Commit d91162c4 authored by Aleksandr Kurbatov's avatar Aleksandr Kurbatov

Updated fw_filters template

- Added support for cases when SRC and DST prefixes are not defined, but
from protocol and ports are - e.g. IPv4 Traceroute term.
- Updated structure for "special cases" of term.from.protocol
- Updated structure for main block (src/dst prefix lists)
parent b1d7dd45
1 merge request!171Updated fw_filters template
Pipeline #89110 passed
......@@ -34,8 +34,10 @@
{% endif %}
{% if term.from is defined %}
{# This is the case for TCP_ESTABLISHED #}
{% if term.from.protocol is defined and term.from.protocol == "tcp" and term.from.tcp_flag is defined %}
{# Special cases where from.protocol is defined #}
{% if term.from.protocol is defined %}
{# This is the case for TCP_ESTABLISHED #}
{% if term.from.protocol == "tcp" and term.from.tcp_flag is defined %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
......@@ -56,11 +58,11 @@
<{{ term.action }}></{{ term.action }}>
</action>
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endif %}
{# This is to cover CPM-ipv6 ND case where dst_prefix_list is defined, but not src_prefix_list #}
{% if term.from.protocol is defined and term.from.protocol == "ipv6-icmp" and term.from.dst_prefix_list is defined %}
{% for dst_prefix_list_item in term.from.dst_prefix_list %}
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endif %}
{# This is to cover CPM-ipv6 ND case where dst_prefix_list is defined, but not src_prefix_list #}
{% if term.from.protocol == "ipv6-icmp" and term.from.dst_prefix_list is defined %}
{% for dst_prefix_list_item in term.from.dst_prefix_list %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
......@@ -77,57 +79,58 @@
<{{ term.action }}></{{ term.action }}>
</action>
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endfor %}
{% endif %}
{# Generic ICMP filters with ICMP types #}
{% if term.from.protocol is defined and (term.from.protocol == "icmp" or term.from.protocol == "ipv6-icmp") %}
{% if term.from.icmp_types is defined %}
{% for icmp_type in term.from.icmp_types %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
<icmp>
<type>{{ icmp_type }}</type>
</icmp>
</match>
<action>
<{{ term.action }}></{{ term.action }}>
</action>
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endfor %}
{% endif %}
{% endif %}
{# Case when only need to match on protocol, e.g. PIM #}
{% if term.from.protocol is defined and term.from.protocol in ['pim', '58'] %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
</match>
<action>
<{{ term.action }}></{{ term.action }}>
</action>
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{# Generic ICMP filters with ICMP types #}
{% if (term.from.protocol == "icmp" or term.from.protocol == "ipv6-icmp") %}
{% if term.from.icmp_types is defined %}
{% for icmp_type in term.from.icmp_types %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
<icmp>
<type>{{ icmp_type }}</type>
</icmp>
</match>
<action>
<{{ term.action }}></{{ term.action }}>
</action>
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endfor %}
{% endif %}
{% endif %}
{# Case when only need to match on protocol, e.g. PIM #}
{% if term.from.protocol in ['pim', '58'] %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
</match>
<action>
<{{ term.action }}></{{ term.action }}>
</action>
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endif %}
{% endif %}
{# Case when both src_prefix_list and dst_prefix_list are defined #}
{% if term.from.src_prefix_list is defined %}
......@@ -172,7 +175,7 @@
</entry>
{% endfor %}
{% else %}
{# This is the case of CPM-filters, where destination prefix is not defined #}
{# src_prefix_list is defined, dst_prefix_list is not #}
<entry>
<entry-id> {{ ns3.entry_id }} </entry-id>
<description>{{ term.name }}</description>
......@@ -203,9 +206,8 @@
</entry>
{% endif %}
{% endfor %}
{% endif %}
{# Case where only DST prefix list is defined #}
{% if term.from.dst_prefix_list is defined %}
{% elif term.from.dst_prefix_list is defined %}
{% for dst_prefix_list_item in term.from.dst_prefix_list %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
......@@ -236,10 +238,31 @@
</action>
</entry>
{% endfor %}
{# term.from.protocol and ports are defined, but not SRC or DST prefix list - e.g. IPv4 traceroute #}
{% elif term.from.protocol is defined and term.from.protocol in ['udp'] %}
<entry>
<entry-id>{{ ns3.entry_id }}</entry-id>
<description>{{ term.name }}</description>
{% if term.log is defined %}
<log>{{ term.log }}</log>
{% endif %}
<match>
{% if filter.family == "ipv4" %}
<protocol>{{ term.from.protocol }}</protocol>
{% else %}
<next-header>{{ term.from.protocol }}</next-header>
{% endif %}
{% include 'filters/port_list_entries.j2' %}
</match>
<action>
<{{ term.action }}></{{ term.action }}>
</action>
</entry>
{% set ns3.entry_id = ns3.entry_id + 10 %}
{% endif %}
{% endif %}
{% endfor %}
{# Terms end #}
{# Terms end #}
{% if filter.family == "ipv4" %}
</ip-filter>
{% elif filter.family == "ipv6" %}
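Review bot: The new last `elif` of the main block is selected on `term.from.protocol in ['udp']` alone, although its comment says protocol and ports are defined; if a UDP term reaches it without port data and `filters/port_list_entries.j2` renders nothing in that case (the include is not visible here), the resulting entry matches all UDP and applies `term.action` to it. The condition should also require the port key(s) that the include reads, e.g. `{% elif term.from.protocol == 'udp' and <port key read by port_list_entries.j2> is defined %}`. The same chain has no final `{% else %}`, so a term with, say, `tcp` plus ports but no prefix list and no `tcp_flag` appears to render no entry at all and silently disappears from the generated filter. Because the special-case block above already emits entries for terms that also fall through this chain, a bare `else` that aborts would be wrong; a per-term flag set wherever an entry is emitted and checked before `{% endfor %}` would let the render report an unhandled term instead. The enclosing `{% for %}` over terms starts outside the visible hunks.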