junipernetworks.junos.junos_acls – ACLs resource module

Note

This plugin is part of the junipernetworks.junos collection (version 1.3.0).

To install it use: ansible-galaxy collection install junipernetworks.junos.

To use it in a playbook, specify: junipernetworks.junos.junos_acls.

New in version 1.0.0: of junipernetworks.junos

Synopsis

• This module provides declarative management of acls/filters on Juniper JUNOS devices

Note

This module has a corresponding action plugin.

Requirements

The below requirements are needed on the host that executes this module.

• ncclient (>=v0.6.4)

• xmltodict (>=0.12.0)

Parameters

Parameter							Choices/Defaults	Comments
config list / elements=dictionary								A dictionary of acls options
	acls list / elements=dictionary							List of Access Control Lists (ACLs).
		aces list / elements=dictionary						List of Access Control Entries (ACEs) for this Access Control List (ACL).
			destination dictionary					Specifies the destination for the filter
				address string				Match IP destination address
				port_protocol dictionary				Specify the destination port or protocol.
					eq string			Match only packets on a given port number.
					range dictionary			Match only packets in the range of port numbers
						end integer		Specify the end of the port range
						start integer		Specify the start of the port range
				prefix_list list / elements=dictionary				Match IP destination prefixes in named list
					name string			Name of the list
			grant string				Choices: permit deny	Action to take after matching condition (allow, discard/reject)
			name string / required					Filter term name
			protocol string					Specify the protocol to match. Refer to vendor documentation for valid values.
			protocol_options dictionary					All possible suboptions for the protocol chosen.
				icmp dictionary				ICMP protocol options.
					dod_host_prohibited boolean		Choices: no yes	Host prohibited
					dod_net_prohibited boolean		Choices: no yes	Net prohibited
					echo boolean		Choices: no yes	Echo (ping)
					echo_reply boolean		Choices: no yes	Echo reply
					host_redirect boolean		Choices: no yes	Host redirect
					host_tos_redirect boolean		Choices: no yes	Host redirect for TOS
					host_tos_unreachable boolean		Choices: no yes	Host unreachable for TOS
					host_unknown boolean		Choices: no yes	Host unknown
					host_unreachable boolean		Choices: no yes	Host unreachable
					net_redirect boolean		Choices: no yes	Network redirect
					net_tos_redirect boolean		Choices: no yes	Net redirect for TOS
					network_unknown boolean		Choices: no yes	Network unknown
					port_unreachable boolean		Choices: no yes	Port unreachable
					protocol_unreachable boolean		Choices: no yes	Protocol unreachable
					reassembly_timeout boolean		Choices: no yes	Reassembly timeout
					redirect boolean		Choices: no yes	All redirects
					router_advertisement boolean		Choices: no yes	Router discovery advertisements
					router_solicitation boolean		Choices: no yes	Router discovery solicitations
					source_route_failed boolean		Choices: no yes	Source route failed
					time_exceeded boolean		Choices: no yes	All time exceeded.
					ttl_exceeded boolean		Choices: no yes	TTL exceeded
			source dictionary					Specifies the source for the filter
				address string				IP source address to use for the filter
				port_protocol dictionary				Specify the source port or protocol.
					eq string			Match only packets on a given port number.
					range dictionary			Match only packets in the range of port numbers
						end integer		Specify the end of the port range
						start integer		Specify the start of the port range
				prefix_list list / elements=dictionary				IP source prefix list to use for the filter
					name string			Name of the list
		name string / required						Name to use for the acl filter
	afi string / required						Choices: ipv4 ipv6	Protocol family to use by the acl filter
state string							Choices: merged ← replaced overridden deleted gathered	The state the configuration should be left in

Notes

Note

• This module requires the netconf system service be enabled on the device being managed.

• This module works with connection netconf. See the Junos OS Platform Options.

• Tested against JunOS v18.4R1

Examples

# Using merged

# Before state:
# -------------
#
# admin# show firewall

- name: Merge JUNOS acl
  junipernetworks.junos.junos_acls:
    config:
    - afi: ipv4
      acls:
      - name: allow_ssh_acl
        aces:
        - name: ssh_rule
          source:
            port_protocol:
              eq: ssh
          protocol: tcp
      state: merged

# After state:
# -------------
# admin# show firewall
# family inet {
#     filter allow_ssh_acl {
#         term ssh_rule {
#             from {
#                 protocol tcp;
#                 source-port ssh;
#             }
#         }
#     }
# }

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
after list / elements=string	when changed	The resulting configuration model invocation. Sample: The configuration returned will always be in the same format of the parameters above.
before list / elements=string	always	The configuration prior to the model invocation. Sample: The configuration returned will always be in the same format of the parameters above.
commands list / elements=string	always	The set of commands pushed to the remote device. Sample: ['command 1', 'command 2', 'command 3']

Authors

• Daniel Mellado (@dmellado)