Solved: Re: Leafref firewall interface in service template

horia.gunica · ‎03-25-2020

Hello!

I have the below YANG file and MakeFile for a simple firewall service. In it - I am trying to leafref the device's interfaces so you can see them in a drop-down list in the GUI .

===FW_SERVICE.yang===

module FW_SERVICE {
namespace "http://com/example/FW_SERVICE";
prefix FW_SERVICE;

import ietf-inet-types {
prefix inet;
}
import tailf-ncs {
prefix ncs;
}
import tailf-common {
prefix tailf;
}
import tailf-ned-fortinet-fortios-non-vdom {
prefix fortinet-fortios-non-vdom;
}

list FW_SERVICE {
key name;

uses ncs:service-data;
ncs:servicepoint "FW_SERVICE";

leaf name {
type string;
}

// may replace this with other ways of refering to the devices.
leaf FW_OBJECT_NAME {
tailf:info "New Firewall Object Name";
type string;
}
leaf FW_WO_COMMENT {
tailf:info "WO Reference Comment";
type string;
}
leaf FW_OBJECT_SUBNET {
tailf:info "FW Object Subnet Address";
type string;
}
leaf FW_OBJECT_NETMASK {
tailf:info "FW Object Subnet Address Netmask";
type string;
}
leaf FW_POLICY_NAME {
tailf:info "FW Policy name";
type string;
}
leaf FW_PORT_SRC {
tailf:info "Incoming Interface";
type leafref {
path "deref(../../device)/../ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-
non-vdom:interface-list";
}
}
leaf FW_PORT_DST {
tailf:info "Outgoing Interface";
type string;
}
leaf-list FW_OBJECT_DESTINATION {
tailf:info "Destination Object";
type string;
}
leaf FW_ACTION {
tailf:info "FW Action - cccept or deny";
type string;
}
leaf-list FW_SERVICE {
tailf:info "Destination Services to add";
type string;
}
// replace with your own stuff here
}
}

===MakeFile===

all: fxs
.PHONY: all

# Include standard NCS examples build definitions and rules
include $(NCS_DIR)/src/ncs/build/include.ncs.mk

src=$(wildcard yang/*.yang)
DIRS = ../load-dir
FXS = $(SRC:yang/%.yang=../load-dir/%.fxs)
YANGPATH += ../../fortinet-fortios-cli-5.4/src/ncsc-out/modules/yang

## Uncomment and patch the line below if you have a dependency to a NED
## or to other YANG files
# YANGPATH += ../../<ned-name>/src/ncsc-out/modules/yang \
# ../../<pkt-name>/src/yang

NCSCPATH = $(YANGPATH:%=--yangpath %)
YANGERPATH = $(YANGPATH:%=--path %)

fxs: $(DIRS) $(FXS)
.PHONY: fxs

$(DIRS):
mkdir -p $@

../load-dir/%.fxs: yang/%.yang
$(NCSC) `ls $*-ann.yang > /dev/null 2>&1 && echo "-a $*-ann.yang"` \
$(NCSCPATH) -c -o $@ $<
clean:
rm -rf $(DIRS)
.PHONY: clean

Now the error that it throws at me :

[root@localhost src]# pyang yang/FW_SERVICE.yang
yang/FW_SERVICE.yang:5: warning: imported module ietf-inet-types not used
yang/FW_SERVICE.yang:14: error: module "tailf-ned-fortinet-fortios-non-vdom" not found in search path
/home/horia/ncs-5.3/src/ncs/yang/ietf-yang-schema-mount.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/ietf-yang-schema-mount.yang:9: error: unexpected keyword "reference"
/home/horia/ncs-5.3/src/ncs/yang/ietf-yang-schema-mount.yang:15: error: unexpected keyword "reference"
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-cluster.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-common.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-compliance.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-customers.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-devices.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-devices.yang:3789: error: XPath function "derived-from-or-self" is not defined in the XPath context
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-devices.yang:3997: error: XPath function "derived-from-or-self" is not defined in the XPath context
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-java-vm.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-log.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-packages.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-plan.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-python-vm.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-service-progress-monitoring.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-services.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-smart-license.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-snmp-notification-receiver.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-software.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-ssh.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs.yang:2: error: bad value "1.1" (should be version)

