Example: Adding a Final then accept Term to a Firewall

Each firewall filter in the Junos OS has an implicit discard action at the end of the filter, which is equivalent to the following explicit filter term:

term implicit-rule {
    then discard;
}

As a result, if a packet matches none of the terms in the filter, it is discarded. In some cases, you might want to override the default by adding a last term to accept all packets that do not match a firewall filter’s series of match conditions. This example adds a final then accept action to any firewall filter that does not already end with it.

In this example, the commit script adds a then accept statement to any firewall filter that does not already end with an explicit then accept statement.

XSLT Syntax

<?xml version="1.0" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">
    <xsl:import href="../import/junos.xsl"/>
 
    <xsl:template match="configuration">
        <xsl:apply-templates select="firewall/filter | firewall/family/inet
                         | firewall/family/inet6" mode="filter"/>
    </xsl:template>
    <xsl:template match="filter" mode="filter">
        <xsl:param name="last" select="term[position() = last()]"/>
        <xsl:comment>
            <xsl:text>Found </xsl:text>
            <xsl:value-of select="name"/>
            <xsl:text>; last </xsl:text>
            <xsl:value-of select="$last/name"/>
        </xsl:comment>
        <xsl:if test="$last and ($last/from or $last/to or not($last/then/accept))">
            <xnm:warning>
                <xsl:call-template name="jcs:edit-path"/>
                <message>
                    <xsl:text>filter is missing final 'then accept' rule</xsl:text>
                </message>
            </xnm:warning>
            <xsl:call-template name="jcs:emit-change">
                <xsl:with-param name="content">
                    <term>
                        <name>very-last</name>
                        <junos:comment>
                            <xsl:text>This term was added by a commit script</xsl:text>
                        </junos:comment>
                        <then>
                            <accept/>
                        </then>
                    </term>
                </xsl:with-param>
            </xsl:call-template>
        </xsl:if>
    </xsl:template>
</xsl:stylesheet>

SLAX Syntax

version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
 
match configuration {
    apply-templates firewall/filter | firewall/family/inet | firewall/family/inet6 {
        mode "filter";
    }
}
match filter {
    mode "filter";
    param $last = term[position() = last()];
    <xsl:comment> {
        expr "Found ";
        expr name;
        expr "; last ";
        expr $last/name;
    }
    if ($last and ($last/from or $last/to or not($last/then/accept))) {
        <xnm:warning> {
            call jcs:edit-path();
            <message> "filter is missing final 'then accept' rule";
        }
        call jcs:emit-change() {
            with $content = {
                <term> {
                    <name> "very-last";
                    <junos:comment> "This term was added by a commit script";
                    <then> {
                        <accept>;
                    }
                }
            }
        }
    }
}
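As an added offline check, not part of the Junos example or of the jcs library, the following Python applies the same test as the script's xsl:if to a configuration exported with show configuration | display xml, so you can list which filters currently fall through to the implicit discard before a commit script turns them into default-accept. The sample XML is constructed to mirror the page's test filter plus one filter that already ends in a bare then accept.

```python
import xml.etree.ElementTree as ET

# Constructed sample in 'show configuration | display xml' shape: the page's 'test'
# filter (ends in 'then discard') plus a filter that already ends in a bare 'then accept'.
SAMPLE_CONFIG = """<configuration>
  <firewall><family><inet>
    <filter><name>test</name>
      <term><name>one</name>
        <from><interface>t1-0/0/0</interface></from>
        <then><count>ten-network</count><discard/></then></term>
      <term><name>two</name>
        <from><forwarding-class>assured-forwarding</forwarding-class></from>
        <then><discard/></then></term>
    </filter>
    <filter><name>open</name>
      <term><name>catch-all</name><then><accept/></then></term>
    </filter>
  </inet></family></firewall>
</configuration>"""

# Where the script reaches <filter> nodes: firewall/family/inet and inet6 are handed to
# the built-in XSLT template, which recurses into their <filter> children in mode "filter".
FILTER_PATHS = ("firewall/filter", "firewall/family/inet/filter", "firewall/family/inet6/filter")

def last_term(filt):
    """Equivalent of term[position() = last()]; None when the filter has no terms."""
    terms = filt.findall("term")
    return terms[-1] if terms else None

def needs_final_accept(filt):
    """Same predicate as the script: $last and ($last/from or $last/to or not($last/then/accept))."""
    last = last_term(filt)
    if last is None:          # empty node-set: the script does nothing for this filter
        return False
    return (last.find("from") is not None or last.find("to") is not None
            or last.find("then/accept") is None)

def audit(config_xml):
    """Return {edit path: last term name} for every filter the script would modify."""
    root = ET.fromstring(config_xml)
    flagged = {}
    for path in FILTER_PATHS:
        for filt in root.findall(path):
            if needs_final_accept(filt):
                edit_path = f"[edit {path.replace('/', ' ')} {filt.findtext('name')}]"
                flagged[edit_path] = last_term(filt).findtext("name")
    return flagged

if __name__ == "__main__":
    for edit_path, last in audit(SAMPLE_CONFIG).items():
        print(f"{edit_path}\n    warning: filter is missing final 'then accept' rule (last term: {last})")
```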

Testing the ex-add-accept Script

To test the ex-add-accept script, perform the following steps:

  1. Copy the XSLT or SLAX script from Example: Adding a Final then accept Term to a Firewall into a text file, name the file ex-add-accept.xsl or ex-add-accept.slax as appropriate, and copy it to the /var/db/scripts/commit directory on the device.
  2. Select the following configuration stanzas, and press Ctrl+c to copy them to the clipboard. If you are using the SLAX version of the script, change the filename at the [edit system scripts commit file] hierarchy level to ex-add-accept.slax.

    system {
        scripts {
            commit {
                file ex-add-accept.xsl;
            }
        }
    }
    firewall {
        policer sgt-friday {
            if-exceeding {
                bandwidth-percent 10;
                burst-size-limit 250k;
            }
            then discard;
        }
        family inet {
            filter test {
                term one {
                    from {
                        interface t1-0/0/0;
                    }
                    then {
                        count ten-network;
                        discard;
                    }
                }
                term two {
                    from {
                        forwarding-class assured-forwarding;
                    }
                    then discard;
                }
            }
        }
    }
    interfaces {
        t1-0/0/0 {
            unit 0 {
                family inet {
                    policer output sgt-friday;
                    filter input test;
                }
            }
        }
    }
  3. In configuration mode, issue the load merge terminal command to merge the stanzas into your device configuration:

    [edit]
    user@host# load merge terminal
    [Type ^D at a new line to end input]
    ... Paste the contents of the clipboard here ...
    1. At the prompt, paste the contents of the clipboard using the mouse and the paste icon.
    2. Press Enter.
    3. Press Ctrl+d.
  4. Issue the commit command. The following output appears:

    [edit]
    user@host# commit
    [edit firewall family inet filter test]
        warning: filter is missing final 'then accept' rule
    commit complete
  5. Issue the show firewall command. The following output appears:

    [edit]
    user@host# show firewall
    policer sgt-friday {
        if-exceeding {
            bandwidth-percent 10;
            burst-size-limit 250k;
        }
        then discard;
    }
    family inet {
        filter test {
            term one {
                from {
                    interface t1-0/0/0;
                }
                then {
                    count ten-network;
                    discard;
                }
            }
            term two {
                from {
                    forwarding-class assured-forwarding;
                }
                then {
                    discard;
                }
            }
            term very-last {
                then accept; /* This term was added by a commit script */
            }
        }
    }