Generate ACL (firewall) configuration for network devices.

New in version 2017.7.0.

codeauthor: Mircea Ulinic <mircea@cloudflare.com> & Robert Ankeny <robankeny@google.com>
maturity: new
depends: capirca
platform: unix

The firewall configuration is generated by Capirca.

To install Capirca, execute: pip install capirca.
salt.modules.capirca_acl.get_filter_config(platform, filter_name, filter_options=None, terms=None, prepend=True, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=True, only_lower_merge=False, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d')

Return the configuration of a policy filter.

platform
    The name of the Capirca platform.

filter_name
    The name of the policy filter.

filter_options
    Additional filter options. These options are platform-specific; see the complete list of options in the Capirca policy format documentation.

terms
    List of terms for this policy filter. If not specified or empty, the configuration is loaded from the pillar, unless merge_pillar is set as False.

prepend: True
    When merge_pillar is set as True, the final list of terms is generated by merging the terms from terms with those defined in the pillar (if any): new terms are prepended at the beginning, while existing ones preserve their position. To add the new terms at the end of the list, set this argument to False.

pillar_key: acl
    The key in the pillar containing the default attribute values. Default: acl.

pillarenv
    Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv
    Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.

merge_pillar: True
    Merge the CLI variables with the pillar. Default: True.

only_lower_merge: False
    Specify whether only the terms fields should be merged. Otherwise the filter fields are merged as well. Default: False.

revision_id
    Add a comment in the filter config having the description for the changes applied.

revision_no
    The revision count.

revision_date: True
    Boolean flag: display the date when the filter configuration was generated. Default: True.

revision_date_format: %Y/%m/%d
    The date format to be used when generating the revision date. Default: %Y/%m/%d (<year>/<month>/<day>).

CLI Example:
salt '*' capirca.get_filter_config ciscoxr my-filter pillar_key=netacl
Output Example:
! $Id:$
! $Date:$
! $Revision:$
no ipv4 access-list my-filter
ipv4 access-list my-filter
remark $Id:$
remark my-term
deny ipv4 any eq 1234 any
deny ipv4 any eq 1235 any
remark my-other-term
permit tcp any range 5678 5680 any
exit
The filter configuration has been loaded from the pillar, having the following structure:
netacl:
  - my-filter:
      terms:
        - my-term:
            source_port: [1234, 1235]
            action: reject
        - my-other-term:
            source_port:
              - [5678, 5680]
            protocol: tcp
            action: accept
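To make the merge_pillar/prepend ordering concrete, the following is an added example (not Salt's or Capirca's own code) that merges a caller-supplied list of terms with the pillar terms shown above, using the same single-key-dict shape. It assumes that a term present in both lists keeps the pillar's position while its fields are overridden by the supplied ones; the documentation above only states that the position is preserved.

```python
def _name(term):
    """Each term is a single-key dict, e.g. {'my-term': {...fields...}}."""
    return next(iter(term))


def merge_terms(supplied, pillar, prepend=True):
    """Merge terms passed in by the caller with terms loaded from the pillar.

    A term whose name already exists in the pillar keeps the pillar's position
    and its fields are updated with the supplied ones (assumed field-level
    override). Terms unknown to the pillar go to the front (prepend=True) or
    the back (prepend=False). Position matters: an ACL is evaluated top-down,
    first match wins, so a term added at the end may never be reached.
    """
    supplied_by_name = {_name(t): t[_name(t)] for t in supplied}
    pillar_names = {_name(t) for t in pillar}
    merged = []
    for term in pillar:
        name = _name(term)
        fields = dict(term[name])               # copy, never mutate the pillar
        fields.update(supplied_by_name.get(name, {}))
        merged.append({name: fields})
    new_terms = [t for t in supplied if _name(t) not in pillar_names]
    return new_terms + merged if prepend else merged + new_terms


# Constructed sample: the netacl pillar from the page plus terms a caller
# might pass in (the caller's terms are not from the page).
PILLAR_TERMS = [
    {'my-term': {'source_port': [1234, 1235], 'action': 'reject'}},
    {'my-other-term': {'source_port': [[5678, 5680]], 'protocol': 'tcp',
                       'action': 'accept'}},
]
SUPPLIED_TERMS = [
    {'block-telnet': {'destination_port': 23, 'protocol': 'tcp',
                      'action': 'deny'}},
    {'my-term': {'source_port': [1234]}},       # narrows the existing term
]


def term_order(prepend=True):
    """Term names in the order the generated filter would list them."""
    return [_name(t) for t in merge_terms(SUPPLIED_TERMS, PILLAR_TERMS, prepend)]


if __name__ == '__main__':
    print(term_order(True))    # new term first: evaluated before the rest
    print(term_order(False))   # new term last: only reached if nothing above matched
    print(merge_terms(SUPPLIED_TERMS, PILLAR_TERMS)[1])
```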
salt.modules.capirca_acl.get_filter_pillar(filter_name, pillar_key='acl', pillarenv=None, saltenv=None)

Helper that can be used inside a state SLS, in order to get the filter configuration given its name.

filter_name
    The name of the filter.

pillar_key: acl
    The root key of the whole policy config. Default: acl.

pillarenv
    Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv
    Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.

salt.modules.capirca_acl.get_policy_config(platform, filters=None, prepend=True, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=True, only_lower_merge=False, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d')

Return the configuration of the whole policy.

platform
    The name of the Capirca platform.

filters
    List of filters for this policy. If not specified or empty, the configuration is loaded from the pillar, unless merge_pillar is set as False.

prepend: True
    When merge_pillar is set as True, the final list of filters is generated by merging the filters from filters with those defined in the pillar (if any): new filters are prepended at the beginning, while existing ones preserve their position. To add the new filters at the end of the list, set this argument to False.

pillar_key: acl
    The key in the pillar containing the default attribute values. Default: acl.

pillarenv
    Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv
    Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.

merge_pillar: True
    Merge the CLI variables with the pillar. Default: True.

only_lower_merge: False
    Specify whether only the terms fields should be merged. Otherwise the filter fields are merged as well. Default: False.

revision_id
    Add a comment in the filter config having the description for the changes applied.

revision_no
    The revision count.

revision_date: True
    Boolean flag: display the date when the filter configuration was generated. Default: True.

revision_date_format: %Y/%m/%d
    The date format to be used when generating the revision date. Default: %Y/%m/%d (<year>/<month>/<day>).

CLI Example:
salt '*' capirca.get_policy_config juniper pillar_key=netacl
Output Example:
firewall {
    family inet {
        replace:
        /*
        ** $Id:$
        ** $Date:$
        ** $Revision:$
        **
        */
        filter my-filter {
            term my-term {
                from {
                    source-port [ 1234 1235 ];
                }
                then {
                    reject;
                }
            }
            term my-other-term {
                from {
                    protocol tcp;
                    source-port 5678-5680;
                }
                then accept;
            }
        }
    }
}
firewall {
    family inet {
        replace:
        /*
        ** $Id:$
        ** $Date:$
        ** $Revision:$
        **
        */
        filter my-other-filter {
            interface-specific;
            term dummy-term {
                from {
                    protocol [ tcp udp ];
                }
                then {
                    reject;
                }
            }
        }
    }
}
The policy configuration has been loaded from the pillar, having the following structure:
netacl:
  - my-filter:
      options:
        - not-interface-specific
      terms:
        - my-term:
            source_port: [1234, 1235]
            action: reject
        - my-other-term:
            source_port:
              - [5678, 5680]
            protocol: tcp
            action: accept
  - my-other-filter:
      terms:
        - dummy-term:
            protocol:
              - tcp
              - udp
            action: reject
salt.modules.capirca_acl.get_term_config(platform, filter_name, term_name, filter_options=None, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=True, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d', source_service=None, destination_service=None, **term_fields)

Return the configuration of a single policy term.

platform
    The name of the Capirca platform.

filter_name
    The name of the policy filter.

term_name
    The name of the term.

filter_options
    Additional filter options. These options are platform-specific, e.g. inet6, bridge, object-group. See the complete list of options in the Capirca policy format documentation.

pillar_key: acl
    The key in the pillar containing the default attribute values. Default: acl.
If the pillar contains the following structure:
    firewall:
      - my-filter:
          terms:
            - my-term:
                source_port: 1234
                source_address:
                  - 1.2.3.4/32
                  - 5.6.7.8/32
The pillar_key field would be specified as firewall.
pillarenv
    Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv
    Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.

merge_pillar: True
    Merge the CLI variables with the pillar. Default: True.

revision_id
    Add a comment in the term config having the description for the changes applied.

revision_no
    The revision count.

revision_date: True
    Boolean flag: display the date when the term configuration was generated. Default: True.

revision_date_format: %Y/%m/%d
    The date format to be used when generating the revision date. Default: %Y/%m/%d (<year>/<month>/<day>).

source_service
    A special service to choose from. This is a helper so the user is able to select a source just using the name, instead of specifying a source_port and protocol.

    As this module is available on Unix platforms only, it reads the IANA port assignment from /etc/services.

    If the user requires additional shortcuts to be referenced, they can add entries under /etc/services, which can be managed using the file state.

destination_service
    A special service to choose from. This is a helper so the user is able to select a destination just using the name, instead of specifying a destination_port and protocol. Allows the same options as source_service.

**term_fields
    Term attributes. To see what fields are supported, consult the list of supported keywords in the Capirca policy format documentation. Some platforms have a few other optional keywords.

Note
The following fields are accepted:
Note

The following fields can also be given either as a single value or as a list of values:

Example: destination_address can be either defined as:

    destination_address: 172.17.17.1/24

or as a list of destination IP addresses:

    destination_address:
      - 172.17.17.1/24
      - 172.17.19.1/24

or a list of services to be matched:

    source_service:
      - ntp
      - snmp
      - ldap
      - bgpd

Note

The port fields source_port and destination_port can be used as above to select either a single value or a list of values, but they can also select port ranges. Example:

    source_port:
      - [1000, 2000]
      - [3000, 4000]

With the configuration above, the user is able to select the 1000-2000 and 3000-4000 source port ranges.
CLI Example:
salt '*' capirca.get_term_config arista filter-name term-name source_address=1.2.3.4 destination_address=5.6.7.8 action=accept
Output Example:
! $Date: 2017/03/22 $
no ip access-list filter-name
ip access-list filter-name
remark term-name
permit ip host 1.2.3.4 host 5.6.7.8
exit
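The source_service and destination_service helpers described above resolve a service name through /etc/services into port and protocol term fields. The following is an added example (not Salt's or Capirca's own code) of that resolution over a constructed /etc/services excerpt; the flattening of several services into one port list and one protocol list, and the fail-closed handling of unknown names, are this example's assumptions about how such a helper should behave, not behaviour the documentation states.

```python
import re

# Constructed excerpt in /etc/services format (sample data, not read from the host).
SERVICES_SAMPLE = """\
ssh             22/tcp
ntp             123/tcp
ntp             123/udp
snmp            161/tcp
snmp            161/udp
ldap            389/tcp
ldap            389/udp
bgpd            2605/tcp        # Zebra/Quagga BGP daemon
"""

_SERVICE_LINE = re.compile(r'^(\S+)\s+(\d+)/(tcp|udp)')


def parse_services(text):
    """Map service name -> sorted list of (port, protocol) from /etc/services text.
    Comments, blank lines and trailing aliases are ignored."""
    table = {}
    for line in text.splitlines():
        match = _SERVICE_LINE.match(line.split('#', 1)[0].strip())
        if match:
            name, port, proto = match.group(1), int(match.group(2)), match.group(3)
            table.setdefault(name, set()).add((port, proto))
    return {name: sorted(pairs) for name, pairs in table.items()}


def service_fields(names, table, side='source'):
    """Expand service names into the <side>_port and protocol term fields.
    Unknown names raise rather than being dropped, so a typo cannot silently
    yield a term without a port restriction. Flattening into one port list
    and one protocol list matches the cross product (2605/udp as well as
    2605/tcp above), which is broader than the services taken individually."""
    if isinstance(names, str):
        names = [names]
    ports, protos = set(), set()
    for name in names:
        if name not in table:
            raise KeyError('unknown service %r; add it to /etc/services' % name)
        for port, proto in table[name]:
            ports.add(port)
            protos.add(proto)
    return {side + '_port': sorted(ports), 'protocol': sorted(protos)}


if __name__ == '__main__':
    services = parse_services(SERVICES_SAMPLE)
    print(service_fields(['ntp', 'snmp', 'ldap', 'bgpd'], services))
```

When reviewing a generated term, compare the flattened port/protocol lists against the individual services: a term built from several services with an accept action permits every port on every listed protocol, not just the original pairs.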
salt.modules.capirca_acl.get_term_pillar(filter_name, term_name, pillar_key='acl', pillarenv=None, saltenv=None)

Helper that can be used inside a state SLS, in order to get the term configuration given its name, under a certain filter uniquely identified by its name.

filter_name
    The name of the filter.

term_name
    The name of the term.

pillar_key: acl
    The root key of the whole policy config. Default: acl.

pillarenv
    Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv
    Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.