If I try to compile the file :

[root@localhost src]# make --debug
GNU Make 3.82
Built for x86_64-redhat-linux-gnu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Reading makefiles...
Updating goal targets....
File `all' does not exist.
File `fxs' does not exist.
Prerequisite `yang/FW_SERVICE.yang' is newer than target `../load-dir/FW_SERVICE.fxs'.
Must remake target `../load-dir/FW_SERVICE.fxs'.
Invoking recipe from Makefile:27 to update target `../load-dir/FW_SERVICE.fxs'.
/home/horia/ncs-5.3/bin/ncsc `ls FW_SERVICE-ann.yang > /dev/null 2>&1 && echo "-a FW_SERVICE-ann.yang"` \
--yangpath ../../fortinet-fortios-cli-5.4/src/ncsc-out/modules/yang -c -o ../load-dir/FW_SERVICE.fxs yang/FW_SERVICE.yang
yang/FW_SERVICE.yang:52: error: the node 'device' from module 'FW_SERVICE' is not found
make: *** [../load-dir/FW_SERVICE.fxs] Error 1

As for the NED - I am using this one :

[root@localhost packages]# ls | grep forti
fortinet-fortios-cli-5.4

Am struggling a little bit with this .

Best regards!

lmanor · ‎03-26-2020

Hello,

I tried a few test cases:

import tailf-ned-fortinet-fortios-non-vdom {

prefix fortios-non-vdom;

}

....

type leafref {

path "/ncs:devices/ncs:device/ncs:name";

}

leaf dev-name {

type string;

default 'TESTKEY';

}

leaf fw-port-src {

tailf:info "Incoming Interface";

type leafref {

// Compiles: deref points to device tree device specified in leaf device above

// path "deref(../device)/../ncs:config/fortios-non-vdom:system/fortios-non-vdom:interface/fortios-non-vdom:interface-list/fortios-non-vdom:name";

// Compiles: likewise this set the device name to the name specified in the leaf device above

// path "/ncs:devices/ncs:device[ncs:name=current()/../device]/ncs:config/fortios-non-vdom:system/fortios-non-vdom:interface/fortios-non-vdom:interface-list/fortios-non-vdom:name";

// Compiler error: bad argument value:

// Don't think you can specify a literal as name here, the compiler will not know how to follow the path

// path "/ncs:devices/ncs:device[ncs:name='TESTKEY']/ncs:config/fortios-non-vdom:system/fortios-non-vdom:interface/fortios-non-vdom:interface-list/fortios-non-vdom:name";

// Compiles: if you want the 'dev-name' to be static (like I think you are trying to do by specifying 'TESTKEY' above)

// you'll need to do something like this.. to point to a leaf with the value set as a default value...

path "/ncs:devices/ncs:device[ncs:name=current()/../dev-name]/ncs:config/fortios-non-vdom:system/fortios-non-vdom:interface/fortios-non-vdom:interface-list/fortios-non-vdom:name";

}

Makefile YANGPATH same as your's in first post..

View solution in original post

rogaglia · ‎03-25-2020

Hi,

the error refers to this path in line 52 of your YANG model:

path "deref(../../device)/../ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-

Basically, NSO cannot find ../../device (neither can I).

Regards,

Roque

rogaglia · ‎03-25-2020

One interestic trick is to use the xpath tool to find the right xpath:

admin@ncs> set devtools true
[ok][2020-03-25 14:37:30]
admin@ncs> configure
Entering configuration mode private
[ok][2020-03-25 14:37:36]

[edit]
admin@ncs% xpath ctx firewalls-policies firewall-policy POL1 eval hosts
/firewalls-policies/firewall-policy[name='POL1']/hosts[ip4-address='1.1.1.1']
[ok][2020-03-25 14:38:30]

[edit]
admin@ncs%

horia.gunica · ‎03-25-2020

Hi Rogaglia!

Thank you for your quick reply !

