Dependencies

The firewall configuration is generated by Capirca.

To install Capirca, execute: pip install capirca.

salt.modules.capirca_acl.get_filter_config(platform, filter_name, filter_options=None, terms=None, prepend=True, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=True, only_lower_merge=False, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d')

Return the configuration of a policy filter.

platform

The name of the Capirca platform.

filter_name

The name of the policy filter.

filter_options

Additional filter options. These options are platform-specific. See the complete list of options.

terms

List of terms for this policy filter. If not specified or empty, will try to load the configuration from the pillar, unless merge_pillar is set as False.

prepend: True

When merge_pillar is set as True, the final list of terms generated by merging the terms from terms with those defined in the pillar (if any): new terms are prepended at the beginning, while existing ones will preserve the position. To add the new terms at the end of the list, set this argument to False.

pillar_key: acl

The key in the pillar containing the default attributes values. Default: acl.

pillarenv

Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv

Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.

merge_pillar: True

Merge the CLI variables with the pillar. Default: True.

only_lower_merge: False

Specify if it should merge only the terms fields. Otherwise it will try to merge also filters fields. Default: False.

revision_id

Add a comment in the filter config having the description for the changes applied.

revision_no

The revision count.

revision_date: True

Boolean flag: display the date when the filter configuration was generated. Default: True.

revision_date_format: %Y/%m/%d

The date format to be used when generating the perforce data. Default: %Y/%m/%d (<year>/<month>/<day>).

CLI Example:

salt '*' capirca.get_filter_config ciscoxr my-filter pillar_key=netacl

Output Example:

! $Id:$
! $Date:$
! $Revision:$
no ipv4 access-list my-filter
ipv4 access-list my-filter
 remark $Id:$
 remark my-term
 deny ipv4 any eq 1234 any
 deny ipv4 any eq 1235 any
 remark my-other-term
 permit tcp any range 5678 5680 any
exit

The filter configuration has been loaded from the pillar, having the following structure:

netacl:
  - my-filter:
      terms:
        - my-term:
            source_port: [1234, 1235]
            action: reject
        - my-other-term:
            source_port:
              - [5678, 5680]
            protocol: tcp
            action: accept

salt.modules.capirca_acl.get_filter_pillar(filter_name, pillar_key='acl', pillarenv=None, saltenv=None)

Helper that can be used inside a state SLS, in order to get the filter configuration given its name.

filter_name

The name of the filter.

pillar_key

The root key of the whole policy config.

pillarenv

Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv

Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.

salt.modules.capirca_acl.get_policy_config(platform, filters=None, prepend=True, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=True, only_lower_merge=False, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d')

Return the configuration of the whole policy.

platform

The name of the Capirca platform.

filters

List of filters for this policy. If not specified or empty, will try to load the configuration from the pillar, unless merge_pillar is set as False.

prepend: True

When merge_pillar is set as True, the final list of filters generated by merging the filters from filters with those defined in the pillar (if any): new filters are prepended at the beginning, while existing ones will preserve the position. To add the new filters at the end of the list, set this argument to False.

pillar_key: acl

The key in the pillar containing the default attributes values. Default: acl.

pillarenv

Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv

Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.

merge_pillar: True

Merge the CLI variables with the pillar. Default: True.

only_lower_merge: False

Specify if it should merge only the filters and terms fields. Otherwise it will try to merge everything at the policy level. Default: False.

revision_id

Add a comment in the policy config having the description for the changes applied.

revision_no

The revision count.

revision_date: True

Boolean flag: display the date when the policy configuration was generated. Default: True.

revision_date_format: %Y/%m/%d

The date format to be used when generating the perforce data. Default: %Y/%m/%d (<year>/<month>/<day>).

CLI Example:

salt '*' capirca.get_policy_config juniper pillar_key=netacl

Output Example:

firewall {
    family inet {
        replace:
        /*
        ** $Id:$
        ** $Date:$
        ** $Revision:$
        **
        */
        filter my-filter {
            term my-term {
                from {
                    source-port [ 1234 1235 ];
                }
                then {
                    reject;
                }
            }
            term my-other-term {
                from {
                    protocol tcp;
                    source-port 5678-5680;
                }
                then accept;
            }
        }
    }
}
firewall {
    family inet {
        replace:
        /*
        ** $Id:$
        ** $Date:$
        ** $Revision:$
        **
        */
        filter my-other-filter {
            interface-specific;
            term dummy-term {
                from {
                    protocol [ tcp udp ];
                }
                then {
                    reject;
                }
            }
        }
    }
}

The policy configuration has been loaded from the pillar, having the following structure:

netacl:
  - my-filter:
      options:
        - not-interface-specific
      terms:
        - my-term:
            source_port: [1234, 1235]
            action: reject
        - my-other-term:
            source_port:
              - [5678, 5680]
            protocol: tcp
            action: accept
  - my-other-filter:
      terms:
        - dummy-term:
            protocol:
              - tcp
              - udp
            action: reject

salt.modules.capirca_acl.get_term_config(platform, filter_name, term_name, filter_options=None, pillar_key='acl', pillarenv=None, saltenv=None, merge_pillar=True, revision_id=None, revision_no=None, revision_date=True, revision_date_format='%Y/%m/%d', source_service=None, destination_service=None, **term_fields)

