junoser 0.4.1 → 0.4.2

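--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: b370402809bb2214265f0dd6e692c591337882121f7f5c1f8f3653553cd29f83
- data.tar.gz: 72dd3c61381706e34cba7618e6402f6be59380137c3b7198747d898e17d550c0
+ metadata.gz: f37eb9172418859fd2a4144cdd0d4b47c657162e02117cfb9fe73a33fe9ca0e2
+ data.tar.gz: 4791fbaf136985e1b16a4dba7daaf2fc2dbcee8ed85508d2e3c65b5b3f4575b9
  SHA512:
- metadata.gz: 606fec606c9882cddbef3f1cc687d00f19cf0f535acdb84da448dfea730e5c7d69f16d4837014c5b7c4b1a68fea00c957f72c867ffcdccae3773b7fbf2c76b5d
- data.tar.gz: d88215e1ef62177ed15e5c0e76a149ac53a96880fb19c9bfd32c275e750b2aa298bb39a6a01b6a3ee3b650592da1d843b7bb443ac9bbfa75ef620b1e2c061752
+ metadata.gz: 5961c24e760831bf52f6edb82c5972aefb023d99639091fb2c12d95f083ef57e9e2703fd441dbb0c1d5e44b5e386834679e910873e44825c9a7c103243fa2c6c
+ data.tar.gz: 9e41dcfb72bfe2f5b801506c50725a4a0da2f56a09a8ddeedb8cb7d4b8ae82864008c89cdf2da837ced1c83d39d2e7d53640bba5f7dcb459d434e0d173862659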
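--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,18 @@
+ ## [0.4.2] - 2021-08-30
+
+ ### Added
+
+ * Newly supported syntax
+ * "virtual-chassis vcp-snmp-statistics"
+ * "application_object"
+
+ ### Fixed
+
+ * Keywords "tls", "group", "dest-nat-rule-match", "src-nat-rule-match", and "static-nat-rule-match" might be marked as invalid in some hierarchies
+ * "applications application xxx term xxx"
+ * "security"
+
+
  ## [0.4.1] - 2021-06-06
 
  ### Added
@@ -7,7 +22,7 @@
 
  ### Fixed
 
- * "scpf-link", "https", "inet6", "icmp6", "icmpv6", "ospf3", and "snmptrap" keywords might be marked as invalid in some hierarchies
+ * Keywords "scpf-link", "https", "inet6", "icmp6", "icmpv6", "ospf3", and "snmptrap" might be marked as invalid in some hierarchies
  * "policy-options community xxx members"
  * "policy-options route-distinguisher xxx members"
  * "routing-options confederation members"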
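--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- junoser (0.4.1)
+ junoser (0.4.2)
  parslet
 
  GEM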
data/Rakefile CHANGED
@@ -19,12 +19,22 @@ def open_files(input, output, &block)
19
19
  o.close
20
20
  end
21
21
 
22
+ def move_wildcards(element)
23
+ ['ipaddr', 'ipv6addr', 'ipprefix'].each do |pattern|
24
+ element.xpath(%[.//xsd:element[@type="#{pattern}"]/xsd:annotation/xsd:appinfo/flag[text()="nokeyword"]/../../..]).each do |wildcard|
25
+ parent = wildcard.parent
26
+ removed = wildcard.remove
27
+ parent << removed
28
+ end
29
+ end
30
+ end
22
31
 
23
32
  namespace :build do
24
33
  desc 'Build an intermediate config hierarchy'
25
34
  task :config do
26
35
  open_files(xsd_path, rule_path) do |input, output|
27
36
  Nokogiri::XML(input).root.remove_unused.xpath('/xsd:schema/*').each do |e|
37
+ move_wildcards e # Move wildcard elements to the end of siblings as they capture keywords unexpectedly
28
38
  output.puts e.to_config
29
39
  end
30
40
  end
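Review bot: `move_wildcards` appends each matched element to `wildcard.parent`, and the regenerated grammar further down this page suggests that parent is not always the enclosing choice: in the `"inet6-backup-router"` hunk the moved `ipv6addr` lands inside the `"destination" ( … )` group next to `ipv6prefix`, whereas the other visible hunks leave the wildcard as the last sibling of its `c(`/`sc(`. Because this grammar decides which configuration lines are reported as invalid (per the changelog), a regression test for `system inet6-backup-router` would confirm whether that statement still parses as intended. The type list also omits `ipv6prefix`; if that is deliberate, it is worth saying so in a comment above the method rather than only at the call site, e.g. `# Move nokeyword ipaddr/ipv6addr/ipprefix elements to the end of their parent so literal keywords are tried first`. `move_wildcards` is complete in this hunk, while the `task :config` block may continue past it.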
@@ -56,7 +66,6 @@ task 'find-srx-methods' do
56
66
  end
57
67
  end
58
68
 
59
-
60
69
  Rake::TestTask.new do |t|
61
70
  t.libs << 'test'
62
71
 
@@ -1996,10 +1996,10 @@ rule(:configuration) do
1996
1996
  ),
1997
1997
  "wildcard-address" ( /* IP wildcard address and mask */
1998
1998
  sc(
1999
- ipaddr /* IP wildcard address */,
2000
1999
  "wildcard-mask" ( /* IP wildcard address mask */
2001
2000
  ipaddr /* IP wildcard address mask */
2002
- )
2001
+ ),
2002
+ ipaddr /* IP wildcard address */
2003
2003
  )
2004
2004
  ).as(:oneline),
2005
2005
  "port-range" ( /* IP port ranges */
@@ -2017,10 +2017,10 @@ rule(:configuration) do
2017
2017
  ),
2018
2018
  "wildcard-address" ( /* IP wildcard address and mask */
2019
2019
  sc(
2020
- ipaddr /* IP wildcard address */,
2021
2020
  "wildcard-mask" ( /* IP wildcard address mask */
2022
2021
  ipaddr /* IP wildcard address mask */
2023
- )
2022
+ ),
2023
+ ipaddr /* IP wildcard address */
2024
2024
  )
2025
2025
  ).as(:oneline),
2026
2026
  "port-range" ( /* IP port ranges */
@@ -5912,34 +5912,34 @@ rule(:configuration) do
5912
5912
  c(
5913
5913
  "source-ip" ( /* Filter based on source-ip (and wildcard) */
5914
5914
  sc(
5915
- ipaddr /* Source IP */,
5916
5915
  "wildcard" ( /* Source IP wildcard */
5917
5916
  ipaddr /* Source IP wildcard */
5918
- )
5917
+ ),
5918
+ ipaddr /* Source IP */
5919
5919
  )
5920
5920
  ).as(:oneline),
5921
5921
  "dest-ip" ( /* Filter based on dest-ip (and wildcard) */
5922
5922
  sc(
5923
- ipaddr /* Dest IP */,
5924
5923
  "wildcard" ( /* Dest IP wildcard */
5925
5924
  ipaddr /* Dest IP wildcard */
5926
- )
5925
+ ),
5926
+ ipaddr /* Dest IP */
5927
5927
  )
5928
5928
  ).as(:oneline),
5929
5929
  "sw-sip" ( /* Filter based on source softwire ip (and wildcard) */
5930
5930
  sc(
5931
- ipv6addr /* Source softwire IP */,
5932
5931
  "wildcard" ( /* Source IP wildcard */
5933
5932
  ipv6addr /* Source IP wildcard */
5934
- )
5933
+ ),
5934
+ ipv6addr /* Source softwire IP */
5935
5935
  )
5936
5936
  ).as(:oneline),
5937
5937
  "sw-dip" ( /* Filter based on destination softwire ip (and wildcard) */
5938
5938
  sc(
5939
- ipaddr /* Destination softwire IP */,
5940
5939
  "wildcard" ( /* Destination IP wildcard */
5941
5940
  ipaddr /* Destination IP wildcard */
5942
- )
5941
+ ),
5942
+ ipaddr /* Destination softwire IP */
5943
5943
  )
5944
5944
  ).as(:oneline),
5945
5945
  "sport-range" ( /* Filter based on source port */
@@ -10594,7 +10594,8 @@ rule(:configuration) do
10594
10594
  "no-auto-conversion" /* Disable automatic VC port conversion */,
10595
10595
  "auto-conversion" /* Enable automatic VC port conversion */
10596
10596
  ),
10597
- "vcp-no-hold-time" /* Set no hold time for vcp interfaces */
10597
+ "vcp-no-hold-time" /* Set no hold time for vcp interfaces */,
10598
+ "vcp-snmp-statistics"
10598
10599
  )
10599
10600
  ),
10600
10601
  "ethernet-switching-options" (
@@ -17879,53 +17880,6 @@ rule(:any_template) do
17879
17880
  )
17880
17881
  end
17881
17882
 
17882
- rule(:application_object) do
17883
- arg.as(:arg) (
17884
- c(
17885
- "application-protocol" ( /* Application protocol type */
17886
- ("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp")
17887
- ),
17888
- "protocol" ( /* Match IP protocol type */
17889
- ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg)
17890
- ),
17891
- "source-port" ( /* Match TCP/UDP source port */
17892
- ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg)
17893
- ),
17894
- "destination-port" ( /* Match TCP/UDP destination port */
17895
- ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg)
17896
- ),
17897
- "ether-type" arg /* Match ether type */,
17898
- "snmp-command" ( /* Match SNMP command */
17899
- ("get" | "get-next" | "get-response" | "set" | "trap")
17900
- ),
17901
- "icmp-type" ( /* Match ICMP message type */
17902
- ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg)
17903
- ),
17904
- "icmp6-type" ( /* Match ICMP6 message type */
17905
- ("echo-request" | "echo-reply" | "destination-unreachable" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "packet-too-big" | "membership-query" | "membership-report" | "membership-termination" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | arg)
17906
- ),
17907
- "icmp-code" ( /* Match ICMP message code */
17908
- ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg)
17909
- ),
17910
- "icmp6-code" ( /* Match ICMP6 message code */
17911
- ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg)
17912
- ),
17913
- "ttl-threshold" arg /* Traceroute TTL threshold */,
17914
- "rpc-program-number" arg /* Match range of RPC program numbers */,
17915
- "uuid" arg /* Match universal unique identifier for DCE RPC objects */,
17916
- "inactivity-timeout" ( /* Application-specific inactivity timeout */
17917
- ("never" | arg)
17918
- ),
17919
- "gate-timeout" arg /* Application-specific gate timeout */,
17920
- "child-inactivity-timeout" arg /* Application-specific child session inactivity timeout */,
17921
- c(
17922
- "do-not-translate-AAAA-query-to-A-query" /* Knob to control the translation of AAAA query to A query */,
17923
- "do-not-translate-A-query-to-AAAA-query" /* Knob to control the translation of A query to AAAA query */
17924
- )
17925
- )
17926
- )
17927
- end
17928
-
17929
17883
  rule(:application_set_object) do
17930
17884
  arg.as(:arg) (
17931
17885
  c(
@@ -28321,34 +28275,34 @@ rule(:interfaces_type) do
28321
28275
  c(
28322
28276
  "source-ip" ( /* Filter based on source-ip (and wildcard) */
28323
28277
  sc(
28324
- ipaddr /* Source IP */,
28325
28278
  "wildcard" ( /* Source IP wildcard */
28326
28279
  ipaddr /* Source IP wildcard */
28327
- )
28280
+ ),
28281
+ ipaddr /* Source IP */
28328
28282
  )
28329
28283
  ).as(:oneline),
28330
28284
  "dest-ip" ( /* Filter based on dest-ip (and wildcard) */
28331
28285
  sc(
28332
- ipaddr /* Dest IP */,
28333
28286
  "wildcard" ( /* Dest IP wildcard */
28334
28287
  ipaddr /* Dest IP wildcard */
28335
- )
28288
+ ),
28289
+ ipaddr /* Dest IP */
28336
28290
  )
28337
28291
  ).as(:oneline),
28338
28292
  "sw-sip" ( /* Filter based on source softwire ip (and wildcard) */
28339
28293
  sc(
28340
- ipv6addr /* Source softwire IP */,
28341
28294
  "wildcard" ( /* Source IP wildcard */
28342
28295
  ipv6addr /* Source IP wildcard */
28343
- )
28296
+ ),
28297
+ ipv6addr /* Source softwire IP */
28344
28298
  )
28345
28299
  ).as(:oneline),
28346
28300
  "sw-dip" ( /* Filter based on destination softwire ip (and wildcard) */
28347
28301
  sc(
28348
- ipaddr /* Destination softwire IP */,
28349
28302
  "wildcard" ( /* Destination IP wildcard */
28350
28303
  ipaddr /* Destination IP wildcard */
28351
- )
28304
+ ),
28305
+ ipaddr /* Destination softwire IP */
28352
28306
  )
28353
28307
  ).as(:oneline),
28354
28308
  "sport-range" ( /* Filter based on source port */
@@ -43766,34 +43720,34 @@ rule(:juniper_dynamic_profile_object) do
43766
43720
  c(
43767
43721
  "source-ip" ( /* Filter based on source-ip (and wildcard) */
43768
43722
  sc(
43769
- ipaddr /* Source IP */,
43770
43723
  "wildcard" ( /* Source IP wildcard */
43771
43724
  ipaddr /* Source IP wildcard */
43772
- )
43725
+ ),
43726
+ ipaddr /* Source IP */
43773
43727
  )
43774
43728
  ).as(:oneline),
43775
43729
  "dest-ip" ( /* Filter based on dest-ip (and wildcard) */
43776
43730
  sc(
43777
- ipaddr /* Dest IP */,
43778
43731
  "wildcard" ( /* Dest IP wildcard */
43779
43732
  ipaddr /* Dest IP wildcard */
43780
- )
43733
+ ),
43734
+ ipaddr /* Dest IP */
43781
43735
  )
43782
43736
  ).as(:oneline),
43783
43737
  "sw-sip" ( /* Filter based on source softwire ip (and wildcard) */
43784
43738
  sc(
43785
- ipv6addr /* Source softwire IP */,
43786
43739
  "wildcard" ( /* Source IP wildcard */
43787
43740
  ipv6addr /* Source IP wildcard */
43788
- )
43741
+ ),
43742
+ ipv6addr /* Source softwire IP */
43789
43743
  )
43790
43744
  ).as(:oneline),
43791
43745
  "sw-dip" ( /* Filter based on destination softwire ip (and wildcard) */
43792
43746
  sc(
43793
- ipaddr /* Destination softwire IP */,
43794
43747
  "wildcard" ( /* Destination IP wildcard */
43795
43748
  ipaddr /* Destination IP wildcard */
43796
- )
43749
+ ),
43750
+ ipaddr /* Destination softwire IP */
43797
43751
  )
43798
43752
  ).as(:oneline),
43799
43753
  "sport-range" ( /* Filter based on source port */
@@ -47223,34 +47177,34 @@ rule(:juniper_dynamic_profile_object) do
47223
47177
  c(
47224
47178
  "source-ip" ( /* Filter based on source-ip (and wildcard) */
47225
47179
  sc(
47226
- ipaddr /* Source IP */,
47227
47180
  "wildcard" ( /* Source IP wildcard */
47228
47181
  ipaddr /* Source IP wildcard */
47229
- )
47182
+ ),
47183
+ ipaddr /* Source IP */
47230
47184
  )
47231
47185
  ).as(:oneline),
47232
47186
  "dest-ip" ( /* Filter based on dest-ip (and wildcard) */
47233
47187
  sc(
47234
- ipaddr /* Dest IP */,
47235
47188
  "wildcard" ( /* Dest IP wildcard */
47236
47189
  ipaddr /* Dest IP wildcard */
47237
- )
47190
+ ),
47191
+ ipaddr /* Dest IP */
47238
47192
  )
47239
47193
  ).as(:oneline),
47240
47194
  "sw-sip" ( /* Filter based on source softwire ip (and wildcard) */
47241
47195
  sc(
47242
- ipv6addr /* Source softwire IP */,
47243
47196
  "wildcard" ( /* Source IP wildcard */
47244
47197
  ipv6addr /* Source IP wildcard */
47245
- )
47198
+ ),
47199
+ ipv6addr /* Source softwire IP */
47246
47200
  )
47247
47201
  ).as(:oneline),
47248
47202
  "sw-dip" ( /* Filter based on destination softwire ip (and wildcard) */
47249
47203
  sc(
47250
- ipaddr /* Destination softwire IP */,
47251
47204
  "wildcard" ( /* Destination IP wildcard */
47252
47205
  ipaddr /* Destination IP wildcard */
47253
- )
47206
+ ),
47207
+ ipaddr /* Destination softwire IP */
47254
47208
  )
47255
47209
  ).as(:oneline),
47256
47210
  "sport-range" ( /* Filter based on source port */
@@ -55337,10 +55291,10 @@ rule(:juniper_policy_options) do
55337
55291
  c(
55338
55292
  "self" /* Use a local address as the next-hop address */,
55339
55293
  "peer-address" /* Use the remote peer address as the next-hop address */,
55340
- ipaddr /* Next-hop address */,
55341
55294
  "reject" /* Use a reject next hop */,
55342
55295
  "discard" /* Use a discard next hop */,
55343
- "next-table" arg /* Perform a forwarding lookup in the specified table */
55296
+ "next-table" arg /* Perform a forwarding lookup in the specified table */,
55297
+ ipaddr /* Next-hop address */
55344
55298
  )
55345
55299
  )
55346
55300
  ).as(:oneline),
@@ -55948,10 +55902,10 @@ rule(:juniper_policy_options) do
55948
55902
  c(
55949
55903
  "self" /* Use a local address as the next-hop address */,
55950
55904
  "peer-address" /* Use the remote peer address as the next-hop address */,
55951
- ipaddr /* Next-hop address */,
55952
55905
  "reject" /* Use a reject next hop */,
55953
55906
  "discard" /* Use a discard next hop */,
55954
- "next-table" arg /* Perform a forwarding lookup in the specified table */
55907
+ "next-table" arg /* Perform a forwarding lookup in the specified table */,
55908
+ ipaddr /* Next-hop address */
55955
55909
  )
55956
55910
  )
55957
55911
  ).as(:oneline),
@@ -56163,8 +56117,8 @@ rule(:juniper_policy_options) do
56163
56117
  c(
56164
56118
  "inet" ( /* Route to match corresponds to an inet/inet6 prefix */
56165
56119
  c(
56166
- ipprefix /* Exact address of the route */,
56167
- "table" arg /* Routing table in which route should exist */
56120
+ "table" arg /* Routing table in which route should exist */,
56121
+ ipprefix /* Exact address of the route */
56168
56122
  )
56169
56123
  ),
56170
56124
  "ccc" ( /* Route to match corresponds to a ccc prefix */
@@ -56178,8 +56132,8 @@ rule(:juniper_policy_options) do
56178
56132
  )
56179
56133
  )
56180
56134
  ),
56181
- ipprefix /* Exact address of the route */,
56182
- "table" arg /* Routing table in which route should exist */
56135
+ "table" arg /* Routing table in which route should exist */,
56136
+ ipprefix /* Exact address of the route */
56183
56137
  )
56184
56138
  )
56185
56139
  )
@@ -56468,10 +56422,10 @@ rule(:control_prefix_list_filter_type) do
56468
56422
  c(
56469
56423
  "self" /* Use a local address as the next-hop address */,
56470
56424
  "peer-address" /* Use the remote peer address as the next-hop address */,
56471
- ipaddr /* Next-hop address */,
56472
56425
  "reject" /* Use a reject next hop */,
56473
56426
  "discard" /* Use a discard next hop */,
56474
- "next-table" arg /* Perform a forwarding lookup in the specified table */
56427
+ "next-table" arg /* Perform a forwarding lookup in the specified table */,
56428
+ ipaddr /* Next-hop address */
56475
56429
  )
56476
56430
  )
56477
56431
  ).as(:oneline),
@@ -56863,10 +56817,10 @@ rule(:control_route_filter_type) do
56863
56817
  c(
56864
56818
  "self" /* Use a local address as the next-hop address */,
56865
56819
  "peer-address" /* Use the remote peer address as the next-hop address */,
56866
- ipaddr /* Next-hop address */,
56867
56820
  "reject" /* Use a reject next hop */,
56868
56821
  "discard" /* Use a discard next hop */,
56869
- "next-table" arg /* Perform a forwarding lookup in the specified table */
56822
+ "next-table" arg /* Perform a forwarding lookup in the specified table */,
56823
+ ipaddr /* Next-hop address */
56870
56824
  )
56871
56825
  )
56872
56826
  ).as(:oneline),
@@ -57242,10 +57196,10 @@ rule(:control_source_address_filter_type) do
57242
57196
  c(
57243
57197
  "self" /* Use a local address as the next-hop address */,
57244
57198
  "peer-address" /* Use the remote peer address as the next-hop address */,
57245
- ipaddr /* Next-hop address */,
57246
57199
  "reject" /* Use a reject next hop */,
57247
57200
  "discard" /* Use a discard next hop */,
57248
- "next-table" arg /* Perform a forwarding lookup in the specified table */
57201
+ "next-table" arg /* Perform a forwarding lookup in the specified table */,
57202
+ ipaddr /* Next-hop address */
57249
57203
  )
57250
57204
  )
57251
57205
  ).as(:oneline),
@@ -77513,9 +77467,9 @@ rule(:juniper_system) do
77513
77467
  ).as(:oneline),
77514
77468
  "inet6-backup-router" ( /* IPv6 router to use while booting */
77515
77469
  sc(
77516
- ipv6addr /* Address of router to use while booting */,
77517
77470
  "destination" ( /* Destination network reachable through the router */
77518
- ipv6prefix /* Destination network reachable through the router */
77471
+ ipv6prefix /* Destination network reachable through the router */,
77472
+ ipv6addr /* Address of router to use while booting */
77519
77473
  )
77520
77474
  )
77521
77475
  ).as(:oneline),
@@ -98364,14 +98318,6 @@ rule(:log_object) do
98364
98318
  )
98365
98319
  end
98366
98320
 
98367
- rule(:logical_system_type) do
98368
- arg.as(:arg) (
98369
- c(
98370
- "max-sessions" arg /* Max number of IDP sessions */
98371
- )
98372
- )
98373
- end
98374
-
98375
98321
  rule(:login_class_object) do
98376
98322
  arg.as(:arg) (
98377
98323
  c(
@@ -101523,31 +101469,6 @@ rule(:nasreq_definition) do
101523
101469
  )
101524
101470
  end
101525
101471
 
101526
- rule(:nat_object) do
101527
- c(
101528
- "pool" ( /* Define a NAT pool */
101529
- nat_pool_object /* Define a NAT pool */
101530
- ),
101531
- "ipv6-multicast-interfaces" ("all" | "interface-name") ( /* Enable IPv6 multicast filter for IPv6 NAT */
101532
- c(
101533
- "disable" /* Disable IPv6 multicast filter for IPv6 NAT */
101534
- )
101535
- ),
101536
- "allow-overlapping-nat-pools" /* Allow usage of overlapping and same nat pools in multiple service sets */,
101537
- "rule" ( /* Define a NAT rule */
101538
- nat_rule_object /* Define a NAT rule */
101539
- ),
101540
- "port-forwarding" ( /* Define a port-forwarding pool */
101541
- pf_mapping /* Define a port-forwarding pool */
101542
- ),
101543
- "rule-set" arg ( /* Defines a set of NAT rules */
101544
- c(
101545
- "rule" arg /* Rule to be included in this rule set */
101546
- )
101547
- )
101548
- )
101549
- end
101550
-
101551
101472
  rule(:nat_pool_object) do
101552
101473
  arg.as(:arg) (
101553
101474
  c(
@@ -105285,10 +105206,10 @@ rule(:route_filter_list_items) do
105285
105206
  c(
105286
105207
  "self" /* Use a local address as the next-hop address */,
105287
105208
  "peer-address" /* Use the remote peer address as the next-hop address */,
105288
- ipaddr /* Next-hop address */,
105289
105209
  "reject" /* Use a reject next hop */,
105290
105210
  "discard" /* Use a discard next hop */,
105291
- "next-table" arg /* Perform a forwarding lookup in the specified table */
105211
+ "next-table" arg /* Perform a forwarding lookup in the specified table */,
105212
+ ipaddr /* Next-hop address */
105292
105213
  )
105293
105214
  )
105294
105215
  ).as(:oneline),
@@ -105552,11 +105473,11 @@ end
105552
105473
 
105553
105474
  rule(:routing_destination_address) do
105554
105475
  c(
105555
- ipaddr /* IP address */,
105556
105476
  "port" arg /* Port number */,
105557
105477
  "transport-protocol" ( /* Transport protocol */
105558
105478
  transport_protocol /* Transport protocol */
105559
- )
105479
+ ),
105480
+ ipaddr /* IP address */
105560
105481
  ).as(:oneline)
105561
105482
  end
105562
105483
 
@@ -107412,12 +107333,6 @@ rule(:ipsec_sa) do
107412
107333
  )
107413
107334
  end
107414
107335
 
107415
- rule(:ipsec_traceoptions) do
107416
- c(
107417
- "flag" enum(("packet-processing" | "packet-drops" | "security-associations" | "next-hop-tunnel-binding" | "all")) /* Events to include in data-plane IPSec trace output */.as(:oneline)
107418
- )
107419
- end
107420
-
107421
107336
  rule(:ipsec_trusted_channel_sa) do
107422
107337
  c(
107423
107338
  "description" arg /* Text description of trusted channel security association */,
@@ -107467,114 +107382,6 @@ rule(:ipsec_trusted_channel_sa) do
107467
107382
  )
107468
107383
  end
107469
107384
 
107470
- rule(:ipsec_vpn_monitor) do
107471
- c(
107472
- "interval" arg /* Monitor interval in seconds */,
107473
- "threshold" arg /* Number of consecutive failures to determine connectivity */
107474
- )
107475
- end
107476
-
107477
- rule(:ipsec_vpn_template) do
107478
- arg.as(:arg) (
107479
- c(
107480
- "bind-interface" ( /* Bind to tunnel interface (route-based VPN) */
107481
- interface_name /* Bind to tunnel interface (route-based VPN) */
107482
- ),
107483
- "df-bit" ( /* Specifies how to handle the Don't Fragment bit */
107484
- ("clear" | "set" | "copy")
107485
- ),
107486
- "vpn-monitor" ( /* Monitor VPN liveliness */
107487
- ipsec_template_monitor /* Monitor VPN liveliness */
107488
- ),
107489
- c(
107490
- "manual" ( /* Define a manual security association */
107491
- c(
107492
- "gateway" ( /* Define the IPSec peer */
107493
- hostname /* Define the IPSec peer */
107494
- ),
107495
- "external-interface" ( /* External interface for the security association */
107496
- interface_unit /* External interface for the security association */
107497
- ),
107498
- "protocol" ( /* Define an IPSec protocol for the security association */
107499
- ("ah" | "esp")
107500
- ),
107501
- "spi" arg /* Define security parameter index */,
107502
- "authentication" ( /* Define authentication parameters */
107503
- c(
107504
- "algorithm" ( /* Define authentication algorithm */
107505
- ("hmac-md5-96" | "hmac-sha1-96" | "hmac-sha-256-128" | "hmac-sha-256-96")
107506
- ),
107507
- "key" ( /* Define an authentication key */
107508
- sc(
107509
- c(
107510
- "ascii-text" arg /* Format as text */,
107511
- "hexadecimal" arg /* Format as hexadecimal */
107512
- )
107513
- )
107514
- ).as(:oneline)
107515
- )
107516
- ),
107517
- "encryption" ( /* Define encryption parameters */
107518
- c(
107519
- "algorithm" ( /* Define encryption algorithm */
107520
- ("des-cbc" | "3des-cbc" | "aes-128-cbc" | "aes-192-cbc" | "aes-256-cbc")
107521
- ),
107522
- "key" ( /* Define an encryption key */
107523
- sc(
107524
- c(
107525
- "ascii-text" arg /* Format as text */,
107526
- "hexadecimal" arg /* Format as hexadecimal */
107527
- )
107528
- )
107529
- ).as(:oneline)
107530
- )
107531
- )
107532
- )
107533
- ),
107534
- "ike" ( /* Define an IKE-keyed IPSec vpn */
107535
- c(
107536
- "gateway" arg /* Name of remote gateway */,
107537
- "idle-time" arg /* Idle time to delete SA */,
107538
- "no-anti-replay" /* Disable the anti-replay check */,
107539
- "proxy-identity" ( /* IPSec proxy-id to use in IKE negotiations */
107540
- ipsec_template_proxy_id /* IPSec proxy-id to use in IKE negotiations */
107541
- ),
107542
- "ipsec-policy" arg /* Name of the IPSec policy */,
107543
- "install-interval" arg /* Delay installation of rekeyed outbound SAs on initiator */
107544
- )
107545
- )
107546
- ),
107547
- "establish-tunnels" ( /* Define the criteria to establish tunnels */
107548
- ("immediately" | "on-traffic")
107549
- )
107550
- )
107551
- )
107552
- end
107553
-
107554
- rule(:ipsec_template_monitor) do
107555
- c(
107556
- "optimized" /* Optimize for scalability */,
107557
- "source-interface" ( /* Source interface for monitor message */
107558
- interface_unit /* Source interface for monitor message */
107559
- ),
107560
- "destination-ip" ( /* Destination IP addres for monitor message */
107561
- ipaddr /* Destination IP addres for monitor message */
107562
- )
107563
- )
107564
- end
107565
-
107566
- rule(:ipsec_template_proxy_id) do
107567
- c(
107568
- "local" ( /* Local IP address/prefix length */
107569
- ipprefix_mandatory /* Local IP address/prefix length */
107570
- ),
107571
- "remote" ( /* Remote IP address/prefix length */
107572
- ipprefix_mandatory /* Remote IP address/prefix length */
107573
- ),
107574
- "service" arg /* Name of serivce that passes through, any enables all services */
107575
- )
107576
- end
107577
-
107578
107385
  rule(:security_macsec) do
107579
107386
  c(
107580
107387
  "traceoptions" ( /* Tracing options for debugging protocol operation */
@@ -108138,14 +107945,14 @@ rule(:service_set_ipsec_vpn_options_object) do
108138
107945
  "trusted-ca" arg /* List of trusted certificate authority profiles */,
108139
107946
  "local-gateway" ( /* Address and routing instance for local gateway */
108140
107947
  sc(
108141
- ipaddr /* Local gateway address */,
108142
107948
  "routing-instance" arg /* Name of routing instance that hosts local gateway */,
108143
107949
  "interface" ( /* Interface as local gateway */
108144
107950
  interface_unit /* Interface as local gateway */
108145
107951
  ),
108146
107952
  "gw-interface" ( /* Interface as local gateway */
108147
107953
  interface_unit /* Interface as local gateway */
108148
- )
107954
+ ),
107955
+ ipaddr /* Local gateway address */
108149
107956
  )
108150
107957
  ).as(:oneline),
108151
107958
  "ike-access-profile" arg /* IKE access profile for dynamic peers */,
@@ -109942,10 +109749,10 @@ rule(:source_address_filter_list_items) do
109942
109749
  c(
109943
109750
  "self" /* Use a local address as the next-hop address */,
109944
109751
  "peer-address" /* Use the remote peer address as the next-hop address */,
109945
- ipaddr /* Next-hop address */,
109946
109752
  "reject" /* Use a reject next hop */,
109947
109753
  "discard" /* Use a discard next hop */,
109948
- "next-table" arg /* Perform a forwarding lookup in the specified table */
109754
+ "next-table" arg /* Perform a forwarding lookup in the specified table */,
109755
+ ipaddr /* Next-hop address */
109949
109756
  )
109950
109757
  )
109951
109758
  ).as(:oneline),
@@ -115822,8 +115629,8 @@ rule(:default_anti_virus_feature) do
115822
115629
  c(
115823
115630
  "server" ( /* SAV and Anti-Spam first hop DNS server */
115824
115631
  c(
115825
- ipaddr /* SAV and Anti-Spam first hop DNS server ip */,
115826
- "routing-instance" arg /* Routing instance name */
115632
+ "routing-instance" arg /* Routing instance name */,
115633
+ ipaddr /* SAV and Anti-Spam first hop DNS server ip */
115827
115634
  )
115828
115635
  ),
115829
115636
  "sxl-timeout" arg /* Sxl sophos anti-virus engine timeout */,
@@ -116163,9 +115970,9 @@ end
116163
115970
 
116164
115971
  rule(:host_object) do
116165
115972
  c(
116166
- ipaddr /* IP address */,
116167
115973
  "port" arg /* Host port number */,
116168
- "routing-instance" arg /* Routing-instance name */
115974
+ "routing-instance" arg /* Routing-instance name */,
115975
+ ipaddr /* IP address */
116169
115976
  )
116170
115977
  end
116171
115978
 
@@ -116563,7 +116370,6 @@ rule(:address_type) do
116563
116370
  c(
116564
116371
  "description" arg /* Text description of address */,
116565
116372
  c(
116566
- ipprefix /* Numeric IPv4 or IPv6 address with prefix */,
116567
116373
  "dns-name" ( /* DNS address name */
116568
116374
  dns_name_type /* DNS address name */
116569
116375
  ),
@@ -116572,7 +116378,8 @@ rule(:address_type) do
116572
116378
  ),
116573
116379
  "range-address" ( /* Address range */
116574
116380
  range_address_type /* Address range */
116575
- )
116381
+ ),
116382
+ ipprefix /* Numeric IPv4 or IPv6 address with prefix */
116576
116383
  )
116577
116384
  )
116578
116385
  )
@@ -117077,36 +116884,6 @@ rule(:security_ipsec_policy) do
117077
116884
  )
117078
116885
  end
117079
116886
 
117080
- rule(:security_ipsec_vpn) do
117081
- c(
117082
- "internal" ( /* Define an IPSec SA for internal RE-RE communication */
117083
- c(
117084
- "security-association" ( /* Define an IPsec security association */
117085
- ipsec_internal_sa /* Define an IPsec security association */
117086
- )
117087
- )
117088
- ),
117089
- "traceoptions" ( /* Trace options for IPSec data-plane debug */
117090
- ipsec_traceoptions /* Trace options for IPSec data-plane debug */
117091
- ),
117092
- "vpn-monitor-options" ( /* Global options for VPN liveliness monitoring */
117093
- ipsec_vpn_monitor /* Global options for VPN liveliness monitoring */
117094
- ),
117095
- "proposal" ( /* Define an IPSec proposal */
117096
- ipsec_proposal /* Define an IPSec proposal */
117097
- ),
117098
- "policy" ( /* Define an IPSec policy */
117099
- ipsec_policy /* Define an IPSec policy */
117100
- ),
117101
- "vpn" ( /* Define an IPSec VPN */
117102
- ipsec_vpn_template /* Define an IPSec VPN */
117103
- ),
117104
- "security-association" ( /* Define a manual control plane SA */
117105
- ipsec_sa /* Define a manual control plane SA */
117106
- )
117107
- )
117108
- end
117109
-
117110
116887
  rule(:ipsec_traceoptions) do
117111
116888
  c(
117112
116889
  "flag" enum(("packet-processing" | "packet-drops" | "security-associations" | "next-hop-tunnel-binding" | "all")) /* Events to include in data-plane IPSec trace output */.as(:oneline)
@@ -117450,7 +117227,6 @@ rule(:ssg_destination_nat_object) do
117450
117227
  ),
117451
117228
  "address" ( /* Add address or address range to pool */
117452
117229
  sc(
117453
- ipprefix /* IPv4 or IPv6 address or address range */,
117454
117230
  c(
117455
117231
  "to" ( /* Upper limit of address range */
117456
117232
  c(
@@ -117458,7 +117234,8 @@ rule(:ssg_destination_nat_object) do
117458
117234
  )
117459
117235
  ),
117460
117236
  "port" arg /* Specify the port value */
117461
- )
117237
+ ),
117238
+ ipprefix /* IPv4 or IPv6 address or address range */
117462
117239
  )
117463
117240
  ).as(:oneline)
117464
117241
  )
@@ -118056,13 +117833,13 @@ rule(:static_nat_rule_object) do
118056
117833
  ),
118057
117834
  "prefix" ( /* Address prefix */
118058
117835
  c(
118059
- ipprefix /* IPv4 or IPv6 address prefix value */,
118060
117836
  "mapped-port" ( /* Mapped port */
118061
117837
  static_nat_rule_mapped_port_object /* Mapped port */
118062
117838
  ).as(:oneline),
118063
117839
  "routing-instance" ( /* Routing instance */
118064
117840
  ("default" | arg)
118065
- )
117841
+ ),
117842
+ ipprefix /* IPv4 or IPv6 address prefix value */
118066
117843
  )
118067
117844
  ),
118068
117845
  "prefix-name" ( /* Address from address book */
@@ -118078,10 +117855,10 @@ rule(:static_nat_rule_object) do
118078
117855
  ),
118079
117856
  "nptv6-prefix" ( /* NPTv6 address prefix, the longest prefix will be supported is /64 */
118080
117857
  c(
118081
- ipprefix /* IPv6 address prefix value, the longest prefix will be supported is /64 */,
118082
117858
  "routing-instance" ( /* Routing instance */
118083
117859
  ("default" | arg)
118084
- )
117860
+ ),
117861
+ ipprefix /* IPv6 address prefix value, the longest prefix will be supported is /64 */
118085
117862
  )
118086
117863
  ),
118087
117864
  "nptv6-prefix-name" ( /* NPTv6 address from address book */
@@ -118416,4 +118193,91 @@ rule(:zone_system_services_object_type) do
118416
118193
  )
118417
118194
  )
118418
118195
  end
118196
+
118197
+ rule(:application_object) do
118198
+ arg.as(:arg) (
118199
+ c(
118200
+ "description" arg /* Text description of application */,
118201
+ "term" ( /* Define individual application protocols */
118202
+ term_object /* Define individual application protocols */
118203
+ ),
118204
+ "application-protocol" ( /* Application protocol type */
118205
+ ("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp")
118206
+ ),
118207
+ "protocol" ( /* Match IP protocol type */
118208
+ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg)
118209
+ ),
118210
+ "source-port" ( /* Match TCP/UDP source port */
118211
+ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg)
118212
+ ),
118213
+ "destination-port" ( /* Match TCP/UDP destination port */
118214
+ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg)
118215
+ ),
118216
+ "ether-type" arg /* Match ether type */,
118217
+ "snmp-command" arg /* Match SNMP command */,
118218
+ "icmp-type" ( /* Match ICMP message type */
118219
+ ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg)
118220
+ ),
118221
+ "icmp6-type" ( /* Match ICMP6 message type */
118222
+ ("echo-request" | "echo-reply" | "destination-unreachable" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "packet-too-big" | "membership-query" | "membership-report" | "membership-termination" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | arg)
118223
+ ),
118224
+ "icmp-code" ( /* Match ICMP message code */
118225
+ ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg)
118226
+ ),
118227
+ "icmp6-code" ( /* Match ICMP6 message code */
118228
+ ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg)
118229
+ ),
118230
+ "ttl-threshold" arg /* Traceroute TTL threshold */,
118231
+ "rpc-program-number" arg /* Match range of RPC program numbers */,
118232
+ "uuid" arg /* Match universal unique identifier for DCE RPC objects */,
118233
+ "inactivity-timeout" ( /* Application-specific inactivity timeout */
118234
+ ("never" | arg)
118235
+ ),
118236
+ "gate-timeout" arg /* Application-specific gate timeout */,
118237
+ "child-inactivity-timeout" arg /* Application-specific child session inactivity timeout */,
118238
+ "learn-sip-register" /* Learn potential incoming SIP calls by inspecting the SIP register method */,
118239
+ "sip-call-hold-timeout" arg /* SIP flow timeout when call is put on hold */,
118240
+ c(
118241
+ "do-not-translate-AAAA-query-to-A-query" /* Knob to control the translation of AAAA query to A query */,
118242
+ "do-not-translate-A-query-to-AAAA-query" /* Knob to control the translation of A query to AAAA query */
118243
+ )
118244
+ )
118245
+ )
118246
+ end
118247
+
118248
+ rule(:term_object) do
118249
+ arg.as(:arg) (
118250
+ c(
118251
+ "alg" ( /* Application Layer Gateway */
118252
+ ("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp")
118253
+ ),
118254
+ "protocol" ( /* Match IP protocol type */
118255
+ ("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg)
118256
+ ),
118257
+ "source-port" ( /* Match TCP/UDP source port */
118258
+ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg)
118259
+ ),
118260
+ "destination-port" ( /* Match TCP/UDP destination port */
118261
+ ("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg)
118262
+ ),
118263
+ "icmp-type" ( /* Match ICMP message type */
118264
+ ("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg)
118265
+ ),
118266
+ "icmp-code" ( /* Match ICMP message code */
118267
+ ("network-unreachable" | "host-unreachable" | "protocol-unreachable" | "port-unreachable" | "fragmentation-needed" | "source-route-failed" | "destination-network-unknown" | "destination-host-unknown" | "source-host-isolated" | "destination-network-prohibited" | "destination-host-prohibited" | "network-unreachable-for-tos" | "host-unreachable-for-tos" | "communication-prohibited-by-filtering" | "host-precedence-violation" | "precedence-cutoff-in-effect" | "redirect-for-network" | "redirect-for-host" | "redirect-for-tos-and-net" | "redirect-for-tos-and-host" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip-header-bad" | "required-option-missing" | arg)
118268
+ ),
118269
+ "icmp6-type" ( /* Match ICMP6 message type */
118270
+ ("echo-request" | "echo-reply" | "destination-unreachable" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "packet-too-big" | "membership-query" | "membership-report" | "membership-termination" | "redirect" | "neighbor-solicit" | "neighbor-advertisement" | "router-renumbering" | "node-information-request" | "node-information-reply" | arg)
118271
+ ),
118272
+ "icmp6-code" ( /* Match ICMP6 message code */
118273
+ ("no-route-to-destination" | "administratively-prohibited" | "address-unreachable" | "port-unreachable" | "ttl-eq-zero-during-transit" | "ttl-eq-zero-during-reassembly" | "ip6-header-bad" | "unrecognized-next-header" | "unrecognized-option" | arg)
118274
+ ),
118275
+ "rpc-program-number" arg /* Match range of RPC program numbers */,
118276
+ "uuid" arg /* Match universal unique identifier for DCE RPC objects */,
118277
+ "inactivity-timeout" ( /* Application-specific inactivity timeout */
118278
+ ("never" | arg)
118279
+ )
118280
+ )
118281
+ ).as(:oneline)
118282
+ end
118419
118283
  # End of vSRX 18.3R1.9
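Review bot: The trailing `| arg` on the `"protocol"`, `"source-port"`, `"destination-port"` and ICMP type/code alternations in both `rule(:application_object)` and `rule(:term_object)` looks like it lets any token through, so a misspelled service name such as `"htps"` (constructed example) would still validate. `arg` is defined outside this hunk, so this holds only if it matches an arbitrary word rather than just a number or range. For a checker that gates firewall application definitions, that gap is worth stating where the lists are declared, for example `/* arg also accepts unknown names; the list above documents known values, it does not restrict them */`. Alternatively, the fallback could be narrowed to a numeric matcher if the grammar has one. The port and ICMP lists are also repeated verbatim in both rules, so any correction has to be made in each copy.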