junipernetworks.junos.junos_acls – ACLs resource module
Note: This plugin is part of the junipernetworks.junos collection (version 1.2.1).
To install it use: ansible-galaxy collection install junipernetworks.junos.
To use it in a playbook, specify: junipernetworks.junos.junos_acls.
New in version 1.0.0 of junipernetworks.junos
Synopsis
- This module provides declarative management of acls/filters on Juniper JUNOS devices
Note: This module has a corresponding action plugin.
Requirements
The below requirements are needed on the host that executes this module.
- ncclient (>=v0.6.4)
- xmltodict (>=0.12.0)
Parameters
Each parameter is listed with its type, nested under the parameter that contains it; `required` marks keys the module insists on.

- config (list / elements=dictionary): A dictionary of acls options.
  - acls (list / elements=dictionary): List of Access Control Lists (ACLs).
    - aces (list / elements=dictionary): List of Access Control Entries (ACEs) for this Access Control List (ACL).
      - destination (dictionary): Specifies the destination for the filter.
        - address (string): Match IP destination address.
        - port_protocol (dictionary): Specify the destination port or protocol.
          - eq (string): Match only packets on a given port number.
          - range (dictionary): Match only packets in the range of port numbers.
            - end (integer): Specify the end of the port range.
            - start (integer): Specify the start of the port range.
        - prefix_list (string): Match IP destination prefixes in named list.
      - grant (string): Action to take after matching condition (allow, discard/reject).
      - name (string / required): Filter term name.
      - protocol (string): Specify the protocol to match. Refer to vendor documentation for valid values.
      - protocol_options (dictionary): All possible suboptions for the protocol chosen.
        - icmp (dictionary): ICMP protocol options.
          - dod_host_prohibited (boolean): Host prohibited.
          - dod_net_prohibited (boolean): Net prohibited.
          - echo (boolean): Echo (ping).
          - echo_reply (boolean): Echo reply.
          - host_redirect (boolean): Host redirect.
          - host_tos_redirect (boolean): Host redirect for TOS.
          - host_tos_unreachable (boolean): Host unreachable for TOS.
          - host_unknown (boolean): Host unknown.
          - host_unreachable (boolean): Host unreachable.
          - net_redirect (boolean): Network redirect.
          - net_tos_redirect (boolean): Net redirect for TOS.
          - network_unknown (boolean): Network unknown.
          - port_unreachable (boolean): Port unreachable.
          - protocol_unreachable (boolean): Protocol unreachable.
          - reassembly_timeout (boolean): Reassembly timeout.
          - redirect (boolean): All redirects.
          - router_advertisement (boolean): Router discovery advertisements.
          - router_solicitation (boolean): Router discovery solicitations.
          - source_route_failed (boolean): Source route failed.
          - time_exceeded (boolean): All time exceeded.
          - ttl_exceeded (boolean): TTL exceeded.
      - source (dictionary): Specifies the source for the filter.
        - address (string): IP source address to use for the filter.
        - port_protocol (dictionary): Specify the source port or protocol.
          - eq (string): Match only packets on a given port number.
          - range (dictionary): Match only packets in the range of port numbers.
            - end (integer): Specify the end of the port range.
            - start (integer): Specify the start of the port range.
        - prefix_list (string): IP source prefix list to use for the filter.
    - name (string / required): Name to use for the acl filter.
  - afi (string / required): Protocol family to use by the acl filter.
- state (string): The state the configuration should be left in.
Notes
- This module requires the netconf system service be enabled on the device being managed.
- This module works with connection netconf. See the Junos OS Platform Options.
- Tested against JunOS v18.4R1
Examples
```yaml
# Using merged

# Before state:
# -------------
#
# admin# show firewall

- name: Merge JUNOS acl
  junipernetworks.junos.junos_acls:
    config:
      - afi: ipv4
        acls:
          - name: allow_ssh_acl
            aces:
              - name: ssh_rule
                source:
                  port_protocol:
                    eq: ssh
                protocol: tcp
    state: merged

# After state:
# -------------
# admin# show firewall
# family inet {
#     filter allow_ssh_acl {
#         term ssh_rule {
#             from {
#                 protocol tcp;
#                 source-port ssh;
#             }
#         }
#     }
# }
```
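The parameter model above and the merged example are easier to review if the same structure can be rendered to Junos filter syntax offline, before a playbook pushes it. The following Python is an added example, not code from the junipernetworks.junos collection: it takes a `config` list shaped exactly as the parameters above, checks the required `name` and `afi` keys and that port ranges are ordered, and renders the `family ... { filter ... { term ... } }` text of the After state. The `protocol` and `source-port` rendering is taken from that After state; the `FAMILY`, `ACTION` and `ICMP` keyword mappings, the `AclConfigError` type and the `PAGE_EXAMPLE` constant are assumptions made here for illustration, and only a subset of the ICMP sub-options is covered.

```python
"""Offline preview of a junos_acls ``config`` block in Junos filter syntax.

Added example, not code from the junipernetworks.junos collection: it walks the
module's documented data model and renders the text the page's "After state"
shows. Family, action and ICMP keyword mappings below are assumptions.
"""

# Assumed: module afi value -> Junos address family keyword.
FAMILY = {"ipv4": "inet", "ipv6": "inet6"}

# Assumed: module grant value -> Junos filter action.
ACTION = {"allow": "accept", "permit": "accept",
          "discard": "discard", "deny": "discard", "reject": "reject"}

# Assumed: a subset of the boolean ICMP sub-options -> Junos match keyword.
ICMP = {
    "echo": ("icmp-type", "echo-request"),
    "echo_reply": ("icmp-type", "echo-reply"),
    "time_exceeded": ("icmp-type", "time-exceeded"),
    "port_unreachable": ("icmp-code", "port-unreachable"),
    "host_unreachable": ("icmp-code", "host-unreachable"),
}

# Constructed copy of the page's "Using merged" example config.
PAGE_EXAMPLE = [{"afi": "ipv4", "acls": [{
    "name": "allow_ssh_acl",
    "aces": [{"name": "ssh_rule", "protocol": "tcp",
              "source": {"port_protocol": {"eq": "ssh"}}}],
}]}]


class AclConfigError(ValueError):
    """Raised when the config violates the module's documented schema."""


def _endpoint(direction, ep):
    """Render a source/destination sub-dictionary as 'from' match lines."""
    lines = []
    if ep.get("address"):
        lines.append(f"{direction}-address {ep['address']};")
    if ep.get("prefix_list"):
        lines.append(f"{direction}-prefix-list {ep['prefix_list']};")
    pp = ep.get("port_protocol") or {}
    if pp.get("eq") is not None:
        lines.append(f"{direction}-port {pp['eq']};")
    rng = pp.get("range")
    if rng:
        start, end = rng.get("start"), rng.get("end")
        if start is None or end is None or start > end:
            raise AclConfigError(f"{direction} port range needs start <= end, got {rng}")
        lines.append(f"{direction}-port {start}-{end};")
    return lines


def render_term(ace):
    """Render one ACE as a Junos 'term' block (list of lines, 4-space indent)."""
    name = ace.get("name")
    if not name:
        raise AclConfigError("every ace needs a name (required by the module)")
    match = []
    if ace.get("protocol"):
        match.append(f"protocol {ace['protocol']};")
    for direction in ("source", "destination"):
        if ace.get(direction):
            match += _endpoint(direction, ace[direction])
    icmp = (ace.get("protocol_options") or {}).get("icmp") or {}
    for key, enabled in icmp.items():
        if enabled:
            if key not in ICMP:
                raise AclConfigError(f"no rendering for icmp option {key!r} in this example")
            keyword, value = ICMP[key]
            match.append(f"{keyword} {value};")
    out = [f"term {name} {{"]
    if match:
        out += ["    from {"] + [f"        {m}" for m in match] + ["    }"]
    if ace.get("grant"):
        action = ACTION.get(ace["grant"])
        if action is None:
            raise AclConfigError(f"unknown grant value {ace['grant']!r}")
        out += ["    then {", f"        {action};", "    }"]
    out.append("}")
    return out


def render_config(config):
    """Render the whole module config as Junos 'family ... { filter ... }' text."""
    out = []
    for family in config:
        afi = family.get("afi")
        if afi not in FAMILY:
            raise AclConfigError(f"afi must be one of {sorted(FAMILY)}, got {afi!r}")
        out.append(f"family {FAMILY[afi]} {{")
        for acl in family.get("acls") or []:
            if not acl.get("name"):
                raise AclConfigError("every acl needs a name (required by the module)")
            out.append(f"    filter {acl['name']} {{")
            for ace in acl.get("aces") or []:
                out += [f"        {line}" for line in render_term(ace)]
            out.append("    }")
        out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_config(PAGE_EXAMPLE))
```

Run directly, it prints the After state shown above for the page's example; given a larger config it yields reviewable text for what a merge would add, and a reversed port range, a missing term name or an unknown `afi` fails in the renderer rather than at the device.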
Return Values
Common return values are documented here; the following are the fields unique to this module:

| Key | Type | Returned | Description |
|---|---|---|---|
| after | list / elements=string | when changed | The resulting configuration model invocation. Sample: the configuration returned will always be in the same format as the parameters above. |
| before | list / elements=string | always | The configuration prior to the model invocation. Sample: the configuration returned will always be in the same format as the parameters above. |
| commands | list / elements=string | always | The set of commands pushed to the remote device. Sample: `['command 1', 'command 2', 'command 3']` |
Authors
- Daniel Mellado (@dmellado)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/junipernetworks/junos/junos_acls_module.html