Commit 10eb2ece authored by Aleksandr Kurbatov's avatar Aleksandr Kurbatov

Merge branch 'feature/nat-697-sbp' into 'develop'

FW role finishing

See merge request !200
parents 2ea32c8d c626afe4
1 merge request!200FW role finishing
Pipeline #90786 passed
with 772 additions and 0 deletions
---
# - name: Fetch access port info from the subscription
# ansible.builtin.include_tasks: traverse_subscription.yml
# The "delegate_to" works as expected in conjuction with "import_tasks".
# However, mixing "imports" with "includes" is not recommended.
# Another way is to "apply" the "delegate_to: localhost".
- name: Assemble the config from fragments in previous roles
ansible.builtin.include_tasks: assemble_config.yml
- name: Include set connection tasks
ansible.builtin.include_tasks: connection_tasks.yml
# The "verb == deploy" is (probably) not needed
# because it has already been checked in the
# invoking playbook (nren_l3_core_services.yaml):
#
# - name: Deploy
# block:
# - name: Include deployment role
# ansible.builtin.include_role:
# name: deploy_service_config
# when: verb == deploy
#
- name: Push assembled config to device
ansible.builtin.include_tasks: push_config.yml
---
- name: Config deploy [CHECK ONLY][NOKIA]
when: >
dry_run | ansible.builtin.bool
and
vendor == "nokia"
geant.gap_ansible.nokia_netconf_config:
format: xml
default_operation: merge
content: "{{ lookup('ansible.builtin.file', '/var/tmp/ansible_run_{{ opid }}/assembled/for_deployment') }}"
commit: true
validate: true
config_mode: private
diff: true
register: output
check_mode: true
- name: Fail if there is any diff
when: >
output.changed | ansible.builtin.bool
and
is_verification_workflow | ansible.builtin.bool
ansible.builtin.fail:
msg: Service "{{ subscription.product.product_type }}" config for "{{ partner_name | upper }}" drifted!
- name: Config deploy [AND COMMIT][NOKIA]
when: >
not dry_run | ansible.builtin.bool
and
vendor == "nokia"
geant.gap_ansible.nokia_netconf_config:
format: xml
default_operation: merge
content: "{{ lookup('ansible.builtin.file', '/var/tmp/ansible_run_{{ opid }}/assembled/for_deployment') }}"
commit: true
commit_comment: "{{ commit_comment }}"
config_mode: private
diff: true
check_mode: false
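Review bot: The drift check in `Fail if there is any diff` reads `output.changed`, but `output` is only registered by the `[CHECK ONLY]` task, so a run with `dry_run` false and `is_verification_workflow` true would most likely hit an undefined variable in the `when` expression instead of a clean skip; guarding it as `output is defined and output.changed | ansible.builtin.bool and is_verification_workflow | ansible.builtin.bool` makes the intent explicit. The `[AND COMMIT]` task also drops the `validate: true` that the check-only task requests; if the module can validate before committing (I cannot confirm its parameter semantics from here), the committing task is where it matters most, and the same applies to the `[COMMIT]` task in deploy_fw.yaml. The assembled config is read from `/var/tmp/ansible_run_{{ opid }}/...`, a shared world-writable location named only by `opid`; a controller-private directory, or a restrictive mode on the run directory, would reduce the chance of another local user pre-creating or replacing that path before the push.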
---
# The following tarversal of JSON should be part of
# the entry playbook. Or maybe even better, a separate
# role invoked at its very beginning so that all other
# roles can use it.
#
# Note: This requires python3-jmespath to be installed.
#
- name: Find matching nren_ap_list element
ansible.builtin.set_fact:
filtered_ap_list: "{{ subscription['l3_core_service']['ap_list'] | json_query(query) }}"
vars:
query: "[?sbp.edge_port.node.router_fqdn == `{{ inventory_hostname }}`]"
- name: Check if subscription contradicts inventory_hostname
ansible.builtin.fail:
msg: "The number of router_fqdn elements that match is {{ filtered_ap_list | length }}."
when: filtered_ap_list | length != 1
- name: Find matching nren_ap_list element
ansible.builtin.set_fact:
ap: "{{ filtered_ap_list[0] }}"
- name: Print the matched nren_ap_list element
ansible.builtin.debug:
msg: "{{ ap }}"
- name: Set the short name for node
ansible.builtin.set_fact:
router: "{{ ap.sbp.edge_port.node }}"
- name: Print the node
ansible.builtin.debug:
msg: "{{ router }}"
- name: Set the short name for vendor
ansible.builtin.set_fact:
vendor: "{{ router.vendor }}"
- name: Print the vendor
ansible.builtin.debug:
msg: "{{ vendor }}"
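Review bot: Two tasks in this file carry the same name, `Find matching nren_ap_list element` (the `json_query` one and the one that picks `filtered_ap_list[0]`), which makes the play log ambiguous when the fail task fires between them; rename the second to `- name: Select the single matched nren_ap_list element`. The JMESPath query embeds `inventory_hostname` inside backtick literal quotes, so a hostname containing a backtick would break the query rather than simply fail to match; acceptable for inventory-controlled names, but a one-line comment stating that assumption would help. The header comment also reads "tarversal" where "traversal" is meant.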
---
# vars file for deploy_service_config
dry_run: true
is_verification_workflow: false
router: "{{ ap.sbp.edge_port.node }}"
vendor: "{{ router.vendor }}"
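Review bot: `router` and `vendor` are defined here as role vars and again via `set_fact` in traverse_subscription.yml; the `set_fact` values take precedence, so one of the two definitions is dead and the pair can drift apart over time, so keep only one. Values in a role's `vars/` also sit above inventory and play vars in precedence, so `dry_run: true` and `is_verification_workflow: false` cannot be overridden from group_vars or host_vars, only from extra vars or role parameters; if that is intended as a safe-by-default, a comment such as `# role vars: override only via extra vars / role params` would make it explicit, otherwise they belong in `defaults/main.yml`. The same consideration applies to `is_standalone_run` in the fw_filters vars file.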
Role Name
=========
A role for configuring IP filters in Nokia SROS.
Requirements
------------
GEANT custom netconf module with Nokia "commit_comment" and "config_mode" features.
Role Variables
--------------
- vars/main.yaml
- external inventory (group_vars)
- orchestrator (GSO)
Dependencies
------------
n/a
Example Playbook
----------------
Role is supposed to be driven by GSO.
License
-------
MIT
Author Information
------------------
A. Kurbatov, S. Spinelli. GEANT Orchestration and Automation Team (GOAT).
---
# defaults file for fw_filters
---
# handlers file for fw_filters
galaxy_info:
author: A. Kurbatov
description: GEANT Orchestration and Automation Team
company: GEANT
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: MIT
min_ansible_version: '2.10'
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags:
- network
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
---
- name: Set ansible host to localhost to compile template
ansible.builtin.set_fact:
ansible_host: "localhost"
ansible_connection: local
- name: Print the template in "/var/tmp/ansible_run_{{ opid }}/{{ partner_name }}_filters.conf"
# when: verb in ["deploy", "update", "terminate"]
ansible.builtin.template:
src: "filters/gen_filters.j2"
dest: "/var/tmp/ansible_run_{{ opid }}/{{ partner_name }}_filters.conf"
lstrip_blocks: true
trim_blocks: true
mode: '0755'
delegate_to: localhost
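Review bot: The rendered filter file is written with `mode: '0755'`; it is data rather than a script, so `mode: '0644'` (or `'0600'`, given it lives under the shared `/var/tmp`) is the appropriate setting. The `set_fact` of `ansible_host`/`ansible_connection` to localhost in the first task is redundant with the `delegate_to: localhost` on the template task, and because `set_fact` outlives this file a later non-delegated task may keep targeting localhost unless something restores `ansible_host`; in deploy_fw.yaml it is only restored on the terminal-server branch, as far as I can see. Dropping the first task and relying on `delegate_to` avoids that. The commented-out `when: verb in [...]` should either be restored or removed.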
---
- name: Import variables from 'all'
ansible.builtin.include_vars:
dir: /opt/ansible_inventory/group_vars/all
- name: Set ansible_host to terminal server when router is offline
when: ap.sbp.edge_port.node.router_access_via_ts | ansible.builtin.bool
ansible.builtin.set_fact:
ansible_host: "{{ ap.sbp.edge_port.node.router_site.site_ts_address }}"
ansible_port: "{{ ap.sbp.edge_port.node.router_ts_port }}"
- name: Load netconf connection config
ansible.builtin.set_fact:
ansible_connection: "{{ netconf_access[ap.sbp.edge_port.node.vendor].ansible_connection }}"
ansible_network_os: "{{ netconf_access[ap.sbp.edge_port.node.vendor].ansible_network_os }}"
- name: Deploy FW config on "{{ inventory_hostname }}" [CHECK ONLY][NOKIA]
when: dry_run | ansible.builtin.bool
geant.gap_ansible.nokia_netconf_config:
format: xml
default_operation: merge
content: "{{ lookup('ansible.builtin.file', '/var/tmp/ansible_run_{{ opid }}/{{ partner_name }}_filters.conf') }}"
commit: true
validate: true
config_mode: private
diff: true
register: output
check_mode: true
- name: Deploy FW config on "{{ inventory_hostname }}" [COMMIT][NOKIA]
when: not (dry_run | ansible.builtin.bool)
geant.gap_ansible.nokia_netconf_config:
format: xml
default_operation: merge
content: "{{ lookup('ansible.builtin.file', '/var/tmp/ansible_run_{{ opid }}/{{ partner_name }}_filters.conf') }}"
commit: true
commit_comment: "{{ commit_comment }}"
config_mode: private
diff: true
register: output
check_mode: false
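Review bot: `include_vars` points at the absolute path `/opt/ansible_inventory/group_vars/all`, which ties the role to one controller layout and loads whatever happens to be there; a variable such as `inventory_group_vars_dir` with that path as its documented default, or `{{ inventory_dir }}/group_vars/all`, keeps the dependency visible. The `[COMMIT]` task registers `output` but nothing reads it, so the commit result is not surfaced beyond the module's own return code; either drop the `register` or add a follow-up task that reports `output.diff`. Both deploy tasks assume `netconf_access[...]` has an entry for the vendor; a missing key fails with a generic undefined-variable error rather than a clear message, which an `ansible.builtin.assert` before the lookup would fix.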
---
# tasks file for fw_filters
- name: Include preparation of FW vars
ansible.builtin.include_tasks: merge_variables.yaml
- name: Include filter compilation
ansible.builtin.include_tasks: compile.yaml
- name: Include filter compilation
when: is_standalone_run | ansible.builtin.bool
ansible.builtin.include_tasks: deploy_fw.yaml
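Review bot: The last two tasks share the name `Include filter compilation` although the second includes deploy_fw.yaml; rename it to `- name: Include FW deployment (standalone run only)`. Since deployment only runs when `is_standalone_run` is true, a short comment above it saying who deploys otherwise (presumably the deploy_service_config role consuming the compiled fragment) would save the next reader a search.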
---
# Prepare FW vars depending on the "service_type" and "custom_filters"
- name: Prepare FW vars for NREN L3 Core Service with custom filters
when: >-
subscription.product.product_type == "L3CoreService"
and
subscription.l3_core_service_type == "GÉANT IP"
and
ap.sbp.custom_firewall_filters | ansible.builtin.bool
block:
- name: Merge NREN custom filters if selected
ansible.builtin.set_fact:
custom_edge_fw: "{{ [STANDARD_NREN_FW__to_merge, CUSTOM_NREN_FW] | community.general.lists_mergeby('name',
recursive=true, list_merge='append') }}"
- name: Combine Custom and standard EDGE filters
ansible.builtin.set_fact:
gen_filters: "{{ [STANDARD_EDGE_FW__to_merge, custom_edge_fw] | community.general.lists_mergeby('name') }}"
- name: Prepare FW vars for NREN L3 Core Service with standard filters
when: >-
subscription.product.product_type == "L3CoreService"
and
subscription.l3_core_service_type == "GÉANT IP"
and
not ap.sbp.custom_firewall_filters | ansible.builtin.bool
block:
- name: Merge NREN standard filters
ansible.builtin.set_fact:
gen_filters: "{{ lookup('community.general.merge_variables', 'FW__to_merge', pattern_type='suffix') }}"
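Review bot: Neither block sets `gen_filters` when the subscription is not an `L3CoreService` of type `GÉANT IP`, so gen_filters.j2 then renders against an undefined variable and the failure surfaces at template time rather than here; an explicit guard such as `- name: Verify FW vars were prepared` with `ansible.builtin.assert: { that: gen_filters is defined, fail_msg: "no FW variable set matched this subscription" }` turns the unsupported-service case into a clear error. Both `when` conditions repeat the same first two clauses; factoring them into one fact (e.g. `is_geant_ip_service`) leaves the custom/standard distinction as the only difference. The standard path uses `merge_variables` with the `FW__to_merge` suffix, which picks up every variable ending that way, while the custom path names two specific variables; a comment confirming that asymmetry is intentional would help.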
{% with is_cpm_filter=true, filters=cpm_filters %}
{% include "filters/port_list_definitions.j2" %}
<system>
<security>
<cpm-filter xmlns="urn:nokia.com:sros:ns:yang:sr:conf" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nokia-attr="urn:nokia.com:sros:ns:yang:sr:attributes">
<default-action>{{ cpm_filter_policy.default_action }}</default-action>
{% include "filters/fw_filters.j2" %}
</cpm-filter>
{% endwith %}
</security>
</system>
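Review bot: fw_filters.j2 always opens the filter element with `alu:operation="replace"`, but this template only declares the `nc` and `nokia-attr` prefixes on `<cpm-filter>`; unless the caller wraps the output in an element that binds `alu` (gen_filters.j2 does so on `<config>` only when `is_standalone_run` is true), the rendered XML carries an unbound prefix and will not parse. Adding `xmlns:alu="urn:ietf:params:xml:ns:netconf:base:1.0"` to `<cpm-filter>`, or binding the prefix once at the outermost element, fixes it.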
{# Template is meant to be called from either gen_filters.j2 or cmp_filters.j2 #}
{% for filter in filters %}
{% if filter.family == "ipv4" %}
<ip-filter alu:operation="replace">
{% elif filter.family == "ipv6" %}
<ipv6-filter alu:operation="replace">
{% endif %}
{% if not is_cpm_filter %}
<filter-name>{{ filter.name }}</filter-name>
{% if filter.scope is defined %}
<scope>{{ filter.scope }}</scope>
{% endif %}
{% if filter.default_action is defined %}
<default-action>{{ filter.default_action }}</default-action>
{% endif %}
{% if filter.chain_to_system_filter is defined %}
<chain-to-system-filter>{{ filter.chain_to_system_filter | lower }}</chain-to-system-filter>
{% endif %}
{% if filter.embed is defined %}
<embed>
{% for embed in filter.embed %}
{% if embed.type == 'filter' %}
<filter>
<name>{{ embed.name }}</name>
<offset>{{ embed.offset }}</offset>
</filter>
{% elif embed.type == 'flowspec' %}
<flowspec>
<offset>{{ embed.offset }}</offset>
<router-instance>{{ embed.router_instance }}</router-instance>
</flowspec>
{% endif %}
{% endfor %}
</embed>
{% endif %}
{% endif %}
{% if filter.offset is defined %}
{% set ns3 = namespace(entry_id = filter.offset | int) %}
{% else %}
{% set ns3 = namespace(entry_id = 10 | int) %}
{% endif %}
{% if is_cpm_filter %}
<admin-state>{{ filter.admin_state }}</admin-state>
{% endif %}
{# Filter can be without terms, but with embedded items #}
{% if filter.terms is defined %}
{% for term in filter.terms %}
{% if term.offset is defined %}
{% set ns3 = namespace(entry_id = term.offset | int) %}
{% endif %}
{% if term.from is not defined %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
{% include 'filters/term_action.j2' if term.action is defined %}
</entry>
{% endif %}
{% if term.from is defined %}
{# Special cases where from.protocol is defined #}
{% if term.from.protocol is defined %}
{# This is the case for TCP_ESTABLISHED #}
{% if term.from.protocol == "tcp" and term.from.tcp_flag is defined %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
<tcp-flags>
<{{ term.from.tcp_flag }}>true</{{ term.from.tcp_flag }}>
</tcp-flags>
</match>
{% if term.action is defined %}
{% include 'filters/term_action.j2' %}
{% endif %}
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endif %}
{# Generic ICMP filters with ICMP types #}
{% if (term.from.protocol == "icmp" or term.from.protocol == "ipv6-icmp") %}
{% if term.from.icmp_types is defined %}
{% for icmp_type in term.from.icmp_types %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
<icmp>
<type>{{ icmp_type }}</type>
</icmp>
</match>
{% if term.action is defined %}
{% include 'filters/term_action.j2' %}
{% endif %}
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endfor %}
{% endif %}
{% endif %}
{# Case when only need to match on protocol, e.g. PIM #}
{% if term.from.protocol in ['pim', '58'] %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
</match>
{% if term.action is defined %}
{% include 'filters/term_action.j2' %}
{% endif %}
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endif %}
{% endif %}
{# Case when both src_prefix_list and dst_prefix_list are defined #}
{% if term.from.src_prefix_list is defined %}
{% for src_prefix_list_item in term.from.src_prefix_list%}
{% set src_index = loop.index0 %}
{% if term.from.dst_prefix_list is defined %}
{% for dst_prefix_list_item in term.from.dst_prefix_list %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if term.from.protocol is defined %}
{% if filter.family == "ipv4" %}
<protocol>{{term.from.protocol}}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
{% elif term.from.protocol_list is defined %}
{% if filter.family == "ipv4" %}
<protocol-list>{{ filter.name }}-{{ term.name }}-PROTO</protocol-list>
{% else %}
<next-header-list>{{ filter.name }}-{{ term.name }}-PROTO</next-header-list>
{% endif %}
{% endif %}
{% include 'filters/port_list_entries.j2' %}
<src-ip>
{% if filter.family == "ipv4" %}
<ip-prefix-list>{{term.from.src_prefix_list[src_index]}}</ip-prefix-list>
{% else %}
<ipv6-prefix-list>{{term.from.src_prefix_list[src_index]}}</ipv6-prefix-list>
{% endif %}
</src-ip>
<dst-ip>
{% if filter.family == "ipv4" %}
<ip-prefix-list>{{term.from.dst_prefix_list[loop.index0]}}</ip-prefix-list>
{% else %}
<ipv6-prefix-list>{{term.from.dst_prefix_list[loop.index0]}}</ipv6-prefix-list>
{% endif %}
</dst-ip>
</match>
{% if term.action is defined %}
{% include 'filters/term_action.j2' %}
{% endif %}
{% set ns3.entry_id = ns3.entry_id + 10 %}
</entry>
{% endfor %}
{% else %}
{# src_prefix_list is defined, dst_prefix_list is not #}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if term.from.protocol is defined %}
{% if filter.family == "ipv4" %}
<protocol>{{term.from.protocol}}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
{% elif term.from.protocol_list is defined %}
{% if filter.family == "ipv4" %}
<protocol-list>{{ filter.name }}-{{ term.name }}-PROTO</protocol-list>
{% else %}
<next-header-list>{{ filter.name }}-{{ term.name }}-PROTO</next-header-list>
{% endif %}
{% endif %}
{% include 'filters/port_list_entries.j2' %}
<src-ip>
{% if filter.family == "ipv4" %}
<ip-prefix-list>{{term.from.src_prefix_list[src_index]}}</ip-prefix-list>
{% else %}
<ipv6-prefix-list>{{term.from.src_prefix_list[src_index]}}</ipv6-prefix-list>
{% endif %}
</src-ip>
</match>
{% if term.action is defined %}
{% include 'filters/term_action.j2' %}
{% endif %}
{% set ns3.entry_id = ns3.entry_id + 10 %}
</entry>
{% endif %}
{% endfor %}
{# Case where only DST prefix list is defined #}
{% elif term.from.dst_prefix_list is defined %}
{% for dst_prefix_list_item in term.from.dst_prefix_list %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if term.from.protocol is defined %}
{% if filter.family == "ipv4" %}
<protocol>{{term.from.protocol}}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
{% elif term.from.protocol_list is defined %}
{% if filter.family == "ipv4" %}
<protocol-list>{{ filter.name }}-{{ term.name }}-PROTO</protocol-list>
{% else %}
<next-header-list>{{ filter.name }}-{{ term.name }}-PROTO</next-header-list>
{% endif %}
{% endif %}
{% include 'filters/port_list_entries.j2' %}
<dst-ip>
{% if filter.family == "ipv4" %}
<ip-prefix-list>{{term.from.dst_prefix_list[loop.index0]}}</ip-prefix-list>
{% else %}
<ipv6-prefix-list>{{term.from.dst_prefix_list[loop.index0]}}</ipv6-prefix-list>
{% endif %}
</dst-ip>
</match>
{% if term.action is defined %}
{% include 'filters/term_action.j2' %}
{% endif %}
{% set ns3.entry_id = ns3.entry_id + 10 %}
</entry>
{% endfor %}
{# term.from.protocol and ports are defined, but not SRC or DST prefix list - e.g. IPv4 traceroute #}
{% elif term.from.protocol is defined and term.from.protocol in ['udp'] %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
{% include 'filters/port_list_entries.j2' %}
</match>
{% if term.action is defined %}
{% include 'filters/term_action.j2' %}
{% endif %}
</action>
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{# Terms end #}
{% if filter.family == "ipv4" %}
</ip-filter>
{% elif filter.family == "ipv6" %}
</ipv6-filter>
{% endif %}
{% endfor %}
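Review bot: In the UDP-only branch (`elif term.from.protocol is defined and term.from.protocol in ['udp']`) there is a stray `</action>` after the `term_action.j2` include; term_action.j2 already closes its own `<action>`, so the output gets an unmatched closing tag (and one with no opener at all when `term.action` is undefined), which the device will reject as malformed XML, so delete that line. Separately, `{% set ns3 = namespace(entry_id = term.offset | int) %}` inside the `for term` loop creates a loop-scoped namespace: the `+ 10` increments of that term mutate the inner object, and at the next iteration the outer `ns3` reappears with its pre-offset value, so a term with an `offset` followed by a term without one can emit duplicate `entry-id`s within one filter, and under a `replace` operation a later term then silently overwrites an earlier one. Assign into the existing namespace instead, `{% set ns3.entry_id = term.offset | int %}`, which keeps the counter shared across iterations. The increment is placed before `</entry>` in the prefix-list branches and after it elsewhere; harmless, but one position would make the numbering easier to audit.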
{% if is_standalone_run %}
<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:alu="urn:ietf:params:xml:ns:netconf:base:1.0">
<configure xmlns="urn:nokia.com:sros:ns:yang:sr:conf">
{% endif %}
{% with is_cpm_filter=False, filters=gen_filters %}
<filter xmlns="urn:nokia.com:sros:ns:yang:sr:conf" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nokia-attr="urn:nokia.com:sros:ns:yang:sr:attributes">
{% include "filters/port_list_definitions.j2" %}
{% include "filters/protocol_list_definitions.j2" %}
{% include "filters/fw_filters.j2" %}
</filter>
{% endwith %}
{% if is_standalone_run %}
</configure>
</config>
{% endif %}
{# Goes through the list of terms in a filter and configures port-lists #}
<match-list>
{% for filter in filters %}
{% if filter.terms is defined %}
{% for term in filter.terms %}
{% if term.from.port is defined and term.from.port.__class__.__name__ == 'list'%}
<port-list>
<port-list-name>{{filter.name}}-{{term.name}}-PORTS</port-list-name>
{%for port in term.from.port %}
<port>
<value>{{port}}</value>
</port>
{% endfor %}
</port-list>
{% endif %}
{% if term.from.src_port is defined and term.from.src_port.__class__.__name__ == 'list'%}
<port-list>
<port-list-name>{{filter.name}}-{{term.name}}-SRC_PORTS</port-list-name>
{%for port in term.from.src_port %}
<port>
<value>{{port}}</value>
</port>
{% endfor %}
</port-list>
{% endif %}
{% if term.from.dst_port is defined and term.from.dst_port.__class__.__name__ == 'list'%}
<port-list>
<port-list-name>{{filter.name}}-{{term.name}}-DST_PORTS</port-list-name>
{%for port in term.from.dst_port %}
<port>
<value>{{port}}</value>
</port>
{% endfor %}
</port-list>
{% endif %}
{% if term.from.port_range is defined %}
<port-list>
<port-list-name>{{filter.name}}-{{term.name}}-PORT_RANGE</port-list-name>
<range>
<start>{{ term.from.port_range.start }}</start>
<end>{{ term.from.port_range.end }}</end>
</range>
</port-list>
{% endif %}
{% if term.from.src_port_range is defined %}
<port-list>
<port-list-name>{{filter.name}}-{{term.name}}-SRC_PORT_RANGE</port-list-name>
<range>
<start>{{ term.from.src_port_range.start }}</start>
<end>{{ term.from.src_port_range.end }}</end>
</range>
</port-list>
{% endif %}
{% if term.from.dst_port_range is defined %}
<port-list>
<port-list-name>{{filter.name}}-{{term.name}}-DST_PORT_RANGE</port-list-name>
<range>
<start>{{ term.from.dst_port_range.start }}</start>
<end>{{ term.from.dst_port_range.end }}</end>
</range>
</port-list>
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
</match-list>
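Review bot: The list test `term.from.port.__class__.__name__ == 'list'` reaches into Python dunder attributes from a template; the built-in Jinja tests express the check without introspection, e.g. `{% if term.from.port is defined and term.from.port is not string and term.from.port is iterable %}` (a mapping would also pass this where the original accepted only a list, so confirm no term uses a mapping there). The same expression recurs six times here and again in port_list_entries.j2 and protocol_list_definitions.j2, so whichever form is chosen should be applied in all three files. The three `<port-list>` blocks for `port`, `src_port` and `dst_port` differ only in the key and the name suffix and could be one loop over `[('port', 'PORTS'), ('src_port', 'SRC_PORTS'), ('dst_port', 'DST_PORTS')]`, likewise the three range blocks. The file also assumes `term.from` exists for every term, whereas fw_filters.j2 handles terms without `from`; whether that is safe here depends on Ansible's undefined handling for chained attributes, so an explicit `term.from is defined and` guard or a comment would be prudent.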
{#This is the case it's a port-list #}
{% if term.from.port is defined and term.from.port.__class__.__name__ == 'list'%}
<port>
<port-list>{{filter.name}}-{{term.name}}-PORTS</port-list>
</port>
{% endif %}
{% if term.from.src_port is defined and term.from.src_port.__class__.__name__ == 'list'%}
<src-port>
<port-list>{{filter.name}}-{{term.name}}-SRC_PORTS</port-list>
</src-port>
{% endif %}
{% if term.from.dst_port is defined and term.from.dst_port.__class__.__name__ == 'list'%}
<dst-port>
<port-list>{{filter.name}}-{{term.name}}-DST_PORTS</port-list>
</dst-port>
{% endif %}
{#This is the case it's a single port #}
{% if term.from.port is defined and term.from.port.__class__.__name__ != 'list'%}
<port>
<eq>{{term.from.port}}</eq>
</port>
{% endif %}
{% if term.from.src_port is defined and term.from.src_port.__class__.__name__ != 'list'%}
<src-port>
<eq>{{term.from.src_port}}</eq>
</src-port>
{% endif %}
{% if term.from.dst_port is defined and term.from.dst_port.__class__.__name__ != 'list'%}
<dst-port>
<eq>{{term.from.dst_port}}</eq>
</dst-port>
{% endif %}
{# Port range #}
{% if term.from.port_range is defined %}
<port>
<port-list>{{filter.name}}-{{term.name}}-PORT_RANGE</port-list>
</port>
{% endif %}
{% if term.from.src_port_range is defined %}
<src-port>
<port-list>{{filter.name}}-{{term.name}}-SRC_PORT_RANGE</port-list>
</src-port>
{% endif %}
{% if term.from.dst_port_range is defined %}
<dst-port>
<port-list>{{filter.name}}-{{term.name}}-DST_PORT_RANGE</port-list>
</dst-port>
{% endif %}
{# This template takes care of configuring connectors and breakouts #}
<match-list>
{% for filter in filters %}
{% if filter.terms is defined %}
{% for term in filter.terms %}
{% if term.from.protocol_list is defined and term.from.protocol_list.__class__.__name__ == 'list' %}
<protocol-list>
<protocol-list-name>{{ filter.name }}-{{ term.name }}-PROTO</protocol-list-name>
{%for protocol in term.from.protocol_list %}
<protocol>
<protocol-id>{{ protocol }}</protocol-id>
</protocol>
{% endfor %}
</protocol-list>
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
</match-list>
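Review bot: The header comment `{# This template takes care of configuring connectors and breakouts #}` does not describe this file, which builds `<protocol-list>` entries from `term.from.protocol_list`; replace it with `{# Goes through the list of terms in a filter and configures protocol-lists #}` to match the sibling port_list_definitions.j2. It also reuses the `__class__.__name__ == 'list'` introspection raised for port_list_definitions.j2.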
<action>
<{{term.action}}></{{term.action}}>
{% if term.action_context is defined %}
{% for act in term.action_context %}
{% if act.type in ['rate-limit'] %}
<{{ act.type }}>
{% for kind, kind_val in act.kinds.items() %}
<{{ kind }}>{{ kind_val }}</{{ kind }}>
{% endfor %}
</{{ act.type }}>
{% endif %}
{% endfor %}
{% endif %}
</action>
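Review bot: Only `rate-limit` is handled in the `action_context` loop; any other `act.type` is silently dropped, so a term whose qualifier is misspelled or unsupported is committed as a bare `{{ term.action }}` with no warning, which for a firewall filter is a silent weakening worth failing loudly on, either via an `{% else %}` branch that emits an explicit marker or an assert task that validates `action_context` types before templating. The element name is taken verbatim from `term.action`, so the accepted value set is effectively whatever the variable files contain; a short comment stating where `term.action` is validated (presumably the device rejects unknown element names at validate/commit time) would make that trust boundary explicit.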
---
# vars file for fw_filters
is_standalone_run: false