Merge pull request #293 from XioNoX:filter_term

Capirca Team · Capirca Team · commit d6b1fb4b819b · 2021-12-14T17:20:40.000-08:00
PiperOrigin-RevId: 416431802
diff --git a/capirca/lib/aclgenerator.py b/capirca/lib/aclgenerator.py
@@ -219,6 +219,7 @@ class ACLGenerator:
       'restrict_address_family',
       'counter',
       'destination_tag',
+      'filter_term',
       'logging',
       'loss_priority',
       'owner',
diff --git a/capirca/lib/juniper.py b/capirca/lib/juniper.py
@@ -279,7 +279,13 @@ def __str__(self):
       term_prefix = ''
 
     # term name
-    config.Append('%s term %s {' %(term_prefix, self.term.name))
+    config.Append('%s term %s {' % (term_prefix, self.term.name))
+
+    # The "filter" keyword is not compatible with from or then
+    if self.term.filter_term:
+      config.Append('filter %s;' % self.term.filter_term)
+      config.Append('}')  # end term accept-foo-to-bar { ... }
+      return str(config)
 
     # a default action term doesn't have any from { clause
     has_match_criteria = (self.term.address or
@@ -445,8 +451,7 @@ def __str__(self):
       # protocol
       if self.term.protocol_except:
         # same as above
-        config.Append(family_keywords['protocol-except'] + ' '
-                      + self._Group(self.term.protocol_except))
+        config.Append(family_keywords['protocol-except'] + ' ' + self._Group(self.term.protocol_except))
 
       # port
       if self.term.port:
@@ -880,6 +885,7 @@ def _BuildTokens(self):
                          'dscp_set',
                          'encapsulate',
                          'ether_type',
+                         'filter_term',
                          'flexible_match_range',
                          'forwarding_class',
                          'forwarding_class_except',
@@ -913,7 +919,7 @@ def _BuildTokens(self):
             'tcp-established',
             'tcp-initial',
             'inactive'}
-        })
+         })
     return supported_tokens, supported_sub_tokens
 
   def _TranslatePolicy(self, pol, exp_info):
diff --git a/capirca/lib/policy.py b/capirca/lib/policy.py
@@ -318,6 +318,7 @@ class Term:
     dscp-except: VarType.DSCP_EXCEPT
     comments: VarType.COMMENT
     encapsulate: VarType.ENCAPSULATE
+    filter-term: VarType.FILTER_TERM
     flexible-match-range: VarType.FLEXIBLE_MATCH_RANGE
     forwarding-class: VarType.FORWARDING_CLASS
     forwarding-class-except: VarType.FORWARDING_CLASS_EXCEPT
@@ -411,6 +412,7 @@ def __init__(self, obj):
     self.destination_address_exclude = []
     self.destination_port = []
     self.destination_prefix = []
+    self.filter_term = None
     self.forwarding_class = []
     self.forwarding_class_except = []
     self.logging = []
@@ -709,6 +711,8 @@ def __str__(self):
     if self.destination_prefix_except:
       ret_str.append('  destination_prefix_except: %s' %
                      self.destination_prefix_except)
+    if self.filter_term:
+      ret_str.append('  filter_term: %s' % self.filter_term)
     if self.forwarding_class:
       ret_str.append('  forwarding_class: %s' % self.forwarding_class)
     if self.forwarding_class_except:
@@ -896,6 +900,10 @@ def __eq__(self, other):
     if self.precedence != other.precedence:
       return False
 
+    # filter
+    if self.filter_term != other.filter_term:
+      return False
+
     # forwarding-class
     if sorted(self.forwarding_class) != sorted(other.forwarding_class):
       return False
@@ -1193,6 +1201,8 @@ def AddObject(self, obj):
         self.target_resources.append(obj.value)
       elif obj.var_type is VarType.TARGET_SERVICE_ACCOUNTS:
         self.target_service_accounts.append(obj.value)
+      elif obj.var_type is VarType.FILTER_TERM:
+        self.filter_term = obj.value
       else:
         raise TermObjectTypeError(
             '%s isn\'t a type I know how to deal with' % (type(obj)))
@@ -1226,8 +1236,11 @@ def SanityCheck(self):
         raise ParseError(
             'term "%s" has both verbatim and non-verbatim tokens.' % self.name)
     else:
-      if not self.action and not self.routing_instance and not self.next_ip and not self.encapsulate:
+      if (not self.action and not self.routing_instance and not self.next_ip and
+          not self.encapsulate and not self.filter_term):
         raise TermNoActionError('no action specified for term %s' % self.name)
+      if self.filter_term and self.action:
+        raise InvalidTermActionError('term "%s" has both filter and action tokens.' % self.name)
       # have we specified a port with a protocol that doesn't support ports?
       if self.source_port or self.destination_port or self.port:
         if not any(proto in self.protocol for proto in ['tcp', 'udp', 'sctp']):
@@ -1497,8 +1510,10 @@ class VarType:
   TARGET_RESOURCES = 59
   TARGET_SERVICE_ACCOUNTS = 60
   ENCAPSULATE = 61
+  FILTER_TERM = 62
   RESTRICT_ADDRESS_FAMILY = 63
 
