Merge branch 'fix/fw-filter-traceroute' into 'develop'

Updated fw_filters template See merge request !171

Merge branch 'fix/fw-filter-traceroute' into 'develop'
90a607a6 · Aleksandr Kurbatov · b1d7dd45 · d91162c4 · 90a607a6
Commit 90a607a6 authored 8 months ago by Aleksandr Kurbatov
--- a/geant/gap_ansible/roles/bc_templates/routers/nokia/filters/fw_filters.j2
+++ b/geant/gap_ansible/roles/bc_templates/routers/nokia/filters/fw_filters.j2
@@ -34,8 +34,10 @@
    {% endif %}
    {% if term.from is defined %}
-  {# This is the case for TCP_ESTABLISHED #}
+      {# Special cases where from.protocol is defined #}
-      {% if term.from.protocol is defined and term.from.protocol == "tcp" and term.from.tcp_flag is defined %}
+      {% if term.from.protocol is defined %}
+        {# This is the case for TCP_ESTABLISHED #}
+        {% if term.from.protocol == "tcp" and term.from.tcp_flag is defined %}
          <entry>
            <entry-id>{{ ns3.entry_id }}</entry-id>
            <description>{{ term.name }}</description>
@@ -56,11 +58,11 @@
              <{{ term.action }}></{{ term.action }}>
            </action>
          </entry>
-        {% set ns3.entry_id = ns3.entry_id + 10 %}
+          {% set ns3.entry_id = ns3.entry_id + 10 %}
-      {% endif %}
+        {% endif %}
-      {# This is to cover CPM-ipv6 ND case where dst_prefix_list is defined, but not src_prefix_list #}
+        {# This is to cover CPM-ipv6 ND case where dst_prefix_list is defined, but not src_prefix_list #}
-      {%  if term.from.protocol is defined and term.from.protocol == "ipv6-icmp" and term.from.dst_prefix_list is defined %}
+        {% if term.from.protocol == "ipv6-icmp" and term.from.dst_prefix_list is defined %}
-        {% for dst_prefix_list_item in term.from.dst_prefix_list %}
+          {% for dst_prefix_list_item in term.from.dst_prefix_list %}
          <entry>
            <entry-id>{{ ns3.entry_id }}</entry-id>
            <description>{{ term.name }}</description>
@@ -77,57 +79,58 @@
              <{{ term.action }}></{{ term.action }}>
            </action>
          </entry>
-        {% set ns3.entry_id = ns3.entry_id + 10 %}
+          {% set ns3.entry_id = ns3.entry_id + 10 %}
-          {% endfor %}
-      {% endif %}
-      {# Generic ICMP filters with ICMP types #}
-      {% if term.from.protocol is defined and (term.from.protocol == "icmp" or term.from.protocol == "ipv6-icmp") %}
-        {% if term.from.icmp_types is defined %}
-          {% for icmp_type in term.from.icmp_types %}
-          <entry>
-            <entry-id>{{ ns3.entry_id }}</entry-id>
-            <description>{{ term.name }}</description>
-            {% if term.log is defined %}
-            <log>{{ term.log }}</log>
-            {% endif %}
-            <match>
-                  {% if filter.family == "ipv4" %}
-              <protocol>{{ term.from.protocol }}</protocol>
-                  {% else %}
-              <next-header>{{ term.from.protocol }}</next-header>
-                  {% endif %}
-                <icmp>
-                  <type>{{ icmp_type }}</type>
-                </icmp>
-            </match>
-            <action>
-              <{{ term.action }}></{{ term.action }}>
-            </action>
-          </entry>
-        {% set ns3.entry_id = ns3.entry_id + 10 %}
          {% endfor %}
        {% endif %}
-      {% endif %}
+        {# Generic ICMP filters with ICMP types #}
-      {# Case when only need to match on protocol, e.g. PIM #}
+        {% if (term.from.protocol == "icmp" or term.from.protocol == "ipv6-icmp") %}
-        {% if term.from.protocol is defined and term.from.protocol in ['pim', '58'] %}
+          {% if term.from.icmp_types is defined %}
-          <entry>
+            {% for icmp_type in term.from.icmp_types %}
-            <entry-id>{{ ns3.entry_id }}</entry-id>
+            <entry>
-            <description>{{ term.name }}</description>
+              <entry-id>{{ ns3.entry_id }}</entry-id>
-            {% if term.log is defined %}
+              <description>{{ term.name }}</description>
-            <log>{{ term.log }}</log>
+              {% if term.log is defined %}
