Manage the firewall configuration on the network device managed through NAPALM. The firewall configuration is generated by Capirca.
New in version 2017.7.0.
| codeauthor: | Mircea Ulinic <mircea@cloudflare.com> |
|---|---|
| maturity: | new |
| depends: | capirca, napalm |
| platform: | unix |
To install Capirca, execute: pip install capirca.
To be able to load configuration on network devices,
it requires NAPALM library to be installed: pip install napalm.
Please check Installation for complete details.
salt.states.netacl.filter(name, filter_name, filter_options=None, terms=None, prepend=True, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=False, only_lower_merge=False, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d', test=False, commit=True, debug=False)¶Generate and load the configuration of a policy filter.
merge_pillar is set as False.Truemerge_pillar is set as True, the final list of terms generated by merging
the terms from terms with those defined in the pillar (if any): new terms are prepended
at the beginning, while existing ones will preserve the position. To add the new terms
at the end of the list, set this argument to False.aclacl.pillarenv_from_saltenv, and is otherwise ignored.FalseMerge terms with the corresponding value from the pillar. Default: False.
Note
By default this state does not merge, to avoid any unexpected behaviours.
The merge logic depends on the prepend argument.
The terms specified through the terms argument have higher priority
than the pillar.
FalseFalse.
This option requires merge_pillar, otherwise it is ignored.TrueTrue.%Y/%m/%d%Y/%m/%d (<year>/<month>/<day>).FalseTrue, will apply the config, discard and return the changes.
Default: False and will commit the changes on the device.TrueTrue.Falseloaded_config containing the raw configuration loaded on the device.CLI Example:
salt 'edge01.flw01' state.sls router.acl test=True
Output Example:
edge01.flw01:
----------
ID: my-filter
Function: netacl.filter
Result: None
Comment: Testing mode: Configuration discarded.
Started: 12:24:40.598232
Duration: 2437.139 ms
Changes:
----------
diff:
---
+++
@@ -1228,9 +1228,24 @@
!
+ipv4 access-list my-filter
+ 10 remark $Id: my-filter_state $
+ 20 remark $Revision: 5 $
+ 30 remark my-other-term
+ 40 permit tcp any range 5678 5680 any
+!
+!
loaded:
! $Id: my-filter_state $
! $Revision: 5 $
no ipv6 access-list my-filter
ipv6 access-list my-filter
remark $Id: my-filter_state $
remark $Revision: 5 $
remark my-other-term
permit tcp any range 5678 5680 any
exit
Summary for edge01.flw01
------------
Succeeded: 1 (unchanged=1, changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 2.437 s
Pillar example:
acl:
- my-filter:
options:
- inet6
terms:
- my-term:
source_port: [1234, 1235]
protocol:
- tcp
- udp
source_address: 1.2.3.4
action: reject
- my-other-term:
source_port:
- [5678, 5680]
protocol: tcp
action: accept
State SLS Example:
{%- set filter_name = 'my-filter' -%}
{%- set my_filter_cfg = salt.netacl.get_filter_pillar(filter_name, pillar_key='firewall') -%}
my_first_filter_state:
netacl.filter:
- filter_name: {{ filter_name }}
- options: {{ my_filter_cfg['options'] | json }}
- terms: {{ my_filter_cfg['terms'] | json }}
- revision_date: false
- revision_no: 5
- debug: true
Or:
my_first_filter_state:
netacl.filter:
- filter_name: my-filter
- merge_pillar: true
- pillar_key: firewall
- revision_date: false
- revision_no: 5
- debug: true
In the example above, as inet6 has been specified in the filter_options,
the configuration chunk referring to my-term has been ignored as it referred to
IPv4 only (from source_address field).
Note
The first method allows the user to eventually apply complex manipulation and / or retrieve the data from external services before passing the data to the state. The second one is more straightforward, for less complex cases when loading the data directly from the pillar is sufficient.
