junipernetworks.junos.junos_acls module – ACLs resource module

Note

This module is part of the junipernetworks.junos collection (version 2.10.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install junipernetworks.junos.

To use it in a playbook, specify: junipernetworks.junos.junos_acls.

New in version 1.0.0 of junipernetworks.junos

Synopsis

  • This module provides declarative management of ACLs (firewall filters) on Juniper JUNOS devices.

Note

This module has a corresponding action plugin.

Requirements

The below requirements are needed on the host that executes this module.

  • ncclient (>=v0.6.4)

  • xmltodict (>=0.12.0)

Parameters

Each parameter is listed as name (type): description, with suboptions nested beneath it.

  • config (list / elements=dictionary): A dictionary of acls options
    • acls (list / elements=dictionary): List of Access Control Lists (ACLs).
      • aces (list / elements=dictionary): List of Access Control Entries (ACEs) for this Access Control List (ACL).
        • destination (dictionary): Specifies the destination for the filter
          • address (raw): Match IP destination address
          • port_protocol (dictionary): Specify the destination port or protocol.
            • eq (string): Match only packets on a given port number.
            • range (dictionary): Match only packets in the range of port numbers
              • end (integer): Specify the end of the port range
              • start (integer): Specify the start of the port range
          • prefix_list (list / elements=dictionary): Match IP destination prefixes in named list
            • name (string): Name of the list
        • grant (string): Action to take after matching condition (allow, discard/reject). Choices: permit, deny
        • name (string / required): Filter term name
        • protocol (string): Specify the protocol to match. Refer to vendor documentation for valid values.
        • protocol_options (dictionary): All possible suboptions for the protocol chosen.
          • icmp (dictionary): ICMP protocol options. Every suboption below is a boolean with choices no, yes:
            • dod_host_prohibited: Host prohibited
            • dod_net_prohibited: Net prohibited
            • echo: Echo (ping)
            • echo_reply: Echo reply
            • host_redirect: Host redirect
            • host_tos_redirect: Host redirect for TOS
            • host_tos_unreachable: Host unreachable for TOS
            • host_unknown: Host unknown
            • host_unreachable: Host unreachable
            • net_redirect: Network redirect
            • net_tos_redirect: Net redirect for TOS
            • network_unknown: Network unknown
            • port_unreachable: Port unreachable
            • protocol_unreachable: Protocol unreachable
            • reassembly_timeout: Reassembly timeout
            • redirect: All redirects
            • router_advertisement: Router discovery advertisements
            • router_solicitation: Router discovery solicitations
            • source_route_failed: Source route failed
            • time_exceeded: All time exceeded.
            • ttl_exceeded: TTL exceeded
        • source (dictionary): Specifies the source for the filter
          • address (raw): IP source address to use for the filter
          • port_protocol (dictionary): Specify the source port or protocol.
            • eq (string): Match only packets on a given port number.
            • range (dictionary): Match only packets in the range of port numbers
              • end (integer): Specify the end of the port range
              • start (integer): Specify the start of the port range
          • prefix_list (list / elements=dictionary): IP source prefix list to use for the filter
            • name (string): Name of the list
      • name (string / required): Name to use for the acl filter
    • afi (string / required): Protocol family to use by the acl filter. Choices: ipv4, ipv6
  • state (string): The state the configuration should be left in. Choices: merged (default), replaced, overridden, deleted, gathered

Notes

Note

  • This module requires the netconf system service be enabled on the device being managed.

  • This module works with connection netconf. See the Junos OS Platform Options.

  • Tested against JunOS v18.4R1

Examples

# Using merged

# Before state:
# -------------
#
# admin# show firewall

- name: Merge JUNOS acl
  junipernetworks.junos.junos_acls:
    config:
    - afi: ipv4
      acls:
      - name: allow_ssh_acl
        aces:
        - name: ssh_rule
          source:
            port_protocol:
              eq: ssh
          protocol: tcp
      state: merged

# After state:
# -------------
# admin# show firewall
# family inet {
#     filter allow_ssh_acl {
#         term ssh_rule {
#             from {
#                 protocol tcp;
#                 source-port ssh;
#             }
#         }
#     }
# }
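As an added example (not code from the junipernetworks.junos collection), the following Python renders the module's config structure into the same "show firewall" hierarchy shown above, and rejects schema errors (missing afi, bad grant, inverted port range) before a play touches the device. The grant-to-then mapping (permit to accept, deny to discard) and the statement order inside from are assumptions taken from the sample output, not the module's own logic.

```python
FAMILY = {"ipv4": "inet", "ipv6": "inet6"}        # afi -> Junos address family
ACTION = {"permit": "accept", "deny": "discard"}  # grant -> `then` action (assumed mapping)


def _match(side: str, spec: dict) -> list[str]:
    """Turn one source/destination dictionary into Junos `from` statements."""
    out = []
    if "address" in spec:
        out.append(f"{side}-address {spec['address']};")
    out += [f"{side}-prefix-list {pl['name']};" for pl in spec.get("prefix_list", [])]
    pp = spec.get("port_protocol", {})
    if "eq" in pp:
        out.append(f"{side}-port {pp['eq']};")
    if "range" in pp:  # start/end are integers in the schema; reject inverted ranges
        lo, hi = int(pp["range"]["start"]), int(pp["range"]["end"])
        if lo > hi:
            raise ValueError(f"{side} port range start {lo} is above end {hi}")
        out.append(f"{side}-port {lo}-{hi};")
    return out


def render(config: list) -> str:
    """Render the module's `config` list as the `show firewall` hierarchy."""
    lines = []
    for fam in config:
        if fam.get("afi") not in FAMILY:
            raise ValueError("afi is required and must be ipv4 or ipv6")
        lines.append(f"family {FAMILY[fam['afi']]} {{")
        for acl in fam.get("acls", []):           # acl["name"] is required (KeyError if absent)
            lines.append(f"    filter {acl['name']} {{")
            for ace in acl.get("aces", []):       # ace["name"] is required too
                lines.append(f"        term {ace['name']} {{")
                frm = [f"protocol {ace['protocol']};"] if "protocol" in ace else []
                frm += _match("source", ace.get("source", {}))
                frm += _match("destination", ace.get("destination", {}))
                if frm:
                    lines += ["            from {", *[f"                {s}" for s in frm], "            }"]
                if "grant" in ace:
                    if ace["grant"] not in ACTION:
                        raise ValueError("grant must be permit or deny")
                    lines.append(f"            then {ACTION[ace['grant']]};")
                lines.append("        }")
            lines.append("    }")
        lines.append("}")
    return "\n".join(lines)


# Constructed input: the "Using merged" task shown on this page.
PAGE_EXAMPLE = [{"afi": "ipv4", "acls": [{"name": "allow_ssh_acl", "aces": [
    {"name": "ssh_rule", "protocol": "tcp", "source": {"port_protocol": {"eq": "ssh"}}}]}]}]
```

Calling render(PAGE_EXAMPLE) reproduces the "After state" text above, which makes it handy for diffing an intended ACL against the device's before/after return values.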

Return Values

Common return values are documented here; the following are the fields unique to this module:

  • after (list / elements=string): The resulting configuration model invocation. Returned: when changed. Sample: “The configuration returned will always be in the same format\n of the parameters above.\n”
  • before (list / elements=string): The configuration prior to the model invocation. Returned: always. Sample: “The configuration returned will always be in the same format\n of the parameters above.\n”
  • commands (list / elements=string): The set of commands pushed to the remote device. Returned: always. Sample: [“command 1”, “command 2”, “command 3”]

Authors

  • Daniel Mellado (@dmellado)