Return the configuration of a single policy term.

platform

The name of the Capirca platform.

filter_name

The name of the policy filter.

term_name

The name of the term.

filter_options

Additional filter options. These options are platform-specific. E.g.: inet6, bridge, object-group, See the complete list of options.

pillar_key: acl

The key in the pillar containing the default attributes values. Default: acl. If the pillar contains the following structure:

firewall:
  - my-filter:
      terms:
        - my-term:
            source_port: 1234
            source_address:
                - 1.2.3.4/32
                - 5.6.7.8/32

The pillar_key field would be specified as firewall.

pillarenv

Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv

Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.

merge_pillar: True

Merge the CLI variables with the pillar. Default: True.

revision_id

Add a comment in the term config having the description for the changes applied.

revision_no

The revision count.

revision_date: True

Boolean flag: display the date when the term configuration was generated. Default: True.

revision_date_format: %Y/%m/%d

The date format to be used when generating the perforce data. Default: %Y/%m/%d (<year>/<month>/<day>).

source_service

A special service to choose from. This is a helper so the user is able to select a source just using the name, instead of specifying a source_port and protocol.

As this module is available on Unix platforms only, it reads the IANA port assignment from /etc/services.

If the user requires additional shortcuts to be referenced, they can add entries under /etc/services, which can be managed using the file state.

destination_service

A special service to choose from. This is a helper so the user is able to select a source just using the name, instead of specifying a destination_port and protocol. Allows the same options as source_service.

term_fields

Term attributes. To see what fields are supported, please consult the list of supported keywords. Some platforms have few other optional keywords.

Note

The following fields are accepted:

• action
• address
• address_exclude
• comment
• counter
• expiration
• destination_address
• destination_address_exclude
• destination_port
• destination_prefix
• forwarding_class
• forwarding_class_except
• logging
• log_name
• loss_priority
• option
• policer
• port
• precedence
• principals
• protocol
• protocol_except
• qos
• pan_application
• routing_instance
• source_address
• source_address_exclude
• source_port
• source_prefix
• verbatim
• packet_length
• fragment_offset
• hop_limit
• icmp_type
• ether_type
• traffic_class_count
• traffic_type
• translated
• dscp_set
• dscp_match
• dscp_except
• next_ip
• flexible_match_range
• source_prefix_except
• destination_prefix_except
• vpn
• source_tag
• destination_tag
• source_interface
• destination_interface
• flattened
• flattened_addr
• flattened_saddr
• flattened_daddr
• priority

Note

The following fields can be also a single value and a list of values:

• action
• address
• address_exclude
• comment
• destination_address
• destination_address_exclude
• destination_port
• destination_prefix
• forwarding_class
• forwarding_class_except
• logging
• option
• port
• precedence
• principals
• protocol
• protocol_except
• pan_application
• source_address
• source_address_exclude
• source_port
• source_prefix
• verbatim
• icmp_type
• ether_type
• traffic_type
• dscp_match
• dscp_except
• flexible_match_range
• source_prefix_except
• destination_prefix_except
• source_tag
• destination_tag
• source_service
• destination_service

Example: destination_address can be either defined as:

destination_address: 172.17.17.1/24

or as a list of destination IP addresses:

destination_address:
    - 172.17.17.1/24
    - 172.17.19.1/24

or a list of services to be matched:

source_service:
    - ntp
    - snmp
    - ldap
    - bgpd

Note

The port fields source_port and destination_port can be used as above to select either a single value, either a list of values, but also they can select port ranges. Example:

source_port:
    - [1000, 2000]
    - [3000, 4000]

With the configuration above, the user is able to select the 1000-2000 and 3000-4000 source port ranges.

CLI Example:

salt '*' capirca.get_term_config arista filter-name term-name source_address=1.2.3.4 destination_address=5.6.7.8 action=accept

Output Example:

! $Date: 2017/03/22 $
no ip access-list filter-name
ip access-list filter-name
 remark term-name
 permit ip host 1.2.3.4 host 5.6.7.8
exit

salt.modules.capirca_acl.get_term_pillar(filter_name, term_name, pillar_key='acl', pillarenv=None, saltenv=None)

Helper that can be used inside a state SLS, in order to get the term configuration given its name, under a certain filter uniquely identified by its name.

filter_name

The name of the filter.

term_name

The name of the term.

pillar_key: acl

The root key of the whole policy config. Default: acl.

pillarenv

Query the master to generate fresh pillar data on the fly, specifically from the requested pillar environment.

saltenv

Included only for compatibility with pillarenv_from_saltenv, and is otherwise ignored.