azet / capirca

Fork: Multi-platform ACL generation system
https://code.google.com/p/capirca
Apache License 2.0

SRX generator creates terms with "protocol" statement which is not supported by the SRX platform #29

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create a policy like this one:

header {
  target:: srx from-zone trust to-zone untrust
}

term accept-icmp {
  protocol:: icmp
  action:: accept
}

term accept-tcp {
  protocol:: tcp
  action:: accept
}

2. Run the generator

What is the expected output?

security {
    zones {
    }
    policies {
        from-zone trust to-zone untrust {
            policy accept-icmp {
                match {
                    source-address any;
                    destination-address any;
                    application accept-icmp-app;
                }
                then {
                    permit;
                }
            }
            policy accept-tcp {
                match {
                    source-address any;
                    destination-address any;
                    application accept-tcp-app;
                }
                then {
                    permit;
                }
            }
        }
    }
}
applications {
    application accept-icmp-app {
        term t1 protocol icmp; # equivalent to "junos-icmp-all"
    }
    application accept-tcp-app {
        term t1 protocol tcp; # equivalent to "junos-tcp-any"
    }
}

What do you see instead?

security {
    zones {
    }
    policies {
        from-zone trust to-zone untrust {
            policy accept-icmp {
                match {
                    source-address any;
                    destination-address any;
                    protocol icmp;
                }
                then {
                    permit;
                }
            }
            policy accept-tcp {
                match {
                    source-address any;
                    destination-address any;
                    protocol tcp;
                }
                then {
                    permit;
                }
            }
        }
    }
}
applications {
}

Original issue reported on code.google.com by m...@google.com on 6 Jun 2012 at 8:41
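
A check for the defect reported above, as an added example that is not part of the original issue and is not capirca's own code: it walks generated SRX output and flags any `protocol` statement inside a security policy match block, plus any application that is referenced but never defined. The names `walk`, `lint_srx`, `POLICY`, `EXPECTED` and `ACTUAL` are hypothetical, the sample text is constructed from the two outputs in the issue (trimmed to one policy, without the `then` block), and treating `junos-*` applications as predefined is an assumption.

```python
def walk(config):
    """Yield (path, None) per opened block and (path, stmt) per statement."""
    path = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.endswith("{"):
            path.append(line[:-1].strip())
            yield tuple(path), None
        elif line == "}":
            path.pop()
        elif line.endswith(";"):
            yield tuple(path), line[:-1].strip()

def lint_srx(config):
    """Flag 'protocol' in a policy match, and applications used but not defined."""
    findings, referenced, defined = [], {}, set()
    for path, stmt in walk(config):
        if path[:1] == ("applications",) and len(path) == 2 and stmt is None:
            defined.add(path[1].split()[-1])
        elif path[:2] == ("security", "policies") and path[-1] == "match" and stmt:
            keyword, _, arg = stmt.partition(" ")
            policy = path[-2].split()[-1]
            if keyword == "protocol":
                findings.append(f"{policy}: 'protocol {arg}' is not supported in match")
            elif keyword == "application":
                referenced[arg] = policy
    for app, policy in sorted(referenced.items()):
        if app not in defined and not app.startswith("junos-"):  # assumed predefined
            findings.append(f"{policy}: application '{app}' is not defined")
    return findings

# Sample input constructed from the issue's two outputs, trimmed to one policy.
POLICY = """security {
    policies {
        from-zone trust to-zone untrust {
            policy accept-icmp {
                match {
                    source-address any;
                    destination-address any;
                    %s
                }
            }
        }
    }
}
applications {
%s}"""
APP = "    application accept-icmp-app {\n        term t1 protocol icmp;\n    }\n"
EXPECTED = POLICY % ("application accept-icmp-app;", APP)
ACTUAL = POLICY % ("protocol icmp;", "")
```

`lint_srx(EXPECTED)` returns an empty list, while `lint_srx(ACTUAL)` reports the `protocol icmp` statement in policy `accept-icmp`.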

GoogleCodeExporter commented 9 years ago
Thanks for reporting this issue.  Looking into it.

Original comment by watson on 6 Jun 2012 at 4:37

GoogleCodeExporter commented 9 years ago
Fixed at rev.186

Original comment by watson on 6 Jun 2012 at 9:14