Note
When passing retrieved pillar data into the state file, it is strongly recommended to use the json serializer explicitly (`` | json``), instead of relying on the default Python serializer.
salt.states.netacl.managed(name, filters=None, prepend=True, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=False, only_lower_merge=False, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d', test=False, commit=True, debug=False)¶Manage the whole firewall configuration.
merge_pillar is set as False.Truemerge_pillar is set as True, the final list of filters generated by merging
the filters from filters with those defined in the pillar (if any): new filters are prepended
at the beginning, while existing ones will preserve the position. To add the new filters
at the end of the list, set this argument to False.aclacl.pillarenv_from_saltenv, and is otherwise ignored.FalseMerge the filters will the corresponding values from the pillar. Default: False.
Note
By default this state does not merge, to avoid any unexpected behaviours.
The merge logic depends on the prepend argument.
The filters specified through the filters argument have higher priority
than the pillar.
FalseFalse.
This option requires merge_pillar, otherwise it is ignored.FalseTrue, will apply the config, discard and return the changes.
Default: False and will commit the changes on the device.TrueTrue.%Y/%m/%d%Y/%m/%d (<year>/<month>/<day>).TrueTrue.Falseloaded_config containing the raw configuration loaded on the device.CLI Example:
salt 'edge01.bjm01' state.sls router.acl test=True
Output Example:
edge01.bjm01:
-------------
ID: netacl_example
Function: netacl.managed
Result: None
Comment: Testing mode: Configuration discarded.
Started: 12:03:24.807023
Duration: 5569.453 ms
Changes:
----------
diff:
[edit firewall]
+ family inet {
+ /*
+ ** $Id: netacl_example $
+ ** $Date: 2017/07/03 $
+ ** $Revision: 2 $
+ **
+ */
+ filter my-filter {
+ interface-specific;
+ term my-term {
+ from {
+ source-address {
+ 1.2.3.4/32;
+ }
+ protocol [ tcp udp ];
+ source-port [ 1234 1235 ];
+ }
+ then {
+ reject;
+ }
+ }
+ term my-other-term {
+ from {
+ protocol tcp;
+ source-port 5678-5680;
+ }
+ then accept;
+ }
+ }
+ /*
+ ** $Id: netacl_example $
+ ** $Date: 2017/07/03 $
+ ** $Revision: 2 $
+ **
+ */
+ filter block-icmp {
+ interface-specific;
+ term first-term {
+ from {
+ protocol icmp;
+ }
+ then {
+ reject;
+ }
+ }
+ }
+ }
loaded:
firewall {
family inet {
replace:
/*
** $Id: netacl_example $
** $Date: 2017/07/03 $
** $Revision: 2 $
**
*/
filter my-filter {
interface-specific;
term my-term {
from {
source-address {
1.2.3.4/32;
}
protocol [ tcp udp ];
source-port [ 1234 1235 ];
}
then {
reject;
}
}
term my-other-term {
from {
protocol tcp;
source-port 5678-5680;
}
then accept;
}
}
}
}
firewall {
family inet {
replace:
/*
** $Id: netacl_example $
** $Date: 2017/07/03 $
** $Revision: 2 $
**
*/
filter block-icmp {
interface-specific;
term first-term {
from {
protocol icmp;
}
then {
reject;
}
}
}
}
}
Summary for edge01.bjm01
------------
Succeeded: 1 (unchanged=1, changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 5.569 s
The policy configuration has been loaded from the pillar, having the following structure:
firewall:
- my-filter:
terms:
- my-term:
source_port: [1234, 1235]
protocol:
- tcp
- udp
source_address: 1.2.3.4
action: reject
- my-other-term:
source_port:
- [5678, 5680]
protocol: tcp
action: accept
- block-icmp:
terms:
- first-term:
protocol:
- icmp
action: reject
Example SLS file:
{%- set fw_filters = pillar.get('firewall', {}) -%}
netacl_example:
netacl.managed:
- filters: {{ fw_filters | json }}
- revision_no: 2
- debug: true
Or:
netacl_example:
netacl.managed:
- pillar_key: firewall
- merge_pillar: true
- revision_no: 2
- debug: true
Note
The first method allows the user to eventually apply complex manipulation and / or retrieve the data from external services before passing the data to the state. The second one is more straightforward, for less complex cases when loading the data directly from the pillar is sufficient.
