salt.modules.capirca_acl module
Capirca ACL
Generate ACL (firewall) configuration for network devices.
Dependencies
The firewall configuration is generated by Capirca. To install Capirca, execute:
pip install capirca
salt.modules.capirca_acl.get_filter_config(platform, filter_name, filter_options=None, terms=None, prepend=True, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=True, only_lower_merge=False, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d')

Return the configuration of a policy filter.

- platform
  The name of the Capirca platform.
- filter_name
  The name of the policy filter.
- filter_options
  Additional filter options. These options are platform-specific; see the Capirca documentation for the complete list of options.
- terms
  List of terms for this policy filter. If not specified or empty, the terms are loaded from the pillar, unless merge_pillar is set to False.
- prepend: True
  When merge_pillar is True, the final list of terms is produced by merging the terms passed in terms with those defined in the pillar (if any): new terms are prepended at the beginning of the list, while terms that already exist in the pillar keep their position. To append new terms at the end of the list instead, set this argument to False. Because a firewall evaluates the terms of a filter in order, this choice decides whether a new term is matched before or after all existing ones.
- pillar_key: acl
  The key in the pillar containing the default attribute values. Default: acl.
- pillarenv
  Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.
- saltenv
  Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.
- merge_pillar: True
  Merge the CLI variables with the pillar. Default: True.
- only_lower_merge: False
  Merge only the terms fields. Otherwise the filter fields are merged as well. Default: False.
- revision_id
  Description of the change applied, emitted as a comment in the generated filter config (the $Id:$ header line). When omitted, the field is left empty, as in the output example below.
- revision_no
  The revision count, emitted in the $Revision:$ header line.
- revision_date: True
  Boolean flag: include the date when the filter configuration was generated in the $Date:$ header line. Default: True.
- revision_date_format: %Y/%m/%d
  The date format used for the Perforce-style $Date:$ header. Default: %Y/%m/%d (<year>/<month>/<day>).
CLI Example:
salt '*' capirca.get_filter_config ciscoxr my-filter pillar_key=netacl
Output Example:
! $Id:$
! $Date:$
! $Revision:$
no ipv4 access-list my-filter
ipv4 access-list my-filter
 remark $Id:$
 remark my-term
 deny ipv4 any eq 1234 any
 deny ipv4 any eq 1235 any
 remark my-other-term
 permit tcp any range 5678 5680 any
exit
The filter configuration above was loaded from the pillar, which has the following structure:
netacl:
  - my-filter:
      terms:
        - my-term:
            source_port: [1234, 1235]
            action: reject
        - my-other-term:
            source_port:
              - [5678, 5680]
            protocol: tcp
            action: accept
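The ordering rules of terms, prepend and merge_pillar described above, worked through in plain Python on the pillar structure just shown. This is an added example and not the module's own merge code; the function names (filter_from_pillar, merge_terms, term_order) are illustrative. One assumption the page does not state: when a term name exists both in the pillar and in the caller's terms, the caller's field values override the pillar's for that term.

```python
"""Term-merging rules of get_filter_config, illustrated in plain Python.

Added example, not the salt.modules.capirca_acl implementation. It reproduces
the pillar layout shown on the page and the prepend/merge_pillar ordering
rules. Assumption (not stated on the page): when a term name is present both
in the pillar and in the caller's terms, the caller's fields override the
pillar's fields for that term.
"""
from __future__ import annotations

import copy
from typing import Any, Dict, List, Optional

# The pillar structure from the page (netacl -> my-filter -> terms), as the
# minion would see it after YAML parsing. Constructed for this example.
PILLAR: Dict[str, Any] = {
    "netacl": [
        {
            "my-filter": {
                "terms": [
                    {"my-term": {"source_port": [1234, 1235],
                                 "action": "reject"}},
                    {"my-other-term": {"source_port": [[5678, 5680]],
                                       "protocol": "tcp",
                                       "action": "accept"}},
                ]
            }
        }
    ]
}

NamedItem = Dict[str, Dict[str, Any]]  # one-key dict: {name: fields}


def item_name(item: NamedItem) -> str:
    """Filters and terms are lists of single-key dicts; the key is the name."""
    if len(item) != 1:
        raise ValueError(f"expected a single-key dict, got {item!r}")
    return next(iter(item))


def filter_from_pillar(filter_name: str, pillar: Dict[str, Any] = PILLAR,
                       pillar_key: str = "acl") -> Optional[Dict[str, Any]]:
    """Look up a filter by name under pillar_key; None if it is not defined."""
    for item in pillar.get(pillar_key, []):
        if item_name(item) == filter_name:
            return copy.deepcopy(item[filter_name])
    return None


def merge_terms(pillar_terms: List[NamedItem], cli_terms: List[NamedItem],
                prepend: bool = True, merge_pillar: bool = True) -> List[NamedItem]:
    """Combine caller terms with pillar terms following the documented rules.

    merge_pillar=False: the caller's terms are used as-is, the pillar is ignored.
    Otherwise terms already in the pillar keep their position (and, per the
    assumption above, take the caller's field values), while new terms go in
    front of the list when prepend=True and at the end when prepend=False.
    Order is not cosmetic: a firewall evaluates terms top-down, so prepend
    decides whether a new term is hit before or after every existing one.
    """
    if not merge_pillar:
        return copy.deepcopy(cli_terms)
    merged = copy.deepcopy(pillar_terms)
    by_name = {item_name(t): t for t in merged}
    new_terms: List[NamedItem] = []
    new_by_name: Dict[str, NamedItem] = {}
    for term in cli_terms:
        name = item_name(term)
        if name in by_name:
            by_name[name][name].update(copy.deepcopy(term[name]))
        elif name in new_by_name:   # same new name twice: merge, do not duplicate
            new_by_name[name][name].update(copy.deepcopy(term[name]))
        else:
            new_by_name[name] = copy.deepcopy(term)
            new_terms.append(new_by_name[name])
    return new_terms + merged if prepend else merged + new_terms


def term_order(terms: List[NamedItem]) -> List[str]:
    """Term names in evaluation order, to check where a term landed."""
    return [item_name(t) for t in terms]


if __name__ == "__main__":
    base = filter_from_pillar("my-filter", pillar_key="netacl")["terms"]
    extra = [
        {"my-other-term": {"action": "reject"}},            # existing: overrides
        {"ssh-in": {"destination_port": 22, "protocol": "tcp",
                    "action": "accept"}},                    # new term
    ]
    print(term_order(merge_terms(base, extra, prepend=True)))
    print(term_order(merge_terms(base, extra, prepend=False)))
```

Run it to see the new ssh-in term land first with prepend=True and last with prepend=False, while my-other-term stays in second place with its action overridden. The pillar dict itself is never mutated, so repeated calls with different terms start from the same baseline.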
salt.modules.capirca_acl.get_filter_pillar(filter_name, pillar_key='acl', pillarenv=None, saltenv=None)

Helper that can be used inside a state SLS, in order to get the filter configuration given its name.

- filter_name
  The name of the filter.
- pillar_key
  The root key of the whole policy config.
- pillarenv
  Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.
- saltenv
  Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.
salt.modules.capirca_acl.get_policy_config(platform, filters=None, prepend=True, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=True, only_lower_merge=False, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d')

Return the configuration of the whole policy.

- platform
  The name of the Capirca platform.
- filters
  List of filters for this policy. If not specified or empty, the filters are loaded from the pillar, unless merge_pillar is set to False.
- prepend: True
  When merge_pillar is True, the final list of filters is produced by merging the filters passed in filters with those defined in the pillar (if any): new filters are prepended at the beginning of the list, while filters that already exist in the pillar keep their position. To append new filters at the end of the list instead, set this argument to False.
- pillar_key: acl
  The key in the pillar containing the default attribute values. Default: acl.
- pillarenv
  Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.
- saltenv
  Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.
- merge_pillar: True
  Merge the CLI variables with the pillar. Default: True.
- only_lower_merge: False
  Merge only the filters and terms fields. Otherwise everything at the policy level is merged. Default: False.
- revision_id
  Description of the change applied, emitted as a comment in the generated policy config (the $Id:$ header line).
- revision_no
  The revision count, emitted in the $Revision:$ header line.
- revision_date: True
  Boolean flag: include the date when the policy configuration was generated in the $Date:$ header line. Default: True.
- revision_date_format: %Y/%m/%d
  The date format used for the Perforce-style $Date:$ header. Default: %Y/%m/%d (<year>/<month>/<day>).
CLI Example:
salt '*' capirca.get_policy_config juniper pillar_key=netacl
Output Example:
firewall {
    family inet {
        replace:
        /*
        ** $Id:$
        ** $Date:$
        ** $Revision:$
        **
        */
        filter my-filter {
            term my-term {
                from {
                    source-port [ 1234 1235 ];
                }
                then {
                    reject;
                }
            }
            term my-other-term {
                from {
                    protocol tcp;
                    source-port 5678-5680;
                }
                then accept;
            }
        }
    }
}
firewall {
    family inet {
        replace:
        /*
        ** $Id:$
        ** $Date:$
        ** $Revision:$
        **
        */
        filter my-other-filter {
            interface-specific;
            term dummy-term {
                from {
                    protocol [ tcp udp ];
                }
                then {
                    reject;
                }
            }
        }
    }
}
The policy configuration above was loaded from the pillar, which has the following structure:
netacl:
  - my-filter:
      options:
        - not-interface-specific
      terms:
        - my-term:
            source_port: [1234, 1235]
            action: reject
        - my-other-term:
            source_port:
              - [5678, 5680]
            protocol: tcp
            action: accept
  - my-other-filter:
      terms:
        - dummy-term:
            protocol:
              - tcp
              - udp
            action: reject
salt.modules.capirca_acl.get_term_config(platform, filter_name, term_name, filter_options=None, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=True, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d', source_service=None, destination_service=None, **term_fields)

Return the configuration of a single policy term.

- platform
  The name of the Capirca platform.
- filter_name
  The name of the policy filter.
- term_name
  The name of the term.
- filter_options
  Additional filter options. These options are platform-specific, e.g. inet6, bridge, object-group; see the Capirca documentation for the complete list of options.
- pillar_key: acl
  The key in the pillar containing the default attribute values. Default: acl. If the pillar contains the following structure:

  firewall:
    - my-filter:
        terms:
          - my-term:
              source_port: 1234
              source_address:
                - 1.2.3.4/32
                - 5.6.7.8/32

  the pillar_key field would be specified as firewall.
- pillarenv
  Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.
- saltenv
  Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.
- merge_pillar: True
  Merge the CLI variables with the pillar. Default: True.
- revision_id
  Description of the change applied, emitted as a comment in the generated term config (the $Id:$ header line).
- revision_no
  The revision count, emitted in the $Revision:$ header line.
- revision_date: True
  Boolean flag: include the date when the term configuration was generated in the $Date:$ header line. Default: True.
- revision_date_format: %Y/%m/%d
  The date format used for the Perforce-style $Date:$ header. Default: %Y/%m/%d (<year>/<month>/<day>).
- source_service
  A service name (or list of service names) to match on the source side. This is a helper so the user can select a source just by name, instead of specifying source_port and protocol. As this module is available on Unix platforms only, it reads the IANA port assignments from /etc/services on the minion. If additional shortcuts are needed, they can be added as entries in /etc/services, which can be managed using the file state. Because the lookup happens on the minion, the generated term depends on that minion's /etc/services: keep the file consistent across minions, otherwise the same policy can compile to different ports on different devices.
- destination_service
  Same as source_service, but selects the destination by service name instead of specifying destination_port and protocol.
- term_fields
  Term attributes. To see what fields are supported, please consult the list of supported keywords. Some platforms accept a few additional, platform-specific keywords.
Note
The following fields are accepted:
- action
- address
- address_exclude
- comment
- counter
- expiration
- destination_address
- destination_address_exclude
- destination_port
- destination_prefix
- forwarding_class
- forwarding_class_except
- logging
- log_name
- loss_priority
- option
- policer
- port
- precedence
- principals
- protocol
- protocol_except
- qos
- pan_application
- routing_instance
- source_address
- source_address_exclude
- source_port
- source_prefix
- verbatim
- packet_length
- fragment_offset
- hop_limit
- icmp_type
- ether_type
- traffic_class_count
- traffic_type
- translated
- dscp_set
- dscp_match
- dscp_except
- next_ip
- flexible_match_range
- source_prefix_except
- destination_prefix_except
- vpn
- source_tag
- destination_tag
- source_interface
- destination_interface
- flattened
- flattened_addr
- flattened_saddr
- flattened_daddr
- priority
Note
The following fields accept either a single value or a list of values:
- action
- address
- address_exclude
- comment
- destination_address
- destination_address_exclude
- destination_port
- destination_prefix
- forwarding_class
- forwarding_class_except
- logging
- option
- port
- precedence
- principals
- protocol
- protocol_except
- pan_application
- source_address
- source_address_exclude
- source_port
- source_prefix
- verbatim
- icmp_type
- ether_type
- traffic_type
- dscp_match
- dscp_except
- flexible_match_range
- source_prefix_except
- destination_prefix_except
- source_tag
- destination_tag
- source_service
- destination_service
Example: destination_address can be defined either as a single prefix:
destination_address: 172.17.17.1/24
or as a list of destination prefixes:
destination_address:
  - 172.17.17.1/24
  - 172.17.19.1/24
Likewise, source_service can be a list of services to be matched:
source_service:
  - ntp
  - snmp
  - ldap
  - bgpd
Note
The port fields source_port and destination_port can be used as above to select either a single value or a list of values, but they can also select port ranges, given as [low, high] pairs. Example:
source_port:
  - [1000, 2000]
  - [3000, 4000]
With the configuration above, the term matches the 1000-2000 and 3000-4000 source port ranges.
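The two helpers described above, service-name lookup (source_service / destination_service, resolved from /etc/services) and the single-value, list and [low, high] port forms, worked through in plain Python. This is an added example and not the module's own resolution code; it parses an /etc/services-format excerpt embedded in the script (constructed for the example, with the real IANA port numbers) so that it runs offline, and the function names (parse_services, resolve_services, service_term_fields, normalise_ports) are illustrative. It also goes one step beyond the text: because a term's protocol and port fields are matched independently, it splits the resolved ports per protocol so the caller can avoid a cross-product match.

```python
"""Resolve service names and normalise port fields for a Capirca term.

Added example, not the module's own lookup code. The page states that
source_service/destination_service names are resolved from the minion's
/etc/services; this script parses an /etc/services-format table embedded
below (a constructed excerpt with real IANA numbers) so it runs offline.
"""
from __future__ import annotations

from typing import Dict, List, Sequence, Tuple, Union

# Constructed excerpt in /etc/services format: name, port/proto, aliases, comments.
SERVICES_EXCERPT = """\
# Network services, Internet style (constructed excerpt for this example)
ntp             123/tcp
ntp             123/udp                         # Network Time Protocol
snmp            161/tcp
snmp            161/udp                         # Simple Net Mgmt Protocol
ldap            389/tcp                         # Lightweight Directory Access Protocol
ldap            389/udp
bgpd            2605/tcp                        # BGP daemon (quagga/frr)
"""

ServiceTable = Dict[str, List[Tuple[int, str]]]


def parse_services(text: str) -> ServiceTable:
    """Parse /etc/services-style lines into {name: [(port, proto), ...]}.

    Comments and blank lines are skipped; aliases (third column onwards)
    resolve to the same entry, as getservbyname(3) would do. Malformed
    lines are ignored rather than guessed at.
    """
    table: ServiceTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_str, proto = fields[1].split("/", 1)
        if not port_str.isdigit():
            continue
        entry = (int(port_str), proto.lower())
        for name in [fields[0], *fields[2:]]:
            if entry not in table.setdefault(name, []):
                table[name].append(entry)
    return table


def resolve_services(names: Union[str, Sequence[str]],
                     table: ServiceTable) -> Dict[str, List[int]]:
    """Map service names to {protocol: [ports]}.

    An unknown name raises: a term that silently loses its port qualifier
    matches far more than intended, which in an ACL is a security bug.
    """
    per_proto: Dict[str, List[int]] = {}
    for name in ([names] if isinstance(names, str) else names):
        entries = table.get(name)
        if not entries:
            raise KeyError(f"service {name!r} not found in services table")
        for port, proto in entries:
            bucket = per_proto.setdefault(proto, [])
            if port not in bucket:
                bucket.append(port)
    return {proto: sorted(ports) for proto, ports in sorted(per_proto.items())}


def service_term_fields(names: Union[str, Sequence[str]], table: ServiceTable,
                        side: str = "source") -> List[Dict[str, object]]:
    """Port and protocol fields for a term, one field set per protocol.

    Protocol and port fields of a term match independently, so putting
    tcp-only and udp-only services into one term widens the match to the
    cross product (here: bgpd/2605 over UDP). One term per protocol keeps
    the match exact.
    """
    if side not in ("source", "destination"):
        raise ValueError("side must be 'source' or 'destination'")
    return [{"protocol": proto, f"{side}_port": ports}
            for proto, ports in resolve_services(names, table).items()]


PortSpec = Union[int, Sequence[int]]


def normalise_ports(ports: Union[None, int, Sequence[PortSpec]]) -> List[Tuple[int, int]]:
    """Turn 1234, [1234, 1235] or [[1000, 2000], [3000, 4000]] into (low, high) ranges."""
    if ports is None:
        return []
    items: Sequence[PortSpec] = [ports] if isinstance(ports, int) else ports
    ranges: List[Tuple[int, int]] = []
    for item in items:
        if isinstance(item, int):
            low = high = item
        elif isinstance(item, (list, tuple)) and len(item) == 2:
            low, high = int(item[0]), int(item[1])
        else:
            raise ValueError(f"unsupported port spec {item!r}")
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"invalid port range {item!r}")
        ranges.append((low, high))
    return ranges


TABLE = parse_services(SERVICES_EXCERPT)

if __name__ == "__main__":
    print(service_term_fields(["ntp", "snmp", "ldap", "bgpd"], TABLE))
    print(normalise_ports([[1000, 2000], [3000, 4000]]))
```

With the four services from the example above, the tcp set is 123, 161, 389 and 2605 while the udp set is 123, 161 and 389, which is exactly the difference a single mixed term would paper over. The same strictness applies to typos in service names: resolution fails loudly instead of producing a term without a port match.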
CLI Example:
salt '*' capirca.get_term_config arista filter-name term-name source_address=1.2.3.4 destination_address=5.6.7.8 action=accept
Output Example:
! $Date: 2017/03/22 $
no ip access-list filter-name
ip access-list filter-name
 remark term-name
 permit ip host 1.2.3.4 host 5.6.7.8
exit
salt.modules.capirca_acl.get_term_pillar(filter_name, term_name, pillar_key='acl', pillarenv=None, saltenv=None)

Helper that can be used inside a state SLS, in order to get the term configuration given its name, under a certain filter uniquely identified by its name.

- filter_name
  The name of the filter.
- term_name
  The name of the term.
- pillar_key: acl
  The root key of the whole policy config. Default: acl.
- pillarenv
  Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.
- saltenv
  Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.