-            {% endif %}
+              <log>{{ term.log }}</log>
-            <match>
+              {% endif %}
-                  {% if filter.family == "ipv4" %}
+              <match>
-              <protocol>{{ term.from.protocol }}</protocol>
+                    {% if filter.family == "ipv4" %}
-                  {% else %}
+                <protocol>{{ term.from.protocol }}</protocol>
-              <next-header>{{ term.from.protocol }}</next-header>
+                    {% else %}
-                  {% endif %}
+                <next-header>{{ term.from.protocol }}</next-header>
-            </match>
+                    {% endif %}
-            <action>
+                  <icmp>
-              <{{ term.action }}></{{ term.action }}>
+                    <type>{{ icmp_type }}</type>
-            </action>
+                  </icmp>
-          </entry>
+              </match>
-        {% set ns3.entry_id = ns3.entry_id + 10 %}
+              <action>
+                <{{ term.action }}></{{ term.action }}>
+              </action>
+            </entry>
+          {% set ns3.entry_id = ns3.entry_id + 10 %}
+            {% endfor %}
+          {% endif %}
+        {% endif %}
+        {# Case when only need to match on protocol, e.g. PIM #}
+        {% if term.from.protocol in ['pim', '58'] %}
+            <entry>
+              <entry-id>{{ ns3.entry_id }}</entry-id>
+              <description>{{ term.name }}</description>
+              {% if term.log is defined %}
+              <log>{{ term.log }}</log>
+              {% endif %}
+              <match>
+                    {% if filter.family == "ipv4" %}
+                <protocol>{{ term.from.protocol }}</protocol>
+                    {% else %}
+                <next-header>{{ term.from.protocol }}</next-header>
+                    {% endif %}
+              </match>
+              <action>
+                <{{ term.action }}></{{ term.action }}>
+              </action>
+            </entry>
+          {% set ns3.entry_id = ns3.entry_id + 10 %}
+        {% endif %}
      {% endif %}
      {# Case when both src_prefix_list and dst_prefix_list are defined #}
      {% if term.from.src_prefix_list is defined %}
@@ -172,7 +175,7 @@
          </entry>
            {% endfor %}
          {% else %}
-{# This is the case of CPM-filters, where destination prefix is not defined #}
+            {# src_prefix_list is defined, dst_prefix_list is not #}
          <entry>
            <entry-id> {{ ns3.entry_id }} </entry-id>
            <description>{{ term.name }}</description>
@@ -203,9 +206,8 @@
          </entry>
          {% endif %}
        {% endfor %}
-      {% endif %}
      {# Case where only DST prefix list is defined #}
-      {% if term.from.dst_prefix_list is defined %}
+      {% elif term.from.dst_prefix_list is defined %}
        {% for dst_prefix_list_item in term.from.dst_prefix_list %}
          <entry>
            <entry-id>{{ ns3.entry_id }}</entry-id>
@@ -236,10 +238,31 @@
            </action>
          </entry>
        {% endfor %}
+      {# term.from.protocol and ports are defined, but not SRC or DST prefix list - e.g. IPv4 traceroute #}
+      {% elif term.from.protocol is defined and term.from.protocol in ['udp'] %}
+          <entry>
+            <entry-id>{{ ns3.entry_id }}</entry-id>
+            <description>{{ term.name }}</description>
+            {% if term.log is defined %}
+            <log>{{ term.log }}</log>
+            {% endif %}
+            <match>
+                  {% if filter.family == "ipv4" %}
+              <protocol>{{ term.from.protocol }}</protocol>
+                  {% else %}
+              <next-header>{{ term.from.protocol }}</next-header>
+                  {% endif %}
+            {% include 'filters/port_list_entries.j2' %}
+            </match>
+            <action>
+              <{{ term.action }}></{{ term.action }}>
+            </action>
+          </entry>
+          {% set ns3.entry_id = ns3.entry_id + 10 %}
      {% endif %}
    {% endif %}
  {% endfor %}
-{# Terms end #}
+  {# Terms end #}
  {% if filter.family == "ipv4" %}
        </ip-filter>
  {% elif filter.family == "ipv6" %}