Add support for zone filtering for global srx policies

PiperOrigin-RevId: 467965304

Author: Capirca Team

capirca/lib/junipersrx.py

@@ -169,6 +169,22 @@ def __str__(self):
       ret_str.IndentAppend(5, JunipersrxList('dscp-except',
                                              self.term.dscp_except))
 
+    # SOURCE-ZONE
+    if self.term.source_zone:
+      szone_check = set()
+      for szone in self.term.source_zone:
+        szone_check.add(szone)
+      szone_check = sorted(szone_check)
+      ret_str.IndentAppend(5, JunipersrxList('from-zone', szone_check))
+
+    # DESTINATION-ZONE
+    if self.term.destination_zone:
+      dzone_check = set()
+      for dzone in self.term.destination_zone:
+        dzone_check.add(dzone)
+      dzone_check = sorted(dzone_check)
+      ret_str.IndentAppend(5, JunipersrxList('to-zone', dzone_check))
+
     ret_str.IndentAppend(4, '}')
 
     # ACTIONS
@@ -307,9 +323,11 @@ def _BuildTokens(self):
     supported_tokens |= {'dscp_except',
                          'dscp_match',
                          'dscp_set',
+                         'destination_zone',
                          'logging',
                          'option',
                          'owner',
+                         'source_zone',
                          'timeout',
                          'verbatim',
                          'vpn'}
@@ -375,6 +393,14 @@ def _TranslatePolicy(self, pol, exp_info):
       else:
         self.to_zone = filter_options[3]
 
+      # check if source-zone & destination-zone are only used with global policy
+      if filter_options[1] != 'all' or filter_options[3] != 'all':
+        for term in terms:
+          if term.source_zone or term.destination_zone:
+            raise UnsupportedFilterError('Term %s has either source-zone or '
+                                         'destination-zone which can only be '
+                                         'used with global policy' % term.name)
+
       # variables used to collect target-options and set defaults
       filter_type = ''
 

capirca/lib/policy.py

@@ -333,6 +333,8 @@ class Term:
     pan-application: VarType.PAN_APPLICATION
     policer: VarType.POLICER
     priority: VarType.PRIORITY
+    destination-zone: VarType.DZONE
+    source-zone: VarType.SZONE
     vpn: VarType.VPN
   """
   ICMP_TYPE = {4: {'echo-reply': 0,
@@ -458,6 +460,8 @@ def __init__(self, obj):
     self.encapsulate = None
     self.port_mirror = None
     # srx specific
+    self.destination_zone = []
+    self.source_zone = []
     self.vpn = None
     # gce specific
     self.source_tag = []
@@ -677,6 +681,14 @@ def __contains__(self, other):
       if sorted(self.platform_exclude) is not sorted(other.platform_exclude):
         return False
 
+    if self.source_zone:
+      if sorted(self.source_zone) is not sorted(other.source_zone):
+        return False
+
+    if self.destination_zone:
+      if sorted(self.destination_zone) is not sorted(other.destination_zone):
+        return False
+
     # we have containment
     return True
 
@@ -790,6 +802,10 @@ def __str__(self):
                        (vpn_name, pair_policy))
       else:
         ret_str.append('  vpn: name = %s' % vpn_name)
+    if self.source_zone:
+      ret_str.append('  source_zone: %s' % sorted(self.source_zone))
+    if self.destination_zone:
+      ret_str.append('  destination_zone: %s' % sorted(self.destination_zone))
 
     return '\n'.join(ret_str)
 
@@ -937,6 +953,14 @@ def __eq__(self, other):
     if self.port_mirror != other.port_mirror:
       return False
 
+    # source_zone
+    if sorted(self.source_zone) != sorted(other.source_zone):
+      return False
+
+    # destination_zone
+    if sorted(self.destination_zone) != sorted(other.destination_zone):
+      return False
+
     return True
 
   def __ne__(self, other):
@@ -1137,6 +1161,10 @@ def AddObject(self, obj):
           self.target_resources.append(x.value)
         elif x.var_type is VarType.TARGET_SERVICE_ACCOUNTS:
           self.target_service_accounts.append(x.value)
+        elif x.var_type is VarType.SZONE:
+          self.source_zone.append(x.value)
+        elif x.var_type is VarType.DZONE:
+          self.destination_zone.append(x.value)
         else:
           raise TermObjectTypeError(
               '%s isn\'t a type I know how to deal with (contains \'%s\')' % (
@@ -1537,6 +1565,8 @@ class VarType:
   FILTER_TERM = 62
   RESTRICT_ADDRESS_FAMILY = 63
   PORT_MIRROR = 64
+  SZONE = 65
+  DZONE = 66
 
