jathanism / acl

Network access control list and firewall policy parsing library.

ACL parser enhancements for IPv4 Juniper firewall filters #3

Open jathanism opened 11 years ago

jathanism commented 11 years ago

Here's the syntax for the match conditions I have in the filters now:

    term evil-8065_DSCP { 
        /* Project:"non-zero TOS value DCSP"  */ 
        from { 
            dscp-except [ be cs0 ]; 
        } 

    term evil-8065_PRECEDENCE { 
        /* Project:"non-zero TOS value PRECEDENCE"  */ 
        from { 
            precedence-except routine; 
        } 

Would like to go ahead and add the rest of the matches.

DSCP:

    af11  Assured forwarding class 1, low drop precedence
    af12  Assured forwarding class 1, medium drop precedence
    af13  Assured forwarding class 1, high drop precedence
    af21  Assured forwarding class 2, low drop precedence
    af22  Assured forwarding class 2, medium drop precedence
    af23  Assured forwarding class 2, high drop precedence
    af31  Assured forwarding class 3, low drop precedence
    af32  Assured forwarding class 3, medium drop precedence
    af33  Assured forwarding class 3, high drop precedence
    af41  Assured forwarding class 4, low drop precedence
    af42  Assured forwarding class 4, medium drop precedence
    af43  Assured forwarding class 4, high drop precedence
    be    Best effort (default)
    cs0   Class selector 0
    cs1   Class selector 1
    cs2   Class selector 2
    cs3   Class selector 3
    cs4   Class selector 4
    cs5   Class selector 5
    cs6   Class selector 6
    cs7   Class selector 7
    ef    Expedited forwarding

TOS: Possible completions:

    Range of values
    [                 Open a set of values
    critical-ecp      Critical/ECP
    flash             Flash
    flash-override    Flash override
    immediate         Immediate
    internet-control  Internet control
    net-control       Network control
    priority          Priority
    routine           Routine

And also (obviously) make sure we support the non-except syntax, so...

    from {
        dscp [ all the same match variables ];

and

    from {
        precedence [ all the same match variables ];

jathanism commented 11 years ago

Notes on dscp and dscp-except arguments: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/junos-xml-ref-config/index.html?jd0e1231663.html

jathanism commented 11 years ago

Notes on precedence: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/junos-xml-ref-config/index.html?jd0e1231663.html

chepazzo commented 11 years ago

Added dscp bits to local branch. Parses all of the dscp stuff I throw at it, but fails on a full acl. Will have to wait until tomorrow to investigate further.

chepazzo commented 11 years ago

Initially, it looked like dscp wasn't working (even though dscp-except was) because this config:

        from {
            dscp-except [ af11 cs0 ];
            dscp [ af11 be cs0 cs7 ];
        }

Only showed the dscp-except on output.

However, Juniper does not allow this construct. Observe:

    me@router# load merge terminal
    [Type ^D at a new line to end input]
    firewall filter asdf {
        term DSCP_term {
            /* Project:"non-zero TOS value DCSP" */
            from {
                dscp-except [ af11 cs0 ];
                dscp [ af11 be cs0 cs7 ];
            }
            then {
                count match_non_zero_DCSP;
                port-mirror;
                next term;
            }
        }
    }
    load complete

    [edit]
    me@router# show firewall filter asdf
    term DSCP_term {
        /* Project:"non-zero TOS value DCSP" */
        from {
            dscp [ af11 be cs0 cs7 ];
        }
        then {
            count match_non_zero_DCSP;
            port-mirror;
            next term;
        }
    }

    [edit]
    me@router#

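As an added illustration (not code from the acl library or from anyone in this thread) of the two points raised above, the match-condition syntax from the opening post and the "only one of dscp / dscp-except survives" behaviour shown in the router session, here is a small stand-alone Python parser for the `dscp`, `dscp-except`, `precedence` and `precedence-except` lines of a Junos `from { ... }` block. It accepts both the single-value form (`precedence-except routine;`) and the bracketed set form (`dscp [ be cs0 ];`), validates values against the keyword lists quoted in the issue, and renders the result back to Junos syntax. The "last line for a field wins" rule is an assumption drawn from the session above, where the router kept the `dscp` line that was entered after `dscp-except`; the function and sample names are invented for this example, and the sample `from` blocks are constructed.

```python
import re

# Valid DSCP and precedence keywords, as listed in the Junos completions
# quoted in the opening post of this issue.
DSCP_VALUES = {
    "af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32", "af33",
    "af41", "af42", "af43", "be", "cs0", "cs1", "cs2", "cs3", "cs4", "cs5",
    "cs6", "cs7", "ef",
}
PRECEDENCE_VALUES = {
    "critical-ecp", "flash", "flash-override", "immediate",
    "internet-control", "net-control", "priority", "routine",
}

# keyword -> (field name, negated?, allowed values)
MATCH_KEYWORDS = {
    "dscp": ("dscp", False, DSCP_VALUES),
    "dscp-except": ("dscp", True, DSCP_VALUES),
    "precedence": ("precedence", False, PRECEDENCE_VALUES),
    "precedence-except": ("precedence", True, PRECEDENCE_VALUES),
}

# Matches `keyword value;` or `keyword [ v1 v2 ... ];`.
MATCH_RE = re.compile(
    r"^\s*(?P<kw>dscp-except|dscp|precedence-except|precedence)\s+"
    r"(?:\[\s*(?P<list>[^\]]*?)\s*\]|(?P<single>[\w-]+))\s*;\s*$"
)


def parse_from_block(text):
    """Parse the dscp/precedence conditions of one `from { ... }` block.

    Returns {field: {"values": [...], "except": bool}}. Assumption taken from
    the router session in this issue: `dscp` and `dscp-except` are mutually
    exclusive, and whichever line comes last for a field replaces the earlier
    one (the router kept `dscp`, which was entered after `dscp-except`).
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("/*"):
            continue  # blank line or Junos comment
        m = MATCH_RE.match(line)
        if m is None:
            continue  # `from {`, `}`, or a match condition we do not handle
        field, negated, allowed = MATCH_KEYWORDS[m.group("kw")]
        raw = m.group("list") if m.group("list") is not None else m.group("single")
        values = raw.split()
        bad = [v for v in values if v not in allowed]
        if bad:
            raise ValueError("invalid %s value(s): %s" % (field, ", ".join(bad)))
        result[field] = {"values": values, "except": negated}
    return result


def render_from_block(parsed, indent="    "):
    """Render a parsed block back to Junos syntax (one value -> bare, more -> [ ... ])."""
    lines = [indent + "from {"]
    for field in ("dscp", "precedence"):
        if field not in parsed:
            continue
        cond = parsed[field]
        kw = field + ("-except" if cond["except"] else "")
        vals = cond["values"]
        arg = vals[0] if len(vals) == 1 else "[ " + " ".join(vals) + " ]"
        lines.append("%s    %s %s;" % (indent, kw, arg))
    lines.append(indent + "}")
    return "\n".join(lines)


# Constructed sample blocks, modelled on the snippets in this issue.
SAMPLE_DSCP_EXCEPT = "from {\n    dscp-except [ be cs0 ];\n}\n"
SAMPLE_PRECEDENCE_EXCEPT = "from {\n    precedence-except routine;\n}\n"
SAMPLE_CONFLICT = (
    "from {\n"
    "    dscp-except [ af11 cs0 ];\n"
    "    dscp [ af11 be cs0 cs7 ];\n"
    "}\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_DSCP_EXCEPT, SAMPLE_PRECEDENCE_EXCEPT, SAMPLE_CONFLICT):
        parsed = parse_from_block(sample)
        print(parsed)
        print(render_from_block(parsed))
```

Running the module prints each parsed block and its re-rendered form; for the conflicting sample only the `dscp [ af11 be cs0 cs7 ];` line survives, matching what the router showed. Values outside the quoted keyword lists raise `ValueError` rather than being silently passed through.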
chepazzo commented 11 years ago

This was fixed a while back (Version 0.3). Now, we need to push these changes into Trigger.