+
   def __init__(self, var_type, value):
     self.var_type = var_type
     if self.var_type == self.COMMENT or self.var_type == self.LOG_NAME:
@@ -1675,6 +1690,7 @@ def __ne__(self, other):
     'ESCAPEDSTRING',
     'ETHER_TYPE',
     'EXPIRATION',
+    'FILTER_TERM',
     'FLEXIBLE_MATCH_RANGE',
     'FORWARDING_CLASS',
     'FORWARDING_CLASS_EXCEPT',
@@ -1757,6 +1773,7 @@ def __ne__(self, other):
     'encapsulate': 'ENCAPSULATE',
     'ether-type': 'ETHER_TYPE',
     'expiration': 'EXPIRATION',
+    'filter-term': 'FILTER_TERM',
     'flexible-match-range': 'FLEXIBLE_MATCH_RANGE',
     'forwarding-class': 'FORWARDING_CLASS',
     'forwarding-class-except': 'FORWARDING_CLASS_EXCEPT',
@@ -1939,6 +1956,7 @@ def p_term_spec(p):
                 | term_spec ether_type_spec
                 | term_spec exclude_spec
                 | term_spec expiration_spec
+                | term_spec filter_term_spec
                 | term_spec flexible_match_range_spec
                 | term_spec forwarding_class_spec
                 | term_spec forwarding_class_except_spec
@@ -2380,6 +2398,9 @@ def p_ttl_spec(p):
   """ ttl_spec : TTL ':' ':' INTEGER """
   p[0] = VarType(VarType.TTL, p[4])
 
+def p_filter_term_spec(p):
+  """ filter_term_spec : FILTER_TERM ':' ':' STRING """
+  p[0] = VarType(VarType.FILTER_TERM, p[4])
 
 def p_one_or_more_strings(p):
   """ one_or_more_strings : one_or_more_strings STRING
diff --git a/doc/generators/juniper.md b/doc/generators/juniper.md
@@ -46,6 +46,7 @@ The default format is _inet4_, and is implied if not other argument is given.
 * _dscp_set::_ Match a DSCP set.
 * _ether_type::_ Match EtherType field.
 * _expiration::_ stop rendering this term after specified date. [YYYY](YYYY.md)-[MM](MM.md)-[DD](DD.md)
+* _filter-term::_ Include another filter
 * _flexible-match-range Filter based on flexible match options.
 * _forwarding-class::_ Specify the forwarding class to match.
 * _forwarding-class_except::_ Do not match the specified forwarding classes.
diff --git a/policies/pol/sample_juniper_loopback.pol b/policies/pol/sample_juniper_loopback.pol
@@ -196,6 +196,10 @@ term reject-imap-requests {
   action:: reject-with-tcp-rst
 }
 
+term next-filter {
+  filter-term:: my-next-filter
+}
+
 term af-mismatch {
   comment:: "Will not be generated as target is inet"
   comment:: "but address_family is inet6"
diff --git a/tests/lib/juniper_test.py b/tests/lib/juniper_test.py
@@ -393,6 +393,12 @@
   action:: accept
 }
 """
+GOOD_TERM_FILTER = """
+term good-term-filter {
+  comment:: "This is a COMMENT"
+  filter-term:: my-filter
+}
+"""
 BAD_TERM_1 = """
 term bad-term-1 {
   protocol:: tcp udp
@@ -545,6 +551,12 @@
   action:: deny
 }
 """
+BAD_TERM_FILTER = """
+term bad_term_filter {
+  filter-term:: my-filter
+  action:: deny
+}
+"""
 
 MIXED_TESTING_TERM = """
 term good-term {
@@ -572,6 +584,7 @@
     'encapsulate',
     'ether_type',
     'expiration',
+    'filter_term',
     'flexible_match_range',
     'forwarding_class',
     'forwarding_class_except',
@@ -1194,6 +1207,16 @@ def testMultiplePrecedence(self):
 
     self.naming.GetServiceByProto.assert_called_once_with('SSH', 'tcp')
 
+  def testFilterTerm(self):
+    jcl = juniper.Juniper(policy.ParsePolicy(GOOD_HEADER + GOOD_TERM_FILTER,
+                                             self.naming), EXP_INFO)
+    output = str(jcl)
+    self.assertIn('filter my-filter;', output, output)
+
+  def testFilterActionTerm(self):
+    with self.assertRaises(policy.InvalidTermActionError):
+      policy.ParsePolicy(GOOD_HEADER + BAD_TERM_FILTER, self.naming)
+
   def testArbitraryOptions(self):
     self.naming.GetServiceByProto.return_value = ['22']
 
diff --git a/tests/lib/srxlo_test.py b/tests/lib/srxlo_test.py
@@ -76,6 +76,7 @@
     'dscp_set',
     'ether_type',
     'expiration',
+    'filter_term',
     'forwarding_class',
     'forwarding_class_except',
     'fragment_offset',
