dagmartin / capirca

Automatically exported from code.google.com/p/capirca
Apache License 2.0

SRX device supports only up to 8 terms per application #30

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Policy:
term test-access {
  destination-port:: TEST
  action:: accept
}

SERVICES.svc:
TEST = 1/tcp
       2/tcp
       3/tcp
       4/tcp
       5/tcp
       6/tcp
       7/tcp
       8/tcp
       9/tcp
       10/tcp

2. Generate output. Application part:
    application test-access-app {
        term t1 protocol tcp destination-port 1;
        term t2 protocol tcp destination-port 2;
        term t3 protocol tcp destination-port 3;
        term t4 protocol tcp destination-port 4;
        term t5 protocol tcp destination-port 5;
        term t6 protocol tcp destination-port 6;
        term t7 protocol tcp destination-port 7;
        term t8 protocol tcp destination-port 8;
        term t9 protocol tcp destination-port 9;
        term t10 protocol tcp destination-port 10;
    }

3. Apply to an SRX:

root# commit check
[edit applications application test-access-app]
 'term'
  number of elements exceeds limit of 8
error: configuration check-out failed: (number of elements exceeds limit)

The SRX does not allow more than 8 terms per application definition (maybe 
different platforms have different limits?). There are two solutions in my 
opinion:
- Create one application per port (cleaner imho).
- Create each application with max N terms (where N is 8?) and create new 
applications as long as necessary...

Original issue reported on code.google.com by m...@google.com on 25 Jun 2012 at 7:48

GoogleCodeExporter commented 9 years ago
I'll be taking a look at this shortly and see how best to implement a fix.  It 
is possible that nesting application groups within other application groups 
will also run into the same limitation, as well as a possible limitation on apps 
allowed per term.  Need to investigate these all further.

In the meantime, an issue is being opened with Juniper TAC by a colleague to see 
if this limit is platform specific, related to licensing, and if they can 
increase this limitation.

Original comment by watson@google.com on 25 Jun 2012 at 9:42

GoogleCodeExporter commented 9 years ago
FYI, what I would suggest is basically introducing the use of application-set. 
One set per term, I assume.

For the following example, say this is the definition:

Policy:
term http-access {
  destination-port:: HTTP
  action:: accept
}

SERVICES.svc:
HTTP = 80/tcp
       443/tcp

So instead of what is produced right now in the applications section:

   application http-access-app {
       term t1 protocol tcp destination-port 80;
       term t2 protocol tcp destination-port 443;
   }

I suggest generating output like this:

   application-set http-access-app-set {
       application http-access-app1;
       application http-access-app2;
   }
   application http-access-app1 {
       term t1 protocol tcp destination-port 80;
   }
   application http-access-app2 {
       term t1 protocol tcp destination-port 443;
   }

Original comment by m...@google.com on 2 Jul 2012 at 9:57
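
The two proposals in this thread (chunk each application to at most N terms and wrap the chunks in an application-set, or emit one application per port inside a set) are the same algorithm with different N. The following is an added, stand-alone example written for this page; it is not capirca's own generator and does not reproduce what r200 implemented. It parses a SERVICES.svc-style block, renders the Junos `applications` stanza for one policy term with a configurable per-application term limit, and includes a pre-commit check that counts terms per application so the "number of elements exceeds limit of 8" error is caught before `commit check`. The limit of 8 is assumed to be universal here only because that is what the reporter's SRX returned; the thread notes it may vary by platform. Names such as `build_srx_applications` and `find_oversized_applications` are this example's own. The service definitions embedded below are taken from the two examples in this issue.

```python
"""Chunk capirca-style service lists into SRX applications (added example).

Not capirca code: a stand-alone illustration of the application-set idea
discussed in this issue. Assumes the SRX limit of 8 terms per application
reported above; real platforms may differ.
"""
import re
from typing import Dict, List, Tuple

MAX_TERMS_PER_APP = 8  # assumption: limit observed on the reporter's SRX

PortSpec = Tuple[str, str]  # (port or port-range, protocol)

_PORT_RE = re.compile(r"^\d+(-\d+)?$")
_APP_RE = re.compile(r"^\s*application\s+(\S+)\s*\{\s*$")
_TERM_RE = re.compile(r"^\s*term\s+\S+\s+protocol\s+")

# Constructed from the two SERVICES.svc snippets posted in this issue.
SAMPLE_SERVICES = """
TEST = 1/tcp
       2/tcp
       3/tcp
       4/tcp
       5/tcp
       6/tcp
       7/tcp
       8/tcp
       9/tcp
       10/tcp
HTTP = 80/tcp   # web
       443/tcp
"""


def parse_services(text: str) -> Dict[str, List[PortSpec]]:
    """Parse 'NAME = port/proto ...' blocks with continuation lines and '#' comments.

    Nested references (NAME2 = NAME) are not handled; every token must be port/proto.
    """
    services: Dict[str, List[PortSpec]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if "=" in line:
            name, line = line.split("=", 1)
            current = name.strip()
            services[current] = []
        if current is None:
            raise ValueError(f"continuation line before any definition: {raw!r}")
        for token in line.split():
            if "/" not in token:
                raise ValueError(f"expected port/proto, got {token!r}")
            port, proto = token.split("/", 1)
            if not _PORT_RE.match(port):
                raise ValueError(f"bad port {port!r} in {token!r}")
            services[current].append((port, proto.lower()))
    return services


def build_srx_applications(term_name: str, ports: List[PortSpec],
                           max_terms: int = MAX_TERMS_PER_APP) -> List[str]:
    """Render Junos 'applications' lines for one policy term.

    With len(ports) <= max_terms this is the single '<term>-app' capirca emitted
    at the time of the report. Otherwise the ports are split into
    '<term>-app1', '<term>-app2', ... of at most max_terms terms each and
    grouped under '<term>-app-set'. max_terms=1 gives one application per port.
    """
    if max_terms < 1:
        raise ValueError("max_terms must be >= 1")
    if not ports:
        raise ValueError(f"no ports given for term {term_name}")

    def render_app(name: str, chunk: List[PortSpec]) -> List[str]:
        lines = [f"application {name} {{"]
        for i, (port, proto) in enumerate(chunk, start=1):
            lines.append(f"    term t{i} protocol {proto} destination-port {port};")
        lines.append("}")
        return lines

    if len(ports) <= max_terms:
        return render_app(f"{term_name}-app", ports)

    chunks = [ports[i:i + max_terms] for i in range(0, len(ports), max_terms)]
    out = [f"application-set {term_name}-app-set {{"]
    out += [f"    application {term_name}-app{n};" for n in range(1, len(chunks) + 1)]
    out.append("}")
    for n, chunk in enumerate(chunks, start=1):
        out.extend(render_app(f"{term_name}-app{n}", chunk))
    return out


def find_oversized_applications(config_lines: List[str],
                                max_terms: int = MAX_TERMS_PER_APP) -> Dict[str, int]:
    """Pre-commit check: return {application: term_count} for apps over the limit."""
    counts: Dict[str, int] = {}
    current = None
    for line in config_lines:
        m = _APP_RE.match(line)  # 'application-set' does not match (no whitespace)
        if m:
            current = m.group(1)
            counts[current] = 0
        elif line.strip() == "}":
            current = None
        elif current and _TERM_RE.match(line):
            counts[current] += 1
    return {name: n for name, n in counts.items() if n > max_terms}


if __name__ == "__main__":
    svc = parse_services(SAMPLE_SERVICES)
    old_style = build_srx_applications("test-access", svc["TEST"], max_terms=100)
    print("old output would fail:", find_oversized_applications(old_style))
    print("\n".join(build_srx_applications("test-access", svc["TEST"])))
```

Running the module prints the 10-term application from the report flagged as oversized, then the chunked form (an application-set over `test-access-app1` with 8 terms and `test-access-app2` with 2). Calling `build_srx_applications("http-access", ports, max_terms=1)` reproduces the one-application-per-port layout suggested in the comment above.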

GoogleCodeExporter commented 9 years ago
This should be fixed now with r200:
http://code.google.com/p/capirca/source/detail?r=200

Original comment by m...@google.com on 17 Aug 2012 at 8:53