Note
When passing retrieved pillar data into the state file, it is strongly recommended to use the json serializer explicitly (`` | json``), instead of relying on the default Python serializer.
salt.states.netacl.term(name, filter_name, term_name, filter_options=None, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=False, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d', test=False, commit=True, debug=False, source_service=None, destination_service=None, **term_fields)¶Manage the configuration of a specific policy term.
aclacl.pillarenv_from_saltenv, and is otherwise ignored.FalseMerge the CLI variables with the pillar. Default: False.
The properties specified through the state arguments have higher priority than the pillar.
TrueTrue.%Y/%m/%d%Y/%m/%d (<year>/<month>/<day>).FalseTrue, will apply the config, discard and return the changes.
Default: False and will commit the changes on the device.TrueTrue.Falseloaded_config containing the raw configuration loaded on the device.A special service to choose from. This is a helper so the user is able to select a source just using the name, instead of specifying a source_port and protocol.
As this module is available on Unix platforms only, it reads the IANA port assignment from /etc/services.
If the user requires additional shortcuts to be referenced, they can add entries under /etc/services,
which can be managed using the file state.
source_service.Note
The following fields are accepted:
Note
The following fields can be also a single value and a list of values:
Example: destination_address can be either defined as:
destination_address: 172.17.17.1/24
or as a list of destination IP addresses:
destination_address:
- 172.17.17.1/24
- 172.17.19.1/24
or a list of services to be matched:
source_service:
- ntp
- snmp
- ldap
- bgpd
Note
The port fields source_port and destination_port can be used as
above to select either a single value, either a list of values, but
also they can select port ranges. Example:
source_port:
- [1000, 2000]
- [3000, 4000]
With the configuration above, the user is able to select the 1000-2000 and 3000-4000 source port ranges.
CLI Example:
salt 'edge01.bjm01' state.sls router.acl
Output Example:
edge01.bjm01:
----------
ID: update_icmp_first_term
Function: netacl.term
Result: None
Comment: Testing mode: Configuration discarded.
Started: 12:49:09.174179
Duration: 5751.882 ms
Changes:
----------
diff:
[edit firewall]
+ family inet {
+ /*
+ ** $Id: update_icmp_first_term $
+ ** $Date: 2017/02/30 $
+ **
+ */
+ filter block-icmp {
+ term first-term {
+ from {
+ protocol icmp;
+ }
+ then {
+ reject;
+ }
+ }
+ }
+ }
Summary for edge01.bjm01
------------
Succeeded: 1 (unchanged=1, changed=1)
Failed: 0
------------
Total states run: 1
Total run time: 5.752 s
Pillar example:
firewall:
- block-icmp:
terms:
- first-term:
protocol:
- icmp
action: reject
State SLS example:
{%- set filter_name = 'block-icmp' -%}
{%- set term_name = 'first-term' -%}
{%- set my_term_cfg = salt.netacl.get_term_pillar(filter_name, term_name) -%}
update_icmp_first_term:
netacl.term:
- filter_name: {{ filter_name }}
- filter_options:
- not-interface-specific
- term_name: {{ term_name }}
- {{ my_term_cfg | json }}
Or directly referencing the pillar keys:
update_icmp_first_term:
netacl.term:
- filter_name: block-icmp
- filter_options:
- not-interface-specific
- term_name: first-term
- merge_pillar: true
Note
The first method allows the user to eventually apply complex manipulation and / or retrieve the data from external services before passing the data to the state. The second one is more straightforward, for less complex cases when loading the data directly from the pillar is sufficient.
Note
When passing retrieved pillar data into the state file, it is strongly recommended to use the json serializer explicitly (`` | json``), instead of relying on the default Python serializer.
Docs for previous releases are available on readthedocs.org.
Latest Salt release: 2018.3.3