junipernetworks.junos.junos_acls (8.0.0) — module

ACLs resource module

| "added in version" 1.0.0 of junipernetworks.junos"

Authors: Daniel Mellado (@dmellado)

Install collection

Install with ansible-galaxy collection install junipernetworks.junos:==8.0.0


Add to requirements.yml

  collections:
    - name: junipernetworks.junos
      version: 8.0.0

Description

This module provides declarative management of acls/filters on Juniper JUNOS devices


Requirements

Usage examples

  • Success
    Steampunk Spotter scan finished with no errors, warnings or hints.
# Using merged

# Before state:
# -------------
#
# admin# show firewall

- name: Merge JUNOS acl
  junipernetworks.junos.junos_acls:
    config:
      - afi: ipv4
        acls:
          - name: allow_ssh_acl
            aces:
              - name: ssh_rule
                source:
                  port_protocol:
                    eq: ssh
                protocol: tcp
    state: merged

Inputs

    
state:
    choices:
    - merged
    - replaced
    - overridden
    - deleted
    - gathered
    - rendered
    - parsed
    default: merged
    description:
    - The state the configuration should be left in
    type: str

config:
    description: A dictionary of acls options
    elements: dict
    suboptions:
      acls:
        description:
        - List of Access Control Lists (ACLs).
        elements: dict
        suboptions:
          aces:
            description:
            - List of Access Control Entries (ACEs) for this Access Control List (ACL).
            elements: dict
            suboptions:
              destination:
                description:
                - Specifies the destination for the filter
                suboptions:
                  address:
                    description:
                    - Match IP destination address
                    type: raw
                  port_protocol:
                    description:
                    - Specify the destination port or protocol.
                    suboptions:
                      eq:
                        description:
                        - Match only packets on a given port number.
                        type: str
                      range:
                        description:
                        - Match only packets in the range of port numbers
                        suboptions:
                          end:
                            description:
                            - Specify the end of the port range
                            type: int
                          start:
                            description:
                            - Specify the start of the port range
                            type: int
                        type: dict
                    type: dict
                  prefix_list:
                    description:
                    - Match IP destination prefixes in named list
                    elements: dict
                    suboptions:
                      name:
                        description: Name of the list
                        type: str
                    type: list
                type: dict
              grant:
                choices:
                - permit
                - deny
                description:
                - Action to take after matching condition (allow, discard/reject)
                type: str
              name:
                description:
                - Filter term name
                required: true
                type: str
              protocol:
                description:
                - Specify the protocol to match.
                - Refer to vendor documentation for valid values.
                type: str
              protocol_options:
                description: All possible suboptions for the protocol chosen.
                suboptions:
                  icmp:
                    description: ICMP protocol options.
                    suboptions:
                      dod_host_prohibited:
                        description: Host prohibited
                        type: bool
                      dod_net_prohibited:
                        description: Net prohibited
                        type: bool
                      echo:
                        description: Echo (ping)
                        type: bool
                      echo_reply:
                        description: Echo reply
                        type: bool
                      host_redirect:
                        description: Host redirect
                        type: bool
                      host_tos_redirect:
                        description: Host redirect for TOS
                        type: bool
                      host_tos_unreachable:
                        description: Host unreachable for TOS
                        type: bool
                      host_unknown:
                        description: Host unknown
                        type: bool
                      host_unreachable:
                        description: Host unreachable
                        type: bool
                      net_redirect:
                        description: Network redirect
                        type: bool
                      net_tos_redirect:
                        description: Net redirect for TOS
                        type: bool
                      network_unknown:
                        description: Network unknown
                        type: bool
                      port_unreachable:
                        description: Port unreachable
                        type: bool
                      protocol_unreachable:
                        description: Protocol unreachable
                        type: bool
                      reassembly_timeout:
                        description: Reassembly timeout
                        type: bool
                      redirect:
                        description: All redirects
                        type: bool
                      router_advertisement:
                        description: Router discovery advertisements
                        type: bool
                      router_solicitation:
                        description: Router discovery solicitations
                        type: bool
                      source_route_failed:
                        description: Source route failed
                        type: bool
                      time_exceeded:
                        description: All time exceeded.
                        type: bool
                      ttl_exceeded:
                        description: TTL exceeded
                        type: bool
                    type: dict
                type: dict
              source:
                description:
                - Specifies the source for the filter
                suboptions:
                  address:
                    description:
                    - IP source address to use for the filter
                    type: raw
                  port_protocol:
                    description:
                    - Specify the source port or protocol.
                    suboptions:
                      eq:
                        description:
                        - Match only packets on a given port number.
                        type: str
                      range:
                        description:
                        - Match only packets in the range of port numbers
                        suboptions:
                          end:
                            description:
                            - Specify the end of the port range
                            type: int
                          start:
                            description:
                            - Specify the start of the port range
                            type: int
                        type: dict
                    type: dict
                  prefix_list:
                    description:
                    - IP source prefix list to use for the filter
                    elements: dict
                    suboptions:
                      name:
                        description: Name of the list
                        type: str
                    type: list
                type: dict
            type: list
          name:
            description:
            - Name to use for the acl filter
            required: true
            type: str
        type: list
      afi:
        choices:
        - ipv4
        - ipv6
        description:
        - Protocol family to use by the acl filter
        required: true
        type: str
    type: list

running_config:
    description:
    - This option is used only with state I(parsed).
    - The value of this option should be the output received from the Junos device by
      executing the command B(show firewall).
    - The state I(parsed) reads the configuration from C(running_config) option and transforms
      it into Ansible structured data as per the resource module's argspec and the value
      is then returned in the I(parsed) key within the result
    type: str

Outputs

after:
  description: The resulting configuration model invocation.
  returned: when changed
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: list
before:
  description: The configuration prior to the model invocation.
  returned: always
  sample: "The configuration returned will always be in the same format\n of the parameters\
    \ above.\n"
  type: list
commands:
  description: The set of commands pushed to the remote device.
  returned: always
  sample:
  - command 1
  - command 2
  - command 3
  type: list