
Adding a Final then accept Term to a Firewall

Each firewall filter in the JUNOS software has an implicit discard action at the end of the filter, which is equivalent to the following explicit filter term:

term implicit-rule {
    then discard;
}

As a result, if a packet matches none of the terms in the filter, it is discarded. In some cases, you might want to override the default by adding a last term to accept all packets that do not match a firewall filter’s series of match conditions. This example adds a final then accept action to any firewall filter that does not already end with one.

In this example, the commit script adds a term containing a then accept statement to any firewall filter whose last term is not an unconditional then accept: a last term that carries from or to match conditions, or that lacks then accept, triggers the change, and the script issues a warning for each filter it modifies.

XSLT Syntax

<?xml version="1.0" standalone="yes"?>

<!--
  Commit script: append an explicit "then accept" term to firewall filters.

  For every firewall filter whose final term is not an unconditional
  "then accept" (i.e. it has from/to match conditions, or no accept), a
  warning is emitted and a term named "very-last" containing "then accept"
  is added through jcs:emit-change. Note that this replaces the filter's
  implicit final discard with an explicit accept, so the filter's default
  changes from deny-by-default to allow-by-default; review that this is the
  intended policy for every filter the script touches.

  jcs:edit-path and jcs:emit-change are not defined here; they come from
  the imported junos.xsl (or what it imports).
-->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">

    <xsl:import href="../import/junos.xsl"/>

    <!--
      Per-filter template (mode "filter"). $last is the filter's final term;
      a caller may override it with with-param. It is empty for a filter
      with no terms, and such filters are left unchanged.
    -->
    <xsl:template match="filter" mode="filter">
        <xsl:param name="last" select="term[position() = last()]"/>
        <!-- Debug trace: filter name and last-term name, written as an XML comment into the output. -->
        <xsl:comment>
            <xsl:value-of select="concat('Found ', name, '; last ', $last/name)"/>
        </xsl:comment>
        <!--
          Only a bare "then accept" with no from/to conditions counts as a
          catch-all; any other final term gets the "very-last" term appended.
        -->
        <xsl:if test="$last and not($last/then/accept and not($last/from or $last/to))">
            <xnm:warning>
                <xsl:call-template name="jcs:edit-path"/>
                <message>
                    <xsl:text>filter is missing final 'then accept' rule</xsl:text>
                </message>
            </xnm:warning>
            <!-- Hand the new term to the candidate configuration. -->
            <xsl:call-template name="jcs:emit-change">
                <xsl:with-param name="content">
                    <term>
                        <name>very-last</name>
                        <junos:comment>
                            <xsl:text>This term was added by a commit script</xsl:text>
                        </junos:comment>
                        <then>
                            <accept></accept>
                        </then>
                    </term>
                </xsl:with-param>
            </xsl:call-template>
        </xsl:if>
    </xsl:template>

    <!--
      Entry point: visit the top-level filters and the inet/inet6 family
      containers in mode "filter". The family containers have no template of
      their own in this mode, so XSLT's built-in template recurses into their
      children; that is how family/inet/filter reaches the template above.
      Any other children of those containers are walked the same way (their
      text would be copied to the output) - presumably harmless here; confirm.
    -->
    <xsl:template match="configuration">
        <xsl:apply-templates mode="filter"
            select="firewall/family/inet6 | firewall/family/inet | firewall/filter"/>
    </xsl:template>
</xsl:stylesheet>

SLAX Syntax

version 1.0;

/*
 * Commit script: append an explicit "then accept" term to firewall filters
 * whose final term is not an unconditional accept. Note that this replaces
 * the affected filter's implicit final discard with an explicit accept, so
 * its default changes from deny to allow; review that for every filter the
 * script touches.
 */
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns junos = "http://xml.juniper.net/junos/*/junos";

/* Source of the jcs:edit-path and jcs:emit-change templates called below. */
import "../import/junos.xsl";
/*
 * Entry point: hand the top-level filters and the inet/inet6 family
 * containers to mode "filter". The family containers have no template of
 * their own in this mode, so XSLT's built-in template walks their children
 * and family/inet/filter still reaches "match filter".
 */
match configuration {
    apply-templates firewall/family/inet6 | firewall/family/inet | firewall/filter {
        mode "filter";
    }
}
/*
 * Per-filter template. $last is the filter's final term (a caller may
 * override it); it is empty for a filter with no terms, and such filters
 * are left unchanged.
 */
match filter {
    mode "filter";
    param $last = term[position() = last()];

    /* Debug trace: filter name and last-term name as an XML comment in the output. */
    <xsl:comment> {
        expr concat("Found ", name, "; last ", $last/name);
    }
    /*
     * Only a bare "then accept" with no from/to conditions counts as a
     * catch-all; any other final term gets the "very-last" term appended.
     */
    if ($last and not($last/then/accept and not($last/from or $last/to))) {
        <xnm:warning> {
            call jcs:edit-path();
            <message> {
                expr "filter is missing final 'then accept' rule";
            }
        }
        /* Hand the new term to the candidate configuration. */
        call jcs:emit-change() {
            with $content = {
                <term> {
                    <name> {
                        expr "very-last";
                    }
                    <junos:comment> {
                        expr "This term was added by a commit script";
                    }
                    <then> {
                        <accept>;
                    }
                }
            }
        }
    }
}
