Comments (5)
[Haven't followed threads here for a while but just saw this coming in and decided to have a look.]
This is is a specific check in the junipersrx.py:
for application_set in self.applications:
if (term.name == application_set['name'] and
new_application_set != application_set):
raise ConflictingApplicationSets(
'Application set %s has a conflicting entry' % term.name)
https://github.com/google/capirca/blob/master/lib/junipersrx.py#L481
This specifically checks for all policy names that over all policy terms globally, none has the same name.
Just now I don't have an SRX handy to check whether policy names have to be unique just within a scr/dst zone tuple or globally. I tried to find some Juniper docs but didn't find anything conclusive:
http://www.juniper.net/documentation/en_US/junos15.1x49/topics/concept/policy-rule-understanding.html
Do you have an SRX around or a pointer to docs that confirm it's ok to have dupes in policy names?
from capirca.
It is okay to have dupes as long as they are in different source/destination zones tuples.
This example is from our current prod SRXs and was working with Capirca before the recent large commit.
from capirca.
Thanks!
Yeah looks like this check was introduced by the sync @ankenyr is working on:
d450b92?diff=split
Rob, thoughts? Seems to be easy enough to just iterate over the term names in the same src/dst zone tuple.
from capirca.
The SRX generator has had problems with its address book since I first created it. Most of these have to do with the fact that it tries to preserve the naming.py definition names.
I have it on our wishlist / roadmap that we would like to rethink SRX addressbooks and how they work.
There are other problems that we have found such as if a definition is used in two different places and the second one collapses differently, it will affect the addressbook and likely make an unintended change to the other places it was used.
The way I am currently leaning is to change addressbook to have entries for each term.
Therefore the ACL would look something like the following
global {
address test-icmp-src_0 10.0.0.1/32;
address test-icmp-src_1 10.0.0.2/32;
address-set test-icmp {
test-icmp-src_0;
test-icmp-src_1;
}
from-zone foo to-zone bar {
policy test-icmp {
match{
source-address test-icmp-src
then {
......
The benefit of this is it works more like every other generator where the addresses are a set of the IPs in its source and destination. The downside is we would lose the brevity we have with the current address book. If there are duplicate entries they will not be re-used.
from capirca.
Ok took a look at things and I feel this is working as intended.
The error comes up when there would be a conflicting name but the application sets are not equal
In other words the following is valid
header {
target:: srx from-zone a to-zone b
}
term accept-http {
destination-address:: WEB_SERVERS
destination-port:: HTTP
protocol:: tcp
action:: accept
}
header {
target:: srx from-zone c to-zone b
}
term accept-http {
destination-address:: WEB_SERVERS
destination-port:: HTTP
protocol:: tcp
action:: accept
}
both terms are named the same and expose the same ports and thus the application-set will not be modified.
Switching one destination-port
to something like SSH will cause this error and I feel that is correct. I don't see how you would resolve this besides renaming the term. Let me know if you disagree.
from capirca.
Related Issues (20)
- Release new PyPi version HOT 1
- Support for IOSXR IPv6 Object Group ACLs
- Cisco object-group ACLs don't properly render ICMP type and code
- Cisco remarks missing quotes HOT 2
- Indentation is wrong for the return statement HOT 1
- iptables does not generate any rules from protocol:: icmp icmpv6
- Installer doesn't put capirca command in ~/.local/bin HOT 1
- Juniper ethernet-switching for EX or QFX
- Capirca overwrites the tools namespace HOT 1
- Add support in ArubaOS-Switch and AOS-CX-Switch HOT 4
- Add support in HP Advanced ACL
- Add support in Cisco WLC ACL
- ACL with line numbering
- Add a generator for NSX-T HOT 3
- Allow dot in token names
- Implement atomic acl updates on cisco ios
- Add support for MikroTik RouterOS ACLs
- Build is broken on Python 3.8 due to types used in NSX-T plugin HOT 1
- NSX-T plugin generates invalid payload: netblocks including 0.0.0.0/anything, port ranges consisting of one port HOT 2
- Add support for OPNSense
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from capirca.