
Preventing Import of the Full Routing Table

In JUNOS software routing policy, if you configure a policy with no match conditions and a terminating action of then accept, and then apply the policy to a routing protocol, the protocol imports the entire routing table. This example shows how to use a commit script to prevent this scenario.

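This example inspects the import statements configured at the [edit protocols ospf] and [edit protocols isis] hierarchy levels to determine whether any of the named policies contains a then accept term with no match conditions. When one does, the script emits an error, which causes the commit to fail, so the full routing table cannot be imported into these interior gateway protocols (IGPs). As written, the test looks only for a then accept placed directly under the policy statement with neither a from nor a to, and only at these two hierarchy levels; import policies applied anywhere else are not inspected.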

XSLT Syntax

<?xml version="1.0" standalone="yes"?>

<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">

    <!--
      Commit script: fail the commit when a policy named in an OSPF or IS-IS
      import statement accepts routes with no match conditions at all.

      The jcs:edit-path and jcs:statement templates called below are not
      defined in this file; they are expected to come from the imported
      junos.xsl.
    -->
    <xsl:import href="../import/junos.xsl"/>

    <!-- The [edit policy-options] subtree of the candidate configuration. -->
    <xsl:param name="po" select="commit-script-input/configuration/policy-options"/>

    <!--
      Entry template: visit every import statement under [edit protocols ospf]
      and then every one under [edit protocols isis]. No other hierarchy level
      is inspected.
    -->
    <xsl:template match="configuration">
        <xsl:apply-templates select="protocols/ospf/import"/>
        <xsl:apply-templates select="protocols/isis/import"/>
    </xsl:template>

    <!--
      One import statement. Its string value is the policy name, which is
      matched against the name of each policy-statement in $po.

      A policy is reported when it has then/accept directly under the
      policy-statement and neither a from nor a to beside it. The paths are
      relative to the policy-statement, so a then nested inside a child
      element is not examined.
      NOTE(review): confirm whether policies built from named terms need the
      same check.

      The xnm:error is anchored on the import statement itself ($test), not
      on the policy, so the operator is pointed at the protocol that would
      receive the routes.
    -->
    <xsl:template match="import">
        <xsl:param name="test" select="."/>
        <xsl:for-each select="$po/policy-statement[name=$test][then/accept and not(to) and not(from)]">
            <xnm:error>
                <xsl:call-template name="jcs:edit-path">
                    <xsl:with-param name="dot" select="$test"/>
                </xsl:call-template>
                <xsl:call-template name="jcs:statement">
                    <xsl:with-param name="dot" select="$test"/>
                </xsl:call-template>
                <message>policy contains bare 'then accept'</message>
            </xnm:error>
        </xsl:for-each>
    </xsl:template>

</xsl:stylesheet>

SLAX Syntax

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/* The [edit policy-options] subtree of the candidate configuration; the import template looks policies up here by name. */
param $po = commit-script-input/configuration/policy-options;

/*
 * Entry template for the configuration element.
 * Visits the import statements under [edit protocols ospf] first and then
 * those under [edit protocols isis]; no other hierarchy level is inspected.
 * NOTE(review): presumably the imported junos.xsl applies templates to the
 * configuration element; confirm against that file.
 */
match configuration {
    /* OSPF import policies. */
    apply-templates protocols/ospf/import;
    /* IS-IS import policies. */
    apply-templates protocols/isis/import;
}
/*
 * One import statement. Its string value is the policy name, which is
 * compared with the name of each policy-statement in $po.
 *
 * A policy is reported when it has then/accept directly under the
 * policy-statement and neither a from nor a to beside it. The paths are
 * relative to the policy-statement, so a then nested inside a child element
 * is not examined.
 * NOTE(review): confirm whether policies built from named terms need the
 * same check.
 *
 * The error is anchored on the import statement ($test), not on the policy.
 * jcs:edit-path and jcs:statement are not defined in this file; they are
 * expected to come from the imported junos.xsl.
 */
match import {
    param $test = .;

    var $bare = $po/policy-statement[name=$test][then/accept and not(to) and not(from)];

    for-each ($bare) {
        <xnm:error> {
            call jcs:edit-path($dot = $test);
            call jcs:statement($dot = $test);
            <message> "policy contains bare 'then accept'";
        }
    }
}
