junipernetworks.junos.junos_acls – ACLs resource module
Note: This plugin is part of the junipernetworks.junos collection (version 2.6.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install junipernetworks.junos.
To use it in a playbook, specify: junipernetworks.junos.junos_acls.
New in version 1.0.0 of junipernetworks.junos.
Synopsis
- This module provides declarative management of ACLs (firewall filters) on Juniper JUNOS devices.

Note: This module has a corresponding action plugin.
Requirements
The below requirements are needed on the host that executes this module.
- ncclient (>=v0.6.4)
- xmltodict (>=0.12.0)
Parameters
Nested options are listed as dotted paths from the top-level parameter they belong to (for example, config.acls.aces.name is the name of a term inside an ACL inside config).

| Parameter | Type | Comments |
|---|---|---|
| config | list / elements=dictionary | A dictionary of acls options. |
| config.afi | string / required | Protocol family to use by the acl filter. |
| config.acls | list / elements=dictionary | List of Access Control Lists (ACLs). |
| config.acls.name | string / required | Name to use for the acl filter. |
| config.acls.aces | list / elements=dictionary | List of Access Control Entries (ACEs) for this Access Control List (ACL). |
| config.acls.aces.name | string / required | Filter term name. |
| config.acls.aces.grant | string | Action to take after matching condition (allow, discard/reject). |
| config.acls.aces.protocol | string | Specify the protocol to match. Refer to vendor documentation for valid values. |
| config.acls.aces.protocol_options | dictionary | All possible suboptions for the protocol chosen. |
| config.acls.aces.protocol_options.icmp | dictionary | ICMP protocol options. |
| config.acls.aces.protocol_options.icmp.dod_host_prohibited | boolean | Host prohibited. |
| config.acls.aces.protocol_options.icmp.dod_net_prohibited | boolean | Net prohibited. |
| config.acls.aces.protocol_options.icmp.echo | boolean | Echo (ping). |
| config.acls.aces.protocol_options.icmp.echo_reply | boolean | Echo reply. |
| config.acls.aces.protocol_options.icmp.host_redirect | boolean | Host redirect. |
| config.acls.aces.protocol_options.icmp.host_tos_redirect | boolean | Host redirect for TOS. |
| config.acls.aces.protocol_options.icmp.host_tos_unreachable | boolean | Host unreachable for TOS. |
| config.acls.aces.protocol_options.icmp.host_unknown | boolean | Host unknown. |
| config.acls.aces.protocol_options.icmp.host_unreachable | boolean | Host unreachable. |
| config.acls.aces.protocol_options.icmp.net_redirect | boolean | Network redirect. |
| config.acls.aces.protocol_options.icmp.net_tos_redirect | boolean | Net redirect for TOS. |
| config.acls.aces.protocol_options.icmp.network_unknown | boolean | Network unknown. |
| config.acls.aces.protocol_options.icmp.port_unreachable | boolean | Port unreachable. |
| config.acls.aces.protocol_options.icmp.protocol_unreachable | boolean | Protocol unreachable. |
| config.acls.aces.protocol_options.icmp.reassembly_timeout | boolean | Reassembly timeout. |
| config.acls.aces.protocol_options.icmp.redirect | boolean | All redirects. |
| config.acls.aces.protocol_options.icmp.router_advertisement | boolean | Router discovery advertisements. |
| config.acls.aces.protocol_options.icmp.router_solicitation | boolean | Router discovery solicitations. |
| config.acls.aces.protocol_options.icmp.source_route_failed | boolean | Source route failed. |
| config.acls.aces.protocol_options.icmp.time_exceeded | boolean | All time exceeded. |
| config.acls.aces.protocol_options.icmp.ttl_exceeded | boolean | TTL exceeded. |
| config.acls.aces.source | dictionary | Specifies the source for the filter. |
| config.acls.aces.source.address | raw | IP source address to use for the filter. |
| config.acls.aces.source.port_protocol | dictionary | Specify the source port or protocol. |
| config.acls.aces.source.port_protocol.eq | string | Match only packets on a given port number. |
| config.acls.aces.source.port_protocol.range | dictionary | Match only packets in the range of port numbers. |
| config.acls.aces.source.port_protocol.range.start | integer | Specify the start of the port range. |
| config.acls.aces.source.port_protocol.range.end | integer | Specify the end of the port range. |
| config.acls.aces.source.prefix_list | list / elements=dictionary | IP source prefix list to use for the filter. |
| config.acls.aces.source.prefix_list.name | string | Name of the list. |
| config.acls.aces.destination | dictionary | Specifies the destination for the filter. |
| config.acls.aces.destination.address | raw | Match IP destination address. |
| config.acls.aces.destination.port_protocol | dictionary | Specify the destination port or protocol. |
| config.acls.aces.destination.port_protocol.eq | string | Match only packets on a given port number. |
| config.acls.aces.destination.port_protocol.range | dictionary | Match only packets in the range of port numbers. |
| config.acls.aces.destination.port_protocol.range.start | integer | Specify the start of the port range. |
| config.acls.aces.destination.port_protocol.range.end | integer | Specify the end of the port range. |
| config.acls.aces.destination.prefix_list | list / elements=dictionary | Match IP destination prefixes in named list. |
| config.acls.aces.destination.prefix_list.name | string | Name of the list. |
| state | string | The state the configuration should be left in. |
Notes
- This module requires the netconf system service be enabled on the device being managed.
- This module works with connection netconf. See the Junos OS Platform Options.
- Tested against JunOS v18.4R1.
Examples
```yaml
# Using merged

# Before state:
# -------------
#
# admin# show firewall

- name: Merge JUNOS acl
  junipernetworks.junos.junos_acls:
    config:
    - afi: ipv4
      acls:
      - name: allow_ssh_acl
        aces:
        - name: ssh_rule
          source:
            port_protocol:
              eq: ssh
          protocol: tcp
    # state is a module-level option, a sibling of config, not a key inside it
    state: merged

# After state:
# -------------
# admin# show firewall
# family inet {
#     filter allow_ssh_acl {
#         term ssh_rule {
#             from {
#                 protocol tcp;
#                 source-port ssh;
#             }
#         }
#     }
# }
```
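The following is an added example, not code from the junipernetworks.junos collection or from the module's author. It takes data in the same shape as the `config` parameter documented above (config, afi, acls, aces, source/destination, port_protocol, prefix_list, grant) and does two things a reviewer wants before a play touches a firewall filter: lint the structure for problems the parameter table implies but a playbook cannot enforce by itself (required names, a port range whose start exceeds its end), and render the terms as human-readable Junos `set` lines that mirror the `show firewall` output in the merged example. The family names (ipv4 to inet, ipv6 to inet6) and the grant-to-action mapping (allow to accept, discard, reject) are assumptions about device syntax, not something this page documents; ICMP protocol_options are not rendered. `SAMPLE_CONFIG`, `lint_config` and `render_set_commands` are names chosen for this example.

```python
"""Lint and preview junos_acls-style `config` data as Junos `set` commands.

Added example, not part of the junipernetworks.junos collection.  Input
follows the module's documented parameter tree (config -> acls -> aces).
FAMILY and ACTION encode assumptions about device syntax; the page itself
documents only the parameter names.
"""

FAMILY = {"ipv4": "inet", "ipv6": "inet6"}                               # assumption
ACTION = {"allow": "accept", "discard": "discard", "reject": "reject"}   # assumption


def lint_config(config):
    """Return a list of problem strings for a config list, or [] if it looks sane."""
    problems = []
    for fam in config:
        if fam.get("afi") not in FAMILY:
            problems.append(f"unknown afi {fam.get('afi')!r}")
        for acl in fam.get("acls") or []:
            if not acl.get("name"):
                problems.append("acl without a name")
            for ace in acl.get("aces") or []:
                if not ace.get("name"):
                    problems.append(f"term without a name in acl {acl.get('name')!r}")
                if "grant" in ace and ace["grant"] not in ACTION:
                    problems.append(f"unknown grant {ace['grant']!r} in term {ace.get('name')!r}")
                for side in ("source", "destination"):
                    rng = ((ace.get(side) or {}).get("port_protocol") or {}).get("range")
                    if rng and rng["start"] > rng["end"]:
                        problems.append(
                            f"{side} port range {rng['start']}-{rng['end']} "
                            f"in term {ace.get('name')!r} has start > end"
                        )
    return problems


def _match_clauses(side, spec):
    """Match clauses for one side ('source' or 'destination') of a term."""
    clauses = []
    if spec.get("address"):
        clauses.append(f"{side}-address {spec['address']}")
    for entry in spec.get("prefix_list") or []:
        clauses.append(f"{side}-prefix-list {entry['name']}")
    port = spec.get("port_protocol") or {}
    if "eq" in port:
        clauses.append(f"{side}-port {port['eq']}")
    if "range" in port:
        clauses.append(f"{side}-port {port['range']['start']}-{port['range']['end']}")
    return clauses


def render_set_commands(config):
    """Render a lint-clean config list as Junos `set` commands, in term order."""
    cmds = []
    for fam in config:
        family = FAMILY[fam["afi"]]
        for acl in fam["acls"]:
            filt = f"set firewall family {family} filter {acl['name']}"
            for ace in acl.get("aces") or []:
                term = f"{filt} term {ace['name']}"
                if ace.get("protocol"):
                    cmds.append(f"{term} from protocol {ace['protocol']}")
                for side in ("source", "destination"):
                    for clause in _match_clauses(side, ace.get(side) or {}):
                        cmds.append(f"{term} from {clause}")
                # A term without grant gets no 'then' clause, as in the page's merged example.
                if ace.get("grant"):
                    cmds.append(f"{term} then {ACTION[ace['grant']]}")
    return cmds


# Constructed sample: the page's merged example, plus a narrower allow term
# and a closing discard term so that both match clauses and actions are exercised.
SAMPLE_CONFIG = [
    {
        "afi": "ipv4",
        "acls": [
            {
                "name": "allow_ssh_acl",
                "aces": [
                    {"name": "ssh_rule", "protocol": "tcp",
                     "source": {"port_protocol": {"eq": "ssh"}}},
                    {"name": "mgmt_range", "protocol": "tcp",
                     "source": {"prefix_list": [{"name": "mgmt_hosts"}]},
                     "destination": {"address": "10.0.0.0/24",
                                     "port_protocol": {"range": {"start": 8000, "end": 8100}}},
                     "grant": "allow"},
                    {"name": "deny_rest", "grant": "discard"},
                ],
            }
        ],
    }
]

if __name__ == "__main__":
    for problem in lint_config(SAMPLE_CONFIG):
        print("problem:", problem)
    for cmd in render_set_commands(SAMPLE_CONFIG):
        print(cmd)
```

The rendered lines are a review aid for the change, not what the module sends: the module talks to the device over NETCONF (hence the ncclient requirement), so treat the `set` preview as the reviewer's reading of the intended filter and the module's `before`/`after` return values as the authoritative record of what changed.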
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Type | Returned | Description |
|---|---|---|---|
| after | list / elements=string | when changed | The resulting configuration model invocation. Sample: The configuration returned will always be in the same format of the parameters above. |
| before | list / elements=string | always | The configuration prior to the model invocation. Sample: The configuration returned will always be in the same format of the parameters above. |
| commands | list / elements=string | always | The set of commands pushed to the remote device. Sample: ['command 1', 'command 2', 'command 3'] |
Authors
- Daniel Mellado (@dmellado)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
 https://docs.ansible.com/ansible/latest/collections/junipernetworks/junos/junos_acls_module.html