
        policer sgt-friday {
            if-exceeding {
                bandwidth-percent 10;
                burst-size-limit 250k;
            }
            then discard;
        }
        family inet {
            filter test {
                term one {
                    from {
                        interface t1-0/0/0;
                    }
                    then {
                        count ten-network;
                        discard;
                    }
                }
                term two {
                    from {
                        forwarding-class assured-forwarding;
                    }
                    then discard;
                }
            }
        }
    }
    interfaces {
        t1-0/0/0 {
            unit 0 {
                family inet {
                    policer output sgt-friday;
                    filter input test;
                }
            }
        }
    }
  3. Merge the configuration into your routing platform configuration by issuing the load merge terminal configuration mode command:
    [edit]
    user@host# load merge terminal
    [Type ^D at a new line to end input]
    > Paste the contents of the clipboard here<
    1. At the prompt, paste the contents of the clipboard using the mouse and the paste icon.
    2. Press Enter.
    3. Press Ctrl+d.
  4. Issue the commit command. When you issue the commit command, the following output appears:
    [edit]
    user@host# commit
    [edit firewall family inet filter test]
        warning: filter is missing final 'then accept' rule
    commit complete
  5. Issue the show firewall command. The following output appears:
    [edit]
    user@host# show firewall
    policer sgt-friday {
        if-exceeding {
            bandwidth-percent 10;
            burst-size-limit 250k;
        }
        then discard;
    }
    family inet {
        filter test {
            term one {
                from {
                    interface t1-0/0/0;
                }
                then {
                    count ten-network;
                    discard;
                }
            }
            term two {
                from {
                    forwarding-class assured-forwarding;
                }
                then {
                    discard;
                }
            }
            term very-last {
                then accept; /* This term was added by a commit script */
            }
        }
    }