Tried that as well but with no luck (pretty sure I am misconfiguring something) :

Tried to find the correct xpath :

admin@ncs% xpath ctx devices device Fortigate_VM config system interface interface-list port1 eval ip
/devices/device[name='Fortigate_VM']/config/fortinet-fortios-non-vdom:system/interface/interface-list[name='port1']/ip
[ok][2020-03-25 09:39:56]

leaf FW_PORT_SRC {
tailf:info "Incoming Interface";
type leafref {
path "/ncs:devices/ncs:device[name='Fortigate_VM']/ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list";
}
}

[root@localhost src]# make
/home/horia/ncs-5.3/bin/ncsc `ls FW_SERVICE-ann.yang > /dev/null 2>&1 && echo "-a FW_SERVICE-ann.yang"` \
--yangpath ../../fortinet-fortios-cli-5.4/src/ncsc-out/modules/yang -c -o ../load-dir/FW_SERVICE.fxs yang/FW_SERVICE.yang
yang/FW_SERVICE.yang:52: error: bad argument value "/ncs:devices/ncs:device[name='Fortigate_VM']/ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list", should be of type path-arg
make: *** [../load-dir/FW_SERVICE.fxs] Error 1

I guess I am writing the path wrong ?

Best regards!

rogaglia · ‎03-25-2020

Can you try adding the prefix to the "name" key (note that you are fixing the device name though):
path "/ncs:devices/ncs:device[ncs:name='Fortigate_VM']/ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list";

horia.gunica · ‎03-26-2020

I modified it :

leaf FW_PORT_SRC {
tailf:info "Incoming Interface";
type leafref {
path "/ncs:devices/ncs:device[ncs:name='Fortigate_VM']/ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list";
}
}

Same error unfortunetly :

[root@localhost src]# make
/home/horia/ncs-5.3/bin/ncsc `ls FW_SERVICE-ann.yang > /dev/null 2>&1 && echo "-a FW_SERVICE-ann.yang"` \
--yangpath ../../fortinet-fortios-cli-5.4/src/ncsc-out/modules/yang -c -o ../load-dir/FW_SERVICE.fxs yang/FW_SERVICE.yang
yang/FW_SERVICE.yang:52: error: bad argument value "/ncs:devices/ncs:device[ncs:name='Fortigate_VM']/ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list", should be of type path-arg
make: *** [../load-dir/FW_SERVICE.fxs] Error 1

And yes - I know that I will fixate the device this way - but I am just trying to get at least this example working and I can start working towards a filter with "current device" from there .

tcragg1 · ‎03-26-2020

I think the path-arg issue you are seeing here is because the path for a leafref must point to either a leaf-list or leaf node, but fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list is a list, not a leaf-list. Instead of pointing to the interface-list object, you need to point to one of the leaf nodes contained within it. Try using the following path:

path "/ncs:devices/ncs:device[ncs:name='Fortigate_VM']/ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list/fortinet-fortios-non-vdom:name";

horia.gunica · ‎03-26-2020

Hello!

I modified it :

    leaf FW_PORT_SRC {
        tailf:info "Incoming Interface";
      type leafref {
       path "/ncs:devices/ncs:device[name='Fortigate_VM']/ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list/fortinet-fortios-non-vdom:name";
      }
    }

Same effect unfortunetly :

[root@localhost src]# make
/home/horia/ncs-5.3/bin/ncsc  `ls FW_SERVICE-ann.yang  > /dev/null 2>&1 && echo "-a FW_SERVICE-ann.yang"` \
             --yangpath ../../fortinet-fortios-cli-5.4/src/ncsc-out/modules/yang -c -o ../load-dir/FW_SERVICE.fxs yang/FW_SERVICE.yang
yang/FW_SERVICE.yang:52: error: bad argument value "/ncs:devices/ncs:device[name='Fortigate_VM']/ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list/fortinet-fortios-non-vdom:name", should be of type path-arg
make: *** [../load-dir/FW_SERVICE.fxs] Error 1

I also tried another pyang validation - here is the output :