 
   def __init__(self, var_type, value):
@@ -1711,6 +1741,7 @@ def __ne__(self, other):
     'DSCP_RANGE',
     'DSCP_SET',
     'DTAG',
+    'DZONE',
     'ENCAPSULATE',
     'ESCAPEDSTRING',
     'ETHER_TYPE',
@@ -1758,6 +1789,7 @@ def __ne__(self, other):
     'SPFX',
     'ESPFX',
     'SPORT',
+    'SZONE',
     'STAG',
     'STRING',
     'TARGET',
@@ -1793,6 +1825,7 @@ def __ne__(self, other):
     'destination-prefix-except': 'EDPFX',
     'destination-port': 'DPORT',
     'destination-tag': 'DTAG',
+    'destination-zone': 'DZONE',
     'dscp-except': 'DSCP_EXCEPT',
     'dscp-match': 'DSCP_MATCH',
     'dscp-set': 'DSCP_SET',
@@ -1838,6 +1871,7 @@ def __ne__(self, other):
     'source-prefix-except': 'ESPFX',
     'source-port': 'SPORT',
     'source-tag': 'STAG',
+    'source-zone': 'SZONE',
     'target': 'TARGET',
     'target-resources': 'TARGET_RESOURCES',
     'target-service-accounts': 'TARGET_SERVICE_ACCOUNTS',
@@ -2011,6 +2045,7 @@ def p_term_spec(p):
                 | term_spec qos_spec
                 | term_spec pan_application_spec
                 | term_spec routinginstance_spec
+                | term_spec term_zone_spec
                 | term_spec tag_list_spec
                 | term_spec target_resources_spec
                 | term_spec target_service_accounts_spec
@@ -2365,6 +2400,15 @@ def p_verbatim_spec(p):
                     | VERBATIM ':' ':' STRING ESCAPEDSTRING """
   p[0] = VarType(VarType.VERBATIM, [p[4], p[5].strip('"').replace('\\"', '"')])
 
+def p_term_zone_spec(p):
+  """ term_zone_spec : SZONE ':' ':' one_or_more_strings
+                     | DZONE ':' ':' one_or_more_strings """
+  p[0] = []
+  for zone in p[4]:
+    if p[1].find('source-zone') >= 0:
+      p[0].append(VarType(VarType.SZONE, zone))
+    elif p[1].find('destination-zone') >= 0:
+      p[0].append(VarType(VarType.DZONE, zone))
 
 def p_vpn_spec(p):
   """ vpn_spec : VPN ':' ':' STRING STRING

capirca/lib/policy_simple.py

@@ -169,6 +169,8 @@ class DestinationPrefixExcept(Field):
 class DestinationTag(Field):
   """A destination tag field."""
 
+class DestinationZone(Field):
+  """A destination-zone field."""
 
 class DscpMatch(Field):
   """A dscp-match field."""
@@ -297,6 +299,8 @@ class SourcePrefixExcept(Field):
 class SourceTag(Field):
   """A source tag field."""
 
+class SourceZone(Field):
+  """A source-zone field."""
 
 class Target(Field):
   """A target field."""
@@ -337,6 +341,7 @@ class Vpn(Field):
     'destination-prefix': DestinationPrefix,
     'destination-prefix-except': DestinationPrefixExcept,
     'destination-tag': DestinationTag,
+    'destination-zone': DestinationZone,
     'dscp-match': DscpMatch,
     'dscp-set': DscpSet,
     'ether-type': EtherType,
@@ -370,6 +375,7 @@ class Vpn(Field):
     'source-prefix': SourcePrefix,
     'source-prefix-except': SourcePrefixExcept,
     'source-tag': SourceTag,
+    'source-zone': SourceZone,
     'target': Target,
     'timeout': Timeout,
     'traffic-class-count': TrafficClassCount,

