junipernetworks.junos.junos_acls – ACLs resource module
Note
This plugin is part of the junipernetworks.junos collection (version 1.3.0).
To install it use: ansible-galaxy collection install junipernetworks.junos.
To use it in a playbook, specify: junipernetworks.junos.junos_acls.
New in version 1.0.0 of junipernetworks.junos
Synopsis
- This module provides declarative management of acls/filters on Juniper JUNOS devices
Requirements
The below requirements are needed on the host that executes this module.
- ncclient (>=v0.6.4)
- xmltodict (>=0.12.0)
Parameters
Nesting is shown by indentation in the Parameter column; each indented option belongs to the option above it.

| Parameter | Type | Choices/Defaults | Comments |
|---|---|---|---|
| config | list / elements=dictionary | | The ACL configuration to manage, one entry per address family. |
|   acls | list / elements=dictionary | | List of Access Control Lists (ACLs). |
|     aces | list / elements=dictionary | | List of Access Control Entries (ACEs), i.e. filter terms, for this Access Control List (ACL). |
|       destination | dictionary | | Specifies the destination match conditions for the term. |
|         address | string | | Match IP destination address. |
|         port_protocol | dictionary | | Specify the destination port or protocol. |
|           eq | string | | Match only packets on a given port number. |
|           range | dictionary | | Match only packets in the given range of port numbers. |
|             end | integer | | Specify the end of the port range. |
|             start | integer | | Specify the start of the port range. |
|         prefix_list | list / elements=dictionary | | Match IP destination prefixes in a named list. |
|           name | string | | Name of the prefix list. |
|       grant | string | | Action to take when the term matches: allow the packet, or discard/reject it. |
|       name | string / required | | Filter term name. |
|       protocol | string | | Specify the protocol to match. Refer to vendor documentation for valid values. |
|       protocol_options | dictionary | | All possible suboptions for the protocol chosen. |
|         icmp | dictionary | | ICMP protocol options. |
|           dod_host_prohibited | boolean | | Host prohibited |
|           dod_net_prohibited | boolean | | Net prohibited |
|           echo | boolean | | Echo (ping) |
|           echo_reply | boolean | | Echo reply |
|           host_redirect | boolean | | Host redirect |
|           host_tos_redirect | boolean | | Host redirect for TOS |
|           host_tos_unreachable | boolean | | Host unreachable for TOS |
|           host_unknown | boolean | | Host unknown |
|           host_unreachable | boolean | | Host unreachable |
|           net_redirect | boolean | | Network redirect |
|           net_tos_redirect | boolean | | Net redirect for TOS |
|           network_unknown | boolean | | Network unknown |
|           port_unreachable | boolean | | Port unreachable |
|           protocol_unreachable | boolean | | Protocol unreachable |
|           reassembly_timeout | boolean | | Reassembly timeout |
|           redirect | boolean | | All redirects |
|           router_advertisement | boolean | | Router discovery advertisements |
|           router_solicitation | boolean | | Router discovery solicitations |
|           source_route_failed | boolean | | Source route failed |
|           time_exceeded | boolean | | All time exceeded |
|           ttl_exceeded | boolean | | TTL exceeded |
|       source | dictionary | | Specifies the source match conditions for the term. |
|         address | string | | IP source address to match. |
|         port_protocol | dictionary | | Specify the source port or protocol. |
|           eq | string | | Match only packets on a given port number. |
|           range | dictionary | | Match only packets in the given range of port numbers. |
|             end | integer | | Specify the end of the port range. |
|             start | integer | | Specify the start of the port range. |
|         prefix_list | list / elements=dictionary | | Match IP source prefixes in a named list. |
|           name | string | | Name of the prefix list. |
|     name | string / required | | Name of the ACL (the Junos filter name). |
|   afi | string / required | | Address family the ACL filter applies to. |
| state | string | | The state the configuration should be left in. |
Notes
- This module requires the netconf system service be enabled on the device being managed.
- This module works with connection netconf. See the Junos OS Platform Options.
- Tested against JunOS v18.4R1
Examples
```yaml
# Using merged

# Before state:
# -------------
#
# admin# show firewall

- name: Merge JUNOS acl
  junipernetworks.junos.junos_acls:
    config:
      - afi: ipv4
        acls:
          - name: allow_ssh_acl
            aces:
              - name: ssh_rule
                source:
                  port_protocol:
                    eq: ssh
                protocol: tcp
    state: merged

# After state:
# -------------
# admin# show firewall
# family inet {
#     filter allow_ssh_acl {
#         term ssh_rule {
#             from {
#                 protocol tcp;
#                 source-port ssh;
#             }
#         }
#     }
# }
```
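Because the module is declarative, the `config` list is the whole policy, and it is worth linting that data model before pushing it to the device. The Python below is an added example, not code from the junipernetworks.junos collection; it relies only on the parameter schema documented above and assumes, as an assumption, that `grant` takes the values `permit` and `deny`. The sample config is constructed. It deliberately reuses the page's `ssh_rule` term to surface a caveat: that term matches source-port ssh, i.e. replies coming from SSH servers, not SSH sessions to the device, and because a Junos term with no action accepts the packets it matches, it permits them silently.

```python
"""Static policy checks over the junos_acls `config` data model.

Added example; not part of the junipernetworks.junos collection. It assumes
only the documented parameter schema (afi / acls / aces / name, grant,
protocol, protocol_options, source, destination, port_protocol, prefix_list)
and, as an assumption, that grant takes the values "permit" and "deny".
"""
from typing import Any, Dict, List, Optional

Ace = Dict[str, Any]

# Constructed sample: what a playbook's `config:` hands to the module.
SAMPLE_CONFIG = [
    {
        "afi": "ipv4",
        "acls": [
            {
                "name": "allow_ssh_acl",
                "aces": [
                    # Same term as the page's merged example: it matches
                    # source-port ssh, i.e. replies from SSH servers.
                    {"name": "ssh_rule", "protocol": "tcp",
                     "source": {"port_protocol": {"eq": "ssh"}}},
                    # Inbound SSH, restricted to a named management prefix list.
                    {"name": "mgmt_ssh", "grant": "permit", "protocol": "tcp",
                     "source": {"prefix_list": [{"name": "mgmt-hosts"}]},
                     "destination": {"port_protocol": {"eq": "ssh"}}},
                    # A permit term with no `from` conditions accepts everything.
                    {"name": "anything", "grant": "permit"},
                    {"name": "drop_all", "grant": "deny"},
                ],
            }
        ],
    }
]


def _permits(ace: Ace) -> bool:
    """Junos accepts matched packets when a term has no action, so a
    missing grant counts as permit (grant values are assumed permit/deny)."""
    return ace.get("grant", "permit") != "deny"


def _port(side: Optional[Dict[str, Any]]) -> str:
    """The `eq` port of a source/destination block, or '' if none."""
    return ((side or {}).get("port_protocol") or {}).get("eq", "")


def _has_match(ace: Ace) -> bool:
    """True if the term would render at least one `from` condition."""
    if ace.get("protocol") or ace.get("protocol_options"):
        return True
    for side in ("source", "destination"):
        blk = ace.get(side) or {}
        pp = blk.get("port_protocol") or {}
        if blk.get("address") or blk.get("prefix_list") or pp.get("eq") or pp.get("range"):
            return True
    return False


def check_config(config: List[Dict[str, Any]]) -> List[str]:
    """Return human-readable findings; an empty list means the model passed."""
    findings: List[str] = []
    for fam in config:
        for acl in fam.get("acls", []):
            aces = acl.get("aces", [])
            acl_loc = f"{fam['afi']}/{acl['name']}"
            for ace in aces:
                loc = f"{acl_loc}/{ace['name']}"
                if not _permits(ace):
                    continue  # deny terms cannot widen the policy
                if not _has_match(ace):
                    findings.append(f"{loc}: permit term with no match conditions accepts all traffic")
                if _port(ace.get("source")) == "ssh" and _port(ace.get("destination")) != "ssh":
                    findings.append(f"{loc}: matches source-port ssh (SSH server replies), not inbound "
                                    "SSH; use destination.port_protocol for sessions to the device")
                if _port(ace.get("destination")) == "ssh":
                    src = ace.get("source") or {}
                    if not (src.get("address") or src.get("prefix_list")):
                        findings.append(f"{loc}: permits SSH from any source; add source.address "
                                        "or source.prefix_list")
            # Junos discards whatever no term matches; an explicit deny term
            # makes that drop visible in the model instead of relying on it.
            if aces and all(_permits(a) for a in aces):
                findings.append(f"{acl_loc}: no explicit deny term; unmatched traffic falls to "
                                "Junos's implicit discard")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG):
        print(line)
```

Run it against the same variable you feed to `config:` (for example by loading the playbook's vars file) and fail the play before the module task when the list is non-empty.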
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Type | Returned | Description |
|---|---|---|---|
| after | list / elements=string | when changed | The resulting configuration model invocation. Sample: the configuration returned will always be in the same format as the parameters above. |
| before | list / elements=string | always | The configuration prior to the model invocation. Sample: the configuration returned will always be in the same format as the parameters above. |
| commands | list / elements=string | always | The set of commands pushed to the remote device. Sample: `['command 1', 'command 2', 'command 3']` |
Authors
- Daniel Mellado (@dmellado)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.11/collections/junipernetworks/junos/junos_acls_module.html