junipernetworks.junos.junos_acls – ACLs resource module
Note
This plugin is part of the junipernetworks.junos collection (version 2.6.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install junipernetworks.junos
To use it in a playbook, specify: junipernetworks.junos.junos_acls
New in version 1.0.0 of junipernetworks.junos
Synopsis
- This module provides declarative management of acls/filters on Juniper JUNOS devices
Note
This module has a corresponding action plugin.
Requirements
The below requirements are needed on the host that executes this module.
- ncclient (>=v0.6.4)
- xmltodict (>=0.12.0)
Parameters
Options are nested; each indented item is a suboption of the item above it. Type and whether the option is required are given in parentheses.

- config (list / elements=dictionary): A dictionary of acls options
  - acls (list / elements=dictionary): List of Access Control Lists (ACLs).
    - aces (list / elements=dictionary): List of Access Control Entries (ACEs) for this Access Control List (ACL).
      - destination (dictionary): Specifies the destination for the filter
        - address (raw): Match IP destination address
        - port_protocol (dictionary): Specify the destination port or protocol.
          - eq (string): Match only packets on a given port number.
          - range (dictionary): Match only packets in the range of port numbers
            - end (integer): Specify the end of the port range
            - start (integer): Specify the start of the port range
        - prefix_list (list / elements=dictionary): Match IP destination prefixes in named list
          - name (string): Name of the list
      - grant (string): Action to take after matching condition (allow, discard/reject)
      - name (string / required): Filter term name
      - protocol (string): Specify the protocol to match. Refer to vendor documentation for valid values.
      - protocol_options (dictionary): All possible suboptions for the protocol chosen.
        - icmp (dictionary): ICMP protocol options.
          - dod_host_prohibited (boolean): Host prohibited
          - dod_net_prohibited (boolean): Net prohibited
          - echo (boolean): Echo (ping)
          - echo_reply (boolean): Echo reply
          - host_redirect (boolean): Host redirect
          - host_tos_redirect (boolean): Host redirect for TOS
          - host_tos_unreachable (boolean): Host unreachable for TOS
          - host_unknown (boolean): Host unknown
          - host_unreachable (boolean): Host unreachable
          - net_redirect (boolean): Network redirect
          - net_tos_redirect (boolean): Net redirect for TOS
          - network_unknown (boolean): Network unknown
          - port_unreachable (boolean): Port unreachable
          - protocol_unreachable (boolean): Protocol unreachable
          - reassembly_timeout (boolean): Reassembly timeout
          - redirect (boolean): All redirects
          - router_advertisement (boolean): Router discovery advertisements
          - router_solicitation (boolean): Router discovery solicitations
          - source_route_failed (boolean): Source route failed
          - time_exceeded (boolean): All time exceeded.
          - ttl_exceeded (boolean): TTL exceeded
      - source (dictionary): Specifies the source for the filter
        - address (raw): IP source address to use for the filter
        - port_protocol (dictionary): Specify the source port or protocol.
          - eq (string): Match only packets on a given port number.
          - range (dictionary): Match only packets in the range of port numbers
            - end (integer): Specify the end of the port range
            - start (integer): Specify the start of the port range
        - prefix_list (list / elements=dictionary): IP source prefix list to use for the filter
          - name (string): Name of the list
    - name (string / required): Name to use for the acl filter
  - afi (string / required): Protocol family to use by the acl filter
- state (string): The state the configuration should be left in
Notes
Note
- This module requires the netconf system service be enabled on the device being managed.
- This module works with connection netconf. See the Junos OS Platform Options.
- Tested against JunOS v18.4R1
Examples
```yaml
# Using merged

# Before state:
# -------------
#
# admin# show firewall

- name: Merge JUNOS acl
  junipernetworks.junos.junos_acls:
    config:
      - afi: ipv4
        acls:
          - name: allow_ssh_acl
            aces:
              - name: ssh_rule
                source:
                  port_protocol:
                    eq: ssh
                protocol: tcp
    state: merged

# After state:
# -------------
# admin# show firewall
# family inet {
#     filter allow_ssh_acl {
#         term ssh_rule {
#             from {
#                 protocol tcp;
#                 source-port ssh;
#             }
#         }
#     }
# }
```
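The page's example builds a single-term filter with no action. The playbook below is an added example, not part of the module documentation or the junipernetworks.junos collection, that exercises more of the options from the Parameters section in one place: a source prefix_list, a destination port match, ICMP protocol_options, and an explicit catch-all term. The host group junos_routers, the filter and term names, and the prefix list MGMT-HOSTS are constructed for illustration; the prefix list is assumed to already exist under policy-options on the device. The afi value follows the page's own example, and the grant values permit and deny are assumed, since the Choices cell for grant is not reproduced on this page.

```yaml
# Added example: a management-plane filter pushed with junos_acls.
# Terms are evaluated in the order listed, so the deny-rest term at the end
# discards whatever the earlier terms did not explicitly accept.
- name: Restrict management access on a JunOS device (added example)
  hosts: junos_routers                  # constructed inventory group
  gather_facts: false
  connection: ansible.netcommon.netconf # the module works with connection netconf (see Notes)

  tasks:
    - name: Merge the management filter into the device's firewall configuration
      junipernetworks.junos.junos_acls:
        config:
          - afi: ipv4                   # value taken from the page's example
            acls:
              - name: mgmt-filter       # constructed filter name
                aces:
                  # Term 1: TCP to the SSH port, only from the MGMT-HOSTS prefix list
                  - name: allow-ssh-from-mgmt
                    source:
                      prefix_list:
                        - name: MGMT-HOSTS   # assumed to exist under policy-options
                    destination:
                      port_protocol:
                        eq: ssh
                    protocol: tcp
                    grant: permit            # assumed choice value
                  # Term 2: ICMP echo / echo-reply so reachability checks keep working
                  - name: allow-icmp-echo
                    protocol: icmp
                    protocol_options:
                      icmp:
                        echo: true
                        echo_reply: true
                    grant: permit            # assumed choice value
                  # Term 3: catch-all with no match conditions; discards everything else
                  - name: deny-rest
                    grant: deny              # assumed choice value
        state: merged
      register: acl_result

    - name: Show the commands the module pushed (its 'commands' return value)
      ansible.builtin.debug:
        var: acl_result.commands
```

Two points worth checking after a run. First, the before and after return values come back in the same structure as the config parameter, so diffing acl_result.before against acl_result.after is the quickest way to confirm exactly which terms changed. Second, defining a filter does not activate it: a Junos firewall filter only takes effect once it is applied to an interface (for the management plane, typically the lo0 unit), and that interface binding is outside the scope of this module.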
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
after list / elements=string | when changed | The resulting configuration model invocation. Sample: The configuration returned will always be in the same format as the parameters above. |
before list / elements=string | always | The configuration prior to the model invocation. Sample: The configuration returned will always be in the same format as the parameters above. |
commands list / elements=string | always | The set of commands pushed to the remote device. Sample: ['command 1', 'command 2', 'command 3'] |
Authors
- Daniel Mellado (@dmellado)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/junipernetworks/junos/junos_acls_module.html