acl_script - Modify ACLs from the command-line¶
About¶
acl_script is a tool and an API shipped that allows for the quick and easy modifications of filters based on various criteria. This is used most in an automated fashion, allowing for users to quickly and efficiently setup small scripts to auto-generate various portions of an ACL.
Usage¶
Here is the usage output:
usage: acl_script [options]
ACL modify/generator from the commandline.
options:
-h, --help
-aACL, --acl=ACL specify the acl file
-n, --no-changes don't make the changes
--show-mods show modifications being made in a simple format.
--no-worklog don't make a worklog entry
-N, --no-input require no input (good for scripts)
-sSOURCE_ADDRESS, --source-address=SOURCE_ADDRESS
define a source address
-dDESTINATION_ADDRESS, --destination-address=DESTINATION_ADDRESS
define a destination address
--destination-address-from-file=DESTINATION_ADDRESS_FROM_FILE
read a set of destination-addresses from a file
--source-address-from-file=SOURCE_ADDRESS_FROM_FILE
read a set of source-addresses from a file
--protocol=PROTOCOL define a protocol
-pSOURCE_PORT, --source-port=SOURCE_PORT
define a source-port
--source-port-range=SOURCE_PORT_RANGE
define a source-port range
--destination-port-range=DESTINATION_PORT_RANGE
define a destination-port range
-PDESTINATION_PORT, --destination-port=DESTINATION_PORT
define a destination port
-tMODIFY_SPECIFIC_TERM, --modify-specific-term=MODIFY_SPECIFIC_TERM
When modifying a JUNOS type ACL, you may specify this
option one or more times to define a specific JUNOS
term you want to modify. This takes one argument which
should be the name of term.
-cMODIFY_BETWEEN_COMMENTS, --modify-between-comments=MODIFY_BETWEEN_COMMENTS
When modifying a IOS type ACL, you may specify this
option one or more times to define a specific AREA of
the ACL you want to modify. You must have at least 2
comments defined in the ACL prior to running. This
requires two arguments, the start comment, and the end
comment. Your modifications will be done between the
two.
--insert-defined This option works differently based on the type of ACL
we are modifying. The one similar characteristic is
that this will never remove any access already defined,
just append.
--replace-defined This option works differently based on the type of ACL
we are modifying. The one similar characteristic is
that access can be removed, since this replaces whole
sets of defined data.
Examples¶
Understanding --insert-defined
¶
This flag will tell acl_script
to append (read: never remove) information
to a portion of an ACL.
Junos¶
On a Junos-type ACL using --insert-defined
, this will only replace parts of
the term that have been specified on the command-line. This may sound confusing
but this example should clear things up.
Take the following term:
term sr31337 {
from {
source-address {
10.0.0.0/8;
11.0.0.0/8;
}
destination-address {
192.168.0.1/32;
}
destination-port 80;
protocol tcp;
}
then {
accept;
count sr31337;
}
}
If you run acl_script
with the following arguments:
acl_script --modify-specific-term sr31337 --source-address 5.5.5.5/32 --destination-port 81 --insert-defined
The following is generated:
term sr31337 {
from {
source-address {
5.5.5.5/32;
10.0.0.0/8;
11.0.0.0/8;
}
destination-address {
192.168.0.1/32;
}
destination-port 80-81;
protocol tcp;
}
then {
accept;
count sr31337;
}
}
As you can see 5.5.5.5/32
was added to the source-address
portion, and
81
was added as a destination-port
. Notice that all other fields were
left alone.
IOS-like¶
On IOS-like ACLs --insert-defined
behaves a little bit differently. In this
case the acl_script
will only add access where it is needed.
Take the following example:
!!! I AM L33T
access-list 101 permit udp host 192.168.0.1 host 192.168.1.1 eq 80
access-list 101 permit ip host 192.168.0.5 host 192.168.1.10
access-list 101 permit tcp host 192.168.0.6 host 192.168.1.11 eq 22
!!! I AM NOT L33T
If you run acl_script
with the following arguments:
acl_script --modify-between-comments "I AM L33T" "I AM NOT L33T" \
--source-address 192.168.0.5 \
--destination-address 192.168.1.10 \
--destination-address 192.168.1.11 \
--protocol tcp \
--destination-port 80 \
--insert-defined
This output is generated:
!!! I AM L33T
access-list 101 permit udp host 192.168.0.1 host 192.168.1.1 eq 80
access-list 101 permit ip host 192.168.0.5 host 192.168.1.10
access-list 101 permit tcp host 192.168.0.6 host 192.168.1.11 eq 22
access-list 101 permit tcp host 192.168.0.5 host 192.168.1.11 eq 80
!!! I AM NOT L33T
As you can see the last line was added, take note that the
192.168.0.5->192.168.1.10:80
access was not added because it was already
permitted previously.
Understanding --replace-defined
¶
This flag will completely replace portions of an ACL with newly-defined information.
Junos¶
Take the following term:
term sr31337 {
from {
source-address {
10.0.0.0/8;
11.0.0.0/8;
}
destination-address {
192.168.0.1/32;
}
destination-port 80;
protocol tcp;
}
then {
accept;
count sr31337;
}
}
- With the following arguments to
acl_script
:: - acl_script –modify-specific-term sr31337 –source-address 5.5.5.5 –replace-defined
The following is generated:
term sr31337 {
from {
source-address {
5.5.5.5/32;
}
destination-address {
192.168.0.1/32;
}
destination-port 80;
protocol tcp;
}
then {
accept;
count sr31337;
}
}