junipernetworks.junos.junos_acls – ACLs resource module
Note
This plugin is part of the junipernetworks.junos collection (version 1.2.1).
To install it use: ansible-galaxy collection install junipernetworks.junos.
To use it in a playbook, specify: junipernetworks.junos.junos_acls.
New in version 1.0.0 of junipernetworks.junos
Synopsis
- This module provides declarative management of acls/filters on Juniper JUNOS devices
Note
This module has a corresponding action plugin.
Requirements
The below requirements are needed on the host that executes this module.
- ncclient (>=v0.6.4)
- xmltodict (>=0.12.0)
Parameters
Nested parameters are written as dotted paths: `aces[]` abbreviates `config[].acls[].aces[]`, and `icmp.` abbreviates `aces[].protocol_options.icmp.`.

| Parameter | Choices/Defaults | Comments |
|---|---|---|
| config (list / elements=dictionary) |  | A dictionary of acls options |
| config[].acls (list / elements=dictionary) |  | List of Access Control Lists (ACLs). |
| config[].acls[].aces (list / elements=dictionary) |  | List of Access Control Entries (ACEs) for this Access Control List (ACL). |
| aces[].destination (dictionary) |  | Specifies the destination for the filter |
| aces[].destination.address (string) |  | Match IP destination address |
| aces[].destination.port_protocol (dictionary) |  | Specify the destination port or protocol. |
| aces[].destination.port_protocol.eq (string) |  | Match only packets on a given port number. |
| aces[].destination.port_protocol.range (dictionary) |  | Match only packets in the range of port numbers |
| aces[].destination.port_protocol.range.end (integer) |  | Specify the end of the port range |
| aces[].destination.port_protocol.range.start (integer) |  | Specify the start of the port range |
| aces[].destination.prefix_list (string) |  | Match IP destination prefixes in named list |
| aces[].grant (string) |  | Action to take after matching condition (allow, discard/reject) |
| aces[].name (string / required) |  | Filter term name |
| aces[].protocol (string) |  | Specify the protocol to match. Refer to vendor documentation for valid values. |
| aces[].protocol_options (dictionary) |  | All possible suboptions for the protocol chosen. |
| aces[].protocol_options.icmp (dictionary) |  | ICMP protocol options. |
| icmp.dod_host_prohibited (boolean) |  | Host prohibited |
| icmp.dod_net_prohibited (boolean) |  | Net prohibited |
| icmp.echo (boolean) |  | Echo (ping) |
| icmp.echo_reply (boolean) |  | Echo reply |
| icmp.host_redirect (boolean) |  | Host redirect |
| icmp.host_tos_redirect (boolean) |  | Host redirect for TOS |
| icmp.host_tos_unreachable (boolean) |  | Host unreachable for TOS |
| icmp.host_unknown (boolean) |  | Host unknown |
| icmp.host_unreachable (boolean) |  | Host unreachable |
| icmp.net_redirect (boolean) |  | Network redirect |
| icmp.net_tos_redirect (boolean) |  | Net redirect for TOS |
| icmp.network_unknown (boolean) |  | Network unknown |
| icmp.port_unreachable (boolean) |  | Port unreachable |
| icmp.protocol_unreachable (boolean) |  | Protocol unreachable |
| icmp.reassembly_timeout (boolean) |  | Reassembly timeout |
| icmp.redirect (boolean) |  | All redirects |
| icmp.router_advertisement (boolean) |  | Router discovery advertisements |
| icmp.router_solicitation (boolean) |  | Router discovery solicitations |
| icmp.source_route_failed (boolean) |  | Source route failed |
| icmp.time_exceeded (boolean) |  | All time exceeded |
| icmp.ttl_exceeded (boolean) |  | TTL exceeded |
| aces[].source (dictionary) |  | Specifies the source for the filter |
| aces[].source.address (string) |  | IP source address to use for the filter |
| aces[].source.port_protocol (dictionary) |  | Specify the source port or protocol. |
| aces[].source.port_protocol.eq (string) |  | Match only packets on a given port number. |
| aces[].source.port_protocol.range (dictionary) |  | Match only packets in the range of port numbers |
| aces[].source.port_protocol.range.end (integer) |  | Specify the end of the port range |
| aces[].source.port_protocol.range.start (integer) |  | Specify the start of the port range |
| aces[].source.prefix_list (string) |  | IP source prefix list to use for the filter |
| config[].acls[].name (string / required) |  | Name to use for the acl filter |
| config[].afi (string / required) |  | Protocol family to use by the acl filter |
| state (string) |  | The state the configuration should be left in |
Notes
Note
- This module requires the netconf system service be enabled on the device being managed.
- This module works with connection netconf. See the Junos OS Platform Options.
- Tested against JunOS v18.4R1
Examples
```yaml
# Using merged

# Before state:
# -------------
#
# admin# show firewall
# (no firewall configuration present)

- name: Merge JUNOS acl
  junipernetworks.junos.junos_acls:
    config:
      - afi: ipv4
        acls:
          - name: allow_ssh_acl
            aces:
              - name: ssh_rule
                source:
                  port_protocol:
                    eq: ssh
                protocol: tcp
    # state is a sibling of config, not an entry inside it
    state: merged

# After state:
# -------------
# admin# show firewall
# family inet {
#     filter allow_ssh_acl {
#         term ssh_rule {
#             from {
#                 protocol tcp;
#                 source-port ssh;
#             }
#         }
#     }
# }
```
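The task above is easier to review if you can see what the nested `config` structure becomes on the device before it is pushed. The following is an added example, not code from the junipernetworks.junos collection: it renders a `config` list in the curly-brace form that `show firewall` prints (as in the After state above) and flags terms that permit traffic without any match condition, which in Junos means the term matches every packet. The `afi`, `protocol` and `source-port` mappings are taken from the page's example; the `address`, `prefix_list`, `range` and `grant` mappings (`permit`/`deny` to `accept`/`discard`) are assumptions about the module, ICMP `protocol_options` are deliberately not rendered, and the sample config is constructed for this example.

```python
# Added example (not the collection's own code): render the junos_acls
# `config` data model as the curly-brace text `show firewall` prints, so the
# effect of a task can be reviewed before it is pushed. The afi, protocol and
# source-port mappings follow the page's before/after example; the address,
# prefix_list, range and grant mappings are ASSUMPTIONS about the module and
# ICMP protocol_options are deliberately not rendered.

FAMILY = {"ipv4": "inet", "ipv6": "inet6"}        # afi -> Junos family
ACTION = {"permit": "accept", "deny": "discard"}  # ASSUMED grant -> then action


def from_lines(ace):
    """Match statements of one ACE, in the order the page's example shows them."""
    src = ace.get("source") or {}
    dst = ace.get("destination") or {}
    lines = []
    for side, spec in (("source", src), ("destination", dst)):
        if spec.get("address"):
            lines.append(f"{side}-address {spec['address']};")          # ASSUMED
        if spec.get("prefix_list"):
            lines.append(f"{side}-prefix-list {spec['prefix_list']};")  # ASSUMED
    if ace.get("protocol"):
        lines.append(f"protocol {ace['protocol']};")
    for side, spec in (("source", src), ("destination", dst)):
        pp = spec.get("port_protocol") or {}
        if pp.get("eq"):
            lines.append(f"{side}-port {pp['eq']};")
        if pp.get("range"):
            r = pp["range"]
            lines.append(f"{side}-port {r['start']}-{r['end']};")       # ASSUMED
    return lines


def _render(name, children, depth=0):
    """Emit `name { ... }`; children are statements (str) or (name, children)."""
    pad = "    " * depth
    out = [f"{pad}{name} {{"]
    for child in children:
        if isinstance(child, str):
            out.append(f"{pad}    {child}")
        else:
            out.extend(_render(*child, depth=depth + 1))
    out.append(f"{pad}}}")
    return out


def term_tree(ace):
    """One ACE -> a `term` node with optional `from` and `then` blocks."""
    children = []
    frm = from_lines(ace)
    if frm:
        children.append(("from", frm))
    if ace.get("grant"):
        children.append(("then", [f"{ACTION[ace['grant']]};"]))
    return (f"term {ace['name']}", children)


def render_filters(config):
    """Whole `config` list -> text in the form of the page's After state."""
    out = []
    for entry in config:
        filters = [(f"filter {acl['name']}",
                    [term_tree(ace) for ace in acl.get("aces", [])])
                   for acl in entry.get("acls", [])]
        out.extend(_render(f"family {FAMILY[entry['afi']]}", filters))
    return "\n".join(out)


def unrestricted_permits(config):
    """(filter, term) pairs that permit with no match condition at all.
    A Junos term without `from` matches every packet, so such a term accepts
    everything that reaches it; worth catching before the push."""
    hits = []
    for entry in config:
        for acl in entry.get("acls", []):
            for ace in acl.get("aces", []):
                if ace.get("grant") == "permit" and not from_lines(ace):
                    hits.append((acl["name"], ace["name"]))
    return hits


# The page's own task, as a Python dict.
PAGE_CONFIG = [{"afi": "ipv4", "acls": [{"name": "allow_ssh_acl", "aces": [
    {"name": "ssh_rule", "source": {"port_protocol": {"eq": "ssh"}},
     "protocol": "tcp"}]}]}]

# Constructed sample: the page's filter plus a management filter that uses
# prefix_list, destination address, a port range and grant (values assumed).
SAMPLE_CONFIG = [{"afi": "ipv4", "acls": PAGE_CONFIG[0]["acls"] + [
    {"name": "mgmt_in", "aces": [
        {"name": "allow_mgmt_https", "protocol": "tcp", "grant": "permit",
         "source": {"prefix_list": "mgmt-nets"},
         "destination": {"address": "192.0.2.1/32",
                         "port_protocol": {"range": {"start": 443, "end": 444}}}},
        {"name": "catch_all", "grant": "permit"},  # no `from`: matches everything
    ]}]}]

if __name__ == "__main__":
    print(render_filters(SAMPLE_CONFIG))
    print("unrestricted permits:", unrestricted_permits(SAMPLE_CONFIG))
```

Running the block prints the rendered filters and reports `mgmt_in`/`catch_all` as an unrestricted permit; the `allow_ssh_acl` part of the output is identical to the After state above. Because Junos evaluates terms in order and stops at the first match, a term like `catch_all` placed before more specific deny terms silently accepts everything, which is exactly the kind of ordering mistake a declarative `merged` run will not warn about.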
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description | 
|---|---|---|
| after  list / elements=string  | when changed | The resulting configuration model invocation. The returned configuration is always in the same format as the parameters above. | 
| before  list / elements=string  | always | The configuration prior to the model invocation. The returned configuration is always in the same format as the parameters above. | 
| commands  list / elements=string  | always | The set of commands pushed to the remote device. Sample: ['command 1', 'command 2', 'command 3'] | 
Authors
- Daniel Mellado (@dmellado)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.10/collections/junipernetworks/junos/junos_acls_module.html