[root@localhost src]# pyang yang/FW_SERVICE.yang 
yang/FW_SERVICE.yang:5: warning: imported module ietf-inet-types not used
yang/FW_SERVICE.yang:14: error: module "tailf-ned-fortinet-fortios-non-vdom" not found in search path
yang/FW_SERVICE.yang:14: warning: imported module tailf-ned-fortinet-fortios-non-vdom not used
yang/FW_SERVICE.yang:52: error: bad value "/ncs:devices/ncs:device[name='Fortigate_VM']/ncs:config/fortinet-fortios-non-vdom:system/fortinet-fortios-non-vdom:interface/fortinet-fortios-non-vdom:interface-list/fortinet-fortios-non-vdom:name" (should be path-arg)
/home/horia/ncs-5.3/src/ncs/yang/ietf-yang-schema-mount.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/ietf-yang-schema-mount.yang:9: error: unexpected keyword "reference"
/home/horia/ncs-5.3/src/ncs/yang/ietf-yang-schema-mount.yang:15: error: unexpected keyword "reference"
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-cluster.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-common.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-compliance.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-customers.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-devices.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-devices.yang:3789: error: XPath function "derived-from-or-self" is not defined in the XPath context
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-devices.yang:3997: error: XPath function "derived-from-or-self" is not defined in the XPath context
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-java-vm.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-log.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-packages.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-plan.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-python-vm.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-service-progress-monitoring.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-services.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-smart-license.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-snmp-notification-receiver.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-software.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs-ssh.yang:2: error: bad value "1.1" (should be version)
/home/horia/ncs-5.3/src/ncs/yang/tailf-ncs.yang:2: error: bad value "1.1" (should be version)

Why does it actually say that it cannot find tailf-ned-fortinet-fortios-non-vdom ? It's in the path in the MakeFile I included :

[root@localhost src]# ls ../../fortinet-fortios-cli-5.4/src/ncsc-out/modules/yang
fortinet-fortios-cli-5.4.yang  tailf-ned-fortinet-fortios-common.yang    tailf-ned-fortinet-fortios.yang
fortinet-fortios-cli.yang      tailf-ned-fortinet-fortios-non-vdom.yang

Best regards and thank you all for your help!

lmanor · ‎03-26-2020

Hello,

I tried a few test cases:

import tailf-ned-fortinet-fortios-non-vdom {

prefix fortios-non-vdom;

}

....

type leafref {

path "/ncs:devices/ncs:device/ncs:name";

}

leaf dev-name {

type string;

default 'TESTKEY';

}

leaf fw-port-src {

tailf:info "Incoming Interface";

type leafref {

// Compiles: deref points to device tree device specified in leaf device above

// path "deref(../device)/../ncs:config/fortios-non-vdom:system/fortios-non-vdom:interface/fortios-non-vdom:interface-list/fortios-non-vdom:name";

// Compiles: likewise this set the device name to the name specified in the leaf device above

// path "/ncs:devices/ncs:device[ncs:name=current()/../device]/ncs:config/fortios-non-vdom:system/fortios-non-vdom:interface/fortios-non-vdom:interface-list/fortios-non-vdom:name";

// Compiler error: bad argument value:

// Don't think you can specify a literal as name here, the compiler will not know how to follow the path

// path "/ncs:devices/ncs:device[ncs:name='TESTKEY']/ncs:config/fortios-non-vdom:system/fortios-non-vdom:interface/fortios-non-vdom:interface-list/fortios-non-vdom:name";

// Compiles: if you want the 'dev-name' to be static (like I think you are trying to do by specifying 'TESTKEY' above)

// you'll need to do something like this.. to point to a leaf with the value set as a default value...

path "/ncs:devices/ncs:device[ncs:name=current()/../dev-name]/ncs:config/fortios-non-vdom:system/fortios-non-vdom:interface/fortios-non-vdom:interface-list/fortios-non-vdom:name";

}

Makefile YANGPATH same as your's in first post..

horia.gunica · ‎03-27-2020

Hi Imanor!

Thank you very much for all your info !

This is what I was missing ! Once I've inserted this section into the yang file and referenced it as you did below - it worked like a charm :

    leaf device {
      type leafref {
        path "/ncs:devices/ncs:device/ncs:name";
      }
    }

    leaf FW_PORT_SRC {
        tailf:info "Incoming Interface";
      type leafref {
       path "/ncs:devices/ncs:device[ncs:name=current()/../device]/ncs:config/fortios-non-vdom:system/fortios-non-vdom:interface/fortios-non-vdom:interface-list/fortios-non-vdom:name";
      }
    }

Thank you very much for your help and explanations!

Best regards!

Horia