jathanism / acl

Network access control list and firewall policy parsing library.

Trigger should support JunOS policy-options Edit #9

Open jathanism opened 11 years ago

jathanism commented 11 years ago

Take this very benign example of a policy-statement:

policy-statement Martians {
    term T1 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /25-/32;
            route-filter 10.0.0.0/8 orlonger;
            route-filter 127.0.0.0/8 orlonger;
            route-filter 128.0.0.0/16 orlonger;
            route-filter 169.254.0.0/16 orlonger;
            route-filter 172.16.0.0/12 orlonger;
            route-filter 191.255.0.0/16 orlonger;
            route-filter 192.0.0.0/24 orlonger;
            route-filter 192.0.2.0/24 orlonger;
            route-filter 192.168.0.0/16 orlonger;
            route-filter 224.0.0.0/4 orlonger;
        }
        then reject;
    }
}

which I would then call in some sort of routing policy; in this case it might be for a BGP peer:

bgp {
    log-updown;
    remove-private;
    group Your Mom {
        type external;
        import [ Martians YM_communities-next_hop ];
        export [ Public-Stuff Match_Any_Deny ];
        peer-as 1234;
        neighbor 1.2.3.4;
    }
}

Trigger should be able to handle me modifying a section of the policy, either to add a new term, possibly insert a statement into an existing term, or change the behavior of the policy-statement in some way:

policy-statement Martians {
    term T1 {
        from {
            route-filter 0.0.0.0/0 prefix-length-range /25-/32;
            route-filter 10.0.0.0/8 orlonger;
            route-filter 127.0.0.0/8 orlonger;
            route-filter 128.0.0.0/16 orlonger;
            route-filter 169.254.0.0/16 orlonger;
            route-filter 172.16.0.0/12 orlonger;
            route-filter 191.255.0.0/16 orlonger;
            route-filter 192.0.0.0/24 orlonger;
            route-filter 192.0.2.0/24 orlonger;
            route-filter 192.168.0.0/16 orlonger;
            route-filter 224.0.0.0/4 orlonger;
        }
        then reject;
    }
    term T2 {
        then log;
    }
}

Or possibly even add/change another variable of my peer. Let's say I wish to drain this router:

bgp {
    log-updown;
    remove-private;
    group Your Mom {
        type external;
        import [ YM_communities-next_hop ];
        export [ Your_Mom_Drain_Policy ];
        peer-as 1234;
        neighbor 1.2.3.4;
    }
}

Examples could vary. I may roll a new routing policy to a router and add it to an import or export statement. There is also a huge variety of policy match conditions and actions that might be useful.
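The three edits the issue asks for (append a term to a policy-statement, swap the policies in a peer group's import/export chain, and re-emit the result) all reduce to parsing the JunOS brace syntax into a tree, mutating that tree, and rendering it back. The toy parser and editor below is an added example, not code from Trigger or from the acl library; it works on a constructed configuration modelled on the snippets above (`policy-statement Martians`, `group "Your Mom"`) and assumes real JunOS quoting, where a group name containing a space is written in double quotes. It also adds a small audit helper, `groups_missing_import`, that lists BGP groups whose import chain does not reference a given policy, which is the check you would want to run after a drain edit so that a peer does not silently lose its martian filter.

```python
import re

# Constructed sample modelled on the issue's policy-statement and bgp group.
SAMPLE = """\
policy-options {
    policy-statement Martians {
        term T1 {
            from {
                route-filter 10.0.0.0/8 orlonger;
                route-filter 192.168.0.0/16 orlonger;
            }
            then reject;
        }
    }
}
protocols {
    bgp {
        group "Your Mom" {
            import [ Martians YM_communities-next_hop ];
            export [ Public-Stuff Match_Any_Deny ];
            neighbor 1.2.3.4;
        }
        group Unfiltered {
            import YM_communities-next_hop;
            neighbor 10.9.8.7;
        }
    }
}
"""

class Node:
    """One statement; `children` is None for a leaf ('...;') and a list for a block ('... {')."""
    def __init__(self, name, children=None):
        self.name, self.children = name, children

    def child(self, name):
        """First direct child whose statement text equals `name`, else None."""
        return next((c for c in self.children or [] if c.name == name), None)

def parse(text):
    """Build a tree from brace-formatted text; raise ValueError on unbalanced braces."""
    stack = [Node("", [])]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif line.endswith("{"):
            block = Node(line[:-1].strip(), [])
            stack[-1].children.append(block)
            stack.append(block)
        elif line.endswith(";"):
            stack[-1].children.append(Node(line[:-1].strip()))
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    if len(stack) != 1:
        raise ValueError(f"unclosed block {stack[-1].name!r}")
    return stack[0]

def render(node, depth=0):
    """Serialise a tree back to text with 4-space indentation (round-trips SAMPLE exactly)."""
    pad, out = "    " * depth, []
    for c in node.children:
        if c.children is None:
            out.append(f"{pad}{c.name};\n")
        else:
            out.append(f"{pad}{c.name} {{\n{render(c, depth + 1)}{pad}}}\n")
    return "".join(out)

# Matches 'import [ A B ]' as well as the single-policy form 'import A'.
LIST_RE = re.compile(r"^(import|export)\s+(?:\[\s*(.*?)\s*\]|(\S+))$")

def policy_list(group, direction):
    """Policy names in a group's import/export chain, in order ([] if absent)."""
    for c in group.children:
        m = LIST_RE.match(c.name)
        if m and m.group(1) == direction:
            return (m.group(2) or m.group(3)).split()
    return []

def set_policy_list(group, direction, names):
    """Replace (or append) a group's import/export statement, keeping its position."""
    new = Node(f"{direction} [ {' '.join(names)} ]")
    for i, c in enumerate(group.children):
        if c.name.split(None, 1)[0] == direction:
            group.children[i] = new
            return
    group.children.append(new)

def add_term(policy, term_name, statements):
    """Append a term made of the given leaf statements to a policy-statement block."""
    policy.children.append(Node(f"term {term_name}", [Node(s) for s in statements]))

def groups_missing_import(root, policy_name):
    """BGP group names whose import chain does not reference `policy_name` (audit check)."""
    bgp = root.child("protocols").child("bgp")
    return [g.name[len("group "):] for g in bgp.children
            if g.children is not None and g.name.startswith("group ")
            and policy_name not in policy_list(g, "import")]
```

To reproduce the issue's two edits: `cfg = parse(SAMPLE)`, then `add_term(cfg.child("policy-options").child("policy-statement Martians"), "T2", ["then log"])` for the new term, and `set_policy_list(grp, "export", ["Your_Mom_Drain_Policy"])` on `grp = cfg.child("protocols").child("bgp").child('group "Your Mom"')` for the drain; `render(cfg)` gives the text to push. Running `groups_missing_import(cfg, "Martians")` before and after shows which peers have lost the martian filter, which on the sample is `["Unfiltered"]` to start with.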