junipernetworks.junos.junos_acls – ACLs resource module

Note

This plugin is part of the junipernetworks.junos collection (version 1.3.0).

To install it use: ansible-galaxy collection install junipernetworks.junos.

To use it in a playbook, specify: junipernetworks.junos.junos_acls.

New in version 1.0.0: of junipernetworks.junos

Synopsis

  • This module provides declarative management of acls/filters on Juniper JUNOS devices

Note

This module has a corresponding action plugin.

Requirements

The below requirements are needed on the host that executes this module.

  • ncclient (>=v0.6.4)

  • xmltodict (>=0.12.0)

Parameters

Parameter Choices/Defaults Comments
config
list / elements=dictionary
A dictionary of acls options
acls
list / elements=dictionary
List of Access Control Lists (ACLs).
aces
list / elements=dictionary
List of Access Control Entries (ACEs) for this Access Control List (ACL).
destination
dictionary
Specifies the destination for the filter
address
string
Match IP destination address
port_protocol
dictionary
Specify the destination port or protocol.
eq
string
Match only packets on a given port number.
range
dictionary
Match only packets in the range of port numbers
end
integer
Specify the end of the port range
start
integer
Specify the start of the port range
prefix_list
list / elements=dictionary
Match IP destination prefixes in named list
name
string
Name of the list
grant
string
    Choices:
  • permit
  • deny
Action to take after matching condition (allow, discard/reject)
name
string / required
Filter term name
protocol
string
Specify the protocol to match.
Refer to vendor documentation for valid values.
protocol_options
dictionary
All possible suboptions for the protocol chosen.
icmp
dictionary
ICMP protocol options.
dod_host_prohibited
boolean
    Choices:
  • no
  • yes
Host prohibited
dod_net_prohibited
boolean
    Choices:
  • no
  • yes
Net prohibited
echo
boolean
    Choices:
  • no
  • yes
Echo (ping)
echo_reply
boolean
    Choices:
  • no
  • yes
Echo reply
host_redirect
boolean
    Choices:
  • no
  • yes
Host redirect
host_tos_redirect
boolean
    Choices:
  • no
  • yes
Host redirect for TOS
host_tos_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable for TOS
host_unknown
boolean
    Choices:
  • no
  • yes
Host unknown
host_unreachable
boolean
    Choices:
  • no
  • yes
Host unreachable
net_redirect
boolean
    Choices:
  • no
  • yes
Network redirect
net_tos_redirect
boolean
    Choices:
  • no
  • yes
Net redirect for TOS
network_unknown
boolean
    Choices:
  • no
  • yes
Network unknown
port_unreachable
boolean
    Choices:
  • no
  • yes
Port unreachable
protocol_unreachable
boolean
    Choices:
  • no
  • yes
Protocol unreachable
reassembly_timeout
boolean
    Choices:
  • no
  • yes
Reassembly timeout
redirect
boolean
    Choices:
  • no
  • yes
All redirects
router_advertisement
boolean
    Choices:
  • no
  • yes
Router discovery advertisements
router_solicitation
boolean
    Choices:
  • no
  • yes
Router discovery solicitations
source_route_failed
boolean
    Choices:
  • no
  • yes
Source route failed
time_exceeded
boolean
    Choices:
  • no
  • yes
All time exceeded.
ttl_exceeded
boolean
    Choices:
  • no
  • yes
TTL exceeded
source
dictionary
Specifies the source for the filter
address
string
IP source address to use for the filter
port_protocol
dictionary
Specify the source port or protocol.
eq
string
Match only packets on a given port number.
range
dictionary
Match only packets in the range of port numbers
end
integer
Specify the end of the port range
start
integer
Specify the start of the port range
prefix_list
list / elements=dictionary
IP source prefix list to use for the filter
name
string
Name of the list
name
string / required
Name to use for the acl filter
afi
string / required
    Choices:
  • ipv4
  • ipv6
Protocol family to use by the acl filter
state
string
    Choices:
  • merged ←
  • replaced
  • overridden
  • deleted
  • gathered
The state the configuration should be left in

Notes

Note

  • This module requires the netconf system service be enabled on the device being managed.

  • This module works with connection netconf. See the Junos OS Platform Options.

  • Tested against JunOS v18.4R1

Examples

# Using merged

# Before state:
# -------------
#
# admin# show firewall

- name: Merge JUNOS acl
  junipernetworks.junos.junos_acls:
    config:
    - afi: ipv4
      acls:
      - name: allow_ssh_acl
        aces:
        - name: ssh_rule
          source:
            port_protocol:
              eq: ssh
          protocol: tcp
      state: merged

# After state:
# -------------
# admin# show firewall
# family inet {
#     filter allow_ssh_acl {
#         term ssh_rule {
#             from {
#                 protocol tcp;
#                 source-port ssh;
#             }
#         }
#     }
# }

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
after
list / elements=string
when changed
The resulting configuration model invocation.

Sample:
The configuration returned will always be in the same format of the parameters above.
before
list / elements=string
always
The configuration prior to the model invocation.

Sample:
The configuration returned will always be in the same format of the parameters above.
commands
list / elements=string
always
The set of commands pushed to the remote device.

Sample:
['command 1', 'command 2', 'command 3']


Authors

  • Daniel Mellado (@dmellado)