doc/generators/junipersrx.md

@@ -13,6 +13,7 @@ target:: srx from-zone [zone name] to-zone [zone name] {inet}
 * _destination-address::_ One or more destination address tokens
 * _destination-exclude::_ Exclude one or more address tokens from the specified destination-address
 * _destination-port::_ One or more service definition tokens
+* _destination-zone::_ one or more destination zones tokens. Only supported by global policy
 * _dscp_except::_ Do not match the DSCP number.
 * _dscp_match::_ Match a DSCP number.
 * _dscp_set::_ Match a DSCP set.
@@ -36,6 +37,7 @@ target:: srx from-zone [zone name] to-zone [zone name] {inet}
 * _source-address::_ one or more source address tokens.
 * _source-exclude::_ exclude one or more address tokens from the specified source-address.
 * _source-port::_ one or more service definition tokens.
+* _source-zone::_ one or more source zones tokens. Only supported by global policy
 * _timeout::_ specify application timeout. (default 60)
 * _verbatim::_ this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification.  This is sometimes used as a temporary workaround while new required features are being added.
 * _vpn::_ Encapsulate outgoing IP packets and decapsulate incomfing IP packets.

tests/lib/junipersrx_test.py

@@ -506,6 +506,16 @@
 }
 """
 
+GLOBAL_ZONE_TERM = """
+term global-zone-term {
+  protocol:: icmp
+  icmp-type:: echo-request
+  source-zone:: szone2 szone1
+  destination-zone:: dzone2 dzone1
+  action:: accept
+}
+"""
+
 PLATFORM_EXCLUDE_TERM = """
 term platform-exclude-term {
   protocol:: tcp udp
@@ -531,15 +541,17 @@
 }
 """
 
-SUPPORTED_TOKENS = {
+SUPPORTED_TOKENS = frozenset({
     'action',
     'comment',
     'destination_address',
     'destination_address_exclude',
     'destination_port',
+    'destination_zone',
     'dscp_except',
     'dscp_match',
     'dscp_set',
+    'source_zone',
     'expiration',
     'icmp_type',
     'stateless_reply',
@@ -557,7 +569,7 @@
     'translated',
     'verbatim',
     'vpn'
-}
+})
 
 SUPPORTED_SUB_TOKENS = {
     'action': {'accept', 'deny', 'reject', 'count', 'log', 'dscp'},
@@ -911,6 +923,19 @@ def testTimeout(self):
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
     self.assertIn('timeout 77', output, output)
 
+  def testZoneGlobal(self):
+    pol = policy.ParsePolicy(GOOD_HEADER_10 + GLOBAL_ZONE_TERM, self.naming)
+    output = str(junipersrx.JuniperSRX(pol, EXP_INFO))
+    self.assertIn('from-zone', output, output)
+    self.assertIn('szone1 szone2', output, output)
+    self.assertIn('to-zone', output, output)
+    self.assertIn('dzone1 dzone2', output, output)
+
+  def testZoneNonGlobal(self):
+    pol = policy.ParsePolicy(GOOD_HEADER + GLOBAL_ZONE_TERM, self.naming)
+    self.assertRaises(junipersrx.UnsupportedFilterError,
+                      junipersrx.JuniperSRX, pol, EXP_INFO)
+
   def testIcmpV6(self):
     pol = policy.ParsePolicy(GOOD_HEADER + IPV6_ICMP_TERM, self.naming)
     output = str(junipersrx.JuniperSRX(pol, EXP_INFO))

tests/lib/policy_test.py

@@ -431,6 +431,14 @@
   port-mirror:: true
 }
 """
+GOOD_TERM_48 = """
+term good-term-48 {
+  protocol:: icmp
+  source-zone:: zone1 zone2
+  destination-zone:: zone1 zone2
+  action:: accept
+}
+"""
 GOOD_TERM_V6_1 = """
 term good-term-v6-1 {
   hop-limit:: 5
@@ -1242,6 +1250,15 @@ def testPortMirror(self):
     result = policy.ParsePolicy(pol, self.naming)
     self.assertIn('port_mirror: true', str(result))
 
+  def testSrxGLobalZone(self):
+    pol = HEADER + GOOD_TERM_48
+    result = policy.ParsePolicy(pol, self.naming)
+    zones = ['zone1', 'zone2']
+    expected_source = 'source_zone: %s' % zones
+    expected_destination = 'destination_zone: %s' % zones
+    self.assertIn(expected_source, str(result))
+    self.assertIn(expected_destination, str(result))
+
   def testTTL(self):
     pol = HEADER + GOOD_TERM_43
     result = policy.ParsePolicy(pol, self.naming)