Commit 91ac80d3 authored by Aleksandr Kurbatov's avatar Aleksandr Kurbatov

FW_filters template reworked

- Added support for `term.log` statement
- Added additional checks that `term.from.protocol` is defined
- Added a section for the case where the DST prefix list is defined but the SRC
prefix list is not (e.g. `DF_DENY` in PE CPM filters).
parent d0fa6e83
1 merge request!159FW_filters template reworked
......@@ -17,10 +17,16 @@
<admin-state>{{ filter.admin_state }}</admin-state>
{% endif %}
{% for term in filter.terms %}
{% if term.offset is defined %}
{% set ns3 = namespace(entry_id = term.offset | int) %}
{% endif %}
{% if term.from is not defined %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<action>
<{{term.action}}></{{term.action}}>
</action>
......@@ -29,10 +35,13 @@
{% if term.from is defined %}
{# This is the case for TCP_ESTABLISHED #}
{% if term.from.protocol == "tcp" and term.from.tcp_flag is defined %}
{% if term.from.protocol is defined and term.from.protocol == "tcp" and term.from.tcp_flag is defined %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
......@@ -50,11 +59,14 @@
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endif %}
{# This is to cover CPM-ipv6 ND case where dst_prefix_list is defined, but not src_prefix_list #}
{% if term.from.protocol == "ipv6-icmp" and term.from.dst_prefix_list is defined %}
{% if term.from.protocol is defined and term.from.protocol == "ipv6-icmp" and term.from.dst_prefix_list is defined %}
{% for dst_prefix_list_item in term.from.dst_prefix_list %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
<next-header>{{ term.from.protocol }}</next-header>
<dst-ip>
......@@ -69,12 +81,15 @@
{% endfor %}
{% endif %}
{# Generic ICMP filters with ICMP types #}
{% if term.from.protocol == "icmp" or term.from.protocol == "ipv6-icmp" %}
{% if term.from.protocol is defined and (term.from.protocol == "icmp" or term.from.protocol == "ipv6-icmp") %}
{% if term.from.icmp_types is defined %}
{% for icmp_type in term.from.icmp_types %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
......@@ -94,10 +109,13 @@
{% endif %}
{% endif %}
{# Case when only need to match on protocol, e.g. PIM #}
{% if term.from.protocol == 'pim' %}
{% if term.from.protocol is defined and term.from.protocol == 'pim' %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
......@@ -120,6 +138,9 @@
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if term.from.protocol is defined %}
{% if filter.family == "ipv4" %}
......@@ -155,6 +176,9 @@
<entry>
<entry-id> {{ ns3.entry_id }} </entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if term.from.protocol is defined %}
{% if filter.family == "ipv4" %}
......@@ -180,6 +204,39 @@
{% endif %}
{% endfor %}
{% endif %}
{# Case where only DST prefix list is defined #}
{% if term.from.dst_prefix_list is defined %}
{% for dst_prefix_list_item in term.from.dst_prefix_list %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if term.from.protocol is defined %}
{% if filter.family == "ipv4" %}
<protocol>{{term.from.protocol}}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
{% endif %}
{% include 'port_list_entries.j2' %}
<dst-ip>
{% if filter.family == "ipv4" %}
<ip-prefix-list>{{term.from.dst_prefix_list[loop.index0]}}</ip-prefix-list>
{% else %}
<ipv6-prefix-list>{{term.from.dst_prefix_list[loop.index0]}}</ipv6-prefix-list>
{% endif %}
</dst-ip>
</match>
{% set ns3.entry_id = ns3.entry_id + 10 %}
<action>
<{{term.action}}></{{term.action}}>
</action>
</entry>
{% endfor %}
{% endif %}
{% endif %}
{% endfor %}
{# Terms end #}
......
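Review bot: The new dst-only section at the end of the term loop is guarded only by `term.from.dst_prefix_list is defined`, so it also fires for terms that define both prefix lists and for the `ipv6-icmp` terms already expanded by the CPM-ipv6 ND block above. If the earlier sections (their conditions are outside the visible hunks) already emit entries for those terms, each one gets an additional entry that matches on protocol, ports and destination only, which for a term whose action permits traffic is wider than the policy intended on a CPM filter. The guard should state the case the commit message describes, e.g. `{% if term.from.dst_prefix_list is defined and term.from.src_prefix_list is not defined %}`, with the `ipv6-icmp` case excluded as well. Inside the loop, `dst_prefix_list_item` is the clearer way to write `term.from.dst_prefix_list[loop.index0]`.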