google / capirca

Multi-platform ACL generation system
Apache License 2.0

Support for Juniper Wildcard Zones #292

Open minitriga opened 2 years ago

minitriga commented 2 years ago

I have a requirement to enable wildcard security policies on some SRX devices using Capirca and I'm unable to do this.

header {
  target:: srx from-zone <*> to-zone <*>
}

term deny-to-google {
  source-address:: INTERNAL
  destination-address:: GOOGLE_DNS
  destination-port:: DNS
  protocol:: tcp
  action:: accept
}

This should result in a security policy that is from-zone <*> to-zone <*>.

But you are presented with UnsupportedFilterError: SRX filter arguments must specify from-zone and to-zone.

I think this is because the parser is not allowing the <*> through and is erroring out somewhere.

abhindes commented 2 years ago

Yup, the parser considers these illegal characters here - https://github.com/google/capirca/blob/master/capirca/lib/policy.py#L1832

Could you elaborate on this requirement so we can decide if this is something Capirca can support safely?

I wasn't aware of SRX supporting wildcard zones, is this something specific to your policies?

minitriga commented 2 years ago

It's a very niche use case, but when defining security policies in groups you can use wildcard zones. This allows Junos users to add security policy information to all policies that would match the wildcard groups.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB35745&showDraft=false

abhindes commented 2 years ago

We've discussed this internally. We'd prefer to not modify the parser to handle * as a legal character.

A way to handle this could be to use a special reserved token to represent the wildcard zone - "wildcard-zone-token", and when this is provided in the .pol file as the from-zone or to-zone, the Juniper SRX generator can convert this "wildcard-zone-token" into the correct configuration (i.e. to <*>). This will limit this change to the SRX generator. We also don't expect zones to be named "wildcard-zone-token", so that should have no issues either.

We will accept a PR for this if you need this feature! Thanks!
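A sketch of the reserved-token approach proposed above, added here as an illustration and not capirca's own code: the parser keeps rejecting `<*>` in zone names (the zone-name character set, the function names and the minimal Junos stanza are assumptions for this example), while the SRX generator maps `wildcard-zone-token` to `<*>` at render time.

```python
"""Reserved-token approach for SRX wildcard zones (constructed example, not
capirca's code): the parser still rejects '<*>' as an illegal zone name, and
only the SRX generator translates 'wildcard-zone-token' into Junos' '<*>'."""
import re

WILDCARD_ZONE_TOKEN = "wildcard-zone-token"   # reserved name from the thread
JUNOS_WILDCARD = "<*>"
# Assumed zone-name grammar: letters, digits, '-', '_', '.'; the real character
# set lives in capirca/lib/policy.py and is not reproduced here.
_ZONE_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
_TARGET_RE = re.compile(r"^srx\s+from-zone\s+(\S+)\s+to-zone\s+(\S+)$")


def parse_srx_target(target: str) -> tuple[str, str]:
    """Parse 'srx from-zone X to-zone Y' (hypothetical parser step).

    '<*>' is rejected here, so the literal form fails at parse time as the
    issue describes, while the reserved token passes as an ordinary name."""
    m = _TARGET_RE.match(target.strip())
    if not m:
        raise ValueError("SRX filter arguments must specify from-zone and to-zone.")
    from_zone, to_zone = m.groups()
    for zone in (from_zone, to_zone):
        if not _ZONE_RE.match(zone):
            raise ValueError(f"illegal character in zone name: {zone!r}")
    return from_zone, to_zone


def junos_zone(zone: str) -> str:
    """Generator-side translation: only the reserved token becomes '<*>'."""
    return JUNOS_WILDCARD if zone == WILDCARD_ZONE_TOKEN else zone


def render_policy(target: str, name: str, src: str, dst: str, app: str) -> str:
    """Render a minimal Junos security-policy stanza for one accept term
    (hypothetical generator output; the real SRX generator emits more)."""
    from_zone, to_zone = parse_srx_target(target)
    return (
        f"from-zone {junos_zone(from_zone)} to-zone {junos_zone(to_zone)} {{\n"
        f"    policy {name} {{\n"
        f"        match {{ source-address {src}; destination-address {dst}; "
        f"application {app}; }}\n"
        f"        then {{ permit; }}\n"
        f"    }}\n"
        f"}}"
    )
```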