Example: Preventing Import of the Full Routing Table
In Junos OS routing policy, if you configure a policy with no match conditions and a terminating action of then accept, and then apply the policy to a routing protocol, the protocol imports the entire routing table. This example shows how to use a commit script to prevent this scenario.
This example inspects the import statements configured at the [edit protocols ospf] and [edit protocols isis] hierarchy levels to determine whether any of the named policies contain a then accept term with no match conditions. The script protects against importing the full routing table into these interior gateway protocols (IGPs).
XSLT Syntax
<?xml version="1.0" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">
    <xsl:import href="../import/junos.xsl"/>
    <xsl:param name="po"
        select="commit-script-input/configuration/policy-options"/>
    <xsl:template match="configuration">
        <xsl:apply-templates select="protocols/ospf/import"/>
        <xsl:apply-templates select="protocols/isis/import"/>
    </xsl:template>
    <xsl:template match="import">
        <xsl:param name="test" select="."/>
        <xsl:for-each select="$po/policy-statement[name=$test]">
            <xsl:choose>
                <xsl:when test="then/accept and not(to) and not(from)">
                    <xnm:error>
                        <xsl:call-template name="jcs:edit-path">
                            <xsl:with-param name="dot" select="$test"/>
                        </xsl:call-template>
                        <xsl:call-template name="jcs:statement">
                            <xsl:with-param name="dot" select="$test"/>
                        </xsl:call-template>
                        <message>policy contains bare 'then accept'</message>
                    </xnm:error>
                </xsl:when>
            </xsl:choose>
        </xsl:for-each>
    </xsl:template>
</xsl:stylesheet>
SLAX Syntax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
param $po = commit-script-input/configuration/policy-options;
match configuration {
    apply-templates protocols/ospf/import;
    apply-templates protocols/isis/import;
}
match import {
    param $test = .;
    for-each ($po/policy-statement[name=$test]) {
        if (then/accept and not(to) and not(from)) {
            <xnm:error> {
                call jcs:edit-path($dot = $test);
                call jcs:statement($dot = $test);
                <message> "policy contains bare 'then accept'";
            }
        }
    }
}
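The same check, written in Python against a constructed configuration document so it can be run off-box (for example in a CI step over an exported configuration). This is an added example, not code from the Junos documentation; the XML shape is assumed from the XPath the script above uses (policy-statement/name, then/accept, from, to, term), and the sample configuration is invented. It goes slightly beyond the commit script by also flagging a policy whose first term is a bare accept, since every route reaches that term before any later term can reject it.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the commit-script-input configuration the script
# walks (hypothetical, not a device capture): three policies, three imports.
SAMPLE_CONFIG = """
<configuration>
  <protocols>
    <ospf><import>bad-news</import><import>safe</import></ospf>
    <isis><import>term-bad</import></isis>
  </protocols>
  <policy-options>
    <policy-statement><name>bad-news</name><then><accept/></then></policy-statement>
    <policy-statement><name>term-bad</name>
      <term><name>t1</name><then><accept/></then></term></policy-statement>
    <policy-statement><name>safe</name>
      <term><name>t1</name><from><protocol>direct</protocol></from>
        <then><accept/></then></term></policy-statement>
  </policy-options>
</configuration>
"""

IGPS = ("ospf", "isis")  # same hierarchies the commit script inspects

def is_bare_accept(node):
    """True if this policy-statement or term says 'then accept' with no from/to."""
    return (node.find("then/accept") is not None
            and node.find("from") is None and node.find("to") is None)

def accepts_everything(policy):
    """Top-level bare accept (the script's own test), or a bare-accept first
    term, which every route reaches before any later term can reject it."""
    if is_bare_accept(policy):
        return True
    terms = policy.findall("term")
    return bool(terms) and is_bare_accept(terms[0])

def find_full_table_imports(config_xml):
    """Return (protocol, policy) pairs where an IGP import would accept all routes."""
    root = ET.fromstring(config_xml)
    policies = {p.findtext("name"): p
                for p in root.findall("policy-options/policy-statement")}
    findings = []
    for igp in IGPS:
        for imp in root.findall(f"protocols/{igp}/import"):
            name = (imp.text or "").strip()
            policy = policies.get(name)
            if policy is not None and accepts_everything(policy):
                findings.append((igp, name))
    return findings

if __name__ == "__main__":
    for igp, name in find_full_table_imports(SAMPLE_CONFIG):
        print(f"[edit protocols {igp} import] '{name}' contains bare 'then accept'")
```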
Testing the ex-import Script
To test the ex-import script, perform the following steps:
- Copy the XSLT or SLAX script from Example: Preventing Import of the Full Routing Table into a text file, name the file ex-import.xsl or ex-import.slax as appropriate, and copy it to the /var/db/scripts/commit directory on the device.
- Select the following configuration stanzas, and press Ctrl+c to copy them to the clipboard. If you are using the SLAX version of the script, change the filename at the [edit system scripts commit file] hierarchy level to ex-import.slax.
system {
    scripts {
        commit {
            file ex-import.xsl;
        }
    }
}
protocols {
    ospf {
        import bad-news;
    }
}
policy-options {
    policy-statement bad-news {
        then accept;
    }
}
- In configuration mode, issue the load merge terminal command to merge the stanzas into your device configuration:
[edit]
user@host# load merge terminal
[Type ^D at a new line to end input]
... Paste the contents of the clipboard here ...
- At the prompt, paste the contents of the clipboard using the mouse and the paste icon.
- Press Enter.
- Press Ctrl+d.
- Issue the commit command. The following output appears:
[edit]
user@host# commit
[edit protocols ospf import]
'import bad-news;'
policy contains bare 'then accept'
error: 1 error reported by commit scripts
error: commit script failure