def testConfigHelper(self):
config = juniper.Config()
config.Append('test {')
config.Append('blah {')
config.Append('foo;')
config.Append('bar;')
config.Append('}') # close blah{}
config.Append(' Mr. T Pities the fool!', verbatim=True)
# haven't closed everything yet
self.assertRaises(juniper.JuniperIndentationError, lambda: str(config))
config.Append('}') # close test{}
self.assertMultiLineEqual(str(config),
'test {\n'
' blah {\n'
' foo;\n'
' bar;\n'
' }\n'
' Mr. T Pities the fool!\n'
'}')
# one too many '}'
self.assertRaises(juniper.JuniperIndentationError,
lambda: config.Append('}'))
def __str__(self):
target = juniper.Config()
for (header, filter_name, filter_direction,
terms) in self.junipermsmpc_policies:
target.Append('groups {')
target.Append('replace:')
target.Append('/*')
# we want the acl to contain id and date tags, but p4 will expand
# the tags here when we submit the generator, so we have to trick
# p4 into not knowing these words. like taking c-a-n-d-y from a
# baby.
for line in aclgenerator.AddRepositoryTags('** '):
target.Append(line)
target.Append('**')
for comment in header.comment:
for line in comment.split('\n'):
target.Append('** ' + line)
target.Append('*/')
target.Append('%s {' % filter_name)
target.Append('services {')
target.Append('stateful-firewall {')
target.Append('rule %s {' % filter_name)
target.Append('match-direction %s;' % filter_direction)
for term in terms:
term_str = str(term)
if term_str:
target.Append(term_str, verbatim=True)
target.Append('}') # rule { ... }
target.Append('}') # stateful-firewall { ... }
target.Append('}') # services { ... }
for line in self._GenerateApplications(filter_name):
target.Append(line)
target.Append('}') # filter_name { ... }
target.Append('}') # groups { ... }
target.Append('apply-groups %s;' % filter_name)
return str(target) + '\n'
def __str__(self):
# Verify platform specific terms. Skip whole term if platform does not
# match.
if self.term.platform:
if self._PLATFORM not in self.term.platform:
return ''
if self.term.platform_exclude:
if self._PLATFORM in self.term.platform_exclude:
return ''
if self.enable_dsmo:
raise NotImplementedError('enable_dsmo not implemented for msmpc')
ret_str = juniper.Config(indent=self._DEFAULT_INDENT)
# COMMENTS
# this deals just fine with multi line comments, but we could probably
# output them a little cleaner; do things like make sure the
# len(output) < 80, etc. Note, if 'noverbose' is set for the filter, skip
# all comment processing.
if not self.noverbose:
if self.term.owner:
self.term.comment.append('Owner: %s' % self.term.owner)
if self.term.comment:
ret_str.Append('/*')
for comment in self.term.comment:
for line in comment.split('\n'):
ret_str.Append('** ' + line)
ret_str.Append('*/')
# Term verbatim output - this will skip over normal term creation
# code. Warning generated from policy.py if appropriate.
if self.term.verbatim:
for next_term in self.term.verbatim:
if next_term[0] == self._PLATFORM:
ret_str.Append(str(next_term[1]), verbatim=True)
return str(ret_str)
# Determine whether there are any match conditions for the term.
has_match_criteria = (
self.term.address or self.term.dscp_except or self.term.dscp_match or
self.term.destination_address or self.term.destination_port or
self.term.destination_prefix or self.term.destination_prefix_except or
self.term.encapsulate or self.term.ether_type or
self.term.flexible_match_range or self.term.forwarding_class or
self.term.forwarding_class_except or self.term.fragment_offset or
self.term.hop_limit or self.term.next_ip or self.term.port or
self.term.precedence or self.term.protocol or
self.term.protocol_except or self.term.source_address or
self.term.source_port or self.term.source_prefix or
self.term.source_prefix_except or self.term.traffic_type or
self.term.ttl)
suffixes = []
duplicate_term = False
has_icmp = 'icmp' in self.term.protocol
has_icmpv6 = 'icmpv6' in self.term.protocol
has_v4_ip = self.term.GetAddressOfVersion(
'source_address',
self.AF_MAP.get('inet')) or self.term.GetAddressOfVersion(
'source_address_exclude',
self.AF_MAP.get('inet')) or self.term.GetAddressOfVersion(
'destination_address',
self.AF_MAP.get('inet')) or self.term.GetAddressOfVersion(
'destination_address_exclude', self.AF_MAP.get('inet'))
has_v6_ip = self.term.GetAddressOfVersion(
'source_address',
self.AF_MAP.get('inet6')) or self.term.GetAddressOfVersion(
'source_address_exclude',
self.AF_MAP.get('inet6')) or self.term.GetAddressOfVersion(
'destination_address',
self.AF_MAP.get('inet6')) or self.term.GetAddressOfVersion(
'destination_address_exclude', self.AF_MAP.get('inet6'))
if self.term_type == 'mixed':
if not (has_v4_ip or has_v6_ip):
suffixes = ['inet']
elif not has_v6_ip:
suffixes = ['inet']
elif not has_v4_ip:
suffixes = ['inet6']
else:
suffixes = ['inet', 'inet6']
duplicate_term = True
if not suffixes and self.term_type in ['inet', 'inet6']:
suffixes = [self.term_type]
for suffix in suffixes:
if self.term_type == 'mixed' and (not (has_icmp and has_icmpv6)) and (
has_v4_ip and has_v6_ip):
if (has_icmp and suffix != 'inet') or (has_icmpv6 and
suffix != 'inet6'):
continue
source_address = self.term.GetAddressOfVersion('source_address',
self.AF_MAP.get(suffix))
source_address_exclude = self.term.GetAddressOfVersion(
'source_address_exclude', self.AF_MAP.get(suffix))
source_address, source_address_exclude = self._MinimizePrefixes(
source_address, source_address_exclude)
destination_address = self.term.GetAddressOfVersion(
'destination_address', self.AF_MAP.get(suffix))
destination_address_exclude = self.term.GetAddressOfVersion(
'destination_address_exclude', self.AF_MAP.get(suffix))
destination_address, destination_address_exclude = self._MinimizePrefixes(
destination_address, destination_address_exclude)
if ((not source_address) and self.term.GetAddressOfVersion(
'source_address', self.AF_MAP.get('mixed')) and
not source_address_exclude) or (
(not destination_address) and self.term.GetAddressOfVersion(
'destination_address', self.AF_MAP.get('mixed')) and
not destination_address_exclude):
continue
if ((has_icmpv6 and not has_icmp and suffix == 'inet') or
(has_icmp and not has_icmpv6 and
suffix == 'inet6')) and self.term_type != 'mixed':
logging.debug(
self.NO_AF_LOG_PROTO.substitute(
term=self.term.name,
proto=', '.join(self.term.protocol),
af=suffix))
return ''
# NAME
# if the term is inactive we have to set the prefix
if self.term.inactive:
term_prefix = 'inactive:'
else:
term_prefix = ''
ret_str.Append(
'%s term %s%s {' %
(term_prefix, self.term.name, '-' + suffix if duplicate_term else ''))
# We only need a "from {" clause if there are any conditions to match.
if has_match_criteria:
ret_str.Append('from {')
# SOURCE ADDRESS
if source_address or source_address_exclude:
ret_str.Append('source-address {')
if source_address:
for saddr in source_address:
for comment in self._Comment(saddr):
ret_str.Append('%s' % comment)
if saddr.version == 6 and 0 < saddr.prefixlen < 16:
for saddr2 in saddr.subnets(new_prefix=16):
ret_str.Append('%s;' % saddr2)
else:
if saddr == nacaddr.IPv6('0::0/0'):
saddr = 'any-ipv6'
elif saddr == nacaddr.IPv4('0.0.0.0/0'):
saddr = 'any-ipv4'
ret_str.Append('%s;' % saddr)
# SOURCE ADDRESS EXCLUDE
if source_address_exclude:
for ex in source_address_exclude:
for comment in self._Comment(ex):
ret_str.Append('%s' % comment)
if ex.version == 6 and 0 < ex.prefixlen < 16:
for ex2 in ex.subnets(new_prefix=16):
ret_str.Append('%s except;' % ex2)
else:
if ex == nacaddr.IPv6('0::0/0'):
ex = 'any-ipv6'
elif ex == nacaddr.IPv4('0.0.0.0/0'):
ex = 'any-ipv4'
ret_str.Append('%s except;' % ex)
ret_str.Append('}') # source-address {...}
# DESTINATION ADDRESS
if destination_address or destination_address_exclude:
ret_str.Append('destination-address {')
if destination_address:
for daddr in destination_address:
for comment in self._Comment(daddr):
ret_str.Append('%s' % comment)
if daddr.version == 6 and 0 < daddr.prefixlen < 16:
for daddr2 in daddr.subnets(new_prefix=16):
ret_str.Append('%s;' % daddr2)
else:
if daddr == nacaddr.IPv6('0::0/0'):
daddr = 'any-ipv6'
elif daddr == nacaddr.IPv4('0.0.0.0/0'):
daddr = 'any-ipv4'
ret_str.Append('%s;' % daddr)
# DESTINATION ADDRESS EXCLUDE
if destination_address_exclude:
for ex in destination_address_exclude:
for comment in self._Comment(ex):
ret_str.Append('%s' % comment)
if ex.version == 6 and 0 < ex.prefixlen < 16:
for ex2 in ex.subnets(new_prefix=16):
ret_str.Append('%s except;' % ex2)
else:
if ex == nacaddr.IPv6('0::0/0'):
ex = 'any-ipv6'
elif ex == nacaddr.IPv4('0.0.0.0/0'):
ex = 'any-ipv4'
ret_str.Append('%s except;' % ex)
ret_str.Append('}') # destination-address {...}
# source prefix <except> list
if self.term.source_prefix or self.term.source_prefix_except:
for pfx in self.term.source_prefix:
ret_str.Append('source-prefix-list ' + pfx + ';')
for epfx in self.term.source_prefix_except:
ret_str.Append('source-prefix-list ' + epfx + ' except;')
# destination prefix <except> list
if self.term.destination_prefix or self.term.destination_prefix_except:
for pfx in self.term.destination_prefix:
ret_str.Append('destination-prefix-list ' + pfx + ';')
for epfx in self.term.destination_prefix_except:
ret_str.Append('destination-prefix-list ' + epfx + ' except;')
# APPLICATION
if (self.term.source_port or self.term.destination_port or
self.term.icmp_type or self.term.protocol):
if hasattr(self.term, 'replacement_application_name'):
ret_str.Append('application-sets ' +
self.term.replacement_application_name + '-app;')
else:
ret_str.Append('application-sets ' +
self.filter_name[:((MAX_IDENTIFIER_LEN) // 2)] +
self.term.name[-((MAX_IDENTIFIER_LEN) // 2):] +
'-app;')
ret_str.Append('}') # from {...}
ret_str.Append('then {')
# ACTION
for action in self.term.action:
ret_str.Append(self._ACTIONS.get(str(action)) + ';')
if self.term.logging and 'disable' not in [
x.value for x in self.term.logging
]:
ret_str.Append('syslog;')
ret_str.Append('}') # then {...}
ret_str.Append('}') # term {...}
return str(ret_str)
