Unique Identifiers for Firewall Variables
The system uses unique identifiers (UIDs) to aid with scaling. The UID enables the system to determine when configuration objects from multiple subscribers are identical and can be shared. In many situations, such as a filter definition, sharing a single filter among multiple subscribers instead of creating a new filter for every subscriber helps to conserve system resources.
Within a dynamic profile a UID is used to name a configuration
object. The system assigns the value of the UID (the object's name)
based upon all the variables contained within that configuration stanza
along with the dynamic profile's name. The assigned UID value consists
of the UID name combined with the string _UID and a unique
number. For instance, the UID $my-filter might be given
the value my-filter_UID1022.
You must first define a UID under the variable stanza
using the option uid. The UID must be defined at the end,
after all the variables that are assigned values externally.
dynamic-profile test-profile {
variables {
... [other variables] ...
[my-filter] {
uid;
}
}
}
After a UID has been defined, it can then be used to name an object:
dynamic-profile test-profile {
firewall {
family inet {
filter [$my-filter] {
... [filter definition that makes use of other variables] ...
}
}
}
}
As previously described, the system assigns the value of $my-filter depending on the values of the variables used within
that filter's definition.
The UID is also used in any other place that the object's name
is used. For example, here is an interface stanza to use $my-filter as an input filter:
dynamic-profile [test-profile] {
interfaces {
[$junos-interface-ifd-name]" {
unit [$junos-interface-unit] {
family inet {
filter {
input [$my-filter];
}
}
}
}
}
}
You can define multiple configuration objects of the same type (that is, multiple filters) as long as each one uses its own, individual, UID. To ensure that the system selects the correct object when assigning a name, use the uid-reference variable.
When the uid-reference is used, it is effectively evaluated twice. First, the value of the uid-reference variable is retrieved. Second, that value is used as the name of a UID and that UID value is retrieved. A uid-reference with a value that is not the name of a UID is considered an error.
A uid-reference is defined similarly to any other variable:
dynamic-profile [test-profile] {
variables {
[my-filter-selector] {
uid-reference;
}
}
}
A uid-reference is used wherever the name of the object is needed. One example is the name of the input filter in the following interface stanza:
dynamic-profile [test-profile] {
interfaces {
[$junos-interface-ifd-name] {
unit [$junos-interface-unit] {
family inet {
filter {
input [$my-filter-selector];
}
}
}
}
}
}
Consider the case where two parameterized filters are defined: $my-filter-1 and $my-filter-2. The $my-filter-selector variable might be assigned the value my-filter-1 or my-filter-2, depending upon which